Someone Else

Robert Moir writes about Operating Systems, Computer Security and Virtualisation.

False alarm fall out.

David Harley reports on an ongoing rumble in the Mac community about the awful false alarm problems that hit Mac users who run Sophos Anti Virus.

I've seen many of these complaints from Mac Sophos users. It certainly is a bitter pill for them to swallow: after years with no real threat to speak of, in the very month when some holes finally start to come to light, they are damaged far more by their protection than they would have been by the threat it was guarding against. False alarms are sadly a fact of life with the current breed of virus scanner. Some scanners are worse than others (and Sophos is far from the worst), and some scanners are so bad that people tell jokes about them.

I've seen people threaten to sue, and I too have seen people wanting to walk away from "pay for" AV and support open source products. The Open Source scanners certainly should be supported, but as much as I myself like and use Clam, it simply isn't designed to do the same things that Sophos can do.

At the end of the day, it is all about cost. Someone's time repairing a machine that's been attacked by either a worm or a runaway virus scanner can be a considerable cost. Is the cost of the insurance greater or lesser than the cost of the risk for you?

Keep in mind that if your computer becomes infected with malware that attempts to spread itself to others, then part of the cost is your reputation. I can minimise the cost of a security issue to my business by working all night to recover from it, but I can't wind back the hands of time and regain the trust of people whose computers have been wrecked because of my foolishness.

So what to do? I won't rewrite material I basically agree with from the articles I've linked to, as there is no point in that, so I'll just leave you with a couple of questions:
  • Are Mac users too fussy about AV, or are Windows users too accepting of shoddy products?
  • What if I told you that a possible method for improving issues with false alarms and detecting "new" viruses means changing the way you think about virus scanning?
  • Virus Scanners could be looked on as insurance. If the risk of fire was increasing where you live, and the insurance companies put up the cost of fire insurance accordingly, you might not like it. But would you want to go without insurance?
History Lesson:
Way back in the mists of time, Dr Alan Solomon (yes, THAT Dr Solomon, of Dr Solomon's Anti-Virus fame) wrote an interesting little article about the perfect anti-virus program: one that always detects viruses and never gives a false alarm. Personally, I wouldn't want to rely on it, but it does illustrate the point.

More History:
It's nice to catch up with David Harley and (in his comments) Paul Schmehl again. They both used to be Alt.Comp.Virus regulars 'back in the day' and are two people whose posts I always tried to read - even if I didn't always agree with them!

If you're at all interested in security and malware then keep an eye on the site that hosts David's blog.

Comments

Sandi said:

You may find this old Blog entry interesting:

http://msmvps.com/blogs/spywaresucks/search.aspx?q=norton&p=1
# February 27, 2006 4:07 PM

JazzCrazed said:

The ultimate point is not the difference between proprietary and open source AV products, but the fact that no single AV product is, nor will ever be, perfect (as Alan Solomon cleverly illustrates), and that the best solution is probably a layering of different products. And, of course, paying close attention to developments in security.

Whatever the case, hinging security decisions on the business plan of a product, ignoring the actual specific qualities, is dangerous, indeed.

Still, whatever state they are in now, I believe open source products are the future where security is concerned.
# March 10, 2006 10:01 AM

Robert Moir said:

A fair point, Jazzcrazed. Following a commercial product blindly is just as dangerous as following an open source product blindly.

I support things like Clam and make use of them myself. I just wanted to underline that their scope is - well I won't say "limited", rather "different" to the commercial products.

My personal perspective, I guess, is that security involves multiple layers of tools and "defences", and the best overall solution can usually be found by cherry picking the stars of the commercial and open source worlds.
# March 10, 2006 10:18 AM

JazzCrazed said:

Agreed with you there.

But hopefully Microsoft doesn't convince people to stick with just one tree - their own (http://news.com.com/Spyware-killing+Vista+could+take+out+rivals/2100-1029_3-6050733.html).

Maybe it's not so much the specific programs, but the fact that the industry as a whole functions properly by following a very open-source like philosophy - that of widespread cooperation. Linus Torvalds saying, "the more eyes on a bug, the higher it floats," certainly transitions seamlessly to antivirus and security software.
# March 18, 2006 6:07 PM

Robert Moir said:

Yes, the open nature of the security industry in some areas has been one of the very great benefits.

Actually, I'm not THAT impressed with Windows Defender. I'm interested in Vista making AV and AntiSpyware less important because the need/threat is greatly diminished, because there are far fewer places for such malware to get a toehold on a system... sign me up for better built-in security! But I'd hate the market to die away because Microsoft simply 'bundled their own'. Mind you, the XP firewall hasn't killed off third party firewalls.
# March 19, 2006 10:54 AM