Simple rules can deal with most threats without the need for AV products, says Nick Scales
With the recent huge publicity about "new" viruses, you would have expected the industry to have learned something, but it appears it has not. When is someone going to ask why?
We hear excuses all the time from the people who are meant to be protecting us, saying that certain viruses are unusual or difficult to detect. In cases where an exploit is sent through an e-mail and, by opening it, a virus is downloaded in the background, anti-virus suppliers will say it was not a virus but "carrier mail", excusing themselves from blame.
So if it is not the wrong type of virus, it must be Microsoft's fault, or maybe the user, but it is never the anti-virus industry.
There is a fundamental problem with anti-virus definition and recognition technology: it happens after the event. Any protection that requires you to identify the virus means that someone has to have seen it and someone has to create a definition file. Then they have to get this definition out before users can be protected.
So why do we continue to use a system that cannot be really safe, which, by definition, requires some infection before we can provide protection and which we cannot protect from new, unknown viruses?
Anti-virus firms want you to believe you can receive anything from anyone. This fallacy is what is causing most of the havoc.
The world needs to wake up to the fact that anti-virus companies are in the business of developing virus definition files. Users are spending more than £1.6bn a year on this type of technology.
This problem is solvable, quickly, with non-definition-based technologies. Applying simple logic makes a real difference. It is not rocket science; it is simple and fool-proof. It is based on the reality of how we work.
There is only a small percentage of people who, within their normal patterns of e-mail behaviour, expect to receive executable code from unknown sources. The small subset of people who do accept unknown code in an unsolicited fashion create immunity because the group is so small.
Viruses need a critical mass of infectable hosts to be able to propagate. By the correct enforcement of policy, you can implement a system that is at least as effective as an anti-virus product without definitions or updates.
A very clear-cut example of effective protection is the simple logic that 99% or more of all normal communications do not contain any executable code. If you want a piece of executable code, you invariably know you want it.
Consider adopting some simple rules that can stop more than 78% of all viruses, with no traditional anti-virus products at all:
- Only accept executable code from people you know and are expecting it from.
- Only accept password protected files from people you know and are expecting them from.
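A mail-gateway filter that enforces the two rules above, added here as an illustration (it is not code from the article or from Secure::42); the allowlist, sender addresses and attachment bytes are constructed samples. It goes slightly beyond the text by recognising executables from their leading bytes (the "MZ" header of a Windows executable) as well as from their extension, and by reading the encryption flag of a ZIP local file header to spot password-protected archives.

```python
"""Definition-free attachment policy: quarantine executable or password-protected
attachments unless the sender is known AND that file was expected from them."""
import os
import struct

# Extensions treated as executable code (constructed list, extend to taste).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Constructed allowlist: sender -> filenames we are expecting from that sender.
EXPECTED = {"alice@example.com": {"build.exe"}}

# Constructed ZIP local file header: "PK\x03\x04", version 20, flags=1 (bit 0 = encrypted),
# then 22 bytes of zeroed fields and the stored filename.
ENCRYPTED_ZIP_HEADER = b"PK\x03\x04" + struct.pack("<HH", 20, 1) + b"\x00" * 22 + b"a.exe"


def looks_executable(name: str, data: bytes) -> bool:
    """Executable by extension (catches 'invoice.pdf.exe') or by the MZ magic bytes."""
    ext = os.path.splitext(name.lower())[1]
    return ext in EXEC_EXTENSIONS or data[:2] == b"MZ"


def zip_is_encrypted(data: bytes) -> bool:
    """True if data starts with a ZIP local file header whose general-purpose flag bit 0 is set."""
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    flags = struct.unpack("<H", data[6:8])[0]
    return bool(flags & 0x1)


def apply_policy(msg: dict, expected: dict = EXPECTED) -> list:
    """Return (filename, action, reason) for each attachment of a message.
    msg = {"from": address, "attachments": [(filename, bytes), ...]}"""
    sender = msg["from"].lower()
    results = []
    for name, data in msg["attachments"]:
        exe = looks_executable(name, data)
        enc = zip_is_encrypted(data)
        if not (exe or enc):
            results.append((name, "deliver", "no executable or protected content"))
        elif name.lower() in expected.get(sender, set()):
            results.append((name, "deliver", "expected from known sender"))
        else:
            kind = "executable" if exe else "password-protected archive"
            results.append((name, "quarantine", f"{kind} from unexpected sender"))
    return results


# Constructed sample messages exercising each branch of the policy.
SAMPLE_MESSAGES = [
    {"from": "alice@example.com", "attachments": [("build.exe", b"MZ\x90\x00" + b"\x00" * 60)]},
    {"from": "stranger@example.net", "attachments": [("invoice.pdf.exe", b"MZ\x90\x00")]},
    {"from": "stranger@example.net", "attachments": [("docs.zip", ENCRYPTED_ZIP_HEADER)]},
    {"from": "bob@example.org", "attachments": [("notes.txt", b"plain text")]},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], apply_policy(m))
```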
These rules have one flaw as far as the anti-virus industry is concerned: they do not require the naming of viruses, they are not sexy, do not cause fear and do not sell virus definition files.
It is time we realised that the excuses the anti-virus suppliers are using are no different from "wrong type of snow".
Nick Scales is chief executive of security technology company Secure::42
Questions to ask anti-virus suppliers
- Does the supplier publish its failure rate?
- Are customers who become infected allowed to talk about it?
- Is there an independent anti-virus test that shows real failure rates?
- Exactly what does the industry standard "100% award" mean?
- Do any of its users feel they can use the internet safely?
- What percentage of its user base becomes infected before a definition is created?
- Why does the industry only test against known viruses that have been public for some time?
- Why does the industry name viruses and promote a climate of fear?
- Why does the incubator community exist if anti-virus is effective?