Sunday, July 18, 2004

all anti-virus products fail

if you haven't figured this out yet (and apparently most folks haven't) there is no such thing as a perfect anti-virus product... they all fail to stop a virus at one time or another, either because the virus is too new for the signatures to recognize it, or because it spread in a way the anti-virus couldn't do anything about (network share enumeration, exploits, etc), or for a host of other reasons...

for years now i've seen people 'discover' the lack of perfection in their anti-virus, and the overwhelming response is to jump ship and try a different product... the assumption is that because their anti-virus didn't protect them there must be something wrong with it, and that they should go and find a better one...

the reality is that no matter what product you use, or even how many you use, your anti-virus will fail at some point... the fact that it failed to prevent an incident (or 2 or 4 or however many it failed to prevent) does not necessarily mean there's anything wrong with the product - it could just as easily be that there's something wrong with the user...

the security of a system is only as strong as its weakest link, and most of the time that link is the computer operator - either s/he takes unnecessary risks, or s/he doesn't keep the anti-virus up to date, or s/he doesn't take any other safe-hex measures, etc... there's only so much these products can do to protect someone from themselves...

i'll be blunt - the knee-jerk reaction of blaming the anti-virus for failing to prevent a virus incident needs to change... users need to start asking themselves whether there was something they could have done to prevent the incident - some security precaution they could have taken, some policy they could have put in place... the anti-virus should not be the sole defence against malware, it should be one of many, and it should be the one that acts when all the other measures have failed to prevent the incident...

and what other measures are those?
  1. the use of a firewall
  2. the closing of network shares and unnecessary ports
  3. keeping up to date with security patches, and migrating away from the most frequently targeted applications (so that a missed patch costs you less)
  4. minimizing the amount of outside active content (applications, word documents, excel spreadsheets, etc) that is introduced into the system
  5. turning off unnecessary active content support in your browser
  6. not accepting attachments from strangers
  7. not accepting attachments from legitimate contacts until after verifying that they intended to send it and what it is
  8. the use of strong passwords
  9. the scanning of all incoming material, preferably after a suitable 'cool down' period so that its novelty doesn't help any malware that may be present avoid detection
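here's what item 9 looks like in practice - a small python quarantine queue, added here as an example and not code from the original post... the 72 hour cool-down, the directory layout and both signature sets are made up for the demo (the eicar string is the standard harmless anti-virus test pattern, the 'worm marker' is invented), and the point it makes is that a file scanned the day it arrives can come up clean against that day's signatures and still get caught once it has sat long enough for the signatures to catch up:

```python
"""Hypothetical quarantine queue with a 'cool down' period (added example,
not the original post's code).  Incoming files sit in quarantine until they
are old enough that signatures for anything new in them have had time to
ship; only then are they scanned and released or held."""
import hashlib
import json
import os
import shutil
import tempfile

# Assumed cool-down: hold every incoming file 72 hours before the final scan.
COOLDOWN_SECONDS = 72 * 3600

# Constructed signature sets.  The EICAR string is the industry-standard
# harmless test pattern; the "worm marker" is made up for this example and
# only appears in the day-3 set, standing in for a sample that was too new
# to be detected on the day it arrived.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
WORM_MARKER = b"MZ\x90\x00CONSTRUCTED-NEW-WORM-MARKER"
SIGNATURES_DAY0 = {EICAR: "EICAR-Test-File"}
SIGNATURES_DAY3 = {EICAR: "EICAR-Test-File", WORM_MARKER: "Constructed.Worm.A"}


def scan_bytes(data, signatures):
    """Return the name of the first matching signature, or None if clean."""
    for pattern, name in signatures.items():
        if pattern in data:
            return name
    return None


def quarantine_file(src, qdir, now):
    """Move src into qdir under its SHA-256 and record when it arrived."""
    with open(src, "rb") as fh:
        data = fh.read()
    digest = hashlib.sha256(data).hexdigest()
    dst = os.path.join(qdir, digest)
    shutil.move(src, dst)
    with open(dst + ".json", "w") as fh:
        json.dump({"original_name": os.path.basename(src), "arrived": now}, fh)
    return digest


def process_quarantine(qdir, signatures, now, release_dir, detected_dir):
    """Scan every item that has finished cooling down, using the signatures
    current at `now`.  Clean files go to release_dir, hits (with their
    metadata) to detected_dir, younger files stay put.  Returns a dict of
    original names by outcome."""
    out = {"released": [], "detected": {}, "waiting": []}
    for name in sorted(os.listdir(qdir)):
        path = os.path.join(qdir, name)
        if name.endswith(".json") or not os.path.isfile(path):
            continue
        with open(path + ".json") as fh:
            meta = json.load(fh)
        if now - meta["arrived"] < COOLDOWN_SECONDS:
            out["waiting"].append(meta["original_name"])
            continue
        with open(path, "rb") as fh:
            verdict = scan_bytes(fh.read(), signatures)
        if verdict is None:
            shutil.move(path, os.path.join(release_dir, meta["original_name"]))
            os.remove(path + ".json")
            out["released"].append(meta["original_name"])
        else:
            shutil.move(path, os.path.join(detected_dir, name))
            shutil.move(path + ".json", os.path.join(detected_dir, name + ".json"))
            out["detected"][meta["original_name"]] = verdict
    return out


def demo():
    """Constructed run: three files arrive on day 0 and are checked at once
    with that day's signatures, then again after the cool-down with the
    updated set.  Returns the three result sets for inspection."""
    root = tempfile.mkdtemp()
    try:
        inbox, qdir, released, detected = (os.path.join(root, d) for d in
                                           ("inbox", "quarantine", "released", "detected"))
        for d in (inbox, qdir, released, detected):
            os.makedirs(d)
        samples = {"report.txt": b"quarterly numbers, nothing to see here",
                   "eicar.com": EICAR,
                   "invoice.exe": WORM_MARKER + b"\x00" * 32}
        for fname, data in samples.items():
            with open(os.path.join(inbox, fname), "wb") as fh:
                fh.write(data)
        t0 = 1_090_000_000  # arbitrary arrival time, epoch seconds
        # what an on-arrival scan with day-0 signatures would have said
        on_arrival = {n: scan_bytes(d, SIGNATURES_DAY0) for n, d in samples.items()}
        for fname in samples:
            quarantine_file(os.path.join(inbox, fname), qdir, t0)
        day0 = process_quarantine(qdir, SIGNATURES_DAY0, t0, released, detected)
        day3 = process_quarantine(qdir, SIGNATURES_DAY3, t0 + COOLDOWN_SECONDS,
                                  released, detected)
        return on_arrival, day0, day3
    finally:
        shutil.rmtree(root)
```

the on-arrival scan flags eicar.com and passes invoice.exe as clean; the day-0 pass of the queue releases nothing because nothing has aged yet; the day-3 pass, run with the updated signatures, releases report.txt and holds both eicar.com and invoice.exe... the hash-named storage means the same sample arriving twice collapses to one quarantined copy, and keeping the arrival time in a sidecar rather than trusting filesystem timestamps means a sender can't shorten the wait by backdating anything...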


even after all that, you can still expect a virus/worm/malware incident once in a while... no security is perfect, that's just something we have to learn to accept and plan for (i.e. make sure you have a plan for disaster recovery)...
