[fw-wiz] Opinions on the security of antivirus software

From: Mikael Olsson (mikael.olsson@clavister.com)
Date: 07/05/02


From: Mikael Olsson <mikael.olsson@clavister.com>
To: firewall-wizards@honor.icsalabs.com
Date: Fri Jul  5 11:41:13 2002

Hi,

I was wondering what opinions you people have on different antivirus
packages, security-wise.

From what I've seen, most popular antivirus packages tend to distribute
their updates in self-executing files with little or no authenticity
validation.

This, in my opinion, leaves a lot to be desired for security.
The downloads are themselves completely unauthenticated (usually
plain FTP, which has its own sets of problems, as we all know),
and even those that attempt authenticity validation do not appear
to have to know-how to do it properly. [1]

So: what are YOUR opinions on the (in)security of the antivirus
packages out there?
And: How competent is the scanner engine? What kind of encodings
and packaging formats does it recognize? And, most importantly:
what does it do when something is "bad"? (e.g. broken base64
encoding that the browser will handle even though it is broken)?

Signature update speed is secondary here (most get updates out
within a day -- fine by me), and beautiful GUIs get zero points.

I recently looked at Sophos' site; it appears they distribute
the brunt of the changes through CDs and only distribute new
signatures over the 'net. To me, this seems a sound idea... ?

Thanks,
/Mikael

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
"It's July. I'm on vacation. Can't you tell? :)"
[1] At least one major vendor claimed to do this, I believe it was
    Symantec, although huge flaws were found that allowed an attacker
    to inject pretty much ANY executable and have it run by the
    internal server(s). They claim it is fixed now, but ...