Re: [fw-wiz] Antivirus vendor conspiracy theories

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 11/27/04

  • Next message: Paul D. Robertson: "Re: [fw-wiz] smtp proxy on firewall"
    To: MHawkins@TULLIB.COM
    Date: Sat, 27 Nov 2004 08:37:30 -0500 (EST)
    On Tue, 23 Nov 2004 MHawkins@TULLIB.COM wrote:

    > This makes the burglar alarm, portable generator and snow tire vendors very
    > predictable in their product offering and the customer is suitably informed
    > as to the various benefits and or limitations that such products provide.

    Actually, their customers just don't understand the failure modes of their
    systems well enough to complain, and more importantly, the failure events
    are far enough apart that most people think things are just fine.

    > Antivirus vendors have painted themselves into their own conspiracy theoried
    > corner by purveying a product that is based on technology that is purely
    > reactive and for the last ten years they've used one method of protection
    > thereby enabling other attack vectors to be repeatedly successful.

    That's not the vendors' fault, it's the market which wouldn't accept the
    administrative overhead of "known good only" prevention. Also, there are
    at least two methods of protection, and they're implemented very
    differently than they were originally in many products.

    > To use your own analogies, there is nothing proactive about locking a door
    > after you've been broken into, there is nothing proactive to driving slower
    > in the snow after you've already ended up in a ditch, and there's nothing
    > proactive about remembering to gas up the generator after the power blinks
    > off. Yet, that is what antivirus vendors are selling to the consumer and
    > their marketing spin tells the average joe "install this product and
    > protect yourself from dangerous Internet viruses, worms etc" while year

    The virus threat is a situation that's more like the flu. Flu shots may
    or may not be good for the strain that gets the most spread. Out of the
    thousands of new viruses released each year, only a very small number get
    traction, because AV works well against better than 90% of the threats
    it's supposed to work against, and that's a good thing. Hand-washing is
    more effective than flu shots, but look at the panic in the US this year
    over shot availability.

    > after year major infections spread and the consumer, faced with the
    > cognitive dissonance between antivirus vendor marketing spin and the reality
    > of a system rebuild, crashes, deleted files etc, wakes up and realizes that
    > the antivirus vendors are peddling an awful product that really doesn't
    > protect their system at all.

    Marketing spin is marketing spin, and should be taken as such. However,
    AV works against almost 100% of existing in-the-wild viruses, and probably
    greater than 90% of new viruses; that's not "doesn't protect their systems
    at all." Go into any good-sized company and look at the AV software's
    logs; you'll see quarantined files at probably any company of 40 or so
    employees or more where Windows desktops are in evidence. Now, why we're
    not going through those logs and enhancing protections to stop those
    events as a matter of course...

    The market won't accept better mechanisms, just like better
    firewalls are disdained in favor of IDS, which is also a reactive
    technology. As an industry, we've failed in getting vendors to go the
    "this is now allowed to work" have it blessed first mode, so we're left
    with picking up the pieces reactively.

    As poor as ActiveX is implementation-wise (it's difficult to imagine a
    worse implementation), the "this code must be signed by a trusted party
    before it is executed" idea is a good one, but the market won't accept an
    implementation that requires the bar to be high enough that the model
    would actually work.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson
    paul@compuwar.net
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
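The quarantine-log review Paul asks about ("why we're not going through those logs and enhancing protections"), worked as an added example that is not from the original post or the list: it aggregates constructed AV quarantine lines by host and by the path the file was caught in, so repeat hosts and the dominant arrival vector stand out as candidates for a preventive control (such as blocking executable mail attachments at the gateway) instead of one-off cleanups. The log line format, the detection names and the path-to-vector mapping are all assumptions.

```python
import re
from collections import Counter

# Constructed sample quarantine log (format and detection names are assumed,
# not any vendor's real output): date host action detection path
SAMPLE_LOG = """\
2004-11-20 ws-017 QUARANTINED W32/Mailer.A C:\\Documents and Settings\\jsmith\\Local Settings\\Temporary Internet Files\\Content.IE5\\invoice.exe
2004-11-20 ws-042 QUARANTINED W32/Mailer.B C:\\Documents and Settings\\mlee\\Local Settings\\Temp\\attach\\price.zip
2004-11-21 ws-017 QUARANTINED W32/Mailer.C C:\\Documents and Settings\\jsmith\\Local Settings\\Temp\\attach\\photo.pif
2004-11-22 ws-017 QUARANTINED W32/Mailer.A C:\\Documents and Settings\\jsmith\\Desktop\\game.scr
2004-11-23 ws-108 QUARANTINED W32/Mailer.A C:\\Documents and Settings\\rkim\\Local Settings\\Temp\\attach\\doc.exe
2004-11-23 ws-042 CLEANED W32/Mailer.B C:\\Documents and Settings\\mlee\\My Documents\\setup.exe
"""

# One record per line; the path is the remainder because it may contain spaces.
LINE_RE = re.compile(r"^(\S+) (\S+) (QUARANTINED|CLEANED|DELETED) (\S+) (.+)$")

# Assumed mapping from the directory the file was caught in to how it arrived.
VECTORS = [
    (re.compile(r"\\Temp\\attach\\", re.I), "mail attachment"),
    (re.compile(r"\\Temporary Internet Files\\", re.I), "web download"),
]

def parse(log_text):
    """Yield (date, host, action, detection, path) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def vector_for(path):
    """Classify a quarantined path by its likely arrival vector."""
    for pattern, name in VECTORS:
        if pattern.search(path):
            return name
    return "local/other"

def summarize(log_text, repeat_threshold=2):
    """Return (hosts hit repeatedly, events per vector, file extensions seen)."""
    per_host, by_vector, exts = Counter(), Counter(), Counter()
    for _date, host, _action, _detection, path in parse(log_text):
        per_host[host] += 1
        by_vector[vector_for(path)] += 1
        exts[path.rsplit(".", 1)[-1].lower()] += 1
    repeat_hosts = {h: n for h, n in per_host.items() if n >= repeat_threshold}
    return repeat_hosts, dict(by_vector), dict(exts)

if __name__ == "__main__":
    hosts, vectors, extensions = summarize(SAMPLE_LOG)
    print("repeat hosts:", hosts)
    print("by vector:", vectors)
    print("extensions:", extensions)
```

On the constructed sample the mail-attachment path dominates and every caught file carries an executable extension, which is the kind of evidence that argues for a gateway attachment policy rather than relying on the desktop scanner alone.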