From: Alun Jones [MSFT] (alunj_at_online.microsoft.com)
Date: Mon, 21 Jun 2004 09:04:09 -0700
"sgopus" <email@example.com> wrote in message
> Who wants to waste time reading the philosophy of life.
> it's clear someone has a virus, you got sent a virus.
> the whofores and whatnots don't matter, keep the AV
Oh, I don't know - there's something to be said for keeping an eye on the
antivirus companies. Any company that advertises based on "N viruses
scanned for and removed", you have to figure that perhaps a few dozen of
those are viruses you'll encounter in the wild, the remaining several
hundred are either functionally dead, or have been created in the lab for
the sole purpose of showing off, and then distributed only to the antivirus
companies. For any computer, unfortunately, it's impossible to accurately
predict which viruses you need to worry about - the important virus is
whichever one your antivirus didn't detect until after it made its way into
As for "there's never a virus but antivirus makes it so" (I'm paraphrasing
here with a little Shakespearian allusion), that's a dual concept - to most
users, yes, it's only possible to see a virus when the antivirus detects it,
but the virus is still there, steadily doing its work.
A neighbour's machine was operating very slowly, and files seemed to go
missing every so often. I investigated it, and found 11,663 copies of one
particular virus on it. No current antivirus software running. So yes, a
virus can exist even in the absence of an antivirus, and you can see its
effects even without an antivirus suite.
The duality comes with those "lab" viruses that are created solely to give
to the antivirus companies as demonstrations. Without the antivirus
companies, many viruses would not be written. That's not even remotely an
argument to cut out the antivirus companies, obviously, but it's worth
remarking on, just as it's worth noting that a good number of recent worms
have been created out of "proof of concept" postings to security newsgroups
and mailing lists. It doesn't suggest that those newsgroups and mailing
lists should be taken down, only that we should all be careful what we post
there, and how functional "proofs of concept" are.
> Next time, keep it short!
That's for sure.
--
Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights.