When Marketing Spin Hurts You
As most people know, my Bloglines is FULL of blogs that I read on a regular basis. Generally these blogs are interesting, however they are occasionally filled with marketing spin. This happened with a recent post on the F-Secure blog. It seems they failed the VB100 test (which they normally pass) and wanted to head it off at the pass before anyone else could talk about it. That's fine... they didn't send the most up-to-date signatures that they could have sent, and VB100 doesn't perform an update after an install. A mistake on F-Secure's part but it's minor... they even went so far as to get somebody from Virus Bulletin to comment on the quality of their product. I was impressed by this, generally I wouldn't think that a neutral organization would do this, so it gives the product a big of a boost in my eyes. However one statement in the post did catch me offguard:
"we nowadays ship around six updates a day"
I realize that this was meant as a positive thing, but it got me thinking and I just can't see it in a positive light. When you are pushing out that many updates it tells me one of two things. i) You are "sweatin' the small stuff" or ii) You have a bad QA process and need to push out fixes. I was curious about this, so I went over to Symantec and checked out Threat Explorer. It listed 62 new threats dated back to May 16th. So if we take May 16th - June 13th, that's 29 days. Which means 2.1 threats per day. Now, that's Symantec, not F-Secure so I went over and took a look at their Virus Description Modifications page. Of course there's no guarantee that these are new virus descriptions, in fact I noticed some that I'm fairly sure aren't... but I figure description modifications would include creation. Over the same 29 day period, they have 21 viruses. That's 0.7 threats per day. I grabbed a few more stats from other sites; Panda listed 11 (0.37 threats per day) and McAfee listed 24 (0.8 threats per day).
So, even if we use Symantec's numbers for F-Secure, there's no reason to push out more than 2 updates per day, and even then, I would feel that one update daily would be more than sufficient. Even that may be overkill in some cases but I could see a "daily" update. I think the last thing a company should be doing is bragging about 6 updates per day, especially when the number of new virus threats if much way below that. This makes me think of the poor QA we've seen out of AV companies in the past; McAfee update exterminates Excel or Flawed Symantec update cripples Chinese PCs. It really makes me question the integrity and quality of the updates that I'm receiving.
So kudos F-Secure on the quick thinking to put a positive spin on your failure to pass VB100, but at "six updates a day" you've failed something even bigger in my eyes. Given that the F-Secure blog was one that I enjoyed reading and that I'd just picked up my new Vista PC, I was thinking about buying F-Secure Internet Security 2007 and installing it on my machine. Now I'm afraid to... the product has just gone to the bottom of my list and it's all because "six updates a day" leaves a bad taste in my mouth.
I was able to walk the Exhibitors floor at InfoSec Canada earlier today and one of the things I was able to do was chat with a Sales guy from F-Secure. He was actually really great to talk to... I wanted to know more about the "6 updates a day" and he was more than happy to discuss it and provide me with some information. He said that 6 is just an average, that some days they are much higher with a record of ~21 in a single day. I found this little shocking, and he named other AV vendors and pointed out that some of them will do 20-30 updates daily. (I would love to hear from any AV vendors that read this, just how many updates your software has daily).
He also said that it's because their software includes not only updates for malware but also for spyware. Maybe it's just me, but I've always considered malware to be blanket term that includes worms, trojans, adware and spyware. Anyways that was another bit of justification he gave for the number of updates he did. Either way I'm still not overly impressed, however the guy was friendly enough and provided me a 30-day demo of all their products (including their mobile solution) so I may check them out and see what I think... but if I really do see 6-updates daily... I don't think it'll be around longer than 30 days. As a side note they had nice swag at their booth... the key chains that you push to separate into two key chains, with the F-Secure logo etched into the side.
F-Secure was nice enough to blog about this issue. However they couldn't even spell my name correctly, they currently have my last name spelled 'Regulay'. They attempt to address the issue I've brought up... and I'm glad that they have clarified (as kurt already had) that they only do descriptions for, what I'm going to call, 'media worthy' viruses. They were also good enough to provide a link to F-Secure Forums, which contains a change log for each of their releases (well almost each, I noticed certain daily releases weren't included...I'm guessing those are the ones with big QA fixes). I say big QA fixes because, for example, June 14th - Package #4 saw the deletion of 29 pieces of malware, most of which were replaced in that update. My assumption if they are replacing them is that they i) had bad QA or ii) jumped the gun and shipped improper detection before they had all the facts. They also mention that one day they had 11 updates... I definitely feel this is too much... I know there are lots of people that agree with me, since they've voiced their belief privately... hopefully some of them will speak up.