Comments on: When Marketing Spin Hurts You

By: kurt wismer

kurt wismer — Mon, 19 Jan 2009 14:20:06 +0000

"Do you have evidence that customers want this many updates? I would love to see it."

what, you mean like users saying 'i prefer X because it has weekly/daily/hourly updates' when most didn't update that frequently? because that i've certainly seen, however it's been a while (the update frequency hasn't really increased that much in recent memory) and sifting through google groups for something like that is no fun…

alternatively, the very fact that the updates are that frequent could be considered as evidence for the existence of market pressure for frequent updates… distributing updates costs money, the more you distribute the more it costs… unless all anti-virus companies (all of them increased their update frequency) are run by buffoons who throw good money after bad, it's logical to assume they increased their update frequency because they were losing market share to competitors who'd already increased their own update frequency…

"As for it being impossible to tell which will be significant… I disagree… it’s not unlike vulnerabilities. Significance is definitely measurable and risk can be associated with a virus. Anyone who thinks you can’t determine (within a reasonable degree of accuracy) the significance of a viruses, probably shouldn’t be working in the industry. I’m not saying it has to be exact… but you can start with basic categories…"

i'm afraid you've oversimplified things far too much… external and largely unpredictable factors (ie. the systems and people that a piece of malware encounters in the wild, as well as the nature in which it's deployed and the effort put into doing so) are the key elements that determine which will be significant and which won't… enumerating properties of the malware itself tells you about some of it's potential but not enough to predict what will happen in practice to any usable degree of accuracy…

or at least it never has in the past… if you're certain you can do what others have failed to do then you have a bright future in the industry, assuming you can prove it…

By: David Harley

David Harley — Sun, 24 Jun 2007 12:25:12 +0000

I’m a little late into this discussion, so I’ll pick on one or two points, not quite at random.
1) The fact that you’re focusing on viruses suggests to me that you’re still hung up on a 1990s worldview. Viruses haven’t disappeared, but their market share has shrunk to the point where it’s rarely worth talking about them in isolation from other forms of malwre. The trouble is, the current threatscape is infinitely more complex (not to say messy) and dynamic. AV is a much tougher job than it was then. Most relevantly to this discussion, sheer glut makes it much harder to count what’s out there, let alone categorize it so that we know that my sample X is the same sample as your sample Y. If you can’t do that, you have little hope of realistically assessing real-world risk. I’m with Kurt on that (hi, Kurt! Long time no mail.)
2) I’d accept that spyware -is- malware. (Usually.) Though exactly what either is remains contentious. Your contact at F-Secure may have been distinguishing on the grounds that AV is generally expected to catch at least a proportion of all malware, whereas there are products that specialize in spyware, but I’m not convinced that it’s germane to your point either.
3) I think your mention of QA fixes is a wee bit off-base. Granted, an update may sometimes include other stuff (partly depending on the vendor) like slipstream bug fixes, engine updates, application patches, whatever, but most of the time it’s just definitions. Signatures, if you must. And yes, there are high profile, PR-disastrous problems with false positives from time, but they’re actually astonishingly rare. Yes, an update sometimes improves on a previous definition. What’s wrong with that? You modify a definition as you learn more about a dynamic threat. Often, your modification is to genericize it so that catches more variants and subvariants. I’m reassured when I notice that a vendor is responsive to better information: I don’t assume they were wrong in the first place. Sometimes they were, of course, but I’m not perfect either.
4) You’re mistaken if you think that a vendor’s current threatlist tells you much about the samples they’re looking at currently, let alone the global threatscape. It’s not a metric: at most, it’s a list of malware they’re guessing to be most “interesting” at the moment. But it’s just a guess, and will include fairly generic names, not the dozens of subvariants and repacks that may be on the workbench at the moment.
5) Your rating system would be practically valueless to me, wearing my administrator hat. Actually, the rating systems some AV companies still have don’t work very well for me either. They’re usually weighted towards multiple reports from multiple sites, but as a useful metric, that only works for old-fashioned mass mailers and the like, and only then if very carefully done. In real life, I used to find them a liability, because I wasted a lot of time explaining to local administrators that either they or the vendor site were misinterpreting.

There was a time when I updated my users’ systems according to my own risk assessments, but that was several years ago and the threatscape was very different. If I were still that hands-on, I’d accept as many updates as the vendor chose to supply, so that neither I nor they wasted time guessing which upcoming variants would have the most impact. Subject to the major proviso that an update mechanism that hurts business processes is a major problem. I’d expect my user population to have a similar perspective in one sense: “I don’t mind how often you update as long the updates don’t get in my way.” In another sense, there is a difference in that they’d generally expect 100% detection in return for all those updates, and that isn’t going to happen.

In fact, you’re not altogether wrong: it’s not necessarily the vendor with the most updates you want to use, except in so far as it shows that they’re responsive to processing incoming samples. What I want are vendors who:
* update as often as they can -but-
* aren’t totally dependent on their updating processes, ie have advanced heuristics
* have as little impact as possible on business processes: that is, they don’t slow my systems to a crawl when they update, or when they run a background scan, or insist on rebooting my system because they’ve just downloaded an engine update despite the fact that I’m in the middle of something critical.

I’m afraid your complaint is naive. It assumes that AV vendors should and can be better than they are. My view is that they’re better than most people outside the industry think they are. And if you want to focus on the things they don’t do optimally, which is fair enough, update frequency isn’t the place to start -unless- you understand the limitations on the industry and the technology. Sorry, but I’m not sure you do.

By: kurt wismer

kurt wismer — Fri, 15 Jun 2007 23:22:45 +0000

“Do you have evidence that customers want this many updates? I would love to see it.”

what, you mean like users saying ‘i prefer X because it has weekly/daily/hourly updates’ when most didn’t update that frequently? because that i’ve certainly seen, however it’s been a while (the update frequency hasn’t really increased that much in recent memory) and sifting through google groups for something like that is no fun…

alternatively, the very fact that the updates are that frequent could be considered as evidence for the existence of market pressure for frequent updates… distributing updates costs money, the more you distribute the more it costs… unless all anti-virus companies (all of them increased their update frequency) are run by buffoons who throw good money after bad, it’s logical to assume they increased their update frequency because they were losing market share to competitors who’d already increased their own update frequency…

“As for it being impossible to tell which will be significant… I disagree… it’s not unlike vulnerabilities. Significance is definitely measurable and risk can be associated with a virus. Anyone who thinks you can’t determine (within a reasonable degree of accuracy) the significance of a viruses, probably shouldn’t be working in the industry. I’m not saying it has to be exact… but you can start with basic categories…”

i’m afraid you’ve oversimplified things far too much… external and largely unpredictable factors (ie. the systems and people that a piece of malware encounters in the wild, as well as the nature in which it’s deployed and the effort put into doing so) are the key elements that determine which will be significant and which won’t… enumerating properties of the malware itself tells you about some of it’s potential but not enough to predict what will happen in practice to any usable degree of accuracy…

or at least it never has in the past… if you’re certain you can do what others have failed to do then you have a bright future in the industry, assuming you can prove it…

By: [for malware that,new virus descriptions]-0.7 New Threats Per Day? « ewarblog test 1

Fri, 15 Jun 2007 17:31:02 +0000

[...] Tyler Reguly over at ComputerDefense.org saw our weblog post on the missed VB100 test. We mentioned there that we release about six updates per day. He felt that it was overkill to do that many updates based on our number of new virus descriptions. The fact is that we normally only create descriptions for malware that are widespread, that are unique, that we get questions about, or that get mentioned in the media. It has little to do with the amount of new malware our products detect. [...]

By: Tyler Reguly

Tyler Reguly — Fri, 15 Jun 2007 14:17:07 +0000

@Ross

Unfortunately I was typing my last comment while you were leaving yours.

It is entirely possible that different teams go at different times… That’s an update cycle I could see… However if that was the case, then I want the software to allow me to select when I receive updates from certain teams..

As for wanting immediate detection of threats covering multiple vectors… I agree with that… You’ll note in my rating system that those would still receive daily updates. I would want a signature for a very real threat, however 95% of the information listed on F-Secure’s annoucement forum (Which I’m about to add to the parent post) is fairly useless / minor stuff.

By: Tyler Reguly

Tyler Reguly — Fri, 15 Jun 2007 14:12:16 +0000

@BeltnBraces: The easiest way to avoid a virus is to be smart. Don’t visit certain websites, don’t click links you don’t know, etc… As far as exploits, a simple firewall would do the trick there Yet you seem to be the one missing the point. Microsoft does this… if there’s any exploits to be worried about, it’s quite often in one of their products yet they have a regular patch cycle. As for my PC being open to attack for 24 hours… As far as I’m concerned it should be open to attack for 24 hours anyways… I don’t see how they could possibly properly QA their signatures in various environments to ensure no problems if they are releasing them in less than 24 hours.

@kurt
Do you have evidence that customers want this many updates? I would love to see it.

As for it being impossible to tell which will be significant… I disagree… it’s not unlike vulnerabilities. Significance is definitely measurable and risk can be associated with a virus. Anyone who thinks you can’t determine (within a reasonable degree of accuracy) the significance of a viruses, probably shouldn’t be working in the industry. I’m not saying it has to be exact… but you can start with basic categories… here’s a simple example:

Type (I’m sure this could be improved upon, as I said… simple example)
Rating 5 – Worm
Rating 4 – Virus
Rating 3 – Trojan
Rating 2 – Spyware/Keylogger
Rating 1 – Adware

Method of Spreading (again it could be improved upon)
Rating 5 – Multiple Remote Exploits
Rating 4 – Single Remote Exploit / Email (Requiring Viewing Only) / Website (Requiring Viewing Only)
Rating 3 – Email (Require User Interaction) / Website (Requiring User Interaction)
Rating 2 – Installation of other software
Rating 1 – Direct Download

Damage
Rating 5 – Monitoring of Personal Information
Rating 4 – Botnet
Rating 3 – Remote Access
Rating 2 – File Deletion
Rating 1 – Self Replication (No malicious activities)

Sure I’ve left plenty out.. but there’s a very basic system… a Scoring system of 15. Those rated 10-15 may warrant multiple updates daily as they are ready…Those rated 5- 10 could go daily or maybe even weekly and those that are below 5 could go weekly or even monthly.

By: Ross Barrett

Ross Barrett — Fri, 15 Jun 2007 14:10:08 +0000

HT, it could be that they have multiple groups working on different aspects of their detection, e.g. a virus group, a ad/spyware group, a trojan/rootkit group, and that each group has it’s own schedule for updates. The updates go out when they are ready and are not held up by the other groups. Also, if I was inclined to install AV software on my box (which I’m not), I personally would want partial detection of a threat (for instance covering one of several vectors) ASAP and not have to wait for a perhaps more fully matured detection. So long as they are not quarantining critical parts of my OS or productivity suite I’m not worried about their QA process.

-Ross

By: kurt wismer

kurt wismer — Fri, 15 Jun 2007 11:45:09 +0000

“One of the things that the F-Secure sales guy said to me was “this way you don’t end up waiting a month like you would with Microsoft”… The business industry asked for that change.. They didn’t want constant updates, they wanted a predictable pattern, and Microsoft gave them exactly what they asked for.”

you think the increased update frequency of anti-virus products wasn’t also requested by their customers? pressure to update more frequently probably started as early as the melissa word macro virus if not earlier…

“Even if it was 1000 new threats daily… how many of those are insignificant… how many of those affect a single person… or are submitted by the actual virus author and never released.”

it’s impossible to know beforehand which ones are going to be significant… and as for viruses that are submitted but never released, that’s not really the norm anymore in a financially motivated malware world…

“Until I see a valid reason for 6 updates a day, I’m going to write it off as frivolous and completely useless.”

the obvious (and by now rather old) reason is mass mailing worms… they were able to go global in 24 hours so a once a day update schedule wouldn’t have been sufficient to get ahead of a well timed release… the same principle applies to the non-replicative malware that is being mass mailed today (even though it’s not mass mailing itself)…

By: BeltnBraces

BeltnBraces — Fri, 15 Jun 2007 10:50:16 +0000

I think you may have missed the point. Would you like your new Vista PC to be open to attack by some new virus/exploit for up to 24 hours pending the release of an update that you could have had as soon as it was developed?

If the answer to the above is ‘No’ then now you have a valid reason for 6 updates a day.
If your answer to the above is ‘yes’, then… I dont know what to say without appearing rude.

By: Tyler Reguly

Tyler Reguly — Fri, 15 Jun 2007 05:32:45 +0000

That could very well be the case… Yet I still wouldn’t care if it was 100 new threats daily… that doesn’t justify more than a single daily update.

One of the things that the F-Secure sales guy said to me was “this way you don’t end up waiting a month like you would with Microsoft”… The business industry asked for that change.. They didn’t want constant updates, they wanted a predictable pattern, and Microsoft gave them exactly what they asked for.

Any other industry publishing updates provides you with a list of what’s updated and what’s changed… I have been through the F-Secure FTP and website and haven’t seen a changelog for any of their updates. Even if it was 1000 new threats daily… how many of those are insignificant… how many of those affect a single person… or are submitted by the actual virus author and never released.

Until I see a valid reason for 6 updates a day, I’m going to write it off as frivolous and completely useless.