Bug Watch: A question of reputation

This week's expert, Sophos antivirus consultant Natasha Staley, looks at the question of reputation when it comes to reliable information.

As the profile of computer viruses continues to rise and the numbers steadily climb, it is little wonder that many organisations are making it their business to find out what the latest threats are and where they should be concentrating their efforts. Indeed, this is what security experts have been urging for some time.

Understandably, companies turn to antivirus vendors as a source of accurate and precise information. As the people analysing the viruses and receiving the reports they are bound to be able to give the most reliable view of a situation, right?

You'd be forgiven for thinking so because, unfortunately, this isn't always the case. In June of this year the first virus capable of infecting JPEG graphic files was discovered. The virus, known as Perrun, was sent straight to antivirus vendors and has never been seen in the wild.

Nonetheless, some antivirus vendors issued press releases warning users about this virus and suggesting that graphics files and MP3 music files could never be considered 'safe' again. In reality, the warnings were nonsense.

Another issue constantly falling prey to vendor hype is that of viruses for mobile devices. There have been various predictions that we are about to witness an avalanche of viruses for PDAs and mobile phones, or that they even represent a real threat right now and need to be protected against.

The truth is rather more mundane. Currently there is only one virus in existence for PDAs: Phage, which was written for the Palm OS. Again, this has never been seen in the wild and is never likely to be.

It isn't even possible to write a virus for a mobile phone at the moment because their operating systems are simply not sophisticated enough.

There is, of course, a likelihood that viruses for these platforms will emerge at some time in the future but, with the mobile threat currently non-existent, and with hundreds of PC viruses still appearing each month, businesses would be better advised to concentrate on the more common and less glamorous threats.

Ultimately, antivirus users and vendors alike suffer as a result of these false prophecies of doom. Hyping up the threat can force systems administrators to worry unnecessarily and cause panic among their users.

Resources may be misplaced and other areas that should be addressed can be neglected. It would surely come as no surprise if organisations became tired of the steady flow of so-called threats that never emerge and, as a result, ignore warnings altogether.

When the time comes to raise the alarm about a genuine threat there may well be no one left who is interested in listening.

For the antivirus vendors this is also a question of trust. Part of the service they deliver to customers should be an accurate and dependable information source.

Exercises in scaremongering can only damage customer relationships and chip away at their credibility in the long run. Vendors take heed: it is your own reputation on the line.