
Watching the detectives

How our brave antivirus sleuths tackle the enemy

James Middleton

Melissa was the virus that rocked the security industry and warned the experts that they needed to change their procedures to keep up with the bad guys.

Now vnunet.com takes a peek behind the scenes and reveals what goes on in the antivirus (AV) labs when the latest Melissa worms its way into town.


"We discover between five and 10 new viruses a day, but most of these never make it into the wild," said Raimond Genes, European president at Trend Micro.

He explained that the fight against viruses relies heavily on customers and rival AV companies for information on the latest threats.

Genes said that typically, if a company suspects that an as yet unidentified virus is loose on its network, the firm sends a sample in to be analysed. The sample is then passed on to other AV firms, a practice which, although the firms are competitors, ensures that end users get protection as soon as possible.

Virus researchers also spend time browsing the underground virus-writing websites where some authors post their latest creations. This allows AV companies to get the drop on new techniques or potential threats that have not yet surfaced in the wild.

But very occasionally, when a fast-spreading mass-mailing virus appears, early victims may already have shut down their email systems and will not be able to send in samples of the virus.

"In this case we work out common attributes of the virus that could be used against it, such as subject lines or attachments in the email," said Genes.

These attributes can be used to set up a filter on the customer's mail system to block virus-carrying email at the gateway, even before the virus itself has been analysed and a signature written.
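One way to implement such an interim filter, as an added example that is not code from the article or from Trend Micro: it parses each inbound message, compares the subject line and attachment names against a set of indicators of the kind Genes describes, and quarantines matches. The indicators and the sample messages are constructed for illustration, not taken from any real outbreak.

```python
"""Indicator-based mail filter: quarantine suspected worm mail before a
signature exists.  Added example; indicators and samples are constructed."""
import email
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage
from typing import Optional


@dataclass
class Indicators:
    """Attributes shared by the worm's mails, as reported by early victims."""
    subjects: set = field(default_factory=set)          # exact match, case-insensitive
    attachment_names: set = field(default_factory=set)  # exact filename, case-insensitive
    attachment_exts: set = field(default_factory=set)   # final extension, e.g. ".scr"


# Constructed indicators standing in for what an AV lab would publish.
INDICATORS = Indicators(
    subjects={"check out this cool screensaver"},
    attachment_names={"coolscreen.scr"},
    attachment_exts={".scr", ".vbs", ".pif"},
)


def attachment_filenames(msg: EmailMessage) -> list:
    """Filenames of all parts the message marks as attachments."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def classify(raw: bytes, ind: Indicators) -> tuple:
    """Return ("quarantine", reason) if any indicator matches, else ("deliver", "")."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    if subject in ind.subjects:
        return "quarantine", f"subject matches indicator: {subject!r}"
    for name in attachment_filenames(msg):
        lname = name.lower()
        if lname in ind.attachment_names:
            return "quarantine", f"attachment name matches indicator: {name!r}"
        # Use the final extension so double-extension names (photo.jpg.vbs)
        # are judged by what the mail client would actually execute.
        ext = "." + lname.rsplit(".", 1)[-1] if "." in lname else ""
        if ext in ind.attachment_exts:
            return "quarantine", f"attachment extension blocked: {ext!r}"
    return "deliver", ""


def build_sample(subject: str, body: str, filename: Optional[str] = None) -> bytes:
    """Construct a sample message (with an optional dummy attachment) as raw bytes."""
    m = EmailMessage()
    m["From"] = "alice@example.invalid"
    m["To"] = "bob@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"\x00" * 16, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


def run_demo() -> dict:
    """Classify a handful of constructed messages; returns {label: verdict}."""
    samples = {
        "worm_by_subject": build_sample("Check out this cool SCREENSAVER", "fun!"),
        "worm_by_filename": build_sample("hello", "look", "CoolScreen.scr"),
        "worm_double_ext": build_sample("holiday photo", "see attached", "photo.jpg.vbs"),
        "legit_report": build_sample("Quarterly report", "attached", "q3.pdf"),
        "legit_plain": build_sample("lunch?", "12:30 at the usual place"),
    }
    return {label: classify(raw, INDICATORS)[0] for label, raw in samples.items()}


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label:18s} -> {verdict}")
```

The filter is a stopgap, not a replacement for a signature: the worm's author can change the subject line or filename faster than indicators can be republished, and a broad extension rule will also hold legitimate mail, so quarantining (with a log entry and a reason) is safer than silently discarding.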

Once the virus has been identified, a decision is made on whether the threat is serious enough that customers need to be actively alerted, or whether the virus signature will simply be included in the next regular update.

Typically, a 'yellow alert' is issued if the virus has been reported by three customers and is spreading, and a 'red alert' if it has been reported by five customers and is spreading. Anything below these thresholds means the virus signature is simply included in the next software update.

"The Goner virus found on 4 December was particularly easy to analyse," said Genes. "We had an antidote ready within 50 minutes of its discovery. But with more complex viruses we would release a preliminary warning and further details as they are discovered."

After a sample has been obtained, AV teams working round the clock will develop an antidote and make it available for download or push it out to customers if need be.

"But in the case of Nimda, after we released a patch we found that the virus could change shape to avoid it and had to develop another one," explained Genes. "In the case of Kournikova, which was created with a kit, we simply released an antidote that caught all viruses made with that kit."

The AV companies' reliance on end users and customers runs throughout the entire virus discovery and protection process, from the initial alert through to information on how the virus is spreading.

"But as soon as we release a patch, we stop getting feedback from our customers," said Genes. "As soon as they are protected it becomes difficult to get information on how the virus is spreading."

Explaining that the fight against viruses had changed dramatically since the advent of Melissa, Genes said: "Before mass mailing viruses, which cross the globe in minutes, we would see viruses spreading regionally. It would take weeks for a virus discovered in the US to reach Europe.

"In the last year we have gone from recommending companies to update their virus software every week to every day. And with the arrival of viruses such as Nimda we have found customers asking for software that updates every hour.

"It was more luck than judgement that the AV industry handled the Melissa outbreak so well. But it showed us that we needed to change the virus handling procedure to keep users protected and keep up with the virus writers."
