There are plenty of misconceptions about what constitutes a virus andn we trust them and can we trust their products? Dennis Howlett examines the criticism and suggests a few remedies. what does not. Some people think a virus is a piece of buggy code that behaves erratically and does something nasty on the desktop - but under that definition some commercial applications would qualify as prime contenders.
Viruses are not like that at all. The simplest definition is that a virus is a program that replicates itself. According to antivirus specialist (AV) company Dr Solomon's, "In retrospect, it's unfortunate that the word 'virus' was used because it makes the problem sound a lot worse than it is. It might have been better to use the word 'weed'. But we're stuck with 'virus'."
The company claims that 95% of viruses do no more than replicate plus some trivial extras like beeping the keyboard or displaying a message.
If a program does something nasty that you weren't expecting, that doesn't make it a virus unless it replicates. Such a program is called a Trojan horse, after the legendary statue that carried invaders into Troy.
There are an estimated 22,000 viruses floating around in the ether but, according to the April '98 edition of the virus bible, Joe Wells' WildList, the number reported 'in the wild' is 262. WildList defines a virus as being in the wild when two or more members of Wells' professional 47-person AV team finds a particular strain in existence. To this 'wild' figure, the listing adds a further 573 viruses that have been reported by a single panel member.
So it would seem that, on the basis of numbers alone, although there seems to be a high risk of infection, we are still only talking about less than 4% of the total of all known viruses.
The WildList is controversial because it is dependent on reports from a very small band of professionals. It takes no account of users' findings where, for example, an AV product has been able to detect a new variant heuristically and treat it without recourse to the AV vendor.
Does this mean the real risk of infection is quite low? The answer is an emphatic 'no'. Risk does not depend on a numbers game but on what happens when a virus is activated.
In the old days of DOS-based viruses, the nature of the attack was predictable because specific viruses only did specific things. Dangerous though this was, the virus could be treated in the almost-sure knowledge that it would not behave differently elsewhere. In addition, DOS-based viruses tended to attack individual PCs rather than making a networked onslaught. There are exceptions, however, like the famous instance of the virus distributed on a MacOS CD - but such cases are mercifully rare.
All this changed with the introduction of macro viruses, initially attached to Word documents but now increasingly seen in Excel spreadsheets. The unlucky recipient of a WordMacro (WM) virus, contained in a document that was distributed across a network, could find that the virus mutates into variants as different people take different actions. This is because the behaviour of WM viruses is unpredictable, partially because viruses tend to be badly written code and partly because the actions a macro takes will depend on the instructions passed as it executes.
The problem is compounded by the fact that we live in an age where collaborative computing is the name of the game and where users are encouraged to distribute documents around the organisation. WM viruses have become such a standard feature of the computing landscape that all AV vendors report at least 35% of reported attacks come from WM sources (see boxout for Sophos estimates).
Some researchers put the figure as high as 50%.
From a management perspective, the prevalence of viruses is worrying enough for some people to introduce Draconian measures. For instance, many companies, the Halifax Building Society for instance, have made virus introduction a sackable offence but this is an untenable position, except in cases where malice is provable.
According to Heidi Alpe, marketing manager at Content Technologies: "Adopting severe disciplinary measures is unlikely to work because, if people are too scared to own up to the fact, it is difficult to trace and therefore difficult to solve."
In the modern enterprise, tracking difficulties are increased when you have to solve problems such as how to trace the source of infection caused by documents transmitted across the Internet or around the intranet where there may be multiple mailers and recipients?
In addition, where does the responsibility start and stop? If a user has unwittingly picked up a virus from an external source, is that person responsible for introducing it into the business? What about files taken from third parties who have access to your intranet? What about the maintenance chap who wanders from one business unit to another? The list of possible causes of infections is legion and so while one might point to specific areas of weakness - such as Internet access gateways - the management dilemma must be handled in ways that are enforceable.
Andy Harris, director of development at Content, commented "Users have enough problems understanding IT in the first place. Just yesterday, it took me over 20 minutes to get a Web site working properly and I've got over 20 years' experience in IT."
He believes that staff should be made aware of the basic provisions of the Data Protection Act and Computer Misuse Act. Harris said, "Put simply, this means watch what you're doing with personal information and don't go hacking around with systems you're not supposed to. You could be breaking the law."
In his opinion, translating this understanding into policy should be enough to at least make people aware of the dangers.
Despite this, virus attacks remain common and costly. According to the 1997 NCSA Computer Virus Prevalence Survey: "Virtually all medium and large organisations in North America (99.33%) have experienced at least one computer virus infection first hand. This year's survey reports that, while the usage of antivirus software is up - 73% of machines versus 60% in 1996 - the infection rate grows."
The report then moves on to say that the rate of infection is running at around 3.3% of machines per month, up from around 1% in 1996. This situation is becoming worse because many companies seem to be resistant to implementing AV software. According to Harris, a survey that Content conducted among the UK's top 100 companies showed that only 16% claimed to have AV tools - and, of those, only 3% were keeping their software updated.
Even when companies do use AV software, it may turn out to be largely ineffective. Lindsay Wright, security specialist with researcher Brown Wright, told us: "Most of the current (virus) scanners miss an awful lot of what appear to be virus files. Many also produce a high level of false alarms. It is appalling. Later versions of some scanners pick up files that previous versions said were clean. As a user, I'd be very upset indeed." A Brown Wright report, The Great Virus Scanner Mystery, tested 17 of the best-known AV products against a library of 6,301 files, culled from the Internet, that are claimed to show viral characteristics. In a damning condemnation of the AV industry, the report summarises: "Virus scanning software does not provide effective protection from viruses."
What's more, the report highlights the additional costs of using AV software in terms of poor usability, time taken to perform scanning operations and so on. For example, of Dr Solomon's, Wright commented, "Version to version comparisons show some very odd results. For example, version 7.70 reports four infections that 7.73 misses; and, indeed, with each new release a few files reported by earlier releases are usually pronounced as clean." In another product review, Wright said, "In Paranoid mode, F-Prot seems to adopt a 'guilty until proven innocent' philosphy but extensive 'false-alarming' is not helpful."
Needless to say, the AV industry is up in arms about this report. Paul Ducklin, technical manager at Sophos, said, "Both Solomon's and ourselves attempted to get hold of the report without success. To the best of my knowledge, they did not test file content and, as I understand it, the tests are unscientific because they are not repeatable."
Wright made no bones about what was done. "The tests are only repeatable with some difficulty. We're aware that Internet virus sites are transient and there was no attempt to be scientific in the true sense. In all probability, there is a lot of junk but the point is that the scanners gave a wide variety of results, not recognising some viruses and giving false results elsewhere," he said.
Whether one agrees with Wright or the industry pundits, there is reason enough to be sceptical. Symantec's recent advertising campaign for its Norton AntiVirus product showed what was clearly a bug with a bullet going through its head and Solomon's Web site has a cartoon bug on the main AV page. It is difficult not to be cynical and ask what these vendors are doing in the business since they apparently don't know the difference between a bug and a virus.
How does one move forward in an Internet-enabled world? Wright suggests disk-blocking technology of the type found in Reflex Magnetics' DiskNet, which contains anti-tamper features that do not exist in any AV software products.
Content believes that, alongside adequate firewall protection, content analysis should be used as the first line of defence. The problem with that solution is that it relies on the effectiveness of the scanning technology that lies behind it.
Sophos and Content are forming a partnership to provide a composite solution to answer many of the criticisms of current AV tools. Content's MIMEsweeper performs the initial recursive analysis needed to determine the contents of files coming in, or going out of, the network through the Internet gateway. Sophos sits behind MIMEsweeper and its virus database is initialised once at start-up, with subsequent communication being routed directly into its Savi DLL. In this way, Sophos AntiVirus is able to react instantly to individual requests to sweep files without further initialisation.
Performance improvements typically exceed 10-fold, compared to command-line virus scanners. Savi also eliminates memory constraints by using a single multi-threading copy of the virus database to process all requests.
With the possibility of other infection sources and the difficulty of knowing which AV product is likely to catch everything, a combination of scanners may appear to offer a more positive way forward. This route is fraught with problems because, as Wright pointed out: "How do you know which ones to pick? If you had five, would it make any difference? I don't think so."
Wright believes that a mix of boundary protection systems would definitely make a difference: "I think that anything else needs weekly, enforced, full scans. Maybe getting the AV systems to trawl behind screensavers is a way out, provided the screen saver itself doesn't bring down the system."
A lot can be done to reduce both the real and the perceived risk. Locking down the hard disk, using products like DiskNet, is one way but may meet resistance. With DOS underpinning Windows, there's a strong case for Microsoft doing more but it shows no apparent willingness to do so.
The WordMacro virus threat is more easily solved. Through its Web site, McAfee, now part of Network Associates, advocates creating RTFs (Rich Text Files). RTFs can maintain most of the formatting of a Word document but can't carry macros and their potential virus payloads. These files can be easily created within and read by Word. For the vast majority of users, this would be very simple to implement and would immediately remove a significant source of concern.
Viruses will never go away. If anything, the risks will increase rather than diminish but they may not be as bad as the AV vendors, who play on the fear factor, would have us believe.
The best policy is to keep a clear head and seek independent advice.
HOW COMPUTER VIRUSES CAN BE SPREAD ACROSS THE ENTERPRISE
Games, shareware and bulletin boards have all been cited as common sources of viral infection. While there is some truth in this notion, it is only part of the story. Prior to WordMacro viruses, the most common causes of infection were floppy disks, containing infected boot sectors and directories, that were passed around a company.
The growth of networks and Web technologies has meant that files can be more easily transferred from the Internet and through the intranet.
The spread of WM viruses, in particular, indicates that the higher rates of infection are resulting from documents transmitted in this way.
Computer viruses are usually spread through file transfers - this leaves responsibility at the vulnerable user's doorstep.
Dubbed Barnard's star B, newly discovered planet is believed to be rocky
Also, what's a USB stick?
Gravitational waves become extremely weak by the time they reach the Earth and require highly sensitive equipment for detection
The reactor topped out at 100 million° C