Debate | SC Media

Debate

November 14, 2006

FOR, by David Vella, senior product manager for MailSecurity, GFI Software

There is no single engine which is the fastest at reacting to all viruses and the best at identifying all threats; all companies using a single anti-virus engine are leaving themselves open to viruses and other malware.

Using multiple anti-virus engines provides three primary security benefits.

First, each anti-virus engine has different reaction times. No one comes out on top every time!

Additionally, multiple proactive and heuristic engines working in parallel are the most effective. McAfee was the first to detect the Win32/Blackmal.E through its proactive and heuristic engine; however, it did not detect the Win32/MyDoom.BB. It was caught first by Kaspersky.

Finally, anti-virus engines have strengths and weaknesses. Some engines excel at identifying certain types of malware, while others are stronger at detecting viruses, trojans and backdoors.

A multiple anti-virus engine approach provides the most holistic approach for protecting a network against infection with no extra taxation on performance.


AGAINST, by Bob Hansmann, senior product marketing manager, Trend Micro

Due to response times measured in ‘days’ during the 1990s, multi-engine anti-virus techniques increased the likelihood that at least one of them would be among the earliest to detect a new threat. Nevertheless, this improved response time came with increased ‘false positive’ disruptions.

With so many major outbreaks, the trade-off was in favor of the multi-engine approach, sometimes protecting systems a day or more ahead of many single solution systems.

But today's typical anti-virus response is under an hour, eliminating the ‘value’ of this approach, while the ‘false positive’ problem has remained steady for many vendors. This year alone, updates from major AV vendors have shut down QuickTime, killed Microsoft Excel, and even identified core operating system files as threats, thereby interrupting operations.

So, if you are using four or five anti-virus engines, you have essentially increased the likelihood of a false positive by up to 500 percent. Not a smart trade-off for potentially faster detection.
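A small model of the trade-off both sides argue over (an added example, not part of either contributor's text). It assumes each engine detects or false-alarms independently with the constructed rates in the code, which flatters stacked engines in practice, and it also shows a "flag only when k of n engines agree" policy that the debate itself does not discuss.

```python
"""Model the multi-engine anti-virus trade-off.

Assumption (constructed for this example): engine i detects a fresh
sample with probability d[i] and raises a false positive on a clean
file with probability f[i], independently of the other engines. Real
engines share signature feeds and heuristics, so independence
overstates the benefit of stacking engines; the figures are illustrative.
"""


def at_least_k_of_n(probs, k):
    """Probability that at least k of n independent engines fire.

    probs: per-engine probability that the engine fires (detects, or
    false-alarms, depending on which list is passed).
    A small dynamic programme over 'how many have fired so far'.
    """
    dist = [1.0]                        # dist[j] = P(exactly j fired so far)
    for p in probs:
        nxt = [0.0] * (len(dist) + 1)
        for j, pj in enumerate(dist):
            nxt[j] += pj * (1.0 - p)    # this engine stays quiet
            nxt[j + 1] += pj * p        # this engine fires
        dist = nxt
    return sum(dist[k:])


def engine_stack(detect_rates, fp_rates, k=1):
    """Combined detection and false-positive probability when a file is
    flagged once at least k engines flag it. k=1 is the plain 'any engine'
    policy argued for above; k>=2 trades some detection for far fewer
    false positives."""
    return {
        "engines": len(detect_rates),
        "k": k,
        "detection": at_least_k_of_n(detect_rates, k),
        "false_positive": at_least_k_of_n(fp_rates, k),
    }


if __name__ == "__main__":
    # Constructed figures: five engines, each catching a fresh variant
    # 60% of the time and misfiring on 0.1% of clean files.
    d = [0.6] * 5
    f = [0.001] * 5
    for k in (1, 2, 3):
        r = engine_stack(d, f, k)
        print(f"{r['engines']} engines, flag at >= {k}: "
              f"detection={r['detection']:.3f}  "
              f"false_positive={r['false_positive']:.5f}")
```

With these inputs the any-engine policy raises the false-positive rate by roughly a factor of five, the figure the AGAINST side quotes, while requiring two engines to agree cuts it by two orders of magnitude at the cost of a few points of detection.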


THREAT OF THE MONTH:
AV hackers

What is it?
For years, the "cat-and-mouse game" has continued between malicious-code authors and security vendors. Recently, VeriSign iDefense scanned more than 3,000 new malicious codes to see whether Symantec Corp., McAfee Inc. and Kaspersky Labs could detect them or if these leading anti-virus programs are becoming ineffective against new minor variants of code in the wild today.

How does it work?
Hackers and attackers now regularly test new malicious codes against the top anti-virus engines to ensure that their creations are undetectable before releasing them in the wild. Hackers don't care whether or not new signatures are created the next day; they now have a new minor variant, undetected — ready for the next 24-hour period or less.

How can I prevent it?
Well-defended and large corporate networks should consider all different types of hacker techniques and rely on at least two different anti-virus solutions. The programs used should be effective at both the host layer and on the gateway layer. Using lesser-known but robust solutions (such as Kaspersky) helps lower the risk of attack by malicious code authors that author and test new codes against leading, or more popular, anti-virus products.

Ken Dunham, director of the iDefense Rapid Response Team, VeriSign
