Every few months we all go into a blind panic because some teenager has created a new bit of code that brings the world's email systems to a grinding halt. This week we have been updating our anti-virus software in an attempt to stop the spread of MyDoom but, if we all put our thinking heads on, we shouldn't have to go through this repeated process at all.
Anti-virus control is a big part of day-to-day management for most individuals. It is not a discipline that is restricted to business because we all know that it is the emails and instant messages that come to us in our homes as well as our offices that fuel these attacks. As a result, each individual desktop needs to be protected, creating a market of millions for anti-virus products.
Suppliers of such products need to maximise their opportunity, so we have a situation where the initial product purchase is relatively expensive (a per-copy price times several million copies results in a big profit) and then we may have to pay to get the updates we need. Automatic updating always comes at a premium, so we have to choose between manual downloading of virus signatures (easily forgotten) and paying for the service (more expensive).
The justification for this level of cost is the amount of work that the anti-virus solution provider has to put in to keep up with virus technology and to deal with new outbreaks such as this week's. My provider, for example, usually supplies a weekly update but in the last fortnight I have had four new signature downloads. Clearly, the research labs have been busy but the question that keeps coming into my mind is why they do it in the first place.
The answer seems to be very simple. Anti-virus suppliers like to give each new outbreak a name. From the user perspective, this would not seem to be an important aspect of virus control. Apart from the fact that giving them names endows the authors with some kind of credibility, I don't care what it is called. I just want my IT environment to spot that something untoward is happening and to deal with it appropriately.
This is where, I believe, the anti-virus suppliers have got it wrong. They insist that they have to look for specific instances of known attacks. Therefore we get a new file to download every time somebody thinks up a new one.
Surely, a better approach would be for me to take my clean system and create some kind of baseline. From this known state, I would like my anti-virus software to monitor incoming files, to spot the types of behaviour associated with virus attacks, and to flag modifications that affect my baseline. By seeking out behaviour patterns rather than specific instances, I shouldn't have the management problem of checking and downloading new solutions every day, and I shouldn't have to pay for ongoing maintenance in the same way.
Pie in the sky? Idealistic? There is stuff out there that works this way and when my anti-virus supplier next asks me for money to keep up the service ...
