Proactive IT Security
 

The pros and cons of updating virus detection files on availability

Security Information  Week 4, 2000

The high frequency of updates to antivirus packages - weekly or even more often - has come about partly as a result of user demand and partly from the antivirus industry's own assessment of the evolving danger. All producers of antivirus software stress the importance of updating virus detection files regularly in order to have the best possible protection from new viruses. 

This situation, however, carries its own risks. From time to time the distributed updates contain serious errors: occasionally a "Blue Screen Of Death", more often program crashes and other minor faults. In rare situations these errors create major problems for the organizations affected.

This has happened to Norman as well as to other major producers in the antivirus business. Anyone interested in more information about such mishaps can follow some of the threads in the newsgroup alt.comp.virus.

Why is this so?  Should customers be more cautious when downloading and distributing new virus detection files in the corporate network?

The explanation

The antivirus business is unique in the sense that new virus detection files - program updates - are distributed very often. Weekly updates are not unusual, and sometimes they come even more often. Occasionally these updates also carry new functionality, e.g. support for new virus techniques/types. An update frequency of this kind is unheard of in other parts of the software development business, where new versions/updates may be years apart.

Obviously this must have an impact on the time available for testing each new update. Although we at Norman do our utmost to test each new update thoroughly - as we are sure all our competitors also do - it is simply impossible to test programs that are distributed weekly as thoroughly as those distributed, say, once a year.

One other point to mention in this context is that, unlike most other software products, antivirus programs have to communicate closely with the operating system. This is especially true where real-time scanning is involved, a technique which is relied upon more and more. An error in that code can then be more serious than a simple program crash: it can bring down the operating system itself, as with the "Blue Screen Of Death" mentioned above. This is unfortunately unavoidable with today's technology.

The dilemma

When new versions of e.g. operating systems are released, some organizations have a strict policy of never upgrading until the first service pack is released. The reason is that one wants to be sure that the most obvious bugs in the first release version are removed before the new program version is introduced in the organization.

Should users of antivirus software do the same?

This approach is not very appealing with antivirus software. One may be protected against serious bugs in the update by waiting some time before installing the latest version. However, during that time one does not have the best possible protection against new viruses and other malicious programs, which is the whole reason for installing the update in the first place.

So what should one do?

The perfect solution

Unfortunately this does not exist.

The producers of antivirus software of course do their utmost to quality check the virus detection updates. Errors in these updates, like any error in a software program, are not good publicity. Therefore it is rare that the virus detection files published by antivirus companies contain errors with serious consequences. In most instances it is safe to install the latest files as soon as they are published.

However, for servers and applications that are critical to the organization, it is safer to hold back the update on those machines for some hours, until it has been tested internally on other, less critical computers.
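One way to put that advice into practice is a staged rollout: install a new detection file on a small group of canary machines first, check that they are still healthy after a soak period, and only then promote the update to ordinary workstations and finally to the crucial servers, rolling back the whole stage and stopping if anything breaks. The script below is an added example, not code from Norman or from this article; the host tiers, the version strings, the published hash and the health check are all constructed or simulated (the hypothetical "2000-W04b" set is made to crash NT4 hosts) so that it runs offline.

```python
"""Staged rollout of antivirus signature updates with a canary stage.

Added example (not Norman's code): hosts, versions, hashes and the health
check are all constructed/simulated so the script runs offline.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List

# Deployment order: canaries first, crucial servers last (assumed tiering).
STAGES = ["canary", "standard", "critical"]


@dataclass
class Host:
    name: str
    tier: str
    os: str
    sig_version: str
    healthy: bool = True
    previous_version: str = ""


@dataclass
class Update:
    version: str
    payload: bytes
    sha256: str  # digest assumed to be published next to the file


def verify_update(update: Update) -> bool:
    """Integrity check before anything is deployed: a corrupted or
    truncated download must never reach a host."""
    return hashlib.sha256(update.payload).hexdigest() == update.sha256


def apply_update(host: Host, update: Update,
                 health_check: Callable[[Host], bool]) -> bool:
    """Install the update on one host, then run the health check.
    In production the check runs after the soak window (the 'some hours'
    of the text); here it is evaluated immediately."""
    host.previous_version = host.sig_version
    host.sig_version = update.version
    host.healthy = health_check(host)
    return host.healthy


def rollback(host: Host) -> None:
    """Restore the previous signature set on a host."""
    host.sig_version = host.previous_version
    host.healthy = True


def staged_rollout(fleet: List[Host], update: Update,
                   health_check: Callable[[Host], bool]) -> Dict:
    """Deploy stage by stage; the first unhealthy stage is rolled back and
    every later stage (including the critical servers) is left untouched."""
    report: Dict = {"applied": [], "rolled_back": [], "untouched": [],
                    "aborted_at": None}
    if not verify_update(update):
        report["aborted_at"] = "verify"
        report["untouched"] = [h.name for h in fleet]
        return report
    for stage in STAGES:
        hosts = [h for h in fleet if h.tier == stage]
        failed = [h for h in hosts if not apply_update(h, update, health_check)]
        if failed:
            for h in hosts:  # roll back the whole failed stage
                rollback(h)
            report["rolled_back"] = [h.name for h in hosts]
            report["aborted_at"] = stage
            break
        report["applied"].extend(h.name for h in hosts)
    touched = set(report["applied"]) | set(report["rolled_back"])
    report["untouched"] = [h.name for h in fleet if h.name not in touched]
    return report


# --- constructed sample data (hypothetical versions and hosts) -----------
GOOD_PAYLOAD = b"constructed signature file 2000-W04"
BAD_PAYLOAD = b"constructed signature file 2000-W04b"
GOOD_UPDATE = Update("2000-W04", GOOD_PAYLOAD,
                     hashlib.sha256(GOOD_PAYLOAD).hexdigest())
BAD_UPDATE = Update("2000-W04b", BAD_PAYLOAD,
                    hashlib.sha256(BAD_PAYLOAD).hexdigest())


def make_fleet() -> List[Host]:
    """Fresh constructed fleet; each tier contains the OS variants in use."""
    return [
        Host("canary-nt4", "canary", "NT4", "2000-W03"),
        Host("canary-w98", "canary", "W98", "2000-W03"),
        Host("desk-1", "standard", "NT4", "2000-W03"),
        Host("desk-2", "standard", "W98", "2000-W03"),
        Host("fileserver-1", "critical", "NT4", "2000-W03"),
    ]


def simulated_health_check(host: Host) -> bool:
    """Stand-in for a real check (scanner service up, no crash dump, no
    event-log errors): the hypothetical 2000-W04b set crashes on NT4."""
    return not (host.sig_version == "2000-W04b" and host.os == "NT4")


if __name__ == "__main__":
    for upd in (GOOD_UPDATE, BAD_UPDATE):
        print(upd.version, staged_rollout(make_fleet(), upd,
                                          simulated_health_check))
```

The point of the canary tier is that it should contain every operating system and configuration the critical machines run, so that a detection file which only misbehaves on one platform is caught there; a canary group of identical, non-representative machines proves nothing about the file server.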

Norman has recently adopted a new policy acknowledging the fact that errors have occurred, and will occur again, in our updates of the virus detection files: if an error is discovered which is regarded as so serious that the files have to be replaced with new ones, we will inform all customers on our mailing list, and if the error is considered serious we will also publish information on the web site. We think that this is the best we can do to serve our customers as well as they are entitled to.

Per Olav Førland