Meaningless Anti-Virus Software Features Are Profitable

Tavis Ormandy, Google security expert, is getting press for criticizing Meaningless Antivirus Excellence Awards. This is a good opportunity to mention some thoughts I've had about anti-malware software.

I believe that enterprise security defense software (anti-virus, anti-malware, host-based firewall, etc.) should have these qualities:

  • Silent Updating: The software should update silently. It does not need to pop up a window to ask if the new antivirus blacklist should be downloaded and installed. That decision is made by system administrators centrally, not by the user.
  • Hidden from view: The user should be able to determine that the software is activated, but it doesn't need an animated spinning status ball, nor popup windows to announce that updates were done. Such gimmicks slow down the machine and annoy users.
  • Negligible performance impact: Anti-malware software can have a significant impact on the performance of the machine. Examining every block read from disk, or snooping every network packet received, can use a lot of CPU, RAM, and other resources. When selecting anti-malware software, benchmark various products to determine the resource impact.
  • Centralized Control: Security defense software should be configured and controlled from a central point. The user may be able to make some adjustments but not disable the software.
  • Centralized Reporting: There should be a central dashboard that reports the status of all machines. This might include what viruses have been detected, when the machine last received its antivirus policy update, and so on. Knowing when the machine last checked in is key to knowing if the software was disabled.

Obviously, "consumer" products can drop the last two requirements.

However, "consumer" products tend to violate the other items too! "Consumer" anti-malware products tend to be flashy and noisy. Why is this?

I have a theory.

Anti-malware software sold to the consumer needs to be visible enough so that the user feels like they're getting their money's worth. Imagine if the product ran silently, protecting the user flawlessly, only popping up once a year to ask the user to renew for the low, low price of $39.99? The company would go out of business. Nobody would renew, as it appears to have done nothing for the last 12 months.

Profitable anti-malware companies make sure their customers are constantly reminded that they're being protected. Each week their software pops up to say there is a new update downloaded and asks them to click "protect me" to activate it. Firewall products constantly ask them to acknowledge that a network attack has been defended, even if it was just an errant ping packet. Yes, the animated desktop tray icon consumes CPU bandwidth and drains laptop batteries, but that spinning 3D ball reassures the user and validates their purchase decision.

Would it have been less programming to simply do the update, drop the harmful packet, and not display any popups? Certainly. But it would have reduced brand recognition.

All of this works because there is an information deficit. Bruce Schneier's blog post, "A Security Marketplace for Lemons", explains that a typical consumer cannot judge the quality of a complex product such as security software and is therefore vulnerable to these shenanigans.

However, you are a system administrator with technical knowledge and experience. It is your job to evaluate the software and determine what works best for your organization. You know that it should rapidly update itself and be as unobtrusive to the users as possible. Whether or not you renew the software will be based on the actionable data made visible by the dashboard, not due to the excitement generated by spinning animations.

Posted by Tom Limoncelli in Security
