Allan Dyer
The AVAR conference featured a number of disagreements between participants, and this is a personal look at some of the issues raised. Despite the title, which derives from certain groups being called stupid or idiots, the discussions were all civilised and they often raised important points. As so often happens, Asian culture inhibited many people from participating, but their later feedback showed they appreciated the exchanges.
To name names, Vesselin Bontchev declared 97% of users to be idiots, and backed this up with statistics of people's reactions to being informed that their computer is infected. As it happened, W32/Goner.A@mm spread worldwide during the conference and, at the start of day two, I commented that this confirmed Vesselin's statistics: for such a simple worm, one that requires the user to actively participate in their own downfall, to be so successful, there must be a lot of idiots out there. Dennis Longley turned this around and said that we were the idiots for not protecting the users. The users pay us, the IT industry, to provide working, reliable systems, but the IT industry has failed to produce the security infrastructure to protect its own operations.
If 97% of users are idiots, then it is a waste of time and resources to educate them. However, education in various forms was a recurring theme of the conference. The Best Practice panel discussion raised the importance of user education and the banquet theme was "Anti-Virus Begins with Education". Between sessions, Randy Abrams showed a small group some of his materials for user training.
Jan Hruska's speech raised a controversial topic: the creation of new viruses by anti-virus researchers. Vesselin Bontchev is well known for his strong opposition to virus creation by anti-virus researchers, yet Jan and Vesselin reached an unexpected consensus. The issue was the handling of virus creation toolkits. Various virus writers or virus writing groups have released toolkits that make generation of new virus code as simple as point and click. The difficulty for the anti-virus developer is ensuring that their product can detect all possible viruses that could be generated from such a toolkit. A simplistic method would be to generate many viruses and design the anti-virus software to detect them. Vesselin contended that, apart from violating the taboo on virus creation, this approach was inadequate because there could be no guarantee that all possible forms were generated, so a variant the developer never happened to produce would go undetected. Instead, the developer should comprehensively analyse the toolkit and predict the possible results of the algorithm used. Jan agreed with this, but pointed out that the developer should run the kit to produce source code to test the detection algorithms derived. Vesselin agreed that it was permissible to generate the source code, and even to compile parts, so long as care was always taken to disable the self-replicating function so that self-replicating executable code was never produced.
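A toy illustration of the two approaches discussed above, added here as an example and not part of the original report or of any anti-virus product: a stand-in "kit" that assembles harmless text from a handful of options (so there is nothing executable or self-replicating in it), a detector built from exact signatures of whatever the kit happened to emit when run a number of times, and a detector derived from reading the kit's algorithm and describing its entire output space. The kit, its option lists and all function names are invented for this example.

```python
import itertools
import random
import re

# Toy stand-in for a point-and-click virus creation toolkit (constructed example).
# It assembles harmless text from a finite set of options; the point is only that
# its output space is finite and knowable to someone who reads the algorithm.
GREETINGS = ["hi", "hello", "hey", "yo", "greetings"]
SEPARATORS = ["-", "_", ".", ":"]
REPEATS = range(1, 7)        # the marker is repeated 1..6 times
MARKERS = ["x", "X"]


def toy_kit(greeting, sep, repeat, marker):
    """Produce one 'variant' from the chosen options."""
    return greeting + sep + marker * repeat + sep + "end"


def all_variants():
    """Enumerate the complete output space. This is only possible because we
    analysed the generator; a developer who merely runs it does not see this."""
    return [toy_kit(*opts)
            for opts in itertools.product(GREETINGS, SEPARATORS, REPEATS, MARKERS)]


# Approach 1 (the "generate many and detect them" method): run the kit n times
# and record an exact signature for each output that appeared.
def sample_signatures(n, seed=1):
    rng = random.Random(seed)
    sigs = set()
    for _ in range(n):
        opts = (rng.choice(GREETINGS), rng.choice(SEPARATORS),
                rng.choice(REPEATS), rng.choice(MARKERS))
        sigs.add(toy_kit(*opts))
    return sigs


def detect_by_signature(sample, sigs):
    return sample in sigs


# Approach 2 (analyse the toolkit): describe the whole language the generator
# can produce. The backreference \2 encodes the fact that the kit reuses the
# same separator on both sides, a detail learned from reading the algorithm.
DERIVED = re.compile(r"^(hi|hello|hey|yo|greetings)([-_.:])(x{1,6}|X{1,6})\2end$")


def detect_by_analysis(sample):
    return DERIVED.match(sample) is not None


def coverage(detector):
    """Fraction of the kit's full output space that a detector catches."""
    variants = all_variants()
    hits = sum(1 for v in variants if detector(v))
    return hits / len(variants)


if __name__ == "__main__":
    sigs = sample_signatures(40)
    print("variants the kit can produce:", len(all_variants()))
    print("coverage from 40 sampled signatures:",
          round(coverage(lambda v: detect_by_signature(v, sigs)), 3))
    print("coverage from analysing the kit:", coverage(detect_by_analysis))
    print("false positive on 'hello world'?", detect_by_analysis("hello world"))
```

With 40 runs the signature set can hold at most 40 of the 240 possible variants, so most of the kit's output space stays undetected however carefully each sample is handled; the detector derived from the algorithm covers all 240 and still rejects strings the kit cannot produce. Running the kit is still useful in the way Jan suggested, as a source of test cases for checking that the derived detector is right.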
It was also clear that there is tension between the anti-virus developers and the users. Representing a large body of users, AVIEN presented its wish list, including a working naming standard for viruses and alternative approaches to anti-virus, including behaviour blockers and a 'whitelist' product that would only allow approved programs to run. The list was criticised as unrealistic and self-contradictory. For example, behaviour blocking and integrity checking products have not been commercially successful (which is another measure of users' desires), and Windows XP already allows workstations to be locked down to run only approved software, but companies are not rushing to take advantage of this feature.
I think there is no One True Way of anti-virus, and we can all learn from these viewpoints to improve our strategies.