Thought I would ask you a question, to the last comment in your comments to the ISP's recommendations:
'DO update anti-virus applications from time to time
Yes, good, except, let's make that "as often as your anti-virus developer provides updates" - in many cases, this now means daily, or more frequently. OK, ISP, nice to see you making an effort. Try harder next year.'
What do you recommend to your customers if during the period they do not have the new signature available?
Nick Hawkings
MessageLabs
Thanks for the question, Nick - of course, when I'm contacted by a customer in an emergency, I respond with practical advice and help related to the specific virus: any tricks they can use to stop it spreading, what other dangers it presents that they need to protect against (e.g. if it opens a backdoor, which firewall ports should they block?), I might be able to get a virus definition file from the developer more quickly, and send it to them. When an incident happens, the first priority is to deal with it.
However, what can companies do in the planning of their information security? Anti-virus software is not guaranteed to detect all new viruses, and it may take hours or even days for new virus definitions to reach customers - how can companies reduce or eliminate this "detection gap"? Good general security, and good user education will help make the organisation less vulnerable to the latest virus. Outsourcing the problem can provide effective coverage - the large virus outbreaks in recent years have all been caused by email viruses, so getting an expert service to check all your email before it reaches you makes a lot of sense.
Of course, Nick, your company provides the most experienced and effective of such services. When email arrives at MessageLabs' Virus Control Centre, it is recursively unpacked and all executable content is scanned using three commercial anti-virus scanners (currently McAfee, F-Secure and VFind, but this is constantly evaluated to ensure the best detection). The centre checks the developers' sites for updates to the scanners every ten minutes. Additionally, the messages are checked by Skeptic, MessageLabs' own heuristic (rule-based) scanner, which is optimised for email. Skeptic successfully stopped fast-spreading email viruses, including VBS/LoveLetter and more recently W32/Yaha.K@mm and the Avril Lavigne worm, W32/Lirva.a@MM, in some cases hours before the traditional anti-virus developers had detection ready.
The key is to implement defence in depth.
Allan Dyer