I'm Protected. Right?, an essay by Dr. Richard Ford

I'm Protected. Right?

Originally published at AntiVirus Online.

A funny thing happened to me this weekend. While out shopping with my wife, Sarah, we stopped for some lunch and to pick up some bits and pieces from a well-known office supply store. It was in this store where I received a timely and important reminder about the way many people end up choosing their anti-virus software.

Wandering down the aisles, I decided to sneak out of the filing-things section of the store and investigate the computer software section in the vague hope that I could find something to buy. This is where I met the computer sales assistant, whom I shall refer to as "Bill" for the remainder of this article. Bill was a salesperson at our unnamed store; his job was to assist customers who wanted to buy computer hardware or software. In many ways, Bill's knowledge of computers was his job.

"Hey, man," he said, pointing to my T-shirt, "do you know about that virus stuff?" Momentarily confused, I looked down to see what I could possibly be wearing that would give away my profession so clearly, and discovered I had spent the morning as a walking advertisement for an anti-virus product. With a certain amount of trepidation I confirmed that, yes, I did know something about viruses.

Dwelling in darkness

We then spent the next 10 minutes or so in conversation about viruses. During this conversation, Bill asked some questions, and told me a little he knew about viruses. First, he wanted to know where viruses came from, and was surprised to learn that they were deliberately written by people. Then he told me about a virus he had heard of that "puts all your RAM on your Hard Drive, until it overheats and blows up." I explained why this wasn't possible, and we moved on to the next myth.

After a few minutes of discussion and storytelling along the lines of "I know a virus which did..." Bill made a statement which shed a great deal of light on a very important issue for anyone involved in protecting computers from viruses. It's very important, so I am going to put it on a line all by itself:

"I got some anti-virus software, so I'm protected, right?"

I must admit to being a little surprised by this comment; at security trade shows I attend, the most common question is which product is best. Not for Bill though; to him, the expert in this shop, all one had to do was to buy and install any anti-virus product. Then, just like it says on the box, you are protected from all viruses: past, present, and future. How old was Bill's product? A year, maybe 18 months. But to Bill, this was enough protection. You see, he had bought and faithfully used anti-virus software. He was safe.

We talked some more about this, and I began to explain to him that anti-virus software needs to be updated. New viruses come out all the time, and as a product sits on a shelf, it's ability to protect you tends to go slowly down. While some vendors claim that their solution requires no updating, every now and then a virus appears which breaks what we tend to think of as the rules, and everyone has to scurry to cope with the change. A good example of such a virus would be Concept, the first Word macro virus: suddenly, the rules changed. When I asked Bill if his software protect him from macro viruses, he said no. In fact, his shock that a document could be infected was, well, shocking.

Bill wasn't stupid. Indeed, in many ways, I am absolutely sure he knew a lot more about computers than I do. But he was still there happily selling protection which was woefully out of date, happily propagating myths about virus protection, and happily believing that he was safe because of the precautions he had taken. He wasn't.

Enlightenment

Currently, a lot of research and work are conducted on how to test anti-virus software, as well as how to choose the best type of protection for yourself. Plenty of erudite works on threat tracking and testing criteria have been published. ITSEC, TCSEC, Rainbow Book, Checkmark, and the NCSA Certification Mark are a few examples. Well, there are more acronyms than YCSASA (you can shake a stick at). However, for most users, all of this is completely irrelevant. If it says it "stops viruses""on the package, than it does, right? All those awards can't be wrong, can they? The smiling salesperson said it would protect the computer. So, it does!

Sadly, that's not true. As every vendor will be happy to tell you, all anti-virus software is not created equal. Sometimes, the trade-offs are very subtle indeed (maybe product x does a slightly more elegant repair of some arcane field in the NE file header); but in other cases the differences can be downright basic: some products are of little or no use preventing certain types of viruses. Some can be downright harmful to your productivity. Some I wouldn't even recommend to my worst enemy.

Unfortunately, you can't tell the good from the bad products just by looking, and, as I discovered on this trip to the store, no matter how well-intentioned the salesperson (and remember, you're likely to trust him because he's the expert), his advice may be completely wrong. In fact, unless you have been keeping up with what's really a very fast-moving field, your ideas about what's a good product may be wrong too!

Now, I hope that I've made it clear that I'm not criticizing Bill. He had many, many different products to look after, and he couldn't be expected to know them all well. He was certainly helpful and his overall computing knowledge was sound. But had I listened to him, I would be running an ancient product on my computer, and very possibly wondering why the word "wazzu" kept appearing in my Word documents. Put bluntly, had I not known about viruses myself, I would not be protected. Just like Bill, I would think I was safe.