Computer viruses. Who needs them?
There is an intellectual debate brewing in the IT industry, the outcome of which could be critical to the future of the virus and anti-virus industry. Quite frankly, out of choice, who wants a future for the virus and anti-virus business?
This is not a debate for virus ‘experts’. Rather, it is one for senior IT and financial management who are capable of understanding the business and technical issues that have been holding our industry to ransom for so many years. The innocent party of computer users is funding the virus/anti-virus business.
There is a very real opportunity at hand to put an end to this most counter-productive computer software and the UK IT industry desperately needs your support and directive.
In order to participate in and contribute to the destruction of this low-life industry, we need to come to terms with the real virus issues and their function, as well as the associated costs.
First of all, we need to remove the fear factor that underwrites the success of the anti-virus business. All the viruses we see on computers are very careful not to cause damage. This allows them to propagate without detection. Very few viruses have a damaging payload. The safer the virus, the more likely you are to see it.
Most importantly, we have to understand that viruses are programs just like any other computer programs we run. The only difference is that their function is to attach themselves to these legitimate programs. There is absolutely nothing mystical about virus code ‘shareware’. There is nothing extraordinary about being able to detect virus presence. Just like their host DOS PCs, viruses are child’s play.
Virus writers’ kicks
How do virus writers get their kicks? Virus writers are in competition with anti-virus writers. The IT industry is merely footing the bill. And a huge bill it is.
If the viruses we have in the wild are careful about not causing damage, why is so much damage actually caused? Using current scanning technology, a virus is seldom detected in a system on the day it is introduced. We will generally discover a totally infected network when we receive our update at some stage after the infection (maybe twelve months later).
Now and only now are we going to discover how good our anti-virus or disaster recovery programs and methods are. Panic, misinformation and the extremely poor repair capability of anti-virus products we currently use are now going to combine to bring about a potentially disastrous situation.
In more than 90% of instances you would have been better off with the virus!
Today, as we move away from standard DOS machines into a cocktail of operating systems running on all sorts of PCs, anti-virus software as we know it is becoming even less relevant. For example, most boot infecting viruses will stop a Windows NT machine from booting when infected. We do not need an anti-virus to tell us we have just been infected. What we do need is the best hard disk recovery utility we can lay our hands on. We certainly are not going to give the virus to anyone else, which is a good thing.
There are only two options when dealing with viruses. The first produces no end to the problem. It relies on chasing virus writers all over the world for the rest of our computing days. This method is based on scanning from a database of known virus strings looking for the existence of the string. Since all new viruses have a propagation period of between six and 12 months before detection, this method is generally eight months out of date as soon as the software package or update leaves the supplier.
We are lured into a false sense of security. All anti-virus products are based on this philosophy. They come as disk-scanners, memory scanners (TSR and VXD programs), network scanners and even Internet traffic scanners (NLMs). Some companies have the lot. They even have different versions for every operating system type and cough up large amounts of money for updates every month. In the meantime, if they have an active stealth file infecting virus (even one that the scanner knows about), there is a good chance they are not going to know about it anyway. This is how viruses propagate.
These methods represent an immature approach to the problem that costs UK companies around £1.2bn per annum. A company with 1,000 PCs is generally spending around £50,000 a year on virus defence. On average they will find four harmless boot infectors per year. Average cost per anti-boot infector found is around £12,500. Personally I wouldn’t give you 5p for a lousy anti-boot infector.
The second, new alternative is based on generics and addresses all the shortcomings of the old philosophy. For the first time, it puts the IT industry ahead of the virus writers and caters for all virus types. Generic techniques include integrity checking, hard disk disaster recovery, piggy-backing detection, inverse piggy-backing, memory stealing detection, correlation, memory probe and sampling and generic macro virus detection and repair.
In general, generics use the virus to disclose its own presence and assist in its own destruction.
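An added example, not part of the original article and not any vendor's product: a minimal Python comparison of scanning for known strings with integrity checking, one of the generic techniques listed above. The file names, file contents and the single signature are constructed, and the use of SHA-256 digests for the baseline is an assumption of this sketch.

```python
import hashlib

# Constructed signature database: the only string this scanner knows about.
SIGNATURES = {"Constructed.Known.A": b"KNOWN-A-MARKER"}

# Constructed file contents held in memory (path -> bytes); no real samples.
CLEAN = {
    "APP1.EXE": b"MZ" + b"\x90" * 32,
    "APP2.EXE": b"MZ" + b"\x41" * 32,
    "TOOL.COM": b"\xe9\x00\x00" + b"\x42" * 16,
}
# Later state: APP1 carries a known string, APP2 carries bytes that are in
# no database, TOOL.COM is unchanged, and a new file has appeared.
LATER = {
    "APP1.EXE": CLEAN["APP1.EXE"] + b"KNOWN-A-MARKER",
    "APP2.EXE": CLEAN["APP2.EXE"] + b"bytes-not-in-any-database",
    "TOOL.COM": CLEAN["TOOL.COM"],
    "NEW.COM": b"\xe9\x10\x00" + b"\x43" * 8,
}

def signature_scan(files, signatures=SIGNATURES):
    """String scanning: report files that contain a known byte string."""
    return {path: name
            for path, data in files.items()
            for name, pattern in signatures.items()
            if pattern in data}

def take_baseline(files):
    """Integrity checking, step 1: record a SHA-256 digest per file."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in files.items()}

def integrity_check(baseline, files):
    """Step 2: report every file that differs from the recorded baseline."""
    findings = []
    for path in sorted(set(baseline) | set(files)):
        if path not in files:
            findings.append((path, "missing"))
        elif path not in baseline:
            findings.append((path, "new"))
        elif hashlib.sha256(files[path]).hexdigest() != baseline[path]:
            findings.append((path, "modified"))
    return findings

if __name__ == "__main__":
    baseline = take_baseline(CLEAN)
    print("string scan :", signature_scan(LATER))
    print("integrity   :", integrity_check(baseline, LATER))
```

The integrity check reports a change, not its cause: a legitimate software update produces the same "modified" finding. The baseline has to be taken on a known-clean system and stored where the checked machine cannot alter it.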
Corporations gain tremendous financial benefits moving to generic virus defence. On average there is a pay-back within six months, without including the real time and cost savings in a disaster recovery situation.
Generic products remove the need for costly monthly updates; they do not consume computer resource and do not intrude on productive computer operations. It is one product that is universal across all operating systems and network types relevant to PCs.
And some useful advice for anyone who feels the need to continue using scanning anti-virus products – don’t run them on your computers.
Richard Macmillan is the managing director of Second Sight UK, a distributor of anti-virus software.