Abstinence-Based Virus Security
Monday, March 13, 2006
Keywords: Technology
As reported by C|Net and Slashdot, a recent goof in the virus definitions for McAfee anti-virus resulted in a massive number of false positives and the quarantine or deletion of critical files used by software such as Microsoft Excel, Java, GTK-based applications, Sendmail, et al.
This gaffe neatly illustrates one of the problems with anti-virus software and one of the reasons why, for the past decade, I have not used one (and except for the one time when I accidentally executed a virus that I was examining, I have remained infection-free while using Windows). Ultimately, the key to computer security is user education and continuing to update software as security holes are patched up--and yes, Linux/UNIX need security patches too. These solutions are neither easy nor perfect, and as such, it makes perfect sense to have a safety-net solution in the form of anti-virus software.
While this safety-net concept makes sense and is a good idea on paper, it suffers in execution. First, there are many who eschew user education in favor of relying on anti-virus, which is certainly understandable given the difficulty of educating the average computer user. Of course, this would not be such a problem if anti-virus were effective, but it often is not. Anti-virus is ultimately a reactive tool. New viruses and worms are initially unhampered by anti-virus tools because virus definitions are updated to cope with a new virus only after that virus has been discovered and examined. While this works for most people, for those who are hit by a virus before their software's virus definitions are updated (and before they download and install the new definitions), this is akin to building flood levees after the flood has already hit.

Furthermore, well-written viruses and malware can often disable anti-virus software, and viral mutations require that anti-virus software receive frequent updates (which not all users install).

Finally, anti-virus software often carries undesirable side effects. While events of the magnitude of the recent McAfee goof are rare, stability and software compatibility issues are quite common (although this applies to anti-virus in general, it is especially true of Norton AntiVirus); ever wondered why some software requires that anti-virus be disabled during installation? In addition, there is a noticeable crimp on system performance as anti-virus software scans files as they are loaded into memory and as it performs its routine drive scans. The ironic end result of these side effects is that anti-virus software can sometimes cause more problems than it solves.
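The two failure modes argued above, a definition update that is too broad (flagging benign files, as in the McAfee incident) and a trivially mutated sample that an exact signature misses, can be shown with a toy substring-matching scanner. This is an added illustration, not code from the post or from any anti-virus product; every "file", pattern and signature name in it is constructed.

```python
"""Toy signature scanner illustrating two weaknesses of reactive,
signature-based anti-virus: over-broad definitions cause false positives,
and a small byte-level mutation of a known sample evades an exact match.
Nothing here is real malware; all samples and patterns are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str       # constructed detection name
    pattern: bytes  # byte sequence that must appear in the scanned file


# Constructed "files": a known bad sample, a mutated copy, and benign files.
KNOWN_BAD = b"MZ\x90\x00" + b"EVIL_PAYLOAD_v1" + b"\x00" * 8
MUTATED_BAD = KNOWN_BAD.replace(b"_v1", b"_v2")  # trivial variant
BENIGN_FILES = {
    "excel_addin.dll": b"MZ\x90\x00" + b"Microsoft Excel addin" + b"\x00" * 8,
    "libgtk.dll": b"MZ\x90\x00" + b"GTK+ runtime" + b"\x00" * 8,
}


def scan(files, signatures):
    """Return {filename: [names of signatures whose pattern occurs in it]}."""
    return {name: [s.name for s in signatures if s.pattern in data]
            for name, data in files.items()}


def good_definitions():
    """A definition that matches only the known sample."""
    return [Signature("EvilPayload.A", b"EVIL_PAYLOAD_v1")]


def overbroad_definitions():
    """Constructed stand-in for a sloppy definition update: the pattern is
    just the generic executable header, so every PE-like file matches."""
    return [Signature("EvilPayload.A", b"MZ\x90\x00")]


def false_positives(files, signatures):
    """Sorted names of benign files that any signature flags."""
    return sorted(n for n, hits in scan(files, signatures).items() if hits)


def evaded(signatures):
    """True when the mutated variant slips past the given signatures."""
    return scan({"mutated": MUTATED_BAD}, signatures)["mutated"] == []
```

Running the checks in the docstrings shows the good definition catches the known sample but not the mutated one, while the over-broad definition quarantines every benign file.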
