Ironclad Antivirus Protection?


By Alex Salkever

In the world of high technology, blanket performance guarantees are rare. In the subsector of Internet security, a 100% guarantee is unheard of. Even the most adept network-security engineers concede that diabolically clever hackers bent on mischief can get through. And no other sector labors under attacks from a steady stream of rapidly evolving digital pathogens and automated probe tools searching for holes in network defenses.

That's why a 100% guarantee from virus watcher MessageLabs is so shocking. The British company swears that not a single virus will ever get through its complex web of scanning software. Not just known viruses, either. MessageLabs boasts it can also handle viruses yet to evolve and emerge. Should the service fail, customers get their monthly premium refunded. Among the customers that have been attracted by the guarantee are publishing giant Conde Nast and the Bank of England. MessageLabs is now making a big push to nab customers Stateside.

True, a month's fee isn't much payback considering how fast a rapidly spreading virus can bring down corporate computer networks -- and the amount of damage that could be done. Witness the chaos caused in the spring of 2000 by the famed LoveBug virus, which clogged up mail servers around the globe and caused anywhere from hundreds of millions to billions of dollars in damage. Still, no other antivirus company will make a no-fault guarantee. Is it foolhardy, gutsy, or both?

SCRUBBED WITH SCANNERS. To find out, I spoke to the company's chief technology officer, Mark Sunner, about MessageLabs' technology. I admit, it sounded pretty nifty. The antivirus effort started about three years ago at MessageLabs' British parent, Internet service provider Star Technology. According to Sunner, Star announced it would use antivirus software to scan all messages passing through its mail servers. "It was a marketing idea, but as soon as it started growing, we realized we had stumbled into something," he recalls.

The idea was prescient. Today, most ISPs and all corporations scrub e-mail through antivirus scanners. The biggest Internet mail providers, such as Yahoo!, also use antivirus programs to screen attachments to prevent users from downloading digital demons. According to Sunner, the company began to win business away from other ISPs even though Star's fees were higher. As the number of messages MessageLabs processed rose, the number of incoming viruses soared. Some viruses evaded the off-the-shelf antivirus software the company was using. "We learned quickly that at any point a single product can fail," says Sunner.

Over time, it found that, as a general rule, any single virus-protection software program allows approximately 3% of viruses to get through. That sounds like a good track record until you consider that 100% of a system can be attacked "and then you've got a big problem," says Sunner.

BUILDING A BACKUP. MessageLabs tried cycling mail through a succession of different off-the-shelf scanners from F-Secure, Network Associates, and other companies to benchmark results. Due to subtle variations in antivirus software packages, viruses that get snared by one software system might evade another, Sunner explains. The company benchmarked six antivirus programs before settling on three and started processing e-mail through multiple filters.

Over time, MessageLabs' staff pored through logs of which viruses evaded which filters. They built a backstop they claimed could prevent intrusions by unknown viruses that the major antivirus vendors might miss. Dubbed Skeptic, this proprietary software relies less on known virus "signatures" and more on a logical analysis of the text and code cargo of e-mail messages. Does the piece of mail have a strange date field? Check. Does the mail have a seemingly random heading? Check. "Enough checks, and it goes from mail to viral," explains Sunner, who claims Skeptic stops one or two viruses each week that penetrate off-the-shelf antivirus software packages.
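The cumulative-check idea Sunner describes, sketched as an added illustration (not Skeptic's code, which the article does not show): each anomaly counts toward a total, and mail is quarantined only once enough checks fire. The threshold, the script-attachment check, the extension list and the sample messages are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

THRESHOLD = 2  # assumed: checks that must fire before mail is quarantined
SCRIPT_EXTS = (".vbs", ".js", ".exe", ".scr", ".pif")  # assumed list
NOW = datetime(2001, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
# Constructed sample messages (not real traffic).
CLEAN = "Date: Fri, 01 Jun 2001 09:00:00 +0000\nSubject: Quarterly budget review\n\nSee you at ten.\n"
ODD_DATE_ONLY = "Date: Thu, 01 Jan 1970 00:00:00 +0000\nSubject: Lunch on Friday?\n\nNoon works.\n"
SUSPECT = ("Subject: xk2qvz9wjr7tpl4m\n"
           'Content-Disposition: attachment; filename="notes.txt.vbs"\n\n'
           "placeholder body\n")

def strange_date(msg, now):
    """Date header missing, unparseable, or more than a week from 'now'."""
    raw = msg["Date"]
    if not raw:
        return True
    try:
        sent = parsedate_to_datetime(raw)
    except (TypeError, ValueError):
        return True
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    return abs(now - sent) > timedelta(days=7)

def random_heading(msg):
    """Subject is one long token mixing digits with vowel-poor letters."""
    s = (msg["Subject"] or "").strip()
    if len(s) < 8 or " " in s:
        return False
    letters = [c for c in s.lower() if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    return any(c.isdigit() for c in s) and (not letters or vowels / len(letters) < 0.25)

def script_attachment(msg):
    """Any part whose filename hides a script type behind a double extension."""
    names = [(part.get_filename() or "").lower() for part in msg.walk()]
    return any(n.endswith(SCRIPT_EXTS) and n.count(".") >= 2 for n in names)

def score(raw, now=NOW):
    """Return (verdict, names of the checks that fired) for one raw message."""
    msg = message_from_string(raw)
    checks = (("strange-date", strange_date(msg, now)),
              ("random-heading", random_heading(msg)),
              ("script-attachment", script_attachment(msg)))
    fired = [name for name, hit in checks if hit]
    return ("quarantine" if len(fired) >= THRESHOLD else "deliver"), fired

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("odd date", ODD_DATE_ONLY), ("suspect", SUSPECT)):
        print(label, score(raw))
```

A single anomaly, such as the odd date alone, is delivered; only the accumulation of checks tips a message over the threshold.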

That's a pretty bold claim, but not as bold as this one: Since the company launched its multilayered scanning system backed up by Skeptic, it has yet to let through a virus, declares Sunner. And it won't fail in the future, regardless of what new evils the Web throws at MessageLabs, he insists.

BOUND TO FAIL? "This is a case of putting our money where our mouth is rather than trying to make a really brash statement," he says. As proof, Sunner points to Skeptic's performance against the LoveBug. "Not a single one got through to our customers. We were hours ahead of any other antivirus company," he crows.

Antivirus experts say MessageLabs' system is bound to fail eventually. David Hewitt, principal of tech consultancy Hewitt Research in Britain, says MessageLabs' guarantee will be impossible to maintain. Others are just as, well, skeptical. "When you talk about 100% protection against all unknown virus types, that's an impossible claim," asserts Vincent Weafer, the director of Symantec's Antivirus Research Center. "We've seen viruses evolve with technology and exploit new vulnerabilities."

Weafer compares MessageLabs' claim to keeping an effective burglar-alarm system on a house that's constantly under construction. He further points out that Skeptic might have trouble with exotic encrypted viruses, which remain inscrutable in transit and reveal their fangs only when they hit the desktop. For that reason, maintaining antivirus filters on company computers and on mail gateway servers should remain a priority for enterprises. Sunner agrees and urges MessageLabs customers to maintain multiple levels of virus protection.

PROTECTED BACKBONE. What MessageLabs is offering makes a lot of sense. Few companies run mail through multiple antivirus programs, a process that could further stress overtaxed IT staffs already struggling under a massive load of software patch updates and maintenance. Additional filtering can only be a good thing, considering the gaps in any one antivirus program.

Antivirus protection at the network backbone level seems a natural, as the Internet is rapidly evolving toward incorporating these types of vigilance at every layer. As for Skeptic itself, it may be a great piece of software, but I doubt it will stop all viruses into the future. Don't buy the service for the guarantee -- buy it for the concept and ask for customer references to check it out yourself.

Salkever covers computer security issues twice a month in his Security Net column, only on BW Online.

