Title inspired by ‘Fear Factory’
If you successfully preached the necessity of antivirus to your boss, organization or customers and happened to suggest a BitDefender deployment, the last few days were probably not very enjoyable. As reported by, for example, PC World in “Bad BitDefender Update Clobbers Windows PCs”, the update files from 20 March caused problems with legitimate files (a false positive detection) on 64-bit Windows systems. As you would expect, a public outrage followed and BitDefender took some serious heat from its customers. Some of it was probably deserved, as you would expect this to be one of the most scrutinized areas during quality and release testing, but let’s step back a second and think again.
25. April 2005 – Trend Micro Antivirus Update Slows PCs
30. July 2006 – Faulty Update Stymies Norton Users
12. November 2008 – AVG bug leaves Windows unbootable
9. July 2009 – CA antivirus trashing Windows system files
Looking at news reports from the last few years, we notice that most of the major antivirus vendors have struggled with similar issues, so it shouldn’t be a big surprise if this happens again at some point. It seems the solid job antivirus vendors do with their release management has become a bit of a disadvantage: customers get too comfortable with the update reliability and stop perceiving pattern updates as a risk factor. This is understandable considering the low rate of occurrence and the workload proper pattern testing would incur, but it does not mean that the pattern release process should be neglected entirely.

Without any statistical data to prove my assumption, I would assume that most environments out there do not need the latest and greatest pattern updates on their endpoints right away. An organization’s antivirus pattern update policy might be as simple as following the principle “let the others go first and see if they survive”: instead of actively testing daily pattern updates (yeah, right), simply deferring the deployment by 24 hours should sort out most of the false positive issues, the idea being that a pattern which trashes systems elsewhere is reported and withdrawn by the vendor before it ever reaches your endpoints. A basic policy might dictate downloading pattern updates from the vendor every day at 11am, not making them available to the endpoints before 8am the next morning, and limiting the update period to 2 hours. The deferral does extend the exposure window for new malware by the same amount, so to be flexible enough to cope with outbreaks a separate process should be defined to ensure the endpoints can be forced to immediately call in and acquire an updated pattern file.
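As an added illustration (not from the original post and not vendor code), the following Python sketch implements the staging gate described above: a soak period between fetching a release from the vendor and offering it to endpoints, a two-hour daily window in which endpoints may pull, a withdrawn list for releases that turned out to be bad during the soak, and an outbreak override that bypasses both. The version strings, the sample mirror contents and all function names are constructed for the example; a real deployment would drive this from the vendor’s management console or the internal update server rather than a script.

```python
"""Staging gate for antivirus pattern updates (added example, not vendor code).
The internal mirror fetches every vendor release as it appears; the gate decides
which release an endpoint may pull when it checks in.  Naive local timestamps."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Iterable, Optional

MIN_SOAK = timedelta(hours=21)   # fetched at 11:00 -> offered from 08:00 next day at the earliest
WINDOW_START = time(8, 0)        # endpoints pull new patterns only inside this window ...
WINDOW_END = time(10, 0)         # ... which closes after two hours


@dataclass(frozen=True)
class PatternRelease:
    version: str          # vendor pattern version string (constructed values below)
    fetched_at: datetime  # when the internal mirror downloaded it from the vendor


def in_release_window(now: datetime) -> bool:
    """True while endpoints are allowed to pull new patterns."""
    return WINDOW_START <= now.time() < WINDOW_END


def earliest_publish(release: PatternRelease) -> datetime:
    """First window start at or after the end of the soak period.
    Releases are only offered from the start of a window, so a soak that ends
    mid-window waits for the next day's window."""
    soak_ends = release.fetched_at + MIN_SOAK
    candidate = datetime.combine(soak_ends.date(), WINDOW_START)
    if candidate < soak_ends:
        candidate += timedelta(days=1)
    return candidate


def version_for_endpoint(releases: Iterable[PatternRelease], now: datetime,
                         withdrawn: frozenset = frozenset(),
                         outbreak_override: Optional[str] = None) -> Optional[str]:
    """Pattern version an endpoint checking in at `now` may download, or None.
    None means "keep what you have": the window is closed or nothing has finished
    its soak.  Versions in `withdrawn` (pulled after false positive reports during
    the soak) are never offered.  `outbreak_override` names a version that must go
    out immediately, ignoring soak and window."""
    usable = [r for r in releases if r.version not in withdrawn]
    if outbreak_override is not None:
        forced = [r for r in usable if r.version == outbreak_override]
        if not forced:
            raise ValueError(f"override {outbreak_override!r} not on mirror or withdrawn")
        return forced[0].version
    if not in_release_window(now):
        return None
    ready = [r for r in usable if earliest_publish(r) <= now]
    if not ready:
        return None
    # Newest release that has finished its soak; older ones are superseded.
    return max(ready, key=lambda r: r.fetched_at).version


# Constructed sample: one vendor release fetched per day at 11:00.  Version strings
# are invented; the release of the 20th stands in for a pattern that flags legitimate files.
MIRROR = [
    PatternRelease("v1001", datetime(2010, 3, 19, 11, 0)),
    PatternRelease("v1002", datetime(2010, 3, 20, 11, 0)),
    PatternRelease("v1003", datetime(2010, 3, 21, 11, 0)),
]


def demo() -> dict:
    """Run the sample mirror through the gate at a few check-in times."""
    morning = datetime(2010, 3, 21, 8, 30)   # inside the window
    noon = datetime(2010, 3, 21, 12, 0)      # outside the window
    bad = frozenset({"v1002"})               # withdrawn after false positive reports
    return {
        # Plain 24h deferral: the release of the 20th goes out on the morning of the 21st.
        "morning_no_withdrawal": version_for_endpoint(MIRROR, morning),
        # Same morning, but the bad release was pulled during its soak: endpoints
        # stay on the release of the 19th and never see the faulty one.
        "morning_v1002_withdrawn": version_for_endpoint(MIRROR, morning, bad),
        # Outside the window nothing new is offered.
        "noon_outside_window": version_for_endpoint(MIRROR, noon, bad),
        # Outbreak: the newest release is pushed at once, soak and window ignored.
        "noon_outbreak_override": version_for_endpoint(MIRROR, noon, bad,
                                                       outbreak_override="v1003"),
    }


if __name__ == "__main__":
    for scenario, version in demo().items():
        print(f"{scenario:26s} -> {version}")
```

The withdrawn set is what makes the deferral pay off: it is populated during the soak from vendor notices or monitoring, and a release that lands there is skipped entirely rather than merely delayed. The override path deliberately ignores the withdrawn check only for the version it names, so an emergency push cannot accidentally resurrect a pattern already known to be bad.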
Antivirus has a reputation for being a boring operational function rather than the most exciting security technology to play with, so IT and security staff tend to treat it in a set-and-forget way. As long as the planning and design were done properly and the basics, including a sane pattern staging policy, are covered, this should be fine and ultimately leaves more time to play with innovative technologies.