From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Newsgroups: comp.virus
Subject: re: The Shape of the World (PC)
Message-ID: <0002.9105162013.AA02886@ubu.cert.sei.cmu.edu>
Date: 15 May 91 21:12:49 GMT
Sender: Virus Discussion List
Lines: 78
Approved: krvw@sei.cmu.edu

>From: microsoft!c-rossgr@uunet.uu.net

>Remember that we can't even get the user community (the folks who
>spend their hard earned money to buy my products!) to make backups to
>protect themselves.

Partly our fault: we have never taught good hygiene to people. I generally back up my data files as they are created. Since my program disk is fixed, it is backed up as part of my weekly defrag.

True, most people who have not had losses do not understand backing up - one reason why we are looking at things like Bernoulli Transportables as part of our weekly maintenance and CD-ROMs for standardised software, and have an annual computer security briefing that emphasizes such things as backups & how to recognize unusual behaviour.

>Maximal Protection! That's what the market seems to clamour for.

Because part of the education we have failed to provide is what the risks really are. My opinion is that a good regimen (screening & briefings) plus an integrity routine that will detect anomalies is what the general population needs. Detecting intrusion immediately reduces risks to the point that even quarterly updates (as a scanner would require) cannot be justified. A limited number of scanners for the techs and administrators are justifiable both from a maintenance and a training standpoint.

For large corporations, the cost of a site license can be lost in the noise compared to the cost of trying to administer several thousand updates (5000 PCs x 10 minutes per update x 4 times per year = 1 2/3 man-years, not to mention the distribution nightmare). Much easier to take a one-time installation hit plus automatic installation at the warehouse as part of the distribution process.

>And the marketing dudes I work with closely at Microcom tell me what
>we can lose a site license because of and where our strong points are:

So be the first to offer BIOS level checking & authenticated paths as part of the boot process.

>So, when one of our competitors says "Yes, but do you want to risk
>even the slightest chance of getting infected with this virus if it
>escapes into the wild.", my marketing can respond "Ha! We already
>protect you against that nasty virus!".

How about "There are only x ways a virus can get into a system. If it is a virus we have seen, we will identify it. If it is something else, we will detect the change and warn the user immediately. Nothing can identify an unknown virus, but its activity can be detected."

Of course the biggest problem is elimination of false positives, but a dollop of AI should permit the program to learn who is permitted to do odd things. In my experience, most corporate environments are stable enough to make the learning period short. In the last year we installed such a package on many thousands of PCs with nearly every known program and every OS from DOS 2.x to beta versions of DOS 5, and the major problems (development machines, Zeniths writing to boot sectors, word processor quirks) were annoying but relatively easy to solve. Today, when a user gets a warning screen, it is usually a virus or other "anomaly" that we needed to know about anyway.

As far as what the user wants, quantum economics applies. There are certain things that are automatic disqualifiers: noticeably degraded performance, insufficient free memory to run programs, excessive false alarms, failure to detect well known viruses. Only once these step functions are satisfied will relative merits/demerits such as cost (no. 1), ease of installation, documentation, & support come into play on a linear decision basis.

Today, the sheer diversity of anti-viral products demonstrates that, as in pointing devices and user interfaces, the One True Answer has yet to be found.

Warmly,
Padgett

everything herein my own opinion & may or may not have any relation to reality
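The "detect the change and warn the user" integrity routine with a short learning period that the post argues for, as an added example (not code from the post or from any product it mentions): a Python baseline checker over a constructed in-memory snapshot standing in for a disk. A path that changes on several consecutive learning runs becomes exempt (the data files that are expected to change), while paths under the constructed program-area prefixes in PROTECTED_PREFIXES are never learned as normal, so a change there always warns; the class and prefix names are assumptions.

```python
import hashlib

# Constructed program-area prefixes: changes here are never learned as "normal".
PROTECTED_PREFIXES = ("C:\\DOS\\", "C:\\BIN\\")


def fingerprint(files):
    """Hash every file in a {path: bytes} snapshot (constructed stand-in for a disk)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def is_protected(path):
    return path.upper().startswith(PROTECTED_PREFIXES)


class IntegrityMonitor:
    """Compares a snapshot to a baseline; learns which paths legitimately change."""

    def __init__(self, files, learning_runs=3):
        self.baseline = fingerprint(files)
        self.learning_runs = learning_runs  # changing runs before a path is exempted
        self.change_count = {}              # path -> runs in which it changed while learning
        self.exempt = set()

    def check(self, files, learning=False):
        """Return [(kind, path)] alerts; kinds are 'added', 'removed', 'modified'."""
        current = fingerprint(files)
        alerts = []
        for path in sorted(set(self.baseline) | set(current)):
            if self.baseline.get(path) == current.get(path):
                continue
            kind = ("added" if path not in self.baseline else
                    "removed" if path not in current else "modified")
            if path in self.exempt or (learning and not is_protected(path)):
                if path not in self.exempt:
                    self.change_count[path] = self.change_count.get(path, 0) + 1
                    if self.change_count[path] >= self.learning_runs:
                        self.exempt.add(path)
                # Accept the change: refresh the baseline entry for this path.
                if path in current:
                    self.baseline[path] = current[path]
                else:
                    self.baseline.pop(path, None)
            else:
                # Unknown change to a non-exempt path: warn, and keep the old
                # baseline so the warning repeats until an operator re-baselines.
                alerts.append((kind, path))
        return alerts
```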