Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: PH461A04@VAX1.UMKC.EDU (Jonathan E. Oberg)
Newsgroups: comp.virus
Subject: Dead vs Live: Commercial Necessity??
Message-ID: <0012.9105201353.AA06044@ubu.cert.sei.cmu.edu>
Date: 18 May 91 08:16:00 GMT
Sender: Virus Discussion List
Lines: 61
Approved: krvw@sei.cmu.edu

Without getting into a philosophic discussion about what constitutes life, and whether viruses (biologic or electronic) are alive, let me define a virus that has had limited detection in the public - what has been referred to here as a research virus - as a "dead" virus and a virus that continues to be detected in the public to a significant degree as a "live" virus.

QUESTION: Will new live viruses spread effectively without new techniques??

The observation may be a bit naive, but in regard to the discussion of research viruses vs viruses in the environment, have we not minimized the risk of a new virus propagating by known means (for example, boot sector stealth viruses) with any success?? Few sites do not have *some* protection/detection available. Further, the infrastructure for distributing notices of new viruses' symptoms, detection methods/signatures, et cetera is now well defined and used (this forum, for example).

Has anyone studied the rate of introduction of successful viruses?? My guess would be a strict decline. Is this far off others' experiences?

On a strictly biological model, viruses must have some time X necessary to propagate from one system to another. We are unconcerned with propagation on one system, as this will be a factor in how long the virus takes to move from system to system. With the increase of scan/resident/other virus programs, and a significant decrease in the time between when a virus is detected and the information on that virus is published, the time a virus has available to spread is shortened, perhaps below the critical level necessary for success.

The WDEF virus on the Mac, for example, was an example of a new viral technique. It became widespread. Successors, however, have fared poorly: CDEF, MDEF, LDEF?? Once the technique is known, detection/prevention effectively kills these viruses. Call this the smallpox syndrome; once we know how to detect, remove, and inoculate against these strains, we effectively eradicate them as successful viruses.

Is the Stoned virus, for example, so prevalent because it is well designed and/or defeats virus detection, or because it preceded the large increase in sites with virus detection programs? Does not, in fact, a unique (defeats current programs) and successful (infects "large" number of sites) virus *drive* the acceptance of virus detection/prevention programs?

The question is important in considering the commercial aspect of virus protection. Without discarding the deeply appreciated efforts of frisk, et al, virus protection has become big business. I cannot imagine Symantec, for example, advertising NAV as "Catches 100% of live viruses." To be commercially competitive, they *have* to advertise they catch *at least* as many viruses as their competitors, even though 99% of these viruses are never seen outside "virus labs." Without a continual influx of successful viruses, that is, new techniques, the only marketable force behind upgrades and/or market share is dead viruses.

Jonathan Oberg
76100.1254@compuserve.com