Call to change PC security tools

An initiative has been kicked off that hopes to improve the way PC users are protected from viruses.

It will create and distribute a small program that will gather statistics on how quickly security companies find and remove malicious code.

The figures will reveal if users are being left vulnerable and for how long as well as rank response times.

But some experts say such simple tools could give a false impression and may prove hard to develop.

"In the last two to three years we have seen more individual pieces of malware than in the entire 30 years before that time," said Mr Chris Bolin, a former chief technology officer at McAfee who is now head of UK security firm Prevx, which is trying to start the initiative.

The typical way that anti-virus companies work, said Mr Bolin, was by analysing novel threats, creating a signature file for it and then distributing that to customers to spot when the novel threat turns up.

But, said Mr Bolin, the sheer number of viruses was threatening to overwhelm this system.

Estimates suggest that hi-tech criminals are pumping out about 60,000 individual pieces of malware every day. The number of daily variants was only going to grow, said Mr Bolin, and current methods were rapidly going to be overwhelmed.

As the gap between the variants and fixes grew, users were increasingly going to be at risk.

"No other industry would tolerate that level of failure," he said.

In the face of the tidal wave of malware, said Mr Bolin, PC users need a better way to find out how well they are being protected and how long they have been at risk.

Mr Bolin believes the way to get a better sense of the performance of security companies is via a small program that sits on a PC and logs when files are installed.

The program would lie dormant most of the time but would alert a user if it noticed that a fix had been created for a particular virus or trojan it had spotted on a PC.

It would tell a PC owner how long a virus had been known about and when it was first fixed. Mr Bolin said the small program would be ready by November.

"Innovation needs to occur on the anti-malware side because it's growing exponentially on the malware side," he said. "We need to bring about change in an industry that is not changing."

Statistics generated by the tool being used across thousands of PCs would help consumers and corporates get a better sense of which firms react and fix viruses fastest.

This would be preferable to the current situation, he suggested, in which firms are measured on how well they perform against a fixed list of malicious programs.

"We need a fundamental sea level change," he said. "Using the old yardstick does not work."

Rik Ferguson, senior security advisor at Trend Micro, said logging response times was too crude a measure of what anti-virus companies did.

"If you concentrate on just looking for malicious files then you are only looking at part of the story," he said.

Most contemporary infections, he said, began with a victim visiting a booby-trapped website or clicking a link in an e-mail that takes them to a poisoned site. From there a victim could be re-directed and only then vulnerabilities in code might be exploited to place a malicious file on a PC.

"Any good security system should block that process from ever getting started," said Mr Ferguson.

Logging only when a virus was fixed would ignore all that other useful work, he said.

Graham Cluley, senior technology consultant at Sophos, said privacy might limit the numbers of people who download and install the tool as they may have fears about what was being done with the data being gathered.

He added that the ways that security companies seek out malware on PCs was changing to cope with the growth of malicious programs.

Mr Cluley said the testing of anti-virus products was developing and improving thanks to initiatives such as the Anti-Malware Testing Standards Organisation.

"There's always room for improvement," he said. "But most security companies these days are pretty good at being pro-active. They do not just rely on signatures to spot malware."