The Web    Google
How Long Must You Wait for an Anti-Virus Fix?

How Long Must You Wait for an Anti-Virus Fix?
February 23, 2004
Brian LivingstonBy

Imagine that your office building was on fire, and you called the fire department, only to be told, "Please wait there while we invent a new method to fight the kind of fire you have."

You'd be furious! You'd expect the firefighters to rush to your building immediately, ready to fight whatever kind of fire they found.

Unfortunately, anti-virus services are forced into a scenario that no firefighter would accept: "We have to invent new defenses every day." Anti-virus software can predict and prevent some never-before-seen viruses. But all too often, a new virus can spread unchecked while software vendors develop and distribute a new "signature" file that can match the virus and kill it.

The Time Lag Between Discovery and Disinfection

Just how long is the period between a new virus getting "into the wild" and an effective antidote getting into your company's anti-virus arsenal?

To answer that question, I turned to, a group of researchers which has studied anti-virus technology for years.

AV-Test is not as well-known in the United States as it should be, possibly because the group is located in Germany at the Otto von Guericke University Magdeburg. Many of the organization's articles have been published in German computer magazines that have no English editions ! but I hope that'll change.

I interviewed by telephone Andreas Marx, manager of AV-Test, to get his view of anti-virus response times. He provided me with test results showing how long it took 23 major anti-virus programs worldwide to come up with new signature files during the past several weeks.

"I hope this will decrease the time it takes updates to get released," Marx told me, explaining why he feels sharing the information is important.

Finding ! and Fighting ! New Virus Threats

The new signature files involved in this horse race were developed to fight four novel viruses that weren't being caught by the preventive or "heuristic" techniques of most anti-virus programs. These four new viruses are known as Dumaru.Y, MyDoom.A, Bagle.A and Bagle.B.

AV-Test uses special scripts to check the servers at anti-virus companies every five minutes, looking for new signature files. It then calculates the time between each virus being first spotted somewhere in the world by the MessageLabs consulting group and the time when each anti-virus service has a working fix available to the public (not counting beta versions available only to testers).

According to the organization's data, these are the average lag times, in hours and minutes, for each program during the test period:

   H:M     Anti-Virus Program
  06:51   Kaspersky
  08:21   Bitdefender
  08:45   Virusbuster
  09:08   F-Secure
  09:16   F-Prot
  09:16   RAV
  09:24   AntiVir
  10:31   Quickheal
  10:52   InoculateIT-CA
  11:30   Ikarus
  12:00   AVG
  12:17   Avast
  12:22   Sophos
  12:31   Dr. Web
  13:06   Trend Micro
  13:10   Norman
  13:59   Command
  14:04   Panda
  17:16   Esafe
  24:12   A2
  26:11   McAfee
  27:10   Symantec
  29:45   InoculateIT-VET

The averages vary from about 7 hours per virus to more than one full day (almost 30 hours).

It's important to note two things about the figures in the table above:

? Some of the programs were able to detect some of the viruses in the testing period heuristically ! without needing an update. Ikarus, Quickheal, and Virusbuster were able to do this with the Dumaru.Y virus, whereas Norman and RAV were able to do it with Bagle.B. In those cases, the anti-virus program was assigned a response time of zero for that one virus. This reduced those vendors' average response times.

? On the other hand, A2 had not posted a signature for the Bagle.B virus within three days, when the test period ended. This program, therefore, was assigned a response time of 35 hours in this instance. If this virus had not been considered in the statistics, A2's average response time would have been reduced to 15:26 rather than 24:12.

Distributing the Fix Is As Important As Developing It

Aside from the immediate problem of developing signature files that can detect new viruses, there's another element to a good anti-virus service. The new signatures must be distributed to corporate and individual customers across the Internet, using the infrastructure the provider has built.

In a PDF white paper released in February and entitled "Outbreak Response Times," AV-Test shows that the frequency with which anti-virus companies update their software online varies widely. Although new signatures are sometimes posted very quickly in special cases, many major anti-virus services schedule regular online updates only once or twice a week, AV-Test says. Other providers, such as F-Secure, schedule updates seven times a week, while Kaspersky Labs schedules them 20 times a week, according to AV-Test's figures.

Updating Anti-Virus Signatures Around the Clock

Actually, says Antony Holdsworth, technical consultant for Kaspersky Labs' United Kingdom office, his company recently started posting a new signature file on its servers every three hours.

"We're seeing about 300 new viruses a week," Holdsworth explains. "There are always new anti-virus signatures to post," even with updates scheduled eight times a day, he adds.

Kaspersky schedules new signature files the most often ! and earned the fastest average response times in AV-Test's real-time trials, shown above ! because the company has a large number of people around the world analyzing viruses and developing cures, Holdsworth says.


Your company may not feel it has a virus problem. Some corporations think they can prevent viruses by stripping all attachments out of incoming e-mail. "But people use workarounds like Hotmail to get attachments," AV-Test's Marx says.

If you do find yourself coping with new viruses all too often, the response time of your anti-virus service may be a factor you'll want to take a good, hard look at.

Want to discuss the issues raised in this column? Take it over to our IT Management Forum.

  • AT&T on DoS: Early Detection Equals Prevention
  • DNSSEC: For When a Spoof Isn't a Comedy
  • 9/20: Mydoom-Y Worm Connects To URL
  • Sun Plays New Security Card with VeriSign
  • 12/9: Setclo-A Worm Carries Executable
  • 3/25: Clunk-A a Password-Stealing Worm
  • 4/29: Bropia-AJ Worm Messages IM Users
  • WiFi Security Concerns Easing
  • Virus Update: Lovgate Worm Still Out
  • Hackers After Patched WINS Servers
  • Time to Remind Users of Security Responsibilities
  • Security Camera Product