I have a rather unique perspective on the antivirus industry. I used to work for Microsoft before they were a competitor. Come on, you can’t call MSAV from DOS 6 an antivirus product :)
For over seven years my job at Microsoft was to make sure that Microsoft did not release any infected software. All I had to do the job was antivirus software. If you know how much the best products miss then you understand what a scary job that could be. Still in 7+ years only one got past me and that one was practically inaccessible. Nobody ever accidentally got infected by that one. I also told my management at the start that we would be very lucky to five years without an incident. It was 5.5 years in when the one got by. I showed my bosses the email I had previously sent describing the exact scenario in which it would happen and what I needed to prevent it. I got the support after the fact.
One thing to know about the antivirus industry, as is the case with most industries is that companies are made up of individual people. This is an incredibly important distinction, especially in antivirus.
When I started attending Virus Bulletin conferences in 1997, Microsoft was positively detested by almost every researcher in the antivirus industry. I had to prove my integrity as a person to the researchers to become accepted as a trusted and contributing member of the community. As I learned more about the antivirus industry it was a real eye opener to me. As I watched the marketing departments of antivirus companies fight tooth and nail I saw researchers from a variety of companies working together. I wasn’t around then, but I have heard of the EICAR conference in which several researchers from a variety of companies set up their own little network and worked together to reverse engineer a Microsoft Word document format because Microsoft would not provide file format information. On the research side of things there is little “company” and a ton of “individual”. Antivirus companies do not generally share samples with antivirus companies. Researchers share samples with researchers that they trust from most any company.
As a Microsoft employee I was able to be accepted in the industry because as a person I was inside of Microsoft fighting to get Microsoft to share more information with the antivirus industry so as to have better product for me to use and to protect users. I certainly had no interest in falsifying the abilities of AV products, and still have no such interest.
Now, working for ESET, an antivirus company I often review marketing materials and reject that which is untrue. To their credit, the marketing professionals at ESET are genuinely happy to change material if it is not true. I am sure that this is also the case at most other AV companies as well. The Virus Bulletin tests are real, and they do have some value *if* you understand what the tests mean. That will be another blog though. Bottom line is that the marketing people have a job to do and theirs is to highlight the features and accomplishments of a product. I was asked at a recent press conference in Beijing if a product can succeed without the marketing. It can succeed, but obviously will not be as successful without marketing. There are far too many examples to list of inferior products capturing market share because they have better marketing. To ESET’s credit I have never been asked to change what I say when I tell people that we don’t detect everything and that unless you get educated and learn safe computing practices no product is going to prevent you from getting infected. I’ve often made this statement at trade show presentations. Is that hype?
More often than not it seems that the researchers at the antivirus companies are completely at odds with sales and marketing. What has been fun for me is that when I present at trade shows and other venues and ‘in the wild’ is mentioned I can explain exactly what that means to people. Yes, I actually tell them that a VB100% award does not mean a product detects close to everything that is out there.
So what does all of this have to do with the “Race to Zero” and other such ignorant projects? It is not the antivirus companies who are complaining. It is not the sales or marketing departments who are complaining. The PR firms are silent on this. It is the research community who are complaining. It has nothing to do with “embarrassing” an antivirus company. The people who are complaining are the people who are actually trying to do something about the problem. The people who are complaining are the people who will openly acknowledge the limitations of security products and staunchly promote defense in depth. These people also sign their real names to what they say and do not hide behind pseudonyms. We are proud of what we have to say and will openly say exactly who we are.
Not a single antivirus company is against the “Race to Zero” contest, only the people who are actually trying to help protect consumers are railing against the contest.
If the Race to Zero organizers wanted to do the contest right then here is an approach they could use.
Have the contestants set up honey pots and the winner is the team that collects the most undetected samples. This does not involve creating new malware. This shows the real world problem of real world threats that are actually out there and getting past every antivirus product. That is much more convincing than a simulated scenario that involves creating more of a problem.
Of course they also could have a contest to see who can build a better scanner, but that would require significantly more skill than the contestants possess. It’s easy to tear down. Let’s see them try to build for a change.
I specifically joined an antivirus company when I left Microsoft because I enjoy working with a bunch of very smart and dedicated professionals form a variety of companies who are actually working to help protect consumers.
The comments that “the antivirus companies have their backs against the wall”, or are afraid, etc., are simply ignorant and completely lack substance. The truth is that the only people complaining are the people who are trying to improve the situation and are not pro-hype by their companies or by miscreants creating more malware. The people complaining also will use their real names because they stand behind their views. It took guts to work for Microsoft and stand up and speak at an antivirus conference. It takes guts for the researchers to come out and tell it how it is knowing full well that rather than be acknowledged as the individuals they are they will be cast as a “company” with a marketing department. It takes only a coward to hide behind a pseudonym ignorantly advocating the creation of more problems.
Director of Technical Education
Author ESET Research, We Live Security