Kurt Wismer posted a much-to-the-point blog a few days ago about the way that purveyors of scareware (fake/rogue anti-virus/security products) mimic the marketing practices of legitimate security providers. You may remember that a while ago, I commented here about a post by Rob Rosenberger that made some related points.

If you're a regular reader of my blogs here or elsewhere, it won't surprise you that I have a lot of sympathy with these viewpoints, and I hope Kurt will agree that we don't do the "buy our software so that you never have to take responsibility for your own security" message here. And some elements of the AV industry of which I have, in recent years, become a part, have not always done the industry or its customers any favours by hyping media malware, TOAST marketing (The Only Antivirus Software That you'll ever need... [hat tip to Padgett Peterson]), and other dubious marketing practices that have enthusiastically been picked up by those who rate a Good Story as being something quite different to an Accurate Story.

Well, I've been hearing rumours of marketing that sounds far too close to scareware for comfort. I'm not going to name names on this occasion. It's bad karma for an AV researcher to throw stones at another vendor's glass house without hard evidence of unethical practice. So here are some entirely general thoughts.

It would, of course, be a very bad idea for a vendor to try to persuade its own customers to spend money on one of its other products by hyping a non-existent threat. If a vendor was rash enough to indulge in such scareware tactics, its customers might want to consider whether:

  • the name of the threat in question looks kosher;
  • they really have confidence in a company that apparently doesn't share major threat samples with other companies so as to maintain a competitive advantage. AV companies share samples because they feel that where a major threat is looming, they have a duty of care to the community as a whole, not just their own customers;
  • marketing based on "our product detects this and these other companies can't" can possibly be accurate. Even if the company making the claim didn't share samples (and that would be really bad karma in this industry), and the claim of non-detection held true at a particular point in time, how likely is it that the other companies wouldn't encounter it and add detection for it, sooner rather than later? (Unless, of course, it was something so esoteric and obscure that its existence made no real difference to anyone anyway.)
  • it's appropriate to claim that a product doesn't detect a given threat on the basis of a Virus Total report. As Kurt, myself, and Virus Total/Hispasec themselves have frequently pointed out in various contexts, the Virus Total service is not suitable or intended as a gauge of the comparative performance of AV products. That's because a Virus Total report doesn't demonstrate dynamic, whole-product detection or non-detection of any threat. In many cases, malware that evades an on-demand scan will nevertheless be detected by an on-access scan, but that won't show on a VT snapshot report. That is always assuming that the press release (or whatever) actually links to a VT report.

Of course, this is all totally hypothetical. Surely no reputable AV company would make these mistakes, for both ethical and practical reasons (i.e. for fear of damage to its reputation and existing customer base)? I live in hope that these rumours will turn out to be based on some misunderstanding or misconception.

David Harley CITP FBCS CISSP
Senior Research Fellow