Would you support less malware scanning to improve user performance?
Kaspersky recently filed a patent outlining a method where they would determine the depth of malware scanning to be performed on a file by measuring it against certain risk factors. The goal is to reduce the amount of effort expended in scanning files that are unlikely to contain malware and provide better performance for users.
The scanning depth will be based on a collection of risk factors that include file origin (more risk from internet), file location (temp directories are higher risk), file size (malware files are smaller not to attract attention to that transfer or attachment), and whether the file is an installer (malware when executed may fetch attachment), and whether the file is an installer (malware when executed may fetch other files through installation).
Note that the purpose of the patent is not to reduce the risk of being infected by malware but to provide (security) risk support for the decision to improve user response times by reducing the overall effort for malware scanning.
But to be clear, we don't get something for nothing, and the likelihood of being infected by malware will actually increase simply because less scanning will be done and the risk factors will not correlate perfectly with the presence of malware.
Would you support the deployment of such an AV product in your organization?
Regards, Luke
More detail
http://lukenotricks.blogspot.com/2008/10/risk-factors-for-av-scanning.html
Clarification added October 24, 2008:
Sorry for the cut & paste error above on the installer risk factor
Clarification added October 28, 2008:
Thank you everyone for the very interesting answers. The general consensus is "No I would not use this technology", certainly not without further detail. As one respondent indicated in private email, Kaspersky is not a fast AV product, so this patent could be a way to avoid a code overhaul.
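An added illustration of the risk-factor policy the question describes, written for this thread and not taken from Kaspersky or the patent text; the weights, thresholds, depth names and sample files are all assumptions:

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class FileInfo:
    path: str
    origin: str        # "internet", "lan" or "local"
    size_bytes: int
    is_installer: bool

# Constructed weights and thresholds, one per risk factor named in the question.
TEMP_DIRS = ("/tmp/", "C:\\Temp\\", "\\AppData\\Local\\Temp\\")
SMALL_FILE = 512 * 1024   # below this, the file counts as "small"

def risk_score(f: FileInfo) -> int:
    """Sum the risk factors: origin, location, size, installer."""
    score = 0
    if f.origin == "internet":
        score += 3
    if any(d.lower() in f.path.lower() for d in TEMP_DIRS):
        score += 2
    if f.size_bytes < SMALL_FILE:
        score += 1
    if f.is_installer:
        score += 2
    return score

def scan_depth(score: int) -> str:
    """Map a score to how much work the scanner spends on the file."""
    if score >= 5:
        return "full"       # unpack, emulate, heuristics
    if score >= 2:
        return "standard"   # signatures plus heuristics
    return "quick"          # signatures only

def under_scanned(samples: List[Tuple[FileInfo, bool]]) -> List[str]:
    """Paths of samples labelled malicious that the policy only quick-scans."""
    return [f.path for f, malicious in samples
            if malicious and scan_depth(risk_score(f)) == "quick"]

# Constructed sample set; the bool is a ground-truth label for the demo only.
SAMPLES = [
    (FileInfo("C:\\Users\\a\\Downloads\\invoice.exe", "internet", 90_000, False), True),
    (FileInfo("C:\\Temp\\setup.msi", "internet", 300_000, True), True),
    (FileInfo("D:\\share\\report.pdf", "lan", 2_000_000, False), False),
    # Large, local, not an installer, not in a temp directory: scores 0 and
    # gets a quick scan, although this constructed sample is malicious.
    (FileInfo("C:\\Program Files\\tool\\plugin.dll", "local", 4_000_000, False), True),
]
```

The last sample is the point made in the question: the factors do not correlate perfectly with the presence of malware, so whatever falls below the threshold gets less scanning regardless of its content.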
Good Answers (9)
Luca S
IT Security specialist
Luke,
let me play with one of Benjamin Franklin's famous quotes:
<< He who would trade security for some faster scanning, deserves neither security nor faster scanning. >>
Despite the fact that I believe users and system administrators should have as much control over their systems as possible, I think that an anti-malware vendor can't lure users into sacrificing their security only to correct or mitigate one of the vendor's faults.
If their anti-malware solution is slow at scanning files, they should focus on optimization techniques to make it faster, rather than offering their customers the option of being less protected.
And the whole idea of collecting risk factors is almost useless against an intelligent enemy like the malware writer. We're not dealing with dumb hurricanes or other natural events here; we're facing an enemy who's very quick in adapting his tactics.
Don't get me wrong, I'm all for securing some areas more than others, depending on the situation, but this process should *increase* the protection of those sectors that need it most rather than *decreasing* the protection of those other sectors that are believed to be inherently more secure.
Adam T
Network Architect
I'd have to say no, I wouldn't deploy that technology in any organization I manage (not even on my own PCs). My thinking is that generally speaking, the more complex the decision-tree process is, the more likely something can slip through the cracks. Also, PC performance is sufficiently high in the general case that primary and secondary program storage (aka RAM & disk) become the limiting factor on performance, not additional inspection. I'm assuming here that the inspection program will remain loaded into at least primary program storage (RAM) if not largely kept in L2/L3/L(n) cache. If the inspection program starts to devour enormous amounts of program storage requiring parts of the detection engine to be paged in (and out), then this approach might be worthwhile... but until that day (hopefully not anytime soon) I don't see it as being worth the slightly increased risk.
Probably not.
That said, we had a lot of complaints years ago about redundant scanning of large files off network shares and that drove us to put scan engines in front of our NAS devices and to turn off network scanning on clients. So, we moved the AV off the client to improve client and network performance, for network scanning, but we didn't eliminate it.
I wouldn't be the first kid on the block to adopt a new technology like you mention, when AV is so important to the organization. Not that it might not mature and be more broadly adopted. I think there are better ways to deal with the issues.
My first answer is no. While I can and do turn off scanning for performance reasons occasionally, I do that at chosen times with disconnected network connections. I would expect the program to choose the most inopportune moment.
Then I don't understand it. Scanning is done overnight and while I access something; neither of these times is exactly where performance matters.
Third as much as I would dislike such a feature, it wouldn't prevent me from using the product if I have other reasons.
Lastly, how do you manage to get a patent on something so trivial?
I'm appreciative of the dedication to security displayed in all of the previous answers.
However, there is no security necessary if there is no business. Corporate Information Security's function is to support the business, not to restrict it. The balance must be found between integrity and availability, or there is no point to the controls being put in place.
Depends... what is the machine doing, who is using it, what the Network Security is like?
Is there a replacement for malware scanning? Sure. Install and configure a UTM device at the perimeter and play firefighter when someone gets infected.
Everything in IT is a Give/Take, there are plusses and minuses to everything. No One Size fits all.
You have a CAD worker on a $5,000 CAD station needing all the CPU/disk access he can get? Possibly don't put malware scanning on his box, as it would hurt his production speeds.
Accounting worker doing billing? Yes, even if there is a performance hit.
Orhan B
Entrepreneur Businessman, Partner and General Manager of Issos Enterprises, International Business & Trade Development
No! Never...
Performance loss of the computer is one of the main issues in antivirus and antispy software, and it even comes before the success of elimination of the risks.
This is totally an amateur point of view, and whoever has it may be ready to face a loss of data, time, critical information, business performance and the computer in the end.
Of course, an AV or AS SW must serve with a good performance on the computer. But some of them do not... Mostly in the personal editions.
Therefore, I suggest you try another one but an esteemed / a trusted one or use a corporate version of your AV.
Here are some solutions that I may suggest you to try:
AntiSpy
Lavasoft Ad-Aware 2008 Pro www.lavasoft.com
AntiVirus
ESET Smart Security www.eset.com
Symantec SAV www.symantec.com
Nicholai R
Senior Technical Consultant at Axial Systems (Security & Optimisation)
I think that the patent has some + & - points. Serious malware writers will know their enemy. It's always a game of cat and mouse!
As mentioned in some other replies, there are some large factors involved in the assessment of your fleet of endpoints:
1 - What is the business cost of malware infection
2 - What is the risk of data loss from infection
3 - Can the risk be dealt with at a perimeter gateway rather than distributed processing
4 - Can users be educated to operate in a lower risk fashion
I think that this product does have a place in enterprise deployments, as with the way the internet is evolving the risk is coming closer to the front door. I do not see malware in much of a different light than viruses: all are uninvited guests to be shown the door!
In Kaspersky's support, they do have a good product base, and as a more juvenile vendor in the marketplace, invention in the way that scanning is performed is welcomed. Disk space is always becoming more abundant and OSs are always going to increase in their size and complexity.
Seeing is always believing
Nicholai Roguski
Network Security & Optimisation Consultant
Axial Systems
Chien Siang Y
Consultant at MHA
There is a clear need to be more flexible when scanning (reducing CPU load), as many corporate PCs are increasingly "armed" with multiple scanners - some controlling the personal firewall, enterprise forensic support, network monitoring like NAC and NAP, or controlling digitally signed objects (DRM and DLP) and devices like flash drives.
They are all scanning files and this loading must be coordinated and organised.
Much of the data is encrypted or packed, like docx. Scanning them requires decryption and unpacking, which drives up CPU utilisation so significantly that thin clients could not be deployable. These kinds of problems should be solved by object/file change control, i.e. we should not scan every time and always at the PC.
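An added illustration (not from this answer or any vendor's product) of the object/file change control idea: verdicts are cached by content hash and signature version, so an unchanged file is not rescanned on every open but is rescanned once whenever the signatures change. The cache layout, version strings and toy engine are assumptions.

```python
import hashlib
from typing import Callable, Dict, Tuple

class ScanCache:
    """Remember verdicts by content hash and signature version, so an
    unchanged file is not rescanned on every open."""

    def __init__(self, sig_version: str) -> None:
        self.sig_version = sig_version
        self._verdicts: Dict[Tuple[str, str], str] = {}
        self.scans_performed = 0

    def scan(self, data: bytes, engine: Callable[[bytes], str]) -> str:
        # Key on the content digest, not on path or mtime: a timestamp can be
        # reset by whoever writes the file; a SHA-256 of the bytes cannot.
        key = (hashlib.sha256(data).hexdigest(), self.sig_version)
        cached = self._verdicts.get(key)
        if cached is not None:
            return cached            # same bytes, same signatures: skip the scan
        verdict = engine(data)
        self.scans_performed += 1
        self._verdicts[key] = verdict
        return verdict

    def update_signatures(self, new_version: str) -> None:
        # Older verdicts stay keyed on the old version, so every object is
        # rescanned once under the new signature set.
        self.sig_version = new_version

def toy_engine(data: bytes) -> str:
    """Constructed stand-in for a real engine: one byte pattern is 'malicious'."""
    return "malicious" if b"BAD-PATTERN" in data else "clean"

def demo() -> int:
    """Four opens of a document; returns how many actual scans happened."""
    cache = ScanCache("2008.10.24")
    doc = b"quarterly report, unchanged for weeks"     # constructed content
    cache.scan(doc, toy_engine)               # 1: first open, scanned
    cache.scan(doc, toy_engine)               # cache hit, no scan
    cache.update_signatures("2008.10.25")
    cache.scan(doc, toy_engine)               # 2: new signatures, rescanned
    cache.scan(doc + b" edited", toy_engine)  # 3: content changed, rescanned
    return cache.scans_performed
```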
More Answers (3)
Correctly configured malware scanning shouldn't be that much of a burden on performance.
Partly this is a communication thing. Let your users know why this is essential, when it's going to happen and how long for.
Clarification added October 25, 2008:
Missed your clarification...
No, we wouldn't use that because unfortunately unless you have someone accurately setting the risks on files the whole thing becomes far too random.
The danger of someone saying "Oh, I'll set all my files to low risk so I can work quicker" is just too scary to think about....
A simple payoff - reduced diligence is highly likely to increase risk of infection. Time may be saved in the short term on scanning times, but that would need to be offset against the time and cost incurred as a result of an infection. Naturally the market will dictate what is acceptable.
I would support 'Zero' scanning to improve user performance.
The key to the malware problem is to allow all code to run in a way that does allow both useful and malicious software to be useful while limiting any damage that any software can do to those resources it requires to be useful.
Differentiating between useful and malicious in order to allow an abundance of authority is simply the wrong approach and we need to do better (some did already: Plash, CapDesk, Polaris). The way to do better is to allow anything (including malware) to run with (dynamic) least authority.