2006-07-01
Abstract
'In a perfect world, it would be nice to have no updates at all – more isn’t better.' Richard Ford, Florida Institute of Technology, USA
Copyright © 2006 Virus Bulletin
As a musician, I can't count the number of times I've been told that 'less is more', and only as I have mellowed with age have I come to realize what a good maxim that is. Musical notes, cake, sunshine, even beer(!) – it's certainly possible to have too much of a good thing.
With that in mind, you can imagine my thoughts when an ad for anti-virus software arrived in the mail one morning. 'Does your current anti-virus solution update HOURLY?', the bold type read. The flyer went on to compare the number of monthly updates (600) offered by one company with that of its competitors. More, apparently, is more – at least in some people's opinion.

While I am not attacking any particular company, I think the marketing gurus who came up with the claim reflect an idea in the industry that is well past its 'sell by' date. Trying to convince consumers that more updates is better only works if we've really lost sight of the goal of anti-malcode software: using our computers, not caring for them.
Back in the day, updates were monthly 'snail mail' care packages that arrived in large 5.25-inch envelopes. Even then, there were often claims by companies who would promise to break the bondage of the update cycle. Updates were evil, or so we were told – 'Snake Oil anti-virus will detect all viruses, past, present and future' was a mantra often heard.

Somewhere between these two extremes, we've lost sight of the real goal. Anti-virus software is not a means in itself (unless you are a vendor). It's a way of making sure you get your real work done. In a perfect world, it would be nice to have no updates at all – more isn't better. However, in the real world it would be nice to have fewer updates.
Pragmatically, counting the number of updates a vendor ships is a silly way of determining how good the product is: it's a one-dimensional metric which means nothing when considered alone. More updates could mean 'latest and greatest', or it could simply mean 'heuristics so bad, we don't handle anything new'. Who's to say which of these is actually the case?
Aside from the lack of utility of the metric – what matters is not how many updates, but the overall level of protection provided for a particular level of customer effort – corporations must walk a treacherous tightrope between updating anti-virus solutions quickly and assuring themselves that the update itself does not cause problems in their own environment. Every change to a production system is a potential threat; balancing that against the risk of infection is difficult. Studies have shown that rolling out updates is expensive – sometimes prohibitively so. The fewer updates one needs to be safe, the better.
Underlying all of this, of course, is the tacit acceptance of anti-virus software that locks users into a rapid update cycle. The software versus software nature of the malcode arms race does seem to make some level of continuing update a fixture (at least for the foreseeable future), but our dependence on rapid update is a world view that we cannot accept. Relying on the network to supply updates to protect the network is a plan which is obviously flawed.
Of course, as long as customers continue to clamour for more rapid update cycles, such insanity will continue. There are ways to protect from rapid malware that are reliable, safe and don’t need 600 updates a month – we need to push toward such solutions quickly. While I am not tolling the death knell for signature-based protection, stealth and speed can both throw a pretty sizeable wrench in the works. Future solutions are likely to be hybrid, borrowing the best from the old and the new.
When a methodology is flawed, doing it more doesn't make sense. However, sometimes we're all so close to the problem that we lose perspective. More really isn't better. Instead, what we need is a concerted effort to move toward solutions which actually make sense and where the user isn't eternally locked into a game of 'fast draw' with an opponent who only has to win once. Less really is more.