Tim Bolton simply wants software that blocks and eliminates viruses, with no side effects.
As network administrator for the Little Rock-based Arkansas State Medical Board, which uses Symantec Corp.'s AntiVirus Corporate Edition version 10.2 on its PCs and servers, he has experienced more than his share of side effects.
"Corrupt files coming down during the automated updates, servers running extremely slow, PCs running extremely slow," Bolton said. "An example: we would set up the full scans to run at 3:00 in the morning, when no one is here, and they'd run at one in the afternoon, three in the afternoon, eight in the morning," slowing down nearly every system at virtually any given time.
One day recently he arrived at work to find 70% of his Windows 2000 boxes facing the infamous blue screen of death.
"It was something to do with Symantec," he said. "As soon as I got rid of the Symantec software, the boxes booted up fine."
Ironically, Bolton noted, his antivirus software, which is supposed to keep his systems incident-free and running smoothly, was working against him. "They're becoming more of a problem than a help," he said of antivirus vendors. "They're becoming as bad as a virus."
Bolton's story is just one example of why security industry experts say it's time for companies to hold their antivirus vendors' feet to the fire. As Arabella Hallawell, a research vice president at Gartner Inc. in Stamford, Conn., noted in a recent research report,
The signature-quality question is far from academic. On May 31, Cupertino, Calif.-based Symantec pushed an antivirus update that incorrectly identified two Windows management products from ScriptLogic Corp. as adware variants, resulting in mass quarantines or file deletions. While Symantec released a corrected signature file the next day, that didn't erase many companies' need to un-quarantine or reinstall deleted files.
In March 2006, a flawed antivirus signature from McAfee Inc. crashed PCs in North America. Last year, a flawed Trend Micro Inc. signature caused widespread outages in Japan. Over the past year, those three vendors -- the leading antivirus providers -- have also all announced vulnerabilities in their products that opened PCs to remote exploits.
The antivirus commodity paradox
In the past, companies weren't so beholden to antivirus signature quality. Organizations rigorously tested signature updates before pushing them onto production machines. Yet with virus signature and application updates appearing sometimes multiple times per day, such in-depth testing is no longer feasible.
Interestingly, analysts peg the antivirus market as highly commoditized; virus-stopping power arguably differs little among the major vendors. Yet Hallawell said that's not reflected in today's antivirus pricing.
"The prices have gone up every year even as the value has, arguably, gone down," she said. "Maintenance is typically an annual 40% of the initial license price, and many companies pay an additional $20,000 to $40,000 per year for dedicated support."
With corporate customers paying more and getting less, Hallawell recommended that organizations "start to extract more value again by better risk-sharing with their vendors." Enter the SLA, which might, for example, promise a 10% rebate on the cost of annual maintenance should any signature update cause user-stability issues or should the vendor have to re-release a signature.
The accountability question
Bruce Schneier, the chief technology officer of Counterpane Internet Security Inc., based in Mountain View, Calif., also thinks it's reasonable to hold antivirus vendors accountable, as he relayed in an email interview.
"If an AV company produces a signature that doesn't behave as advertised," Schneier said, "I think they should be held liable for those ill effects."
To date, however, no antivirus provider offers -- or would reveal it offers -- an SLA for antivirus signature quality. (None of the antivirus vendors approached for this story -- Symantec, McAfee, Trend Micro, CA Inc., F-Secure Corp. or Kaspersky Labs -- chose to comment on SLAs.) Trend Micro, however, does have an SLA for responding to customer-submitted samples within two hours, and Hallawell said other antivirus vendors offer similar agreements, at least for their largest customers.
In other words, don't hold your breath for SLAs. "Vendors have absolutely no incentive to accept liabilities," said Schneier. "They have every incentive to lobby Congress to make sure they are not held liable. But capitalism fails in a world where companies are not liable for their actions."
Voting with his wallet
At the Arkansas State Medical Board, Bolton isn't holding out for a signature-quality SLA. "I can hardly get a hold of good customer service, never mind someone sitting down and saying we'll be liable if this doesn't work."
Symantec, in an email response, said it couldn't pinpoint exactly what went wrong in Bolton's case, but noted that its customers typically engage in more than 83 million LiveUpdate signature downloads daily, the vast majority of which proceed without incident.
Still, the margin for error is too great for Bolton, and that's why he's trying to opt out of the desktop antivirus paradigm altogether. For starters, the State Medical Board implemented two products from Luxembourg-based SecureWave S.A., Sanctuary Application Control and Device Control. They maintain a white list of the applications, processes, and devices allowed to run on any of the organization's 40 PCs -- verified against hashes for authenticity -- and block the rest, including viruses. Soon, Bolton plans to extend the technology to his servers.
His organization will still rely on antivirus software to eliminate any viruses found on client machines, but is planning to abandon Symantec in favor of Trend Micro or Sophos.
Even without an SLA, when it comes to antivirus product quality, he's voting with his feet. Said Bolton, "The best way you can hold them accountable is the bottom line."
Mathew Schwartz is a freelance writer, editor and photographer based in Cambridge, Mass.