Antivirus firms rethinking automated alerts

Bill Brenner

Responding to industry criticism, some antivirus vendors are changing the way they distribute automated virus alerts, tightening the audience to include only those that request them. IT managers complain that an inordinate amount of time is wasted by viruses and worms that spoof the e-mail's sender, bogging down e-mail systems and creating an onslaught of false infection reports from users.

"All these notifications do is confuse and frustrate most people," said Paul Schmehl, an information security officer for the University of Texas at Dallas and a founding member of the Anti-Virus Information Exchange Network (AVIEN). "Software companies should work diligently to correct their products so that alerts only go out to those who need to know."

At issue is antivirus software that e-mails notifications to users en masse when a problem is detected. While IT administrators use the alerts to root out malware, the messages also flood the inboxes of people who have nothing to do with network security. The alerts alarm them, and they respond to their IT department with e-mails asking what actions they need to take. The result: an e-mail traffic jam. Meanwhile, hackers and spammers have found that disguising their messages as virus alerts is a great way to extend their assaults. When opened, fake notifications can infect the computer and spread spam and malicious code to everyone in the user's address book, creating even more traffic.

Schmehl said AVIEN stopped sending out virus alerts more than a year ago because the organization determined they do more harm than good. In many cases, he said, the alerts are nothing more than shameless advertisements for new antivirus software. In the end, he said, "it's an IT administrator's job to be on top of threats. They need to subscribe to whatever alerts they feel they need."

Software security vendors like McAfee and Symantec have seen a fierce reaction from customers and have either tweaked their products so notifications will only reach those who ask for them or are in the process of doing so.

"The reality is that most mass-mailers spoof where they come from," said Greg Day, solutions architect for McAfee Security of Santa Clara, Calif. "This creates two problems -- networks get flooded with traffic, and you confront the wrong person whose address was used but didn't send it. You want to keep traffic down. You don't want to add to the problem by alerting everyone to a possible virus."

Day said McAfee's e-mail scanning products now have the ability to direct these notifications only to those who can use them. The goal, he said, is to have a response that solves the situation and helps IT administrators. "We don't want to exacerbate the problem," he said.
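The routing rule Day describes, written out as an added Python example that is not McAfee's or any other vendor's code: subscribed admins always hear about a hit, a recipient only if they opted in, and the forged sender of a mass-mailer never. The `Detection` and `NotificationPolicy` classes, the malware family names and the addresses are all constructed for illustration.

```python
"""Route antivirus notifications only to people who asked for them.
Added example, not vendor code. Subscribed admins always hear about a hit,
a recipient only if opted in, and the envelope sender of a sender-spoofing
mass-mailer never, since that address belongs to an innocent third party.
"""
from dataclasses import dataclass, field

# Constructed family names standing in for the signature metadata a real
# product would consult to learn whether a detection forges its sender.
SENDER_SPOOFING_FAMILIES = {"W32/MassMailer.A", "W32/MassMailer.B"}

@dataclass
class Detection:
    malware: str
    envelope_sender: str
    recipient: str

@dataclass
class NotificationPolicy:
    admin_subscribers: set
    opted_in_users: set = field(default_factory=set)
    spoofing_families: set = field(default_factory=lambda: set(SENDER_SPOOFING_FAMILIES))

    def route(self, hit: Detection) -> dict:
        """Return {address: reason} for every notice this hit should generate."""
        notices = {a: "admin subscription" for a in self.admin_subscribers}
        if hit.recipient in self.opted_in_users:
            notices[hit.recipient] = "recipient opted in"
        if hit.malware in self.spoofing_families:
            # Sender is forged: a "you sent us a virus" notice would land on
            # someone who sent nothing and only add to the traffic. Stay silent.
            return notices
        if hit.envelope_sender in self.opted_in_users:
            notices[hit.envelope_sender] = "sender opted in"
        return notices

def digest(hits: list) -> dict:
    """One count per family so an admin reads a single summary, not 80 e-mails."""
    counts = {}
    for hit in hits:
        counts[hit.malware] = counts.get(hit.malware, 0) + 1
    return counts

def demo() -> tuple:
    """Constructed batch: one admin subscriber, one opted-in user."""
    policy = NotificationPolicy({"secops@example.edu"}, {"alice@example.edu"})
    hits = [Detection("W32/MassMailer.A", "bob@example.edu", "alice@example.edu"),
            Detection("W32/MassMailer.A", "alice@example.edu", "dave@example.edu"),
            Detection("Trojan.Dropper.C", "alice@example.edu", "dave@example.edu")]
    return [policy.route(h) for h in hits], digest(hits)
```

The second detection shows the key case: alice opted in, but because the family forges its sender she is not told she "sent" anything, while the admin still gets a single digest line per family.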

Carl Banzhos, chief technology officer for Dallas-based Citadel Security Software Inc., said vendors have to keep sending out notices when problems are found; otherwise, there will be a big attack. But, he said, "You need to target it and have systems in place to identify what is most important."

He said his company has escaped the backlash bigger vendors have suffered because his clients are more targeted. "Our customers aren't home-based," he said. "We're more of an enterprise security solution." Even so, he acknowledged, "IT managers can still get inundated with alerts."

Banzhos said Citadel's automated vulnerability detection program, Hercules, is designed to minimize that by weeding out all the warnings, determining which are most important to each client. That way, customers only see the warnings that directly apply to them instead of being flooded with every notice, he said.

He shares the growing industry view that customers won't put up with the alert deluge for long.

"People don't have time to open 80 notifications and spend three hours picking through them to see what they need to do," he said.

Read the column, "With friends like these, you don't need enemies," by Paul Schmehl.
