Opinion: It's time to fix AV warning messages

By Richi Jennings, Contributor
11 Apr 2006 | SearchSecurity.com

Security Wire Daily News

Ever received e-mail from your company's antivirus filter, telling you that someone you've never heard of has sent you a virus? I'm betting you have. If not ... well, consider yourself lucky.

These AV warning messages have become nearly as frequent and as burdensome as run-of-the-mill spam. They're certainly not doing the job they were intended to do. In fact, it's reached a point where AV vendors must do something about it.

Now that we've stopped using the "sneakernet" method of walking floppy disks around the office, the No. 1 way for viruses to spread is our old friend, e-mail. These days, an indecent chunk of unwanted e-mail traffic is viruses, worms, and other malware trying to propagate themselves.

Many AV products or services will warn customers if a virus is detected in an incoming message. Some sort of "virus alert" notification lands in an end-user's inbox. It'll either include the original message with the attachment stripped out, or consist of a simple notification that "so-and-so sent you a virus, and click here to read the message in the quarantine." The intention is that you can notify the sender that there's a virus on their PC.

Here's the problem: these days, most virus-infected e-mail isn't sent by unknowing individuals. It's sent by other viruses. It's effectively spam, except the motivation is to take over your computer, not to sell you herbal enhancements, fake watches, or the latest small cap. In fact, the viruses will often use the same lists of recipients as spammers do. And there's no point in contacting the "sender" of the message -- it's probably forged.

Yes, these virus-alert messages are now just as bad as spam. People quickly learn that these warning messages are just a waste of space, often tuning them out. Savvier mail recipients will set up rules to delete them. Unfortunately, the AV filter will occasionally tell you about a virus in a legitimate message -- one that you actually wanted to know about. Shame you're now ignoring those warnings, isn't it?

Not only that, but it could be your e-mail address being used to forge the message sender. If that happens, you'll probably start getting non-delivery replies from people you've never heard of, telling you that you've sent a virus or that their mailbox no longer exists. Still, only a tiny proportion of these messages are of any use. Let's not mention any names, but some AV solutions should be more selective in which messages they warn about.

The interpretation of these messages could and should be handled by e-mail authentication technologies such as Sender Policy Framework (SPF), its proprietary Microsoft buddy Sender ID, and DomainKeys Identified Mail (DKIM), created by Yahoo and Cisco Systems Inc. If the supposed sender of the infected message used one of these technologies, the AV filter would have a better idea of whether the e-mail address was forged.

Similarly, AV filters could get smarter about looking at the reputation of the message's source. I don't just mean whether the sending IP address is on a blacklist (or "blocklist" if you insist), but also the fuzzier criteria. For instance, does the sending IP belong to a block of consumer DSL connections? You wouldn't expect legitimate e-mail to be sent directly from one of those; it would normally go via a mail server.
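To make the two suggestions above concrete, here is an added example (not code from the column or from any AV vendor) of a filter deciding whether a virus warning is worth sending: it runs a simplified SPF check (only ip4 mechanisms and the trailing "all" qualifier; Sender ID and DKIM are not modelled) and then refuses to notify when the sending IP sits in a consumer/dynamic range. The SPF records, domains and the "consumer" range are constructed for the example.

```python
import ipaddress

# Constructed SPF records for the example (not any real domain's records).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
    "example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# Constructed stand-in for a list of consumer DSL / dynamic address blocks.
CONSUMER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def check_spf(domain, sending_ip):
    """Minimal SPF evaluation: ip4 mechanisms plus the trailing 'all' term.
    Returns 'pass', 'fail', 'softfail' or 'none' (no usable record)."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.endswith("all"):
            qualifier = term[:-3] or "+"   # bare "all" means "+all"
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "none"}[qualifier]
    return "none"   # record ended without an 'all' term: treat as neutral


def is_consumer_ip(sending_ip):
    """True if the connecting IP falls in a known consumer/dynamic block."""
    ip = ipaddress.ip_address(sending_ip)
    return any(ip in net for net in CONSUMER_RANGES)


def should_warn_sender(envelope_from, sending_ip):
    """Decide whether the AV filter should bother the apparent sender.
    Only notify when the sender domain authenticates the source AND the
    message arrived from something that looks like a real mail server."""
    domain = envelope_from.rsplit("@", 1)[-1]
    spf = check_spf(domain, sending_ip)
    if spf != "pass":
        return False, f"spf={spf}: sender address unverified, probably forged"
    if is_consumer_ip(sending_ip):
        return False, "sending IP is in a consumer/dynamic range, likely an infected PC"
    return True, "spf=pass from a mail-server address: worth notifying"
```

With these rules the only warnings that go out are for messages whose sender domain vouches for the sending host, which is exactly the small fraction the column says are actually useful.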

So, AV vendors: Is your house in order? Or are you a spammer?

Richi Jennings is practice leader for spam and boundary services at San Francisco-based Ferris Research. He lives in Berkshire, in the United Kingdom. You can find his blog at www.richi.co.uk.
