Antivirus - good for cleanup, not prevention

Last post 02-27-2007, 5:31 AM by Bork Blatt. 2 replies.
  •  02-25-2007, 10:38 PM 24608

    Antivirus - good for cleanup, not prevention

    I am at work and suffering at the hands of my antivirus scanner. Every time I launch a process it runs through its entire database of virus sigs and does a compare. This is frustratingly slow, so I have disabled it. (Gasp!)

    This led me to a little internal rant - not the "antivirus is completely useless" rant that you see often on the web, rather the "antivirus is not effective prevention, rather it's a cleanup tool".

    In the good ol' days, if a new virus appeared on the scene, it took weeks, if not months to make its way around the world, which meant that unless you were particularly unlucky, your antivirus defs would be up to date well before you encountered the virus, and the antivirus program would block it. Neat.

    Now that the Internet is commonplace, viruses spread much faster than researchers at antivirus companies can create signatures.

    Antivirus is essentially a huge blacklist. The problem with a blacklist is it can only block items it knows are problematic. What we really need is a whitelist - only run programs approved for use.

    Now if you get infected, and you update your signatures, antivirus software is very good at cleaning up the virus (if not so good at actually repairing data), but they all advertise antivirus as a preventative measure.

    The only time antivirus is a preventative measure is if you're in a very security unaware company where the same virus keeps breaking out again and again over the network. In this case, I'd advise you (if allowed) to firewall yourself off and only turn off the firewall when you need to access a network resource. At the very least, disable your administrative shares permanently.

    -- Edit-- Just had to add this: The human immune system is amazing. It is a blacklist and a whitelist at the same time. Any unrecognized substances / cells that arrive in the body get attacked, and added to the blacklist for faster recognition and response in future. If only A/V software could do this! (obviously not to programs you were trying to install) ;-)
    Disclaimer: Batteries not included. Barbie and Ken sold separately. Only effective in conjunction with a kilojoule-controlled diet.
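The blacklist-versus-whitelist distinction in the post above, and the "immune memory" idea from its edit, as an added example that is not part of the original thread. Whole-file SHA-256 digests stand in for antivirus signatures (real engines use pattern matching, but the policy difference is the same), and the sample "programs" are constructed byte strings, not real binaries. The same default-deny idea is what Windows Software Restriction Policies implemented at the time; this toy keeps it to a few lines so the gap is visible:

```python
"""Blocklist (signature) policy vs default-deny allowlist policy.

Added example: a toy model, not code from the forum thread. Whole-file
SHA-256 hashes stand in for antivirus signatures.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed sample "programs": names mapped to bytes that stand in for
# executable contents. None of these are real binaries or real signatures.
SAMPLES = {
    "approved_editor.exe": b"MZ approved text editor build 1.0",
    "approved_mail.exe":   b"MZ approved mail client build 4.2",
    "known_worm.exe":      b"MZ worm the vendor has already published a signature for",
    "novel_worm.exe":      b"MZ brand-new worm, no signature exists for it yet",
}


def sha256_hex(data: bytes) -> str:
    """Identity of a program for policy purposes: its SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class BlocklistPolicy:
    """Signature-style antivirus: deny only what is already known bad."""
    bad_hashes: set

    def decide(self, data: bytes) -> str:
        return "deny" if sha256_hex(data) in self.bad_hashes else "allow"


@dataclass
class AllowlistPolicy:
    """Default-deny execution control: run only approved programs.

    Anything unrecognised is refused and its hash recorded, the
    'immune memory' from the post: a blocklist that grows from the
    allowlist's own rejections rather than from vendor updates.
    """
    good_hashes: set
    seen_bad: set = field(default_factory=set)

    def decide(self, data: bytes) -> str:
        digest = sha256_hex(data)
        if digest in self.good_hashes:
            return "allow"
        self.seen_bad.add(digest)  # remember the rejection for audit/response
        return "deny"


def build_policies():
    """Both policies built from the same constructed knowledge: the vendor
    knows known_worm; the site has approved two programs."""
    good = {sha256_hex(SAMPLES["approved_editor.exe"]),
            sha256_hex(SAMPLES["approved_mail.exe"])}
    bad = {sha256_hex(SAMPLES["known_worm.exe"])}
    return BlocklistPolicy(bad), AllowlistPolicy(good)


def evaluate(policy, samples=SAMPLES) -> dict:
    """Run every sample through a policy; returns {name: 'allow' | 'deny'}."""
    return {name: policy.decide(data) for name, data in samples.items()}


def gap_between(blocklist_result: dict, allowlist_result: dict) -> list:
    """Programs the blocklist lets run that the allowlist refuses: the
    'signature not written yet' window the post is about."""
    return sorted(name for name in blocklist_result
                  if blocklist_result[name] == "allow"
                  and allowlist_result[name] == "deny")


if __name__ == "__main__":
    blocklist, allowlist = build_policies()
    b, a = evaluate(blocklist), evaluate(allowlist)
    for name in SAMPLES:
        print(f"{name:22} blocklist={b[name]:5} allowlist={a[name]}")
    print("blocklist gap:", gap_between(b, a))
```

Run it and the blocklist lets `novel_worm.exe` execute because no signature exists for it yet, while the allowlist refuses it and the known worm alike, and comes away with both digests in `seen_bad`. The cost the allowlist pays is the one the post hints at in its parenthesis: every legitimately new program has to be approved before it runs.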
  •  02-27-2007, 1:07 AM 24623 in reply to 24608

    Re: Antivirus - good for cleanup, not prevention

    I don't know, it can often take a while for a virus to gain traction. I know they spread rapidly, but I believe that the rapid spread only comes after they hit a tipping point - and if your AV vendor can get in before the tipping point is hit you're alright.

    That said I should mention the only virus attacks any organisation I've worked at have suffered from have been OLD in terms of viruses. One workplace got the Sasser worm, months after it had hit the news and the patches / cures and sigs had been released. The problem was that we had some legacy "don't touch this system, if it breaks it'll cost thousands" machines and they weren't immune.

    I think you'd be surprised how active old viruses can be - in which case AV can be preventative.

    On an interesting note, my old 486 had a virus for years and years before we noticed, it had never caused problems because it exploited re-writeable BIOS (or CMOS can't remember) to ruin your PC. Except the 486 didn't have a re-writeable BIOS (or CMOS) so it benignly sat on the PC failing to achieve anything for literally years and years.

    The one, the only, the undisputed king of the world.
  •  02-27-2007, 5:31 AM 24624 in reply to 24623

    Re: Antivirus - good for cleanup, not prevention

    Some good points. I'll concede that A/V is still good prevention for older viruses, and that they are still active.

    Obviously the best preventative for viruses is just not to run any unknown programs that arrive via e-mail. This is probably the number one infection method. Almost all clients, friends, and relatives of mine that get infected got the virus this way.

    My burning question is, every update to A/V software makes the database bigger. Every program you run gets checked against the *entire* database. What is performance going to be like when virus databases reach 1GB or more? I see a tipping point coming where A/V (at least the current generation) becomes such a performance drain that the cost/benefit ratio no longer justifies using it. In fact, at least for me personally, that tipping point has already come.

    I have been using computers since primary school, and the one virus infection I've had was on a work machine, and it got there by spreading via administrative shares (now disabled) from other infected machines on the network. Every few months or so I do a manual scan with updated definitions just to be sure, but the always on scanning option just bugs me.
    Disclaimer: Batteries not included. Barbie and Ken sold separately. Only effective in conjunction with a kilojoule-controlled diet.