While reading this thread a thought occurred to me. Rather than derail the thread and take it off topic I thought I'd start a new one.

Premise:

Are AntiVirus solutions appropriate in a server environment or are they becoming a "warm, fuzzy feeling" issue for those that implement them? What follows is a discourse aimed at the "professional" world not the home user market.

Viruses and Worms:

The threat today and in the future is from two beasts that are quite distinctly different, (let's not start on "blended threats"), in the way they function and their target "audience". The differences seem to be, (Yes, there are generalizations...):-

1. Viruses, by definition require human interaction where worms do not.

2. While viruses can spread very quickly, worms can spread even faster and in the future are expected to move worldwide in fifteen minutes or less.

3. Worms rely upon exploits in functioning, publicly available services while viruses rely upon user "stupidity"(?)

4. The defense against a worm is to patch the vulnerability it exploits or to close the service until a patch is available... (Yeah, we could packet capture the worm and use a Snort rule to reset the connection at both ends.... But that's another story... and if it is polymorphic it won't work).

5. The defense against viruses is to recognize a signature and act accordingly per the user configuration.

The problem as I see it.

There's a reason you need Firewalls, The Cleaner for trojans, Ad-Aware/SpyBot/CWShredder/HiJack This for ASMware and your favorite AV program to keep your precious computer safe from viruses and worms. No single solution can keep up, effectively, with the volume and variations of everything as a whole. Why? Because they are based on different delivery methods, signatures etc. etc.

The Issue

Since the appropriate defense against worms differs from that for the defense against viruses why do the AV companies waste their time working on worms for their "professional" grade products?

My Reasoning

At the server level, (one that is publicly available), the AntiVirus program "protecting" you usually reacts "post" exploit by a worm. But with worms moving through publicly available services the AntiVirus won't be aware of the worm's signature because the signature may not yet be available. Furthermore, with the trend in "attacking" the AV software to disable it, it isn't inconceivable that a worm could disable the AV, alter the signature file to ignore itself, and restart the AV to make the administrator believe he has a good, updated AV and is therefore safe from the very worm he is hosting.

Worms that exploit publicly available servers are best protected against by effective firewalls that block all access to services that are not essential and timely patching of vulnerable services by the administrator.

Viruses aren't generally aimed at the server... They are aimed at the user and the most common form of transmission to the user is email. The mail store can be protected as can the client. But unless you are a totally inadequate administrator a worm should never reach your clients. Should it?

The Question

Is it time for AntiVirus vendors to accept that they cannot properly defend servers with publicly available services from fast moving worms and concentrate on the common vectors of attack used by viruses specifically, thus improving their reaction speed to the rapidly mutating viruses that have become all too common?

Thoughts.... Comments.....