The AntiVirus Vulnerability Gap
Imagine that your office is in an area where a sudden increase in the level of burglary is occurring. The thieves have found a way of getting into buildings that circumvents the primitive security alarms that everyone uses. Naturally, you phone your security adviser and provider, to whom you pay a handsome retainer, and he tells you, “Unfortunately, at the moment there aren’t any security alarms that work for this kind of burglar. But don’t you worry none, we have researchers with astronomic IQs working on the problem right now and when one of them comes up with something we’ll be sure to send someone in to fit a better alarm.”
Pathetic, isn’t it? That’s anti-virus software for you.
The AVID (Anti-Virus Is Dysfunctional) campaign has the single goal of destroying (or at least seriously diminishing) the $3.7 billion AV industry. The point is that there is excellent technology, which completely prevents viruses, worms, Trojans and other malware, 100 percent, and it is available now from a clutch of vendors (Bit9, Securewave and AppSense). Some of the companies that have adopted such technology no longer deploy AV technology and none of them need to. The problem is cured. If this technology were adopted across the board it would significantly diminish digital crime.
While I’m writing this, Symantec is desperately trying to recover from a stack overflow vulnerability discovered by the independent security firm eEye. Far be it from me to kick an AV vendor when it’s down, or to exaggerate a security threat. Truth to tell, this high-profile stack overflow never became a zero-day threat: no virus writers got anything going to exploit it before it was fixed. It was, however, a zero-day PR threat, especially as Symantec is about to launch some new product or other (called Norton 360). Symantec responded at lightning speed, announcing on Sunday that it had issued a patch. The patch itself shipped two days later, on Tuesday (according to TGDaily.com). This behaviour by Symantec echoes the subject of this week’s AVID posting in a spooky way.
A correspondent wrote to criticize my last few AVID postings, pointing out that I had missed a crucial point about the length of time you are at risk if you are foolish enough to depend on AV software. My correspondent referred to this as the AV distribution problem. I ’fess up. He was right. He pointed out correctly that the fix times I published in the League of Shame only give the time it takes the AV vendor to post the new signature for download. The truth of the matter is that the AV software on your machine still has to download that signature before you have any protection at all.
Thus, even once a fix is available, you don’t actually get it until your AV software performs its next automatic update (unless you initiate the job manually). AV companies vary as to how frequently their software checks for new signatures. With some products, automatic updates happen only once a week. Yes, hard to believe, isn’t it? The most frequent is Kaspersky Labs (eight times a day, i.e. every three hours).
So get this: your AV vendor may take two days (i.e. pathetically long) to get a fix ready, but if your software happened to check for updates just before the fix was posted, you could be exposed for a further seven days to some horribly expensive (for you or your company) virus that the AV vendor was supposed to be protecting you against. The distribution delay is a whole polling interval in the worst case, on top of however long the vendor took.
It’s a racket isn’t it? A lack-of-protection racket.
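The two delays the correspondent describes can be put into a few lines of arithmetic. The Python below is an added illustration, not code from the original post: it takes the moment a vendor posts a signature, the moment a client last polled for updates and the client’s polling interval, and works out when the client is actually protected. The dates are constructed; the weekly and three-hourly polling intervals and the two-day vendor fix time are the figures the post itself quotes.

```python
from datetime import datetime, timedelta
from math import ceil


def protected_at(signature_posted: datetime, last_update: datetime,
                 poll_interval: timedelta) -> datetime:
    """Instant at which a client whose AV polls every `poll_interval` and last
    polled at `last_update` actually receives a signature the vendor posted at
    `signature_posted`. Until then the client has no protection, however fast
    the vendor was."""
    if poll_interval <= timedelta(0):
        raise ValueError("poll interval must be positive")
    if last_update >= signature_posted:
        # The most recent poll already happened after the signature went up,
        # so it was picked up then.
        return last_update
    # Otherwise the signature arrives on the first scheduled poll at or after
    # the time it was posted.
    elapsed = signature_posted - last_update
    polls_needed = ceil(elapsed / poll_interval)
    return last_update + polls_needed * poll_interval


def exposure_window(outbreak: datetime, signature_posted: datetime,
                    last_update: datetime, poll_interval: timedelta) -> timedelta:
    """Total time the client is exposed to a piece of malware first seen at
    `outbreak`: the vendor's fix time plus the distribution delay."""
    return protected_at(signature_posted, last_update, poll_interval) - outbreak


def worst_case_exposure(vendor_fix_time: timedelta,
                        poll_interval: timedelta) -> timedelta:
    """Upper bound on exposure: the client polled just before the signature
    went up, so it waits a full polling interval on top of the fix time."""
    return vendor_fix_time + poll_interval


if __name__ == "__main__":
    # Constructed scenario (not a real incident): malware appears on a Sunday,
    # the vendor posts a signature two days later, on the Tuesday.
    outbreak = datetime(2006, 12, 17, 0, 0)          # Sunday
    signature_posted = datetime(2006, 12, 19, 0, 0)  # Tuesday

    # Product that polls once a week, last polled on the Saturday before.
    weekly = exposure_window(outbreak, signature_posted,
                             datetime(2006, 12, 16, 12, 0), timedelta(days=7))
    # Product that polls eight times a day, last polled an hour before posting.
    three_hourly = exposure_window(outbreak, signature_posted,
                                   datetime(2006, 12, 18, 23, 0), timedelta(hours=3))

    print(f"weekly poll:       exposed for {weekly}")
    print(f"three-hourly poll: exposed for {three_hourly}")
    print(f"worst case, weekly poll: "
          f"{worst_case_exposure(timedelta(days=2), timedelta(days=7))}")
```

Note that the vendor's two days are the same in both runs; everything beyond that is the client's own polling schedule, which the fix times in the League of Shame do not capture.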