Declaring War Against Virus Alerts

In January 1999, anti-virus software was a product. By January 2000, anti-virus became a service. Regardless of how solid a product may be, the efforts of the company behind the software are becoming equally as important.

Throughout that one-year period, the words "virus alert" have become similar in effect as the boy who cried wolf.

With viruses like the Melissa attack being sent to well-known companies, corporate America became very tense in 1999, on the lookout for the next virus.

Anti-virus (AV) vendors worked to eradicate the spreading of viruses before a heavy toll was taken, but as the year wore on, vendors came under scrutiny for taking advantage of the fear within IT departments. Every time a new virus emerged, after all, every major AV vendor issued a virus alert or warning in one form or another.

Cynics say AV vendors used the warnings to win new customers and sell more software to existent ones, simply to generate revenue. The Melissa virus, as an example of how profitable a wide-spread virus can be, helped AV companies increase their sales by 60 percent to 70 percent the week immediately following Melissa, according to reports.

Last November, according to Joe Welles, founder of The WildList Organization International (www.wildlist.org), which lists viruses found in the wild, the practice went over the line. AV vendors released a virus alert that was hardly worthy of the moniker.

"It was a horrible press release describing a terrible virus. As a result, a lot of companies were swamped with calls, but nobody had even seen the virus," he says.

To combat such a situation, Welles joined forces with AV vendor Trend Micro Inc. (www.trendmicro.com) to build an independent, public interest risk-assessment organization, known as Warlabs (Welles Anti-virus Research Laboratories, www.warlabs.com).

Although Warlabs is a wholly owned subsidiary of Trend Micro, it remains independent, and all AV vendors have equal access to Warlabs’ information.

"We have our own non-disclosure agreement, so if other AV vendors tell us something that is confidential, we don’t tell Trend Micro," Welles says.

Warlabs doesn’t compete with vendors, but rather compliments their efforts. The Warlabs Web site provides information about and links to all the major AV vendors. Visitors to the site can search simultaneously across all vendor sites. Users also have access to online journals and columns written by anti-virus experts.

More important, the Warlabs Web site provides analysis and risk-assessment on viruses. So when a virus emerges, Warlabs obtains the virus, analyzes it, and provides a product-independent report on the virus.

The analysis is designed to answer base-level questions that are not usually answered: How a company got the virus, where it came from, what the virus did to a company’s systems, and how to get rid of it.

Getting rid of a virus will be an important aspect of this. Often, a virus fix that anti-virus vendors provide does not go out and reset the registry and reset the level of security, so companies can get reinfected by the same virus.

While some vendors run laboratories, such as Symantec Corp.’s (www.symantec.com) SARC, that obtain the virus and work to issue a fix before the virus spreads, Warlabs does not aim to provide any fixes.

"We’ll let the AV vendors get the fix, that’s their work," Welles says. "We want to focus on making sure that if a company issues a virus alert, that virus is really worthy of an alert."