Last year, infamous names like Melissa or Chernobyl (also known as CIH) made the headlines, but according to the UK-based Virus Bulletin, as many as 300 to 400 new viruses appear every month.
Ranged against this threat are the antivirus software manufacturers which analyst International Data Corp (IDC) estimates will take the largest share of the Internet security market, with revenues approaching $US3 billion by 2002.
A few years ago, when antivirus protection was something that took place exclusively on the desktop, a much larger number of vendors were competing for the market.
In recent years, the increasing number and complexity of viruses has favoured those companies large enough to maintain laboratories to analyse the latest strains and keep their packages up to date. The leading vendors all provide remote updating services to ensure their users are equipped with the latest virus definitions or detection methods.
Symantec, for example, maintains labs in the US, Europe, Japan and Australia, and the signatures of new viruses it discovers are delivered to users of packages such as Norton anti-virus over the Net using a feature called Live Update. McAfee, owned by Network Associates, has a similar facility it calls McAfee AVERT (Anti-Virus Emergency Response Team) and Trend Micro has also switched to a central server-based virus definition system in the past two years.
Meanwhile, the ICSA's latest Virus Prevalence Survey found that the likelihood of a company experiencing a computer virus has more than doubled for each for the past four years: about 43 per cent of respondents had experienced a "virus disaster", defined as 25 or more PCs or servers infected at the same time.
Reports flood in
The Sydney-based regional manager of the Symantec AntiVirus Research Centre (SARC), David Banes, says he receives thousands of virus incidence reports from users each month. Of these, about 150 to 200 end up being classified as new viruses, but Banes considers that at any given time "only a handful, a couple of dozen perhaps" are dangerous.
SARC is about to begin classifying viruses according to the threat they pose, ranging from category 5 (minimal) to category 1 (very severe). The classic example of a category 1 virus, one which is found in the wild, causes damage and is easily spread, was Melissa.A.
Melissa sent 50 copies of infected files to names gleaned from the user's contacts in Microsoft Outlook Express. Intel, which to its credit admitted it was one of the companies affected, reported its network was temporarily brought to its knees as multiple copies of 3MB files were sent to and from its offices around the world.
To cure Melissa most companies had to shut down their e-mail servers, but in some cases longer-lasting damage was difficult or impossible to repair. The infected file sent by Melissa could be anything from a confidential document to a pornographic image or video clip, and it would arrive at the recipient with the message: "Here is that document you asked for . . . don't show anyone else ;-)".
But Symantec's Banes describes Melissa as "more of a wake-up call for users rather than vendors.
"Melissa was just another ordinary macro virus," he maintains, which like the trojans that launched the distributed denial-of-service (DOS) attacks against Yahoo and other sites recently, would be detected by most packages as long as the virus definitions were up to date.
One positive result of Melissa has been that users have developed a healthy fear of e-mail attachments, but viruses are now spreading in HTML e-mails that call Visual Basic scripts running the same sort of routines as Melissa.
"You don't even have to load an attachment. It's scary, really," said Banes.
He recommends that, where possible, users should set their Internet security options to high, but he realises this isn't always practical as this stops Java applets which are necessary to run some sites, including Symantec's.
Some antivirus vendors find it difficult to conceal their glee when a new harmful virus appears, but Banes says he tries to focus on the research.
"We have been accused of being like panel beaters standing at a bad intersection, but when a virus like Melissa hits I am the one who gets woken up at 5am, and then I find I'm working 16-hour days for the next few weeks."
Banes also points out that Melissa affected antivirus vendors in other ways.
"SARC's Live Update servers were completely hammered," as panicking users rushed to update their software. "We had to double our capacity, and it was a similar story on our Web site - we'd never hit such a peak in traffic before."
The threat from Melissa has faded but variants are still active, as is CIH, especially in the Asia-Pacific region where it originated.
According to Banes, only the old DOS viruses are finally beginning to fade away. Current threats are the Happy99.Worm and W97M.Marker.
"There are some interesting NT viruses which get around the security by modifying the kernel," he said. While Symantec has reported a virus that runs on Windows 2000, Banes says he has not seen anything aimed at this operating system, yet.
"I think we are still in a bit of a lull after the New Year".
The business development manager at Auckland-based distributor Soft Solutions, Paul Leslie, says the pace of virus development underlines the need for remotely updateable software.
"It's only any good if it's right up to date. Antivirus protection that might have done the job three years ago certainly won't be doing it now."
As a distributor of Trend Micro products in New Zealand, Leslie says he is amazed at the number of users who continue to run outdated software or fail to deploy it properly.
"I don't know if the channel is really aware of the problem and hence the business opportunities, but there are some good ones out there. Time and time again we come across users who are locked into decisions made three years ago which don't apply any more," he says.
For example, Leslie says that he is encountering sites with a mixed environment of competing antivirus brands, which were installed on the premise that if one package doesn't catch a virus then another one will.
But Leslie says that virus detection rates is not an issue. Trend Micro asserts that its software, as well as competing packages from the major vendors, is now delivering a 100 per cent detection rate.
The problem, says Leslie, is usually "a failure of management or configuration".
No less than 95 per cent of virus attacks are occurring at sites where there is already some virus protection in place.
Of these attacks, Trend Micro estimates 70 per cent are coming through the firewall, 20 per cent via e-mails and only 5 per cent at the desktop or server.
Leslie says that the desktop or server figure, which refers to viruses borne on floppy disks, occurs largely as a result of people taking work to and from home, but the days of people bringing in shareware games are largely over.
Perhaps the most surprising statistic is the 70 per cent of viruses are entering through the firewall, which you might have imagined was designed to protect user's systems from such threats.
Not so, says Leslie. "A firewall is a security gateway protecting against unsecured entry. It doesn't do content checking. However, by adding an antivirus package, you are able to check for viruses going in or out."
Checking for viruses going out can be just as important as stopping inbound viruses. To be identified as the source of even the most harmless macro virus is embarrassing, but Melissa showed it had the capability to damage business relationships.
Leslie says many companies are taking the opportunity to look at e-mail management and filtering at the same time as they install antivirus software.
"Other things apart from viruses can damage your business," he says.
These include ill-considered e-mails perhaps containing inappropriate language - and some companies are classifying their competitor's names as "dirty" words so that any messages which mention them will be intercepted.
Content scanning One of Trend Micro's most popular packages, based on trial downloads from its Web site, is InterScan Virus Wall, which scans a company's Internet gateway using SMTP, FTP and HTTP protocols; that is, it checks e-mail, file transfers as well as Web traffic. The package also optionally blocks malicious ActiveX code and Java applets.
"We are definitely seeing a merging of these elements into one Internet security space," says Leslie.
The last year has seen most of the major antivirus vendors begin to forge alliances with applications developers or content filtering specialists.
Trend Micro, for example, has entered into an agreement with the content filtering software company Cyber Patrol, and Symantec acquired URLabs, which specialises in screening Web or e-mail content in real-time. This technology is being incorporated into Symantec's Mail-Gear and I-Gear corporate Internet security products.
McAfee's owner, Network Associates, also owns other business units providing firewall, intrusion detection and encryption products, as well as anti-spam and e-mail filtering products.
McAfee is strongly allied with Microsoft and its Active Virus Defense (AVD) range includes GroupShield for Exchange, which the company claims is the first antivirus software to include API-level integration with Microsoft Exchange.
Similarly, Symantec has developed dedicated versions of its Norton anti virus package; for example, for Lotus Notes/Domino users.
Meanwhile, the firewall companies are getting in on the act as well and Check Point Technologies has worked with both Trend Micro and Symantec to develop packages using Check Point's Content Verification Protocol (CVP).
Ofer Reshef, a consultant at Wellington-based Optimation who advises clients on their choice of antivirus software, believes it is important to look at the user's environment as a whole.
He believes that support for distributed environments and the ease of management are now the key questions in comparing products.
"The best package is likely to be the one that is easiest to maintain," says Reshef.
"Some packages require considerable ongoing maintenance, so you want a package with automatic updating mechanisms."
Some packages will download the latest virus definitions and then distribute them to multiple points of presence, which is obviously preferable to multiple downloads from the desktop. The level of reporting and the alerts a package provides are also important considerations, as is, of course, cost.
Reshef says the cheapest and most cost-effective solutions are those installed at the user's mail gateway or Web proxy server.
"This also allows you to do other things, like adding an automatic signature or disclaimer to e-mails or to automatically archive them," he says.
Taking the gateway concept to its logical conclusion would suggest that ISPs may have a part to play in virus protection, but apart from Microsoft, which scans Hotmail messages, most service providers have so far been reluctant to get involved.
Symantec's Banes says he has come across a couple of ISPs in the UK offering virus scanning but there are some privacy issues involved.
"Users are asking, Do I really want my ISP to be stripping out macros from my e-mails?'"But Optimation's Reshef thinks ISPs are more concerned about possible lawsuits if things go wrong.
"How much responsibility are they willing to take?" he asks, pointing out that this is a serious question to ask with any anti virus installation. "If a virus attack succeeds because the virus definitions weren't updated for six months then who is to blame?"
At the end of its annual report, the ICSA warned software vendors that as new forms of malicious software can spread so fast through the Internet, waiting for antivirus vendors to produce updates to signature tables is no longer enough.
"In 2000, the antivirus industry will need to develop better heuristic techniques to identify the abnormal behaviour of such viruses/worms, stopping them even if they aren't immediately identified by their signatures."
But Reshef is sceptical on this point. "We are seeing more and more viruses so it would make sense to stop suspicious activity, but I don't know how you would define suspicious activity'. Installing software already looks suspicious to most antivirus packages and they must be switched off while this takes place.
"There are pros and cons, but at the end of the day you have to rely on scanning various signatures. There's always going to be the poor guy who suffers the first attack and he will pass on the definitions to the vendors."