Analysts argue that virus alerts lack standards

From...

By Dan Verton

(IDG) -- The "Klez.E" worm, a new variant of a well-known threat, reared its ugly head last week -- and fizzled.

But that didn't stop the antivirus vendor community from pelting users with a series of dire warnings and alerts that offered no consensus on the real threat (see story). As a result, users, analysts and even executives in the antivirus industry said it's high time that a standard reporting and risk rating procedure is established.

In an open letter to the Anti-Virus Information Exchange Network, Kenneth Bechtel, founder and anti-virus researcher with Team Anti-Virus, urged the antivirus vendor community to provide a more accurate description of their alert levels.

"While we recognize there is no possibility of having a unified threat scale developed overnight, we would greatly appreciate if you could add a short text description to your alert levels," wrote Bechtel. "Trying to figure out if level 2 is a great danger or low danger can be confusing if you only have the e-mail to go on."

IDG.net INFOCENTER Computerworld main page Computerworld's topic-oriented communities Computerworld's IT career center Free daily newsletters Related IDG.net Stories Klez.e worm threat appears to be contained Klez.e worm set to trigger tomorrow Survey: Virus problem grew in 2001, will grow in future Features PC World.com Product Finder Mastering e-commerce by degrees Fast-track training puts nontechies in IT jobs Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com UnixInsider IDG.net search

"I disregard [the vendor] classification schemes," said Keith Morgan, chief of information security at Terradon Communications Group LLC, a Nitro, West Virginia-based content management company. "I go by what I see in the wild."

The lack of consensus and standard threat-rating procedures for virus outbreaks was highlighted last week, when six of the major antivirus vendors issued six different threat levels for the Klez.E worm. All six vendors that issued warnings acknowledged the need for a standard warning system.

"It's very difficult to come up with a single reporting mechanism," said Joe Hartman, director of North American antivirus research at Cupertino, California-based Trend Micro Inc. "It really depends on where your customer base is. It would benefit all of us if we could agree on one way."

"Our [ratings] are customer-centric, because that's who we're protecting," said Vincent Gullotta, a vice president at McAfee Anti-Virus Emergency Response Team, a division of Network Associates Inc. "We look at prevalence -- what our customers are reporting to us -- which is 60 percent to 70 percent of a risk assessment."

"Most vendors use the same criteria, but every vendor has pockets or areas where their customer base is located," said Steven Sundermeier, a product manager at Central Command Inc. in Medina, Ohio.

"Each company has a different view of the world," said Vincent Weafer, senior director of security response at Cupertino-based Symantec Corp. "That's why we try to have ratings based on the virus itself."

But Sophos Inc. in Lynnfield, Massachusetts, has abandoned threat ratings altogether, said Chris Wraight, a technology consultant at the company. "Our style is not to hype it and scare clients into buying more antivirus software," said Wraight. "When we issue an alert, we state explicitly how many reports we've had from our customer base." In the end, "you probably want to sign on to multiple security news lists," said Sundermeier. Having multiple alerts will assure a more accurate picture, he explained.

"When attempting to put a finger on the real risk of a virus, it is important to review at least three major vendors' Web sites," said analyst David Bass at PricewaterhouseCoopers in New York. "A user or administrator should not jump to conclusions based on information on any one vendor's site."