Julian said:
> If AV companies can share samples with each other, why couldn't they
> share some technology or contribute in some other way to an open source
> AV, much as the likes of Sun and IBM do to Linux? ...
Well, for starters, all their engines work quite differently. This is
why occasionally some new kind of virus will come along and some vendors
have totally reliable detection available almost immediately and as part
of a normal detection update, whereas others may take weeks to months to
get a properly tested (major) engine revision ready to ship.
When you realize that simple grunt scanning is only a tiny part of a
contemporary virus scanner it should be obvious that there is, in fact,
very little _technology sharing_ possible between developers. What
matters is access to samples and, occasionally, sharing information
about arcane, poorly documented (or undocumented) file formats and the
like...
> ... It would be in the
> interest of the computing community as a whole to have an effective open
> source AV. One example: it would help to eradicate viruses altogether if
> the low-cost consumer ISPs could run virus scanning on their servers,
> which they can't afford to do at the moment because of the prohibitive
> "per-user" cost of commercial network virus scanners. Another example:
> OEMs producing cheap PCs could afford to install it as standard on every
> new computer.
If this actually happened (and it kind of started to happen once, with
MSAV), you would see the "bad guys" deliberately target the standard,
default scanner. All scanners have weaknesses (despite all the marketing
hype, they are all far from perfect and a lot of the "science" of
designing some detection processes is really the art of making good trade-
offs in such a way as to not make it too obvious where the gaps are...) so
a very widely distributed scanner would, in its success, make itself a
target for exploitation. Now, MSAV was not too successful despite being
packaged with DOS (many folk disabled it) but even still, several of its
flaws were quickly exploited by new viruses. If a widely distributed,
high market penetration product was open source as well, it would just be
that much easier for the bad guys to find the holes and weaknesses.
> Perhaps it's because they don't want to kill the goose that lays the
> golden egg.
> It's certainly not in the interests of commercial
> anti-virus companies to succeed in effectively eliminating viruses
> before they reach the customers.
Of course it is not in their commercial interests, but apparently
"eliminating viruses before they reach the customers" is not what most of
those customers want either! Known virus scanning _CANNOT_ achieve that.
There is known technology (that is very similar to that in most existing
scanners) that can do much better than known virus scanning, but folk
aren't interested in using it (though that may be partly because no-one
actually ships such a product).
> Perhaps this is why many of those who have the expert knowledge, who
> possibly have some connection with the commercial AV developers, prefer
> to criticize rather than help the open source project?
The "experts" at the core of the AV industry would easily find all manner
of other employment, due to their training, intellectual curiosity, skills,
experience, etc, etc, etc. They certainly do not need malware writers to
keep writing viruses to keep themselves in work. Of course, the addictive
update model required by the deeply flawed known virus scanning technology
everyone seems to prefer using does provide a "natural" business model that
keeps AV industry executives (and their shareholders) smiling...