Debate: Anti-virus products just don’t work and vendors are not helping their customers

FOR - Andy Campbell, managing director, Reflex Magnetics

The anti-virus industry is encouraging virus writers by publicising every threat. What other industry offers products that require regular updating by the user at their own cost and then fails to deliver the service it has been bought for?

All computer users have AV software installed on their PCs and networks, yet surveys find that most people suffer virus attacks. It has not happened once, but every year since the earliest days of viruses.

The very nature of their offerings has created the beast that is the virus writer. They have fed his ego. By naming his offspring and identifying them it gave rise to the next generation. If in the early days these wretched authors had spent days over their creations, and were met by silence, they would quickly have become bored.

Ironically, when pundits and experts think of IT security, they think first of AV software. In reality, it has never really been a security tool. It is a useful forensic tool, listing what it has located providing it has prior knowledge of the specimen, but it is lousy at detecting and blocking the unknown.

AGAINST - Kevin Hogan, senior manager, Symantec Security Response

It is security firms' responsibility to alert their customers to new security vulnerabilities and viruses. If vendors did not publicly identify and name viruses, their customers would not know what was affecting their PC or how to deal with it. To ensure that the internet can remain open, safe and secure, vendors must provide customers with strategies to secure critical information while still allowing access.

Fewer virus writers today are kids looking for peer recognition. The impetus is increasingly financial reward. Viruses are now often created to steal specific information though backdoors or keyloggers or to create botnets.

And while security vendors provide regular updates, they only publicise the most prolific threats. If a threat reaches a level that poses a risk to internet users, security firms have a duty to warn their customers about it.

Responsible vendors do not put out information that may encourage virus writers, such as attributing threats to their authors. A vendor that didn't warn customers about new threats would be failing to provide a complete service.