Why antivirus is fighting a losing battle in your office
Whenever I’m called upon to deal with a virus infection inside a business network, I find myself having to swim desperately against a gigantic wave of sheer user incredulity.
Occasionally, I wonder whether I encounter this effect so often because I manage to explain myself more clearly in writing than I do face to face (despite always going into such meetings equipped with the most sophisticated visual aids, such as my Cross fountain pen and a sheet of A4 paper). So here is a handy summary of what happens to your business PC when a virus comes to call, and how this differs from what happens when a similar misfortune befalls your home PC.
Badly behaved business apps want all their users to have admin rights to their local PC, and require all sorts of hacking about
The first and most obviously incredulous reaction I encounter is always “we have antivirus, so that isn’t possible”. I shudder to imagine how many businesses are sitting there wide open as a result of accepting this fallacy (and as for home users, I refuse to imagine at all). If our antivirus program didn’t put up an alert, they say, then there can’t have been a virus attack.
I suspect that where my explanations really run onto the rocks is when I’m groping around for real-world metaphors to illustrate this appalling error of logic, which deludes so many management minds. That old joke about a guy falling off a skyscraper and exclaiming “so far, so good!” to the people he passes on each floor implies a suitable specific degree of complicity in the situation, but clashes with other observations about the nature of infectious processes.
Talking about biological infections doesn’t work very well either, because animals have immune systems and computers don’t, and whoever first thought of deploying such a metaphor clearly didn’t understand much about the nature of the immune response, the crucial role of pain and inflammation, and so on. If I make reference to Carl Zimmer’s utterly fantastic book Parasite Rex – which provides an in-depth look at a vast area of biology that actually makes a better metaphor – then people tend to look a bit uncomfortable and freaked out. “Parasites! Yuck! Guinea worms! Liver flukes! Ewww!”
The devils you know
So let’s go bare and brutally literal about this subject. Certainly your antivirus software knows about existing viruses, and it knows how to prevent certain types of virus infection that arise from files downloaded via your browser, or from traffic over your LAN, or from attachments to emails. There may be a few other types of presentation or infection that various different antivirus products manage to catch too, but I’m sorry to have to tell you that the products most favoured by businesses tend to be rather less all-encompassing with the protection they offer. I’m not intending to blacken the reputation of any particular antivirus software company by saying this, since quite apart from any other factors, the “rule of rubbish applications” trumps all other cards inside a business network.
That’s the rule that says businesses have to put up with incredibly badly coded applications, which would send home users running for a refund. Generally speaking, the more general purpose a piece of software is, the better coded it is likely to be. When did you last hear of an incompatibility or a crash in a zip compression utility? But how about the application that runs your business’ accounts, or operates your stock control system, or the parts-ordering interface to your supplier or manufacturer?
Those are all more specialist applications, so they tend not to suffer many competitors in their sectors, which means they’re insulated from the bracing forces of natural selection, and tend not to evolve very far or fast. One common consequence of this overall flakiness and indifference to progress is that these accursed programs are inclined to ignore all the layers of OS-level user security that Windows has been adding for the last half a dozen revisions.
Badly behaved business apps want all their users to have admin rights to their local PC, and require all sorts of hacking about – time-consuming, annoying and often repetitive hacking about – if this level of access is denied to them. This design decision (although it’s stretching a point to dignify it with the name “decision” at all) is so widespread and so continually rediscovered, because it’s useful and saves coding effort. But unfortunately, it wipes away swathes of sensible and elegant anti-infection measures, and puts antivirus software writers (who by contrast are intensely competitive, massively technical, and by definition must occupy the cutting-edge of their business) at a huge disadvantage.
In the home PC sector they can rely on the presence of fairly basic but highly effective OS-level precautions, but in the business arena these features are sometimes bypassed by various workarounds. Okay, let’s upgrade that “sometimes” to an “almost always”.
This notion, that badly behaved software can be fixed by granting admin rights to everybody, has attained the status of Professional Sacred Cow in the world of corporate IT, and I’m sorry to have to report that nowadays, I find people doing it almost as a reflex action, part of a body of false knowledge that shouldn’t be applied in such an unquestioning way.
The crucial ability that having admin rights confers, the one that fixes so many flaky applications, is the ability to write to directories in the Program Files folder tree. If only this single right were to be conferred, instead of the whole great package of other permissions that go with full “administrator” status, life would become much less tough for the antivirus software that has to keep out the bad guys.