
Virus alerts lack standards

Klez.E hype shows need for reporting procedure.



The Klez.E worm, a new variant of a well-known threat, reared its ugly head last week - and fizzled.

But that didn't stop the antivirus vendor community from pelting users with a series of dire warnings and alerts that offered no consensus on the real threat. As a result, users, analysts and even executives in the antivirus industry said it's high time that a standard reporting and risk rating procedure is established.

In an open letter to the Anti-Virus Information Exchange Network, Kenneth Bechtel, an antivirus specialist at Team Anti-Virus, urged the antivirus vendor community to provide a more accurate description of their alert levels.

"While we recognize there is no possibility of having a unified threat scale developed overnight, we would greatly appreciate if you could add a short text description to your alert levels," wrote Bechtel. "Trying to figure out if level 2 is a great danger or low danger can be confusing if you only have the e-mail to go on."

"I disregard [the vendor] classification schemes," said Keith Morgan, chief of information security at Terradon Communications Group LLC, a Nitro, W.Va.-based content management company. "I go by what I see in the wild."

The lack of consensus and standard threat-rating procedures for virus outbreaks was highlighted last week, when six of the major antivirus vendors issued six different threat levels for the Klez.E worm. All six vendors that issued warnings acknowledged the need for a standard warning system.

"It's very difficult to come up with a single reporting mechanism," said Joe Hartman, director of North American antivirus research at Cupertino, Calif.-based Trend Micro Inc. "It really depends on where your customer base is. It would benefit all of us if we could agree on one way."

"Our [ratings] are customer-centric, because that's who we're protecting," said Vincent Gullotta, a vice president at McAfee Anti-Virus Emergency Response Team, a division of Network Associates Inc. "We look at prevalence - what our customers are reporting to us - which is 60% to 70% of a risk assessment."

"Most vendors use the same criteria, but every vendor has pockets or areas where their customer base is located," said Steven Sundermeier, a product manager at Central Command Inc. in Medina, Ohio.

"Each company has a different view of the world," said Vincent Weafer, senior director of security response at Cupertino-based Symantec Corp. "That's why we try to have ratings based on the virus itself."

But Sophos Inc. in Lynnfield, Mass., has abandoned threat ratings altogether, said Chris Wraight, a technology consultant at the company. "Our style is not to hype it and scare clients into buying more antivirus software," said Wraight. "When we issue an alert, we state explicitly how many reports we've had from our customer base."

In the end, "you probably want to sign on to multiple security news lists," said Sundermeier. Having multiple alerts will assure a more accurate picture, he explained.

"When attempting to put a finger on the real risk of a virus, it is important to review at least three major vendors' Web sites," said analyst David Bass at PricewaterhouseCoopers in New York. "A user or administrator should not jump to conclusions based on information on any one vendor's site."

For more enterprise computing news, visit Computerworld online. Story copyright © 20021 Computerworld, Inc. All rights reserved.
