Why should I report my virus infections?

While this question is usually asked in a corporate environment, it is also asked by end users. Many people are under the false impression that if their anti-virus software has detected and eliminated a virus, the incident is of no importance to anyone else. Nothing could be further from the truth. I'll start on a global scale and work down to the company level. By the time I get there, I hope you'll see why each incident report is an important piece of a larger puzzle.

Before we can discuss why we should report viruses, we must understand that there is more than one type of virus. For simplicity, this paper will discuss virus types at the most common level. The two most basic (non-technical) types are wild viruses and zoo viruses. Simply put, wild viruses have infected someone in a work or home environment. These differ from viruses that exist only in collections, or zoos. Zoos are maintained mostly by researchers and developers, although some are maintained by private individuals who trade viruses like baseball cards. The second type of zoo serves no useful purpose and actually defeats the ultimate goal of many legitimate researchers: the elimination of computer viruses. Viruses in zoos may come from virus authors who submit their creations to anti-virus companies or researchers, from samples submitted by end users who have been infected, or from other researchers or trusted sources. Why does the distinction matter? Some viruses have not spread far or been effective at replicating. However, since their technology and methods exist, anti-virus vendors still need to protect their clients (users) from these threats. So how do we know whether a virus is a wild virus or a zoo virus? This is a by-product of reporting: if a virus is not reported, it cannot be determined to be in the wild.

This is the highest level of reporting. An organization of researchers and developers, building on the work of Joe Wells, produces a monthly report known as the Wildlist. The Wildlist is contributed to by researchers, developers, and product representatives worldwide. It is used by several agencies as a baseline for determining minimal protection standards. These agencies include Secure Computing's Checkmark certification, Virus Bulletin's certifications and evaluations, the International Computer Security Association (ICSA)'s certification, and the University of Hamburg's evaluations. The Wildlist is seen as a minimal standard for any anti-virus product, and is relied upon by many researchers as the authoritative statement of the threat worldwide. By using the Wildlist we are able to factor the virus threat into a measurable value within our risk analysis. It also tells home users which viruses pose the greater threat to them.

Right behind the Wildlist group are the developers and researchers who track the virus threat. These individuals directly or indirectly provide input to the Wildlist, and usually maintain a personal database of viruses encountered, evaluated and dissected. They are also the people who create the cures and contribute to the anti-virus products. While it is obvious why these individuals need to know what new or modified viruses are affecting users, it is less obvious why they need to know about the ones that are already known. Like everyone, virus researchers do not enjoy working long, involved hours; they would rather be proactive and prepared for the next virus. To do that, you need to know which viruses are affecting people, which ones have spread the furthest, and which are the most technically sound. The last item is determined in a lab setting by replicating the viruses and seeing which are the most stable across various platforms and generations. The other two items require user input: which viruses are out there, and where. With this information you can build a picture and work on a method to predict what techniques future viruses will use and how to defeat them. With the knowledge of which viruses are most successful at replicating, the researchers and developers are also able to educate people in the best ways to defend themselves.

Taking another step back, there is the company computer security/LAN management team. While these individuals are responsible for the operation and security of the computers on the network, they also must answer to company management and to the end users. They require accurate information to provide optimum protection for their network. They rely on the Wildlist, and on alerts from vendors and colleagues, for the 'large' view of the threat. Larger organizations often have ins with the vendors' support teams and may also receive special alerts or access to closed mailing lists, but again this only gives them an exterior view. For a direct view these people need to track what threats are on their own network. A few companies have taken draconian measures with this information and used it to penalize users, but most use it to show where their weakest link is, and then strengthen it. An example would be a sales department that is repeatedly caught distributing macro viruses. A review of that department shows that a few people are disabling the installed anti-virus package because it hinders their work, and that this practice is condoned by the departmental manager in spite of company policy. In this case, the department should be given a class on the dangers of computer viruses and, if necessary, the machines should be upgraded to the point where the AV package no longer interferes. There are individual cases where, no matter how powerful a machine a user is given, they will see AV software slowing them down to unacceptable speeds. This again is an education issue. In a larger organization, you also run into the challenge of multiple servers: what is the optimum method of updating a large number of users and servers in a timely manner, and which servers or users should have priority? (Physics dictates that you cannot update that many users at once and maintain a usable network.)

On the down side, if end users and LAN administrators do not report their infections up the chain, management has been known to pull funding for anti-virus protection. The mindset is: there is no threat, we have not been infected in the last several months, so we do not need to spend money renewing our license. In reality the LAN staff had set all client software to clean on detection. Since logging was turned off, management never saw the evidence of the glut of macro viruses, and within a week of removing the anti-virus product the company was heavily reinfested. It wound up spending more money on the cleanup and on renewing the licenses than if it had simply continued to protect itself.

At the lowest level of this chain of reporting is the end user or first-line support analyst, who may still be asking: so why should I take my time to report to anyone? "I'm only one person; if I have this problem, so do others, and they have more time and can or will report. I don't have the time." To you I pose this: you rely on the support of every person, department, organization, and company listed above. There have been accounts of poor anti-virus products that relied on the Wildlist alone for their detection base (fortunately, they are no longer in business). Anything not on the Wildlist for the last year or so was considered unimportant, and their protection rates slipped. Management does not spend money where it cannot see the expenditure turning a profit or offsetting a projected loss. Without feedback from the field the researchers cannot see the larger picture, anticipate the threat to you, and thus provide you a better product or protection. You are the foundation. You are the reason so many people are working on the problem of computer viruses. The world of computer virus protection is a circle. Without reporting, the circle is broken: the producers and researchers are blind and can see only a small, limited scope. Viewing that small a region, they will do the best they can to protect you, but the level of protection will not be as good as it could be.

With this knowledge of how your input is put to work, I hope you now understand that the time spent sending an email message or filling out a report form on a web page is time well spent in your own self-interest. While you may be only one voice, or one small section, that voice may be an important piece of the puzzle to someone further up the line. Your report could make the difference when it comes to the eradication of a virus from your company's network, or, in an extreme case, determine whether a virus is classified as in the wild or not.

© Kenneth L. Bechtel, II Copyright 1998