McAfee debacle shows why malware defense must evolve

The flawed McAfee update illustrates why a new model for defending against malware is necessary.

Last week a flawed DAT file from McAfee led to false positives that crashed Windows XP systems and triggered a massive cleanup effort. It would be very easy to simply point the finger at McAfee, terminate the employment of a scapegoat security engineer or two, and continue on with the status quo. However, the whole incident illustrates why the anti-malware industry, not just McAfee, needs to embrace the U.S. Marines mantra: improvise, adapt, and overcome.

The current model is like a war where the attacker gets to fire first, and only after some victims are hit can we take action to guard against a similar attack recurring. The reactionary, signature-based model is flawed by nature, and cumbersome to implement and maintain. It's a wonder that situations like the McAfee issue last week don't occur on a regular basis.

According to Symantec's Internet Security Threat Report XV, Symantec created 2,895,802 new malicious code signatures last year alone. This was a 71 percent increase over 2008 and a number representing more than half of all malicious code signatures ever created by Symantec. Furthermore, Symantec identified more than 240 million distinct new malicious programs, a 100 percent increase over 2008.

A Symantec spokesperson stated, "Knowing that Symantec produces up to 20,000 new malicious code signatures each day, and that other security vendors face similar circumstances, it becomes easier to understand, while not making it any more acceptable, a situation like McAfee faced last week."

Andrew Brandt, lead threat research analyst at Webroot, told me, "Being even more proactive, and building signatures based on what you think the malware authors might do with their creations, can also lead to situations where you create more false positives. The key is to be alert and responsive to malware (which is in a constant state of rapid evolution), to build signatures as quickly as possible, and then do thorough testing before releasing them to the wide world. After all, scientists need a sample of the new flu virus strains before they can make a vaccine. The analogy applies here, too."

Fair enough. Or maybe there are simply too many "flu strains" for the reactionary model of developing a vaccine after the fact to be effective. Perhaps it's time for anti-malware vendors to evolve and adopt new models that work more efficiently, providing the same level of protection with less effort on their part and less room for errors of the kind seen in the McAfee incident.

There are a couple of approaches. One is to stick with the signature-based model, but apply it in the cloud rather than on each individual system. This is the direction Webroot is headed. Brandt explained, "Putting the definitions into the cloud, instead of letting them reside on the endpoint has a clear advantage in cases like this. If a definition hosted in the cloud goes horribly, horribly wrong, we can pull that definition from circulation immediately, thereby limiting the scope of the damage, and hopefully containing it to the small number of users who happen to be in the unlucky position to be first to use a defective definition set."

Symantec is working on a different approach. Gerry Egan, director of Symantec Security Response, described it: "Symantec's Reputation-Based Security breaks at a fundamental level with the idea that a malicious file has to actually be captured and analyzed in order to protect against it. Instead, Reputation-Based Security works in a way similar to how Google ranks Web pages. Google's PageRank algorithm relies on what might be called the wisdom of the crowds to determine a specific Web page's value."

Egan continued, "In its most basic form, it essentially looks at how many other Web pages link to a page and each link is considered a 'vote' for that page. However, it looks at more than the sheer volume of votes, or links pointing to a page; it also analyzes how popular the page is that casts the vote. All this information is computed to give a Web page a ranking on Google."

There are other potential benefits to a reputation-based approach as well. There is no need to intercept a sample of malware first in order to defend against it, a lower risk of false positives, and less impact on the speed and performance of the PC. It can also be custom-tailored by IT administrators to implement and enforce policies.
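To make the "votes weighted by the voter's popularity" idea Egan describes concrete, here is an added illustration (not code from the article, Symantec or Google): a minimal PageRank-style ranker run over a constructed link graph, in which a page with a single vote from a popular page outranks a page with three votes from pages nobody links to.

```python
# Added illustration, not Symantec's or Google's code; the link graph is constructed.
# page -> pages it links to; a link A -> B is A's "vote" for B.
# "hub" gets five votes, "spam" three votes from obscure pages, "niche" one vote from "hub".
LINKS = {
    "a1": ["hub"], "a2": ["hub"], "a3": ["hub"], "a4": ["hub"], "a5": ["hub"],
    "s1": ["spam"], "s2": ["spam"], "s3": ["spam"],
    "hub": ["niche"],
    "niche": [],  # dangling pages link to nothing
    "spam": [],
}

def all_pages(links):
    pages = set(links)
    for targets in links.values():
        pages.update(targets)
    return sorted(pages)

def inbound_votes(links):
    # Naive ranking: just count how many pages link to each page.
    counts = {p: 0 for p in all_pages(links)}
    for targets in links.values():
        for dst in targets:
            counts[dst] += 1
    return counts

def pagerank(links, damping=0.85, iterations=200, tol=1e-10):
    # Power iteration: a page's score is the damped sum of its voters' scores,
    # each split across that voter's outgoing links, so a vote from a popular
    # page is worth more than several votes from pages nobody links to.
    pages = all_pages(links)
    n = len(pages)
    rank = {p: 1.0 / n for p in pages}
    for _ in range(iterations):
        new = {p: (1.0 - damping) / n for p in pages}
        for src in pages:
            out = links.get(src, [])
            if not out:  # dangling page: spread its score evenly over all pages
                for p in pages:
                    new[p] += damping * rank[src] / n
                continue
            share = damping * rank[src] / len(out)
            for dst in out:
                new[dst] += share
        delta = sum(abs(new[p] - rank[p]) for p in pages)
        rank = new
        if delta < tol:
            break
    return rank
```

Counting raw votes puts "spam" (3) ahead of "niche" (1); the weighted ranking reverses that order because "niche" is vouched for by the most-linked page in the graph.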

The signature-based model has been the default anti-malware defense for 20 years. It has served us well, and performed admirably in most cases. However, the malware developers are too numerous and agile for such a cumbersome defense to remain effective much longer.

As the threat landscape evolves, so must our defense system improvise, adapt, and overcome.

Tony Bradley is co-author of Unified Communications for Dummies. He tweets as @Tony_BradleyPCW. You can follow him on his Facebook page, or contact him by email at


Tony Bradley

PC World (US online)