McAfee debacle shows why malware defense must evolve

The flawed McAfee update illustrates why a new model for defending against malware is necessary.

Last week a flawed DAT file (McAfee's signature-definition update) produced a false positive on a legitimate Windows system file, crashing Windows XP systems and leading to a massive cleanup effort. It would be very easy to simply point the finger at McAfee, terminate the employment of a scapegoat security engineer or two, and continue on with the status quo. However, the whole incident is an illustration of why the anti-malware industry--not just McAfee--needs to embrace the U.S. Marines mantra: improvise, adapt, and overcome.

The current model is like a war where the attacker gets to fire first, and only after some victims are hit can we take action to guard against a similar attack recurring. The reactive, signature-based model is flawed by nature: every new signature is a change pushed to millions of endpoints under time pressure, and it is cumbersome to implement and maintain. It's a wonder that situations like the McAfee issue last week don't occur on a regular basis.

According to Symantec's Internet Security Threat Report XV, Symantec created 2,895,802 new malicious code signatures last year (2009) alone. This was a 71 percent increase over 2008, and a number representing more than half of all malicious code signatures Symantec has ever created. Furthermore, Symantec identified more than 240 million distinct new malicious programs, a 100 percent increase over 2008.

A Symantec spokesperson stated "Knowing that Symantec produces up to 20,000 new malicious code signatures each day, and that other security vendors face similar circumstances, it becomes easier to understand, while not making it any more acceptable, a situation like McAfee faced last week."

Andrew Brandt, lead threat research analyst at Webroot, told me "Being even more proactive, and building signatures based on what you think the malware authors might do with their creations, can also lead to situations where you create more false positives. The key is to be alert and responsive to malware (which is in a constant state of rapid evolution), to build signatures as quickly as possible, and then do thorough testing before releasing them to the wide world. After all, scientists need a sample of the new flu virus strains before they can make a vaccine. The analogy applies here, too."

Fair enough. Or, maybe there are simply too many "flu strains" for the reactive model of developing a vaccine after the fact to be effective. Perhaps it's time for anti-malware vendors to evolve and adopt new models that work more efficiently: the same level of protection with less effort on their part, and less room for an error with the impact of the McAfee incident.

There are a couple of approaches. One is to stick with the signature-based model, but host the definitions in the cloud rather than pushing them down to each individual system. This is the direction Webroot is headed. Brandt explained "Putting the definitions into the cloud, instead of letting them reside on the endpoint has a clear advantage in cases like this. If a definition hosted in the cloud goes horribly, horribly wrong, we can pull that definition from circulation immediately, thereby limiting the scope of the damage, and hopefully containing it to the small number of users who happen to be in the unlucky position to be first to use a defective definition set."
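The release controls Brandt describes (a defective definition set reaching only a small first cohort, and being pulled from circulation immediately) can be made concrete. The following is an added example, not Webroot's or McAfee's code: a toy cloud-side definition service in Python with three controls a practitioner would want around any signature release. Gate 1 is a false-positive regression check against a known-clean corpus before publication; gate 2 is a staged rollout in which each endpoint is assigned a stable canary bucket; the kill switch is a revocation flag that takes effect on the next lookup. The clean corpus, the malware sample, the byte-pattern "definitions" and the `DefinitionService` class are all constructed for the example; a real engine's rules are far richer, but the surrounding release discipline is the point.

```python
import hashlib

# Constructed data for the example: a toy known-clean corpus (the kind of files
# a definition must never flag) and a toy malicious sample.
KNOWN_CLEAN = {
    "svchost.exe": b"MZ\x90\x00 generic service host code; starts services",
    "explorer.exe": b"MZ\x90\x00 shell code; draws the desktop",
}
MALWARE_SAMPLE = b"MZ\x90\x00 drops payload then beacons GET /c2/ping"


def bucket(endpoint_id):
    """Stable 0..99 canary bucket for an endpoint (a hash, so no coordination needed)."""
    return int(hashlib.sha256(endpoint_id.encode()).hexdigest(), 16) % 100


class DefinitionService:
    """Cloud-side store: every scan asks the service which definition set applies,
    so nothing is cached on the endpoint and a revocation is effective immediately."""

    def __init__(self, clean_corpus):
        self.clean_corpus = clean_corpus
        self.versions = []   # publication order, oldest first
        self.sets = {}       # version -> {"patterns", "rollout", "revoked"}

    def publish(self, version, patterns, rollout_pct):
        # Gate 1: a new set must not fire on anything in the known-clean corpus.
        # The corpus is never complete, which is exactly why gate 2 also exists.
        hits = sorted((name, pat) for name, data in self.clean_corpus.items()
                      for pat in patterns if pat in data)
        if hits:
            raise ValueError(f"{version} flags known-clean files: {hits}")
        self.sets[version] = {"patterns": list(patterns),
                              "rollout": rollout_pct, "revoked": False}
        self.versions.append(version)

    def widen(self, version, rollout_pct):
        """Gate 2: widen the canary only after the early cohort reports no trouble."""
        self.sets[version]["rollout"] = rollout_pct

    def revoke(self, version):
        """Kill switch: the next lookup from any endpoint no longer sees this set."""
        self.sets[version]["revoked"] = True

    def version_for(self, endpoint_id):
        """Newest non-revoked set whose rollout percentage covers this endpoint's bucket;
        endpoints outside the canary keep using the previous fully rolled-out set."""
        b = bucket(endpoint_id)
        for v in reversed(self.versions):
            s = self.sets[v]
            if not s["revoked"] and b < s["rollout"]:
                return v
        return None

    def scan(self, endpoint_id, data):
        """Endpoint-side scan: returns (version used, list of matched patterns)."""
        v = self.version_for(endpoint_id)
        if v is None:
            return None, []
        return v, [p for p in self.sets[v]["patterns"] if p in data]


if __name__ == "__main__":
    svc = DefinitionService(KNOWN_CLEAN)
    svc.publish("v1", [b"GET /c2/"], rollout_pct=100)
    try:
        # A pattern that matches every PE stub is exactly the class of mistake
        # that brings down svchost.exe; gate 1 refuses to publish it.
        svc.publish("v2-bad", [b"MZ\x90\x00"], rollout_pct=5)
    except ValueError as exc:
        print("rejected:", exc)
    svc.publish("v2", [b"GET /c2/", b"drops payload"], rollout_pct=10)
    for ep in ("ep-1", "ep-2", "ep-3"):
        print(ep, "bucket", bucket(ep), "->", svc.scan(ep, MALWARE_SAMPLE))
    svc.revoke("v2")
    print("after revoke:", [svc.version_for(ep) for ep in ("ep-1", "ep-2", "ep-3")])
```

The useful property is in `version_for`: an endpoint never has to be told to roll back, because it never owned the definitions in the first place. The cost is a dependency on reaching the service for every scan, which is the trade-off a cloud-hosted model accepts.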

Symantec is working on a different approach. Gerry Egan, director of Symantec Security Response, described it this way: "Symantec's Reputation-Based Security breaks at a fundamental level with the idea that a malicious file has to actually be captured and analyzed in order to protect against it. Instead, Reputation-Based Security works in a way similar to how Google ranks Web pages. Google's PageRank algorithm relies on what might be called the wisdom of the crowds to determine a specific Web page's value."

Egan continued "In its most basic form, it essentially looks at how many other Web pages link to a page and each link is considered a "vote" for that page. However, it looks at more than the sheer volume of votes, or links pointing to a page; it also analyzes how popular the page is that casts the vote. All this information is computed to give a Web page a ranking on Google."

Symantec cites other potential benefits of a reputation-based approach as well: there is no need to intercept a sample of malware first in order to defend against it, a lower risk of false positives, and less impact on the speed and performance of the PC. It can also be custom-tailored by IT administrators to implement and enforce policies. The caveat is that reputation has to be earned: a brand-new legitimate file (a fresh software release, an in-house tool) has no track record yet, so the policy for "unknown" files matters as much as the scoring.
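Egan's PageRank analogy describes a scoring loop: each endpoint that holds a file casts a "vote" for it, a vote counts for more when the voter is itself well regarded, and the two quantities are computed together. The block below is an added example that implements that loop over constructed telemetry; it is not Symantec's algorithm or data, and the hash names, the `TELEMETRY` table, the `KNOWN_BAD` seed set and the thresholds in `verdict` are all assumptions made for the example. It also shows the policy layer the text attributes to administrators: a file seen on too few machines is reported as "unknown" rather than guessed at, which is where the lower false-positive risk comes from.

```python
from collections import defaultdict

# Constructed telemetry: which file hashes each endpoint reports holding.
# Names are placeholders, not real hashes.
TELEMETRY = {
    "ep-1": {"h_os", "h_browser", "h_office"},
    "ep-2": {"h_os", "h_browser", "h_game"},
    "ep-3": {"h_os", "h_office"},
    "ep-4": {"h_os", "h_browser", "h_dropper"},  # hypothetical infected host
    "ep-5": {"h_os", "h_dropper", "h_keylog"},   # hypothetical infected host
}

# Files an analyst has already confirmed malicious; their score is pinned to 0
# so the hosts carrying them lose standing.
KNOWN_BAD = {"h_dropper"}


def file_reputation(telemetry, known_bad=frozenset(), iterations=50):
    """Return (file_score, endpoint_score), both in 0..1.

    Each endpoint votes for every file it holds, weighted by the endpoint's own
    standing; an endpoint's standing is the mean score of the files it holds.
    Iterating the two updates is the mutual-reinforcement idea the article
    attributes to PageRank: a vote from a well-regarded voter counts for more,
    and a host that carries known-bad files drags down everything else it
    vouches for.
    """
    endpoints = {e: 1.0 for e in telemetry}
    holders = defaultdict(set)
    for ep, files in telemetry.items():
        for f in files:
            holders[f].add(ep)

    files = {}
    for _ in range(iterations):
        # Files: weighted vote count, normalised so the best-attested file is 1.0.
        files = {f: sum(endpoints[e] for e in eps) for f, eps in holders.items()}
        for f in known_bad:
            if f in files:
                files[f] = 0.0
        top = max(files.values())
        files = {f: s / top for f, s in files.items()}
        # Endpoints: mean (not sum) of what they hold, so that simply installing
        # more software does not buy a host more influence.
        endpoints = {e: sum(files[f] for f in fs) / len(fs)
                     for e, fs in telemetry.items()}
    return files, endpoints


def verdict(file_hash, scores, telemetry, min_prevalence=2, allow_at=0.4):
    """Policy layer; min_prevalence and allow_at are the knobs an administrator tunes.

    Known-bad -> block.  Too few sightings -> 'unknown' (hold, sandbox or prompt)
    rather than a guess either way: a reputation model declines to rule on a file
    it has barely seen instead of shipping a one-shot signature for it.
    """
    if file_hash not in scores:
        return "unknown"
    prevalence = sum(1 for fs in telemetry.values() if file_hash in fs)
    if scores[file_hash] == 0.0:
        return "block"
    if prevalence < min_prevalence:
        return "unknown"
    return "allow" if scores[file_hash] >= allow_at else "unknown"


if __name__ == "__main__":
    scores, hosts = file_reputation(TELEMETRY, KNOWN_BAD)
    for f in sorted(scores, key=scores.get, reverse=True):
        print(f"{f:10} score={scores[f]:.3f} verdict={verdict(f, scores, TELEMETRY)}")
    for e, s in sorted(hosts.items()):
        print(f"{e} standing={s:.3f}")
```

Note what the loop does with `h_game` and `h_keylog`: both are seen on exactly one machine, so raw prevalence cannot tell them apart, but `h_keylog` scores lower because its only voter also carries a known-bad file. Neither is allowed through at the default `min_prevalence`; the difference shows up in which one an analyst looks at first.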

The signature-based model has been the default anti-malware defense for 20 years. It has served us well, and performed admirably in most cases. However, the malware developers are too numerous and agile for such a cumbersome defense to remain effective much longer.

As the threat landscape evolves, our defenses must do the same: improvise, adapt, and overcome.

Tony Bradley is co-author of Unified Communications for Dummies. He tweets as @Tony_BradleyPCW. You can follow him on his Facebook page, or contact him by email at


Tony Bradley

PC World (US online)