[Mimedefang] for mcafee lovers

Matthew.van.Eerde at hbinc.com
Tue Mar 22 16:28:00 EST 2005


Kevin A. McGrail wrote:
> Finally, while I appreciate the security notice, I think we can all
> agree that virus scanning is only useful if you are running the
> latest engine and signatures regardless of the software used.  So for
> the benefit of others using McAfee, the McAfee 4440 engine patched
> the LHA exploit Secunia found like Oct/Nov of last year.

I have heard people ask, "How many AV scanners should I run?"
Some say "one" - some say "as many as you can get".

The McAfee exploit leads me to say "two" - why?

The same question was asked of the aerospace industry, in different words - "how many engines should we put on planes?"

The answer is "two".

Why?

There are two kinds of airplane engine failure:
Passive: the engine stops producing thrust
Active: the engine explodes

Similarly, there are two kinds of AV engine failure:
Passive: a virus is not detected (old definitions, say)
Active: a buffer overflow allows arbitrary code execution

Thankfully, active failures are much rarer than passive failures.

If you only have one engine, the two failures both have the same result - system failure (crash or infection).

If you have two engines, you can be reasonably sure that the passive failures in both engines will not coincide (although AV is a little different in this scenario), so you greatly reduce the risk due to passive failures (assuming independence, you multiply the two error rates).  You double the risk of active failures - but the net result is still a risk reduction, because active failures are so rare.

If you add any more engines beyond two, you're not significantly reducing the risk of passive failures... that's pretty low already with two (assuming the engines are from different vendors) - but you ARE still increasing the risk of an active failure.

Matthew.van.Eerde (at) hbinc.com                 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com         Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," 
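
The trade-off argued in the message above, as an added Python example that is not part of the original post: passive miss rates multiply across engines while the chance of an active failure grows with each engine added. The function names and all rates are constructed for illustration, and independence between engines is assumed, as the post assumes.

```python
# Added illustration (not from the original post). All rates are constructed.
# Assumptions: engines fail independently of one another, and an engine's
# active failure is independent of whether it would have detected the virus.

def combined_risk(n, p_passive, p_active):
    """Chance that a malicious message causes system failure with n engines.

    p_passive: per-engine chance of missing the virus (passive failure)
    p_active:  per-engine chance the scanner itself is exploited (active failure)
    """
    all_miss = p_passive ** n                  # every engine misses: rates multiply
    any_active = 1 - (1 - p_active) ** n       # any engine exploited: grows with n
    # Failure if any engine fails actively, or none does and all of them miss.
    return any_active + (1 - any_active) * all_miss


def best_engine_count(p_passive, p_active, max_engines=6):
    """Engine count in 1..max_engines with the lowest combined risk."""
    return min(range(1, max_engines + 1),
               key=lambda n: combined_risk(n, p_passive, p_active))


if __name__ == "__main__":
    # Constructed scenarios: (passive miss rate, active failure rate)
    for p_passive, p_active in [(0.05, 0.005), (0.05, 0.001), (0.05, 0.1)]:
        print(f"p_passive={p_passive} p_active={p_active}")
        for n in range(1, 5):
            risk = combined_risk(n, p_passive, p_active)
            print(f"  {n} engine(s): risk {risk:.5f}")
        best = best_engine_count(p_passive, p_active)
        print(f"  lowest risk at {best} engine(s)")
```

Where the minimum falls depends on the two rates fed in, so the model is most useful with failure rates estimated for the engines actually deployed.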



