Season of good will goes out of the window (of vulnerability)...
Security appliance vendor IronPort has hit out at some of the biggest names in the security industry, claiming businesses were left exposed to the worst viruses of the year for a total of 56 days while antivirus vendors scrambled to release patches.
It's an accusation which has drawn criticism from those named and shamed in the IronPort report as well as criticism for the methodology used.
IronPort claims businesses were unprotected against Bagle, Goldun, MyDoom, MyTob and Sober and their variants for a total of 1,335 hours - or nearly 56 days.
The company claims CA, Kaspersky Labs, McAfee, Sophos, Symantec and Trend Micro were guilty of leaving their customers unprotected for at least 16 hours in the case of Sober variants and 21 days in the case of MyTob variants.
However, it's a suggestion the vendors have been quick to take issue with.
Kevin Hogan, senior manager for Symantec Security Response EMEA, questioned the relevance of the findings and told silicon.com he believes IronPort isn't measuring security companies on an area where they should now be strongest.
"The type of threat that IronPort refers to - mass mailing worms - are becoming less of a threat with the shift to lower profile, more targeted attacks."
Hogan added he is confident Symantec's heuristics will block mass-mailing worm "straight out of the box".
Simon Perry, VP security strategy at CA, said time taken to release a patch is not an effective measure of security where risk analysis and the prioritisation of patches are weighed up by individual vendors. Very low priority patches may be pushed out with scheduled signature releases, said Perry, who argued such an approach is practical rather than insecure.
Of the viruses named by IronPort, some had dozens, or even hundreds of variants, leading Graham Cluley, senior technology consultant at Sophos, to suggest IronPort's methodology was far from thorough.
Cluley said: "They're not talking about when antivirus products can actually protect you from these kinds of menaces," adding that IronPort's focus on when patches are available ignores the fact many of the named vendors have defences in place such as proactive filtering which can pick up variants without the need for a patch.
He added: "It would be a mistake to think that antivirus companies can only offer the layer of protecting against known specific viruses but unfortunately that appears to be the only part IronPort chose to examine in this test."
Mike Dalton, president EMEA at McAfee, agreed that looking simply at the reactive issuing of patches only scratches the surface of the antivirus offering.
"Measuring vendor performance in the way that they have done fails to reflect the reality of what customers actually need and use," said Dalton.
Raimund Genes, president of European operations at Trend Micro, said: "What IronPort has measured against was the delivery of a virus pattern file. But Trend Micro not only relies on pattern matching solutions, we provide heuristic analysis and flexible security policies within our mail related products as well."
A spokeswoman for Kaspersky told silicon.com: "Ironport's allegations don't correspond to reality, and it is hard to determine what evidence these assertions are based on."
She said Kaspersky releases patches on an hourly basis and claims in urgent cases a patch is issued within 15 minutes.
However, Matt Peachey, MD of IronPort, said even systems which may identify variants proactively based on knowledge of previous iterations are still fundamentally flawed, in common with any content filtering, and he said he absolutely stands by his suggestion that these companies are leaving customers unprotected.
Peachey told silicon.com: "I don't think that's an exaggeration at all," admitting he isn't surprised the AV vendors have taken exception to his company's claims.
Peachey, whose own company identifies anomalies in traffic levels and quarantines emails when any anomaly is flagged up, added: "The reality is that when a new virus comes out somebody is suffering. It's a sad fact."
Sophos' Cluley added that other sensible measures, such as blocking executable files (.exe), will also remove much of the need for patching.
Speaking to silicon.com earlier this year Dr Peter Tippett, an early pioneer of antivirus software, said reactive patching should no longer play any significant part in enterprise level security strategy.