About three years ago Electric Mail recognized that the protection provided by one virus scanning vendor was not going to cut it for our customers and that we needed a second vendor to ensure faster response times to new virus outbreaks. Since the winner of the "race to the first patch" varies from virus to virus, it was clear that a second layer of protection would add more security.
After adding a second antivirus vendor, support calls subsided, but recently the number of calls began to rise and once more Electric Mail's attention became focused on antivirus response times. We run our systems on Unix and the engineering group suggested evaluating Clam Anti-Virus, an open source (and free) software product available from
Measuring Antivirus Performance
We also wanted to examine evidence about how different antivirus vendors were faring, so the company bought test licenses from the major vendors and watched the results during each virus outbreak. Electric Mail processes more than 10 million e-mail messages a day, enabling analysts to see a representative sample of viruses in the wild. The system polls all AV vendors for updates every five minutes--we long ago determined not to rely solely on the update server, and so use scripts to check various locations including the antivirus vendor's own web site for updates.
Our tests have run since the beginning of May and in that time Clam's response time has been equal to or better than the major vendors most of the time, a result we found to be very surprising. However, it is corroborated by the German test site "PC WELT.DE" (http://www.pcwelt.de/news/sicherheit/111012/index2.html).
The PC WELT site results demonstrated that for one Sober variant, Clam Anti-Virus had the first patch in place with well-known Symantec releasing a patch a full nine hours later. Most of the other vendors fared better, but were hours behind Clam. Nine hours of an unchecked virus in the wild could mean 2 or 3 million of our customers' e-mail messages were not protected from this virus, which is totally unacceptable. This was a particularly virulent virus--one measure is that Electric Mail stopped more than a million instances of it and it exhausted a lot of bandwidth.
That was an interesting result for a single virus, but we still looked for more proof of Clam's prowess.
For the last 50 new virus variants received through June 19, which is approximately 2 weeks of data, Electric Mail compared Clam Anti-Virus with two of the top five antivirus vendors in the world. We timed how long it took each vendor (A and B in this example) to release a pattern update from the time the virus was first seen.
A scoring system was devised based on who was first, second, and third to release a virus signature. Clam Anti-Virus outranked the other two antivirus vendors by a wide margin. One key measure is that Clam Anti-Virus came in first 77% of the time. Kudos to Clam Anti-Virus!
A Dirty Little Secret
I have to share a dirty little secret that some of the antivirus vendors don't want you to know: they sometimes pretend they've caught a virus when they actually haven't. They simply release a fix to an old pattern file without changing the file name, and at first glance it looks like they caught the virus well before they actually did.
That's because their Website lists the original pattern release time and not the date and time for the updated release of the pattern file. While this is typically done with variants of existing viruses, it made direct comparisons like ours much more difficult to research because we have to backtrack and compare time stamps along with file sizes to actually catch them at this shell game.
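The check described above can be automated from the five-minute polls; the following is an added example, not Electric Mail's own scripts. It goes one step beyond timestamps and file sizes by also hashing each download, so a same-size change is still caught. The vendor names, file names, times and file contents are constructed for illustration.

```python
import hashlib
from datetime import datetime

def fingerprint(data: bytes):
    """Return (size, SHA-256) of a downloaded pattern file."""
    return len(data), hashlib.sha256(data).hexdigest()

def find_rereleases(polls):
    """Report content changes published under an unchanged file name.

    polls: (poll_time, vendor, file_name, advertised_release, data) tuples.
    A finding is 'silent' when the vendor's advertised release time did not
    move even though the file content did.
    """
    last = {}  # (vendor, file_name) -> (fingerprint, advertised_release)
    findings = []
    for poll_time, vendor, name, advertised, data in sorted(polls, key=lambda p: p[0]):
        fp = fingerprint(data)
        prev = last.get((vendor, name))
        if prev is not None and prev[0] != fp:
            findings.append({
                "vendor": vendor,
                "file": name,
                "advertised_release": advertised,
                # Upper bound on when the changed file really shipped.
                "content_first_seen": poll_time,
                "size_before": prev[0][0],
                "size_after": fp[0],
                "silent": advertised == prev[1],
            })
        last[(vendor, name)] = (fp, advertised)
    return findings

def T(hhmm):
    """Build a timestamp on a constructed sample day."""
    return datetime.strptime("2000-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample: polls of two hypothetical vendors.
SAMPLE_POLLS = [
    (T("09:00"), "VendorA", "pattern-100.dat", T("08:30"), b"sig-old-1;sig-old-2"),
    (T("09:05"), "VendorA", "pattern-100.dat", T("08:30"), b"sig-old-1;sig-old-2"),
    # Same name, same advertised time, new content: silent re-release.
    (T("14:10"), "VendorA", "pattern-100.dat", T("08:30"), b"sig-old-1;sig-old-2;sig-new"),
    (T("09:00"), "VendorB", "defs.db", T("08:45"), b"AAAA-BBBB"),
    # Same size, different bytes, advertised time updated: honest re-release.
    (T("11:20"), "VendorB", "defs.db", T("11:15"), b"AAAA-CCCC"),
]

if __name__ == "__main__":
    for finding in find_rereleases(SAMPLE_POLLS):
        print(finding)
```

For a response-time comparison, the `content_first_seen` value of a silent finding is the time to score against, not the advertised release time.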
Someone needs to investigate why all these antivirus labs, with lots of engineering expertise, are so slow to release a patch and why some are playing games with the release date/time for updated pattern files. It makes one wonder why we pay these hefty licensing fees when a free product is doing a better job.
I honestly think that if you want decent antivirus protection, you need at least three different antivirus vendors; and I further think that one should be Clam. It seems that the open source community has more ears on the ground and a faster response mechanism in place when it comes to discovering and protecting against the latest e-mail threat. Happy virus hunting and don't always believe what your antivirus vendor is telling -- or selling -- you.
To find out more about Electric Mail's PerimeterProtect service, visit www.electricmail.com.
Adam Hyde is director of product strategy at Electric Mail.