Posted by David Harley on June 24, 2016.
I’ve grown blasé about the way that some sectors of the security industry badmouth mainstream antimalware in a bid to capture some of that market. And, believe it or not, I don’t have a problem with it in principle. While I’m not in marketing myself, I understand perfectly that even good products need to be marketed, and comparing one’s own product to the competition is perfectly legitimate, as long as the comparison isn’t misleading.
Sadly, Steve Gerrard, apparently head of EMEA marketing for Palo Alto’s Advanced Endpoint Security, may well have managed to mislead some people, hopefully not intentionally. I think he’s wrong to say that ‘most conventional endpoint AV systems are impotent and probably do more harm than good’, but that sort of contention is almost standard in some sectors where products are trying to capture market share from mainstream anti-malware. Well, maybe a little more extreme than most. But open to discussion.
The problem I have with his blog article Conventional AV Systems Can Actually Harm You, however, is not that he’s wrong – even I can envisage circumstances where any security product (and even software that can’t be described as a security product) might actually cause a serious and unanticipated problem – but that his assertion is based on a very narrow view of a specific event: the one described in a report published by the U.S. Food and Drug Administration (FDA). The report indicates that a cardiac catheterization procedure was interrupted – apparently without ill effects, fortunately – because ‘conventional AV software’ started its hourly scan of the system at a critical point. And I agree, that certainly shouldn’t happen.
The FDA report includes a ‘manufacturer’s narrative’ in which it’s claimed that the software was misconfigured: that is, not configured in accordance with “the product security recommendations… Our experience has shown that improper configuration of anti-virus software can have adverse effects including downtime and clinically unusable performance.”
Steve Gerrard states that Palo Alto’s Traps system probably wouldn’t have caused the same problem because it doesn’t rely on system scanning, which may, of course, be the case. Actually, mainstream anti-malware doesn’t generally rely on hourly system scanning, either: while full scans may be scheduled, not necessarily by default, most of the load is taken by on-access scanning of potentially dangerous objects as they are accessed. So maybe the manufacturer’s guidance could have been more precise. It’s not as though a medical device always needs to be continuously networked.
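To make the configuration point concrete, here is an added example (not from the original post, and not from any vendor’s documentation) of the kind of check an administrator could run on a Windows endpoint before it is used in a clinical setting. It assumes the endpoint runs Microsoft Defender Antivirus and uses its documented Get-MpPreference / Set-MpPreference cmdlets; the post does not say which product was involved, so that is an assumption, as are the clinical hours (07:00–19:00) and the 02:00 maintenance window used below. The idea is simply that a scheduled full scan is moved out of the hours when procedures take place, while on-access (real-time) scanning, which carries most of the protective load, stays enabled.

```powershell
# Added example: audit and adjust a Microsoft Defender scan schedule so that a
# scheduled full scan cannot start during clinical hours. Assumptions (not from
# the post): the endpoint runs Microsoft Defender Antivirus, procedures run
# 07:00-19:00, and 02:00 is an acceptable maintenance window.

$ClinicalStart   = [TimeSpan]'07:00:00'   # assumption: first procedure of the day
$ClinicalEnd     = [TimeSpan]'19:00:00'   # assumption: last procedure of the day
$MaintenanceTime = [DateTime]'02:00:00'   # assumption: overnight maintenance window

function Get-ScheduledScanTimeOfDay {
    # Normalises ScanScheduleTime, which is reported as a TimeSpan but may be
    # set with a DateTime, to a TimeSpan representing the time of day.
    param($Value)
    if ($Value -is [DateTime]) { return $Value.TimeOfDay }
    return [TimeSpan]$Value
}

function Test-ScanScheduleSafe {
    # Returns $true when no scheduled full scan can start inside clinical hours.
    # ScanScheduleDay 8 means "Never"; ScanParameters 2 means a full scan.
    $pref = Get-MpPreference
    $fullScanScheduled = ($pref.ScanParameters -eq 2) -and ($pref.ScanScheduleDay -ne 8)
    if (-not $fullScanScheduled) { return $true }

    $t = Get-ScheduledScanTimeOfDay $pref.ScanScheduleTime
    return -not (($t -ge $ClinicalStart) -and ($t -lt $ClinicalEnd))
}

function Show-ScanSchedule {
    # Prints the settings that matter for the "scan at a critical moment" failure.
    $pref = Get-MpPreference
    [PSCustomObject]@{
        RealTimeProtectionOn = -not $pref.DisableRealtimeMonitoring
        ScheduledScanType    = if ($pref.ScanParameters -eq 2) { 'Full' } else { 'Quick' }
        ScheduledScanDay     = $pref.ScanScheduleDay      # 0 = every day, 8 = never
        ScheduledScanTime    = $pref.ScanScheduleTime
        ScanOnlyWhenIdle     = $pref.ScanOnlyIfIdleEnabled
        CatchupFullScan      = -not $pref.DisableCatchupFullScan
    }
}

Show-ScanSchedule

if (-not (Test-ScanScheduleSafe)) {
    # Move the full scan to the maintenance window (Sunday 02:00), only run it
    # when the machine is idle, and do not let a missed scan "catch up" later,
    # which is exactly how a scan can end up running in the middle of a procedure.
    Set-MpPreference -ScanScheduleDay 1 `
                     -ScanScheduleTime $MaintenanceTime `
                     -ScanOnlyIfIdleEnabled $true `
                     -DisableCatchupFullScan $true
    Write-Output 'Scheduled full scan moved out of clinical hours.'
}

# On-access scanning is where the real protection comes from; keep it on.
Set-MpPreference -DisableRealtimeMonitoring $false
```

The catch-up setting is the one most easily overlooked: if a device is powered off at the scheduled time, a catch-up scan can run at the next boot, which on a clinical machine is likely to be just before it is needed. Running this from an elevated PowerShell session and then re-running Show-ScanSchedule confirms the change took effect.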
But here’s the thing. Traps seems to be a Windows application, and Merge Hemo seems to run on Microsoft platforms. Microsoft actually has ‘Additional licensing requirements and/or use rights’ that preclude the use of its software in embedded systems where ‘the failure of the software could lead to death, serious personal injury or severe physical and environmental damage…High Risk Use also includes Class III devices under the Federal Food, Drug, and Cosmetic Act….’ As far as I can tell, the device in question is a Class 2 device, so that restriction presumably doesn’t apply.

Nevertheless, the safe use of medical or other critical devices is clearly a complex issue, and more so as more devices get interconnected, whether they need to be or not. (And it was tricky enough when I was closely engaged with medical informatics, more than a decade ago, long before most people had to worry or even think about the security implications of the Internet of Things.) Perhaps there’s a need for continuous assessment of what constitutes ‘safety’ in the IoT context. And maybe the security industry needs to spend more time engaging stakeholders in the ‘chain of healthcare delivery’ and less trying to score marketing points.