> For many SMEs, the distinction is irrelevant, as a significant number of
> e-mail servers do *NOT* incorporate antivirus software designed with
> gateway scanning in mind - they run desktop scanning tools on e-mail;
> thus, for many companies, the distinction between 'gateway' and
> 'desktop' antivirus software is both, since one scanning engine and set
> of definitions play the same role.

I think that the distinction that Nick was making was that any AV that is intended to do gateway scanning should implement this, which is implied by his whole "gateway scanners may have a problem with this..." point.

> Antivirus technology is something which even non-technical office staff
> are very much aware of, and they base many aspects of their work on
> assumptions such as the fact that if an antivirus scanner has not
> detected 'a virus' in a file they have sent/downloaded/copied, that it
> is safe - although they may not be at risk from a virus in an archive
> file that their antivirus software does not detect, other people may.

Well, this is largely a perception problem. People think that a clean scan means that something is safe and that's wrong. It's not just wrong in AV, it's wrong in all security analysis issues. It's wrong in IDS. It's wrong in forensics. It's wrong in pen-testing.

> Harking back to SMEs, who seem to be at the focus of most of the points
> that I've made, it's quite possible that the inability to scan an
> archive file could be extremely damaging to a business's reputation
> when forwarded to a partner or customer

In what situation can you imagine where a person blindly forwards compressed (unscanned) content to a business partner?

> - since you're obviously sure of your
> positions on these issues, I shouldn't have to remind you that antivirus
> software isn't about being theoretically perfect, it's about preventing
> business loss.

This is the wrong way to think about it.

> Antivirus software is deployed based on many sets of assumptions.
> Failure to live up to these assumptions is generally what causes the
> most damage to businesses as protection they thought they had in place
> fails - this issue is something which falls into this category;
> antivirus software is, in the majority of SMEs, implemented by staff
> without extensive experience in antivirus software, and they are highly
> unlikely to be aware of issues such as this one (especially since in
> most antivirus software, the option is given to 'scan archive files',
> not 'scan archive files apart from the ones we don't understand') - not
> a serious issue, but definitely a significant one, and one which should
> be fixed upstream by antivirus vendors.

It is expressly impossible to determine what the uneducated, untrained, and willfully incapable of reading documentation will do when left to their own devices.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html