Y2K viruses: running wild - or wildly exaggerated?

Prophets of doom disappointed by the millennium bug's non-appearance will be taking heart this week as some software vendors put clients back on red alert for a barrage of viruses especially created for the season.

But given the millennium flop, there's a danger that security managers could get increasingly cynical about the warnings. At some point people will start to switch off. The question arises: are these virus-fighting companies performing a valuable service, or will this constant flow of hype lead to apathy that could be more dangerous than the viruses themselves?

It is reasonable to advise caution. Not all virus writers will be able to resist such a perfect opportunity to create havoc. There was certainly no shortage of warnings flying around the world's corporate networks as employees returned to their desks after the extended holidays.

On Monday, one of the top anti-virus companies, Network Associates, warned IT managers against adopting a "false sense of security" that might be brought on by the millennium bug non-event. It said that - despite the apparent lack of virus attacks over the holiday period itself - as email systems kick into action this week, problems could start to emerge.

Paul Cronin, product manager at security consultancy, Centurycom, said it's the job of the anti-virus companies to keep awareness levels high. "All the anti-virus vendors really should be pushing forward the threats that are out there. Security issues will always be over-hyped but it's too important to ignore."

But not every anti-virus company was predicting disaster as the first week of 2000 dawned. Sophos issued a notice on the first day employees returned to work declaring the post-millennium situation to be normal. A worldwide round-up of virus sightings and calls to customer support lines found that virus levels were at their usual quotas. So much for the millennium virus chaos.

Graham Cluely, senior technical consultant at Sophos, said the hype isn't just unnecessary - it's dangerous.

"Virus fatigue is going to be a big problem. Anti-virus companies are put on a pedestal as security experts, but at this rate they'll be perceived as nothing more than a nutter on the bus ranting about the end of the world," said Cluely.

Responding to the warnings issued about the New Year dangers, many companies shut their email systems down to block out the threat completely. Cluely said this may have caused even more problems, because companies would be less prepared for incoming missiles when they eventually switched them back on.

He added that the shutdown may have led to a loss of revenue, particularly for companies that use email as a direct communication channel with customers. "If companies did lose revenue for this reason, I think there's a strong argument to say that those anti-virus companies responsible for the hype should be responsible for the lost revenue also," he said.

He further attacked Sophos' rival anti-virus companies, Network Associates and Computer Associates, for warning of viruses that haven't been seen in the wild. One example is the Armagidon virus, which was highlighted by Computer Associates but is, according to Cluely, unlikely to ever hit networks. "This is a clear case of crying wolf," he said.

But Nimrod Vered, director of product management at another security company, Finjan, disagreed, saying that all companies should be made aware of every virus no matter how unlikely they are to experience it.

He believes that it's impossible to be too careful, and that virus fatigue must be risked if increasingly sophisticated hacks and virus attacks are to be averted.

Network Associates also stands by its policy of alerting whenever possible. Product marketing manager, Rob Eatwell, argued that the experience of 1999, which was dominated by fast-spreading viruses like Melissa, justifies this.

But he did admit the danger of fatigue. He claimed that the anti-virus vendors are working to avoid this through learning when to keep quiet and when to shout.

"There is in fact a meeting of minds among most vendors which are starting to agree on the level of alerting and which viruses to warn about. Previously we had to make sure companies weren't being complacent, but that message seems to be slowly sinking in. We're all trying to update this alert process which could meet we're all shouting a bit less in the future."

So it seems that the vendors are at least aware that fatigue could be setting in. This last year has seen a huge change in the virus environment and the result has been far more awareness. Anti-virus vendors say they are taking this into account and are working to tone down their awareness strategies. Let's hope that Y2K and the non-event that followed will help make their warnings even more realistic.