Updating anti-virus signatures is important, and we have yet to see an owner/operator consistently and effectively apply the updates manually. So most are now pushing the signature updates out on a periodic and automated basis. [Note: the automation is typically restricted to signature updates, not engine updates, which cause problems and reboots more often.]

Signature updates almost never cause a problem. But almost never means that on occasion they do. An example just occurred with McAfee DAT 5958 update. The SANS Handler Diary discusses the issue:

McAfee’s “DAT” file version 5958 is causing widespread problems with Windows XP SP3. The affected systems will enter a reboot loop and lose all network access. We have individual reports of other versions of Windows being affected as well. …

The problem is a false positive which identifies a regular Windows binary, “svchost.exe”, as “W32/Wecorl.a”, a virus. If you are affected, you will see a message like:

So does this rare occurrence mean owner/operators should not automate updates? Definitely not. However, you need to leverage the redundancy in your system and stagger the anti-virus updates. Create at least two groups, maybe more, with redundant systems split up across the different groups. Then have the anti-virus deployment stagger the updates to each group. We typically recommend 12 hours apart.

In this McAfee case, only half of the systems would have been affected, the control system would still have been fully operational, and the update could have been pulled before it was applied to the systems in the other groups.

Some owner/operators also delay the automatic deployment of new signature updates 12 or 24 hours. While this leaves the systems more exposed during that short time window, it does give time for other systems to identify the problem.
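The grouping, staggering and holdback described above, as an added example that is not from the original post: redundant hosts are dealt across update groups, each group gets its own release time (optional holdback plus 12 hours between groups), and a bad signature reaching one group is simulated to show which functions keep an unaffected host. The inventory, hostnames, redundancy sets and release time are constructed for the example.

```python
from datetime import datetime, timedelta
from itertools import cycle

# Constructed inventory (hostnames and redundancy sets are hypothetical):
# hosts that back each other up share a redundancy-set name.
INVENTORY = {
    "hmi-a": "hmi", "hmi-b": "hmi",
    "hist-1": "historian", "hist-2": "historian",
    "eng-ws": "engineering",          # single host, no redundant partner
    "opc-a": "opc", "opc-b": "opc", "opc-c": "opc",
}
RELEASE = datetime(2010, 4, 21, 14, 0)   # constructed signature release time

def assign_groups(inventory, n_groups=2):
    """Deal the members of each redundancy set round-robin across update
    groups, so no set has all of its members in the same group."""
    by_set = {}
    for host, rset in inventory.items():
        by_set.setdefault(rset, []).append(host)
    groups = {g: [] for g in range(n_groups)}
    turn = cycle(range(n_groups))          # one cycle across all sets keeps groups balanced
    for rset in sorted(by_set):
        for host in sorted(by_set[rset]):  # consecutive members land in different groups
            groups[next(turn)].append(host)
    return groups

def schedule(groups, release, spacing_hours=12, delay_hours=0):
    """When each group receives a signature released at `release`: an optional
    holdback applied to every group, then `spacing_hours` between successive groups."""
    return {g: release + timedelta(hours=delay_hours + spacing_hours * g) for g in groups}

def impact(inventory, groups, bad_group):
    """Simulate a bad signature reaching one group. Returns the redundancy sets
    that keep at least one unaffected host and the sets that lose every host."""
    affected = set(groups[bad_group])
    alive = {rset for host, rset in inventory.items() if host not in affected}
    return alive, set(inventory.values()) - alive

if __name__ == "__main__":
    groups = assign_groups(INVENTORY)
    for g, when in schedule(groups, RELEASE, spacing_hours=12, delay_hours=12).items():
        alive, lost = impact(INVENTORY, groups, g)
        print(f"group {g} updates at {when:%Y-%m-%d %H:%M}: {groups[g]}")
        print(f"  if this DAT is bad, functions lost entirely: {sorted(lost) or 'none'}")
```

Note that staggering only protects functions that actually have a redundant partner; a lone host such as the engineering workstation here is lost whichever group its bad update lands in, which is where a holdback helps.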

On a side note, when will the day come when a security professional will be able to recommend that anti-virus not be deployed because another control is more effective? The argument can be made today, but I would not want to be the consultant, CISO or other person responsible for that decision after malware hit. AV is easily evaded and has a nasty kludge of a codebase, but it is still considered irresponsible in the mainstream not to use it.