McAfee quarantines svchost.exe on millions of WinXP machines worldwide (andreyf.tumblr.com)
249 points by andreyf on April 21, 2010 | 107 comments



Crazy to think about the consequences of a mistake like this. This was sent by a friend to an email list I'm on:

"Well, consider this community hospital fubared.

IT dudes running around pulling out their hair. If it wasn't affecting patient care it would be a humorous scene, but I can't check x-rays, or labs or anything. Took out a horrendously bloody gallbladder this morning, and I can't tell (labwise) if she's still bleeding...not good."


Wow. Kinda makes me wonder if we should be using general-purpose computers for so many things. The anti-virus is kind of a major single point of failure for machines that need to do just a few specific things.


I don't think we need to move to special machines, we just need to move to sensibility in choices. Why do these need to be running Windows? Even if they're running Windows, why do they need an antivirus? Are you letting people open attachments from their email or browse the internet on the same box that you're using to read X-rays and other medical imagery? Kind of weird to do that, right?

I need to think about how to exploit this to promote the installation of *nix-based systems and get people to hire my company to do it.


Doc here: do you run a subversion client or an IDE on the same machine you check email or browse the web with? kind of weird to do that, right?

I'm all for nix-based systems. Please, oh please, convince these people to go to nix and web apps (that aren't slaved to IE: eg, AHLTA, or Fuji's Synapse imaging software). I will give you their numbers.


I actually freelance with a group that is making a web app for viewing medical imagery. Has a Flex-based frontend, though.

I guess I don't understand the use case -- I had assumed that the computers needed to tell if a patient was bleeding or not were connected to a machine that did some kind of image-taking or internal measurement, and that that machine was the stationary "is patient bleeding machine" computer. Do doctors generally perform analyses like that one on personal computers or normal workstations? I guess I just got a false impression from medical dramas or something.


What if the doctor reading the scan is in another city/country? That's becoming increasingly more common.

Though on the AV front it doesn't make sense to have all of your organization's computers running critical software to update at the same time (no matter what software, it just happened to be the anti-virus this time).


Absolutely not. I use a virtual instance of windows for that stuff. I'd never do web browsing like activities (or much network connectivity at all) on a machine that was about to compile a binary that might be duplicated thousands of times to thousands of places.

The Parallels windows pc on my mac was hit by this very problem. I had to restore to a 3 day old snapshot just to get it running again. I feel bad for those who were running windows bare-metal who can't just press a button and go back.


It'll all move to thin clients and the cloud. Just watch.

Not saying it's better, and in fact it'll be worse. The net goes down way more than the AntiVirus gets a bogus config file. But you'll see cash-strapped facilities get sold on the idea of cheaper clients on-site and a large server with a juicy maintenance package behind it.


A better solution is to disable all kinds of automatic updating on computers you manage and canary changes on just a couple of machines first.


reminds me of this funny XKCD http://xkcd.com/463/


Best Practices, n.: Making the same mistakes everyone else does.

However, what are the odds of someone being able to make special-purpose machines to do everything COTS boxes are used for, and making those machines as fast, cheap, and reliable as COTS systems are now? Some things seem obvious (x-ray machines, lab machines) but accounting and record-keeping? Going back to adding machines and purely manual filing is not an option in a large hospital, especially if it has to maintain modern standards of patient care over a large patient population.


I think virtualization takes you a long way towards the solution to this issue. With Win7 I've gotten into the habit of routinely working on virtual instances using the boot from .vhd feature. This means that if something goes wrong my host is not impacted and I can revert to an earlier version of my .vhd to solve problems like this one. The standard IT "wait and see" policy makes this something that will take awhile to become common but I think it is the way to go for pretty much any critical path task you do on a Windows PC (other OSes such as OS X have similar features as well but I only use OS X for "media" stuff).


And if you use a Type-1 hypervisor (i.e. one that runs on the bare metal) you should be even safer.


I don't have time to counter all the misinformation here. Just a couple quick points:

- McAfee has been crap for a long time now; they're not much better than Norton's products from the last few years.

- Corporate networks are running McAfee because McAfee (and TrendMicro, and other garbage a/v vendors) provide incentives to VARs, consultants, resellers, etc.

- However, this is a far cry from "all antivirus is bad". There are plenty of good products available, some of them are free, and they don't have serious negative impacts on system performance. The on-demand catch rating of some of these products exceeds 97% in independent lab testing, which is pretty damn good.

- If you use a company computer, and you have disabled antivirus on your system because you don't like it, you are putting not just your company's computer, but your company's network at risk. In most "serious" companies, this would be grounds for termination, and I don't blame them. I would also like to emphasize that the workstation you use belongs to your employer, not you.

- I don't care how smart you think you are, if you're running Windows, you're at risk. Even current versions of Firefox are vulnerable to remote exploits, and we've been seeing a hell of an uptick recently in website infections. That blog that you've been visiting for years might try to hit your computer with something nasty tomorrow, and you'll never even notice. For that matter, a lot of website administrators don't realize they have a problem for a long time.

- Rootkits are getting very quiet and very sneaky. I think we're starting to see a trend where computers are coming in with a couple of different infections: one is a recent rogue antivirus infection which drives the user to get help, and the other is an older rootkit that's been running quietly in the background for a while.

You guys should know better.


Speaking as someone who knows something about these things, it is clear that you are not as informed as you are making yourself out to be. There are two reasons why I say that. (1) Your knowledge of the AV industry is outdated. McAfee has actually been trending upwards in recent years. (2) A 97% detection rate is obviously bullshit. If any product achieved a detection rate anywhere close to that number, the false positive count would be through the roof. As this incident makes clear, the cost of a false positive can be astronomically high. Again, any AV product advertising or claiming 97% detection is bullshit. Any AV engine can achieve that number if it accepts an unrealistic number of false positives. The fact that you even quoted that number makes me question your qualifications for giving advice about AV.

For non-technical people reading this thread, the general sentiment of other commentators is correct. Most AV is garbage. It will protect you from about 1/3 of what is out there at the cost of computer performance. Make an educated decision about whether to run it at home or not. On your corporate network, do whatever your security guy tells you to do.


Not that I'm all that interested in getting into a pissing contest with Some Guy From The Internet, but:

1. I've been doing virus and malware cleanups for people since -- well, since 1995 or so, at least.

2. I've recently begun presenting seminars on basics for novice computer users.

3. I was among the first to clean up the rather nasty kbiwkm rootkit a while back. One of my clients was infected with it before there had been an a/v response, and before anything could be learned about it anywhere.

4. I've recently begun to get contacted internationally (well, from Canadian individuals, anyway) to clean up websites infected with various sorts of nasty bugs.

5. Most importantly, I follow the results and reports from av-comparatives.org religiously; they're not affiliated with any particular antivirus vendor, product, or group, their tests appear to be very thorough, their methods appear to be fairly rigorous, and they provide reasonable results for a number of different metrics related to antivirus products, all in a regularly-released report that's quite readable.

6. I started a company three years ago to address the various flaws that I saw in the I.T. industry, one of which was the number of people that got hit with viruses over and over again. I have a very, very low rate of repeat virus cleanups for my clients, many of whom are novices that are particularly susceptible to multiple computer virus vectors. You might feel like being snarky and saying that I never hear back from them because they don't care for the service, but then again, I'm currently experiencing my third straight year of 300% growth, and most of my "marketing" comes from word-of-mouth.

But, I don't have a blog, so of course I'm not an expert. Carry on.

edit: oh btw, two of today's systems that were infected with rogue antivirus also had up-to-date and active McAfee installations, which isn't at all unusual. But, yeah, you're right, it's much better now than it used to be.


First, congratulations on your success with your business. 300% growth over multiple years is very impressive. Second, I didn't mean to be negative or snarky (I can be abrasive sometimes, so sorry about that). It's just that no one experiences detection rates that high in the real world. If AV actually worked that well, it would be incredible. I'd be the first person to publicize it.

In regards to AV Comparatives, I responded to why their tests aren't relevant in the real world here: http://news.ycombinator.com/item?id=1284321. The bottom line is that detection rates as high as 97% are generally regarded by industry experts as inflated (John Viega says in one of his books that some people estimate actual detection rates to be around 30%). AV companies themselves would never use that number as a part of their marketing campaigns. You'll note that on the product pages of the AV products tested, the numbers aren't listed. If a 99.6% detection rate was actually valid, don't you think it would be displayed in large and bold letters on the product page?

I'm not saying people shouldn't run AV, but we need to be honest about the actual capabilities of these products. Even if actual detection is only 30%, 30% is better than 0%.


If I'm reading this report right there are several that hit 97% with low false positives. http://www.av-comparatives.org/images/stories/test/ondret/av... The methodology is linked in the document. I mean, it's certainly at least less of a conjecture than your "he doesn't know anything because these things are obviously BS" argument.


I'm familiar with the report. Programs that were detected as false positives include:

* the task manager

* Quicken

* ATI Drivers

* the GIMP

* other antivirus programs (including products from Kaspersky, ESET, Avast, and Trend Micro)

* VLC

* Cygwin

* Acrobat reader

* text editors (including Notepad2 and Notepad++)

* TrueCrypt

AV run in the real world on these settings would be disastrous.

Issues with the samples used by AV Comparatives:

* The malware sample size is only around 1 million.

* The sample size of clean programs is far too small.

* The malware samples used aren't public. We don't even know if the malware used by AV Comparatives are found in the wild anymore.

More generally, evaluations like those done by AV Comparatives and similar organizations are misleading. What actually matters is the vulnerability window. This window is generally a week or two and occurs after a piece of malware is released into the wild. It is the amount of time it takes AV vendors to get a signature distributed. Most damage is done during the vulnerability window, during which infected machines will have their AV disabled by the virus. The fact that your AV can detect viruses released years ago actually doesn't have any bearing on your security; it's a meaningless evaluation of the product.

You have to ask yourself, why don't AV vendors report numbers like the percentages found in AV Comparatives? They don't because they know it's bogus. Sure, most AV vendors will list AV Comparatives and others as an "award" or a "certification", but they'll never list the actual number. I think that should tell you something. In the real world no one is experiencing detection rates like those in the report. If they were, you can be sure the numbers would be part of an AV marketing campaign.
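The trade-off argued in this thread (a headline detection rate can be bought by lowering the alert threshold, and the bill comes due as false positives such as the Task Manager, Quicken and VLC in the list above) can be shown with a toy scoring engine. This is an added example, not code from the thread or from any AV vendor or AV Comparatives: the suspicion scores, the function names and the one-million-file fleet size are all constructed for illustration.

```powershell
# Constructed toy data: a heuristic "suspicion score" from 0 to 99 for 100
# malicious and 100 clean files. These numbers are made up for illustration,
# not measurements of any product.
$MaliciousScores = 0..99 | ForEach-Object { 50 + (($_ * 37) % 50) }   # 50..99, each value twice
$BenignScores    = 0..99 | ForEach-Object { ($_ * 7) % 60 }           # 0..59, tail overlaps 50..59

# Fraction of malicious samples flagged when the engine alerts on score >= threshold.
function Get-DetectionRate([int]$Threshold) {
    @($MaliciousScores | Where-Object { $_ -ge $Threshold }).Count / $MaliciousScores.Count
}

# Fraction of clean samples wrongly flagged at the same threshold.
function Get-FalsePositiveRate([int]$Threshold) {
    @($BenignScores | Where-Object { $_ -ge $Threshold }).Count / $BenignScores.Count
}

# Highest threshold that still reaches the requested detection rate
# (a vendor chasing a marketing number would tune the engine this way).
function Find-ThresholdForDetection([double]$Target) {
    foreach ($t in 100..0) {
        if ((Get-DetectionRate $t) -ge $Target) { return $t }
    }
}

# What a headline detection figure costs in false positives, scaled to a fleet
# of clean files (the McAfee incident hit one clean file on millions of machines).
function Show-TradeOff([double]$Target, [int]$CleanFilesInFleet = 1000000) {
    $t   = Find-ThresholdForDetection $Target
    $tpr = Get-DetectionRate $t
    $fpr = Get-FalsePositiveRate $t
    [pscustomobject]@{
        TargetDetection        = $Target
        Threshold              = $t
        DetectionRate          = $tpr
        FalsePositiveRate      = $fpr
        ExpectedFalsePositives = [int]($fpr * $CleanFilesInFleet)
    }
}

Show-TradeOff 0.80   # threshold 60: 80% detection, zero false positives in this toy set
Show-TradeOff 0.97   # threshold 51: 98% detection, 15% of clean files quarantined
```

With these constructed scores the engine reaches 80% detection at threshold 60 without a single false positive, while pushing the target to 97% forces the threshold down to 51 and quarantines 15% of the clean set, 150,000 files per million. The shape of the curve, not the exact figures, is the point: once the malicious and clean score distributions overlap, every extra point of detection is paid for in clean files, which is why a detection rate quoted without its false-positive rate says little about a product.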


First off, I don't claim to be an IT person or know what normal users need to be safe. I can only speak to my personal experience as a programmer. I haven't had a virus in 14 years. I haven't ever run anti-virus software. I have a good feel for all the systems that I use. A little paranoia goes a long way. Not to say that I couldn't be targeted. I'm sure a skilled cracker could break my boxen. But I doubt any antivirus would stop them.


"I haven't had a virus in 14 years. I haven't ever run anti-virus software."

Then I'd say you probably have a virus ;-)


Actually I was the same (while I was running a Windows box). I used to work for an anti-malware company too, and my experiences there pretty much agree with what everyone says about Norton / etc...

I don't open attachments from strangers, I don't have warez on my computer, and I call / confirm when I get a word doc. (It doesn't matter because I do the conversion on googledocs anyway).

I know not everyone is fortunate enough to do all of that, but it is entirely possible to avoid viruses if one really wants to.


Not anymore. If you receive a targeted attack or a 0-day attack vector through a firefox, pdf or even libpng vulnerability, the only real way you can be safe is to unplug your computer from the internet.


> I haven't had a virus in 14 years.

That you know of.

I can say the same thing, but I always put in that little caveat at the end. Same for being hacked. I've looked for evidence, and never found any reason to believe otherwise.

I've done too many cleanups for people, for whom I have the utmost respect, who said similar things, for me to lose my humility on that score.


"- There are plenty of good products available, some of them are free, ..."

Care to list some please? I don't use Windows, but I'm sick of my dad's PC being infected by the "Windows Security" scam application every 4 months. Not to mention the set of other viruses I find when trying to clean it up...


Microsoft Security Essentials. It's free and it's the fastest and most thorough AV solution.

http://www.cnet.com.au/microsoft-security-essentials-3392988...


AVG is good

http://free.avg.com/ww-en/free-antivirus-download

ClamAV for windows is ok too:

http://www.clamwin.com/

Hell, just running housecall once in a while manually can do wonders:

http://housecall.trendmicro.com


The fact that you're here means your computer is working, but just in case anyone you know needs the instructions to disable McAfee:

Boot the affected client into Windows Safe Mode with Networking (Hit F8 During the system boot phase.)

Disable the McAfee McShield service by opening the Registry Editor (regedit.exe), and set the McAfee McShield service to the Disabled startup type: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\McShield\Start=4.

Once you've rebooted into normal mode you can roll back definitions from the McAfee GUI.
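The recovery steps above can be scripted so that the service's original startup type is recorded before it is changed and restored once the bad definitions have been rolled back, which the comment leaves as a manual step. This is an added example, not from the comment or from McAfee: the registry path and the Start=4 (Disabled) value are those given above, while the function names and the backup file location are assumptions.

```powershell
# Registry key and value from the recovery instructions above; 4 means "Disabled".
$McShieldKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\McShield'
# Assumed location for the saved startup type; any writable path will do.
$BackupFile  = Join-Path $env:SystemDrive 'McShield-Start.bak'

# Record the current startup type, then disable the service so the machine can
# boot normally and the definitions can be rolled back from the McAfee GUI.
function Disable-McShieldForRecovery {
    $current = (Get-ItemProperty -Path $McShieldKey -Name Start).Start
    Set-Content -Path $BackupFile -Value $current
    Set-ItemProperty -Path $McShieldKey -Name Start -Value 4 -Type DWord
    "McShield Start was $current, now 4 (Disabled); previous value saved to $BackupFile"
}

# Put the service back exactly as it was once the bad DAT has been replaced,
# so the box does not stay unprotected after the incident is over.
function Restore-McShieldStartup {
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile; nothing to restore" }
    $previous = [int](Get-Content -Path $BackupFile)
    Set-ItemProperty -Path $McShieldKey -Name Start -Value $previous -Type DWord
    Remove-Item $BackupFile
    "McShield Start restored to $previous"
}

# Usage: run Disable-McShieldForRecovery from Safe Mode with Networking as an
# administrator, reboot, roll back definitions, then run Restore-McShieldStartup.
```

Both functions need an elevated session, and on a Windows XP client PowerShell has to be installed separately; where it is not, the same two registry writes can be done with reg.exe. Keeping the saved value rather than hard-coding the "normal" startup type avoids guessing how the service was configured on a given machine.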


Just another nail in the coffin of the usefulness of AV systems. And good riddance.

My work computer actually has McAfee on it, which I've disabled through the registry. Don't like how slow it makes my computer.

Education, people! It's better than buying useless feel-good software.


I think it's interesting to consider computer viruses and biological pathogens in terms of "optimum harmfulness."

A cold virus's best strategy, for example, is to keep you awake coughing so your immune system is weak, make you sneeze and cough and have a runny nose so you spread germs, etc. But it shouldn't kill you, especially not before you pass it on. I've heard (did I read it in Guns, Germs and Steel?) that syphilis used to be more deadly, but that it got milder as an adaptive strategy.

Likewise, computer viruses probably have a pain threshold they shouldn't pass. If they can do their masters' bidding without hacking you off so bad that you format the computer, they'll be more successful.

Possibly unwarranted conclusion: computer viruses are now widespread precisely because they're Not That Bad.

So, are they worse than antivirus software? A lot of non-geeks may be asking themselves that question today. "Dang, we got a virus one time, but it didn't keep the computer from BOOTing!"

McAfee has just demonstrated a computer autoimmune disease.


Well, first off, I have bad news for you: the more recent rootkits we've been seeing are doing exactly this. They are very quiet, very sneaky, very hard to remove, and they just love it when you purchase items online.

As far as whether viruses or antivirus software are worse to deal with -- well, I have three systems in the shop so far today for virus infections that were so bad that it rendered the computer unusable. One woman told me she broke down and cried because her brand new laptop got infected yesterday and quit working just before she was supposed to do online college course work.

Running without A/V software is exceptionally stupid at this point, even if you think you're smarter than everyone else.


The last computer virus I got was the Stoned virus on a DOS 6.2 machine sometime around 1989-90.

And I never run anti-virus software. At home I have Windows, OS X and Linux boxen and not in 20 years have I had a computer virus.

It's really all about usage patterns more than anything else.


I never ran anti-virus software, until I was at a friend's house and added his shared printer and Windows helpfully downloaded the virus-infected drivers from his PC...


If you haven't run av in 20 years, one wonders what you base the claim of not having had a virus in 20 years on.


The comment probably should've been rephrased as "I haven't been hampered by any virus in 20 years".


That's like saying that having sex without a condom is safe as long as you have certain 'usage patterns'.

Chances are you have contracted something, but just don't know about it.

The OS X and Linux boxes are pretty safe, but if you use your Windows machines online you're bound to have been bitten by drive-by malware at least once.

Unless those machines have never been used to surf the web.

Even very reputable sites have had bad cases of advertising injected malware, in some of the most unlikely delivery vehicles.


That's like saying that having sex without a condom is safe as long as you have certain 'usage patterns'.

Erm. Sex with one partner who is not promiscuous and doesn't have a disease is pretty safe without a condom. That's a usage pattern, right?


That's your usage pattern, but it does not say anything about that partner, so it may be less safe than it appears.


You don't run AV? I'm going to bet that the last virus you know about was 89-90... Although depending on what you use your computers for you're still probably ahead of the rest of us.

EDIT:Fixed some typos


Viruses used to be largely statements and annoyances, the sort of thing a rebellious teenager would pursue as a form of computer vandalism.

Then people realized there was money in botnets and password stealing. The goal of those viruses is to get onto your computer and stay there as long as possible. If you notice it, you'll remove it, so it is in their best interest to avoid being noticed.

Unfortunately, a lot of them are so poorly written they are hard not to notice.


Unfortunately?


To computer viruses and biological pathogens, add virus scanners--that model holds. For example, if this incident causes sufficient negative publicity for McAfee, then perhaps it could disappear.

Does anyone recall the Michelangelo virus? One virus detection program's special release for that wiped the boot sector of every drive it was installed on. I think it is fair to say that in that case, the anti caused more monetary loss than the virus.


> McAfee has just demonstrated a computer autoimmune disease.

My goodness, what a fascinating idea. (And a search suggests that you are the first person in all of history to think of that.)

When will the biological parallels end? Will we someday get viral transmission of OS code snippets from one machine to another, leading to improved OSs? The mind boggles ....


Sounds reasonable. Maybe a virus will carry a usable Windows API into *nix so windows viruses can do something? I know this wouldn't work at first glance, but there's probably something along those lines....


People tried running windows viruses under wine, but the success rate was not that great.

(I can't copy and paste URLs on this stupid cell phone, so ask Google for "virus wine linux" for the details.)



I did some benchmarks on a Dell Precision M65.

The hit from McAfee was approximately 15-20% by my reckoning, in terms of time taken to run a compile and link cycle.

Worse still, as you pointed out, responsiveness is affected, which can be incredibly frustrating.


With fake SSL certificates signed by "real" CAs, cross-site scripting and other advances in phishing attacks, just educating users may not be as effective as it used to be. Malware is quickly becoming advanced enough that even trained technical users may be fooled. Many attacks don't require user interaction. AV products may be slow to respond and signature matching won't catch everything, but if it catches half of what shows up on corporate networks it can still save a lot of time and money.


I wonder if the value of the total things stopped by McAfee, in all its time, outweighs the purported damage of this incident.

I'm thinking no.


On what basis do you say no? This is a single large, noticeable incident, but that doesn't mean that it outweighs millions of tiny ones prevented.


Not all malware requires user permission to execute -- modern web malware uses a browser exploit to run itself; you and I probably wouldn't realize it.


I don't understand why people install antivirus software on their machines. I read once that their catch rate is something like 20-30% which strikes me as no better than 0% for all the good it does most of their customers. It just seems to slow down computers a lot and yield little benefit other than protection for the IT staff when things go wrong.

I could make antivirus software that does nothing and probably make people happier by virtue of the fact that I'm not taking their system's resources.


You read Hacker News, which means you probably know more about computers than at least 99% of the population, and far more than 98%. Seriously, consider that.

Take something you don't know about. For me it's cars. If prevailing wisdom was that unless you bought some $40 item for your car, it could easily be stolen, you'd probably buy it right?

This is what people are told: Windows is insecure and anyone with a clue can just steal your credit card number. I know that if I just don't install crap from the internet, and have a reasonable firewall, I'm not going to get a virus. I haven't had antivirus in over a decade, though I've run some web-based ones on occasion to check, and have never had a problem. I know that, and you know that. My dad (who is much closer to the other 98% of the population) doesn't know that.

(As for corporate use, you answered your own question. IT staff installs it for no reason other than to be able to prove to their boss that it isn't their fault when stuff goes wrong. )


For the IT staff, the fact that your computer slows down is an externality; it is not their problem. If the anti-virus can catch a few viruses and doesn't result in many help-desk tickets, then it makes their lives easier. Cleaning up a virus is a tedious task, as even a simple re-imaging can take a while, and that's if you can use a standard image.

They also don't know how smart their users are. Some of them are great, and might read HN, but others will go download any game or smiley pack they can find.

If IT staff were paid based on how smoothly the computers run, they might have a different opinion. Their current goal is usually just to make sure it runs at all.


> Their current goal is usually just to make sure it runs at all.

Indeed. I'm the lead of the "IT Staff" at a small non-profit (~70 users) running mostly on second-hand desktops. Two-thirds of our staff is unpaid, usually interns who are here a few days a week for 3 months, and then they're gone and someone new takes their place. Training proper computer behavior is hard.

So... we run A/V (not McAfee), because we have to. We also lock down the systems hard, not because I think that's a nice thing to do to your users, but because we have to. Imaging all these different desktop models is difficult, and we have very limited resources for doing re-imaging/re-installs/virus cleaning/whatever.

My goal is to enable you to sit down at your computer and be able to perform your job. A 20% performance hit on all computers is worth it if it means that 20% of the computers aren't down for maintenance. :)


There are a couple of ways to address the virus problem besides installing anti-virus on Windows.

Here's a few things I'd consider if I wanted to run an office with minimal computer support:

  - run the LTS Ubuntu instead of Windows
  - maybe run OS X, on Mac Minis if buying new hardware
  - install one Windows terminal server for critical Windows-only software
  - lock down the firewall to permit only whitelisted websites
  - run locally hosted (I believe this is possible) Google Docs as office software

Windows virus problems, people surfing Facebook, porn, YouTube, Twitter etc., will suck away time in an office if you don't get some kind of a handle on it. I hate offices where stuff is super locked-down, but put in charge, I'd want to screw things down pretty tight.

Obviously developers, salespeople might be somewhat of an exception... it's a hard call to make.


> If prevailing wisdom was that unless you bought some $40 item for your car, it could easily be stolen, you'd probably buy it right?

Oh, you mean "The Club", which slows down a car thief by about 10 seconds ;)


Or you could just install the free AVG, the cost is zero (if money is what worries you), the impact on performance is negligible (I do photo and video processing, the antivirus doesn't seem to make Vista slower than it already is), and it's definitely better than nothing (caught a few cockroaches trying to sneak into my system already).

But what do I know, my laptop is running Ubuntu, my primary desktop has always been Linux since 1997.


I don't understand how even having a 20% detection rate isn't better than 0%. Am I missing something? Are there a lot of viruses popping over the net that even the 20% detection is already too late?


Given the cost in equipment purchases, user annoyance, lost productivity and purchasing the software itself it strikes me that you need much higher success rates to be worth all that.


The 20% figure that was "once read" about is pure fiction. Any up-to-date test figures reveal something closer to 99.8% of a 3 million sample testbase for the better AVs.

It's all a bit moot though as before this happened, McAfee was probably worse than anything a PC can get infected with. Now it's gone and proved it beyond any doubt.


The 99.8% includes a known test set for historic viruses from the 80s and 90s. The stuff you really care about are the new things that sweep the web (Blaster, Slammer, Code Red, etc.). AV is inherently reactive, and that .2% you miss is likely the latest stuff.


Old (meaning a year or two) viruses are still around, and can still do a lot of damage. A large part of the reason they don't is because people run virus scanners that catch them, and stop them from spreading.


Well, I mean, patching...


But that's totally meaningless!

Think of it in another way: at any point in time you have x number of viruses that you are likely to come across through whatever means. If all those viruses are in the 0.2%, then the catch rate isn't going to be 99.8%, it's going to be 0%.

So being able to catch 99.8% of 3 million viruses when new ones are released all the time is a pointless comparison for efficiency.


20% is totally meaningless as well, but you posted it.


No, he didn't. But that doesn't change his point.


Err, might be a good idea for an admin to change the URL to a more credible source, like http://isc.sans.org/diary.html?storyid=8656

Or at least: http://www.engadget.com/2010/04/21/mcafee-update--shutting-d...



If I were a trader, I'd short McAfee right now. This probably means lots of settlements.

EDIT: This could actually be a profitable venture. Someone with at least basic HN-type knowledge and a daytrading account could make serious money. Finance professionals most probably have no idea how important specific IT news is during the day. One should be able to trade ahead of consensus pretty easily.


You'd be making a trade based on how the market responds to news. Just because you care about this news doesn't mean the market will. Unless the settlements are enormous, the market never will.


Unless the settlements are enormous, the market never will.

Or if they lose big clients. My wife tells me all computers in PWC's NYC office are out.


Shame on PWC for not upgrading to Vista or Windows 7. A firm that large should have more foresight in IT planning.


I can't tell if that's sarcasm or not.


I don't know if you're serious or not, but the largest companies are also some of the slowest moving. We had Windows 2000 machines at Merrill Lynch, running Office 2000.


You have a point. Their market cap still dropped by 50 million in the last 40 minutes - whilst not being enormous, it's still noteworthy so far.


The stock is just following S&P 500 and not dropping on its own

http://www.google.com/finance?chdnp=1&chdd=1&chds=1&...


S&P 500 down 1.05% today, half an hour after opening bell, MFE down 3.6%. So it would have been a nice short after all.


I looked at this sort of thing before for tech sector - MSFT when the European anti-trust stuff came off, etc. - but it never seems to make a difference for some reason.


Finance professionals most probably have no idea how important specific [fill-in-the-blank] news

Yes, they do. There are lots of hedge funds that do nothing but analyze news feeds and trade on them all day long.


...unless their computers are down. :)

Seriously though, although there are plenty of algorithms that crawl news all day and trade accordingly, I still think there is money to be made by watching the news with a financial eye. After reading Google's "A New Approach to China" post (which I saw on HN minutes after it was posted), I specifically remember thinking it would be a good time to go long BIDU. And of course, kicked myself after the stock gained ~15% over the next three days. The market responds fast, but consensus is not always reached immediately.

I think the opportunity exists because events like this are like tiny "black swan" events, the lasting effects of which are not immediately perceptible to most people, let alone a computer algorithm. It's easy to write a script to trade on something like "expected earnings were 3c/share, actual earnings 5c/share" but this is complex information. The ability to put the pieces together and realize what a significant outage this is, why it is significant, why there is not an easy fix, and what most companies will do about it (prolly sue 'em or switch to Symantec) is more than a computer can do.

And I'm sure hedge funds are doing the math right now, trying to estimate the possible damages from lawsuits and how it changes the company's value. But remember, you don't have to beat the fastest hedge funds, you just have to beat most of the market, and you'll still make money. Anyway, it will be interesting to see what happens at market open tomorrow :)


By definition itself, you can't predict a black swan. As they say, day trading is not about making successful moves. It is about making successful moves even when you account for commissions. The reason everyone is not doing automated trading is that commissions eat up any profit that you can expect to make.


You can sort of predict some "black swans" (a poor term). But to benefit from them you don't need to predict them, just watch for them so you can see them coming before anyone else.


True, in general principle. In this case, I disagree. MFE was down similar to S&P 500 yesterday. After opening today, not so anymore (-3.6% vs -1%). So market participants clearly did not incorporate the news into their immediate trading yesterday.

Also, whilst market participants watch news feeds, there is a clear difference between following news and trading the tape vs having an actual clue as to what a specific news item means in hard money for a company.


I will be watching throughout the day to see what happens:

http://www.google.com/finance?q=NYSE:MFE


I thought about doing this a while ago, and started watching to see if I could find any way to predict stock prices based on tech news. I saw nothing I would put money behind. The stock price won't change based on news until after that quarter's earnings are released, and for a big company one technical glitch won't affect those.


This could be the most costly consumer software blunder ever? Imagine all the consultants called in for duty.


Really tempted to do this...


Anyone think that this might be an ingenious hack by a "virus" writer? Instead of targeting the computer, target the manufacturer that makes the code that is supposedly protecting the computer. If so, I'll bet all it took was one line in one list of malicious files.

No one may have thought to protect those back doors...


[deleted]


>Why do IT depts recommend installing this program?

My suspicion is that they need something to spend a lot of money on. That old "more expensive perfume = better" thing, to appease the managers. I could be wrong.


You are.

Despite all of its shortcomings, AV is still pretty effective at blocking crap for non-technical users. Perfect? Of course not. But even a 50% catch rate is better than nothing.

At my current job, we see our fair share of 0-day and too-new-to-be-caught-by-AV stuff. However, we also see a great deal of infections from viruses that are at least 1-2 years old. Even stupid AV can catch viruses that old.


I mean McAfee in lieu of a less expensive perfume, like Avast. I'm assuming Avast is less expensive.... Avast is better, though.

(And is it just me or is HN freaking out right now?)


The only problem with Avast is enterprise management. Products like Symantec and McAfee suck, but at least provide options for managing 100k+ deployments.


Have a look at Sophos (http://www.sophos.com/).

It was the only one I found in my testing to not destroy Windows filesystem performance when real-time scanning was enabled and to have no discernible impact when real-time scanning was disabled. (Symantec, McAfee, AVG and Avast all hurt disk performance quite a bit, EVEN when disabled, merely by being installed. F-Secure was the only other I found to not harm disk performance when installed but inactive.)

Sophos also has a decent enterprise management console. No connection, other than as a customer.


A recent study linked here showed that frequent password changes were no good (can't find the link right now).


The original post you're replying to was deleted, but, this comment interested me enough that I went and looked for the paper. It isn't up yet, but here's a writeup of it from the Boston Globe: http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/....

The paper (Please Continue to Hold: An empirical study on user tolerance of security delays) is by Cormac Herley and a few others. All the other papers on Herley's page (http://research.microsoft.com/en-us/people/cormac/) are up, so, I'm assuming that this one will be too, at some point in the future.


Thanks, I'd read a writeup as well, not the original.


Some virus guy wrote about the problem of the economic model of major antivirus vendors. Corporate profit interests go against making a decent, long-lasting antivirus and instead benefit from constant incremental updates. That's why they mostly avoid behavioral analysis and localhost security checks. Instead they just use brute-force pattern matching and constant updates.

A subscription model is detrimental to users' security. But try to explain that to your PHB who reads websites and magazines making money on advertisements from the industry.


I had this same problem with AVG on my parents' PC some time ago: it deleted an essential system file, making the computer unable to boot even in safe mode. I then did what they said that I should do, thereby fucking Windows up completely. Luckily I was able to recover important files via Ubuntu.


"- Don't worry, Skynet will take care of the virus in no time.

- Skynet IS the virus!!!"


The anti-virus scam strikes again!


Why does AV software not have a secure checksum-based whitelist? It is not as if Microsoft keeps the important system files secret.


For that matter, why didn't they test this on at least one machine before releasing it? Is it not standard to have a release process that includes testing?


Not to mention incremental roll outs, which would have caught this problem before it hit every win xp machine.


A guess: presumably whatever checksum they invent will have a severe risk that hackers will reverse engineer it and then devote their vast botnets to manufacturing virii that give the same checksum thus handing them even more control.


There are secure hash algorithms and message authentication codes that are extremely secure.
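The subthread above asks why an AV engine does not keep a checksum-based whitelist of known-good system files, and why a signature update is not tested against at least one machine (or rolled out incrementally) before it reaches every XP box. The following is an added example, not McAfee's or any vendor's code, showing both controls in a toy scanner: a SHA-256 whitelist consulted before quarantine, a pre-release gate that scans a golden corpus with the candidate signature set, and an HMAC tag so the whitelist itself cannot be edited on disk. The file paths, file bytes, signature names, and the key are all constructed here; real system files are not on this page and no real hashes are used.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for Windows system files (hypothetical bytes, not real PE images).
SYSTEM_FILES = {
    r"C:\WINDOWS\system32\svchost.exe": b"MZ\x90\x00 hypothetical svchost image; imports ServiceMain",
    r"C:\WINDOWS\system32\kernel32.dll": b"MZ\x90\x00 hypothetical kernel32 image; exports CreateFileW",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# What a vendor would ship: SHA-256 of every known-good file, keyed by digest.
KNOWN_GOOD = {sha256_hex(data): path for path, data in SYSTEM_FILES.items()}

# Toy signature databases (byte patterns, hypothetical names). The "bad" update adds a
# pattern that also occurs in the constructed svchost image: the false positive.
GOOD_SIGNATURES = {"Toy/Dropper.A": b"EVIL_PAYLOAD_MARKER"}
BAD_SIGNATURES = dict(GOOD_SIGNATURES, **{"Toy/Overbroad.B": b"imports ServiceMain"})


def signature_hits(data, signatures):
    """Names of all patterns found in data (substring match stands in for real scanning)."""
    return [name for name, pattern in signatures.items() if pattern in data]


def should_quarantine(data, signatures, whitelist=KNOWN_GOOD):
    """Runtime check: quarantine only if a signature fires AND the exact bytes are not a
    known-good system file. Any modification changes the SHA-256, so a trojanised copy of
    svchost.exe is not covered by the whitelist entry for the genuine one."""
    if not signature_hits(data, signatures):
        return False
    return sha256_hex(data) not in whitelist


def false_positives(signatures, corpus=SYSTEM_FILES):
    """Pre-release gate: scan the golden corpus with the candidate signature set.
    A non-empty result means the update must not ship."""
    result = {}
    for path, data in corpus.items():
        hits = signature_hits(data, signatures)
        if hits:
            result[path] = hits
    return result


def sign_whitelist(whitelist, key: bytes) -> bytes:
    """Serialise the whitelist and append an HMAC-SHA256 tag under the vendor key."""
    body = json.dumps(whitelist, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def verify_whitelist(blob: bytes, key: bytes):
    """Return the whitelist if the tag checks out, else None (reject a tampered list)."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


if __name__ == "__main__":
    print("good update false positives:", false_positives(GOOD_SIGNATURES))
    print("bad update false positives:", false_positives(BAD_SIGNATURES))
```

The whitelist only protects bit-identical files, which answers the worry raised above about attackers "manufacturing" a file with the same checksum: producing a different input with the same SHA-256 is not feasible, and any byte changed in svchost.exe moves it off the list. The HMAC guards a different threat, a local tamperer adding entries to the vendor's list. Neither control replaces testing the update: `false_positives` is the check that would have rejected a DAT that flags a file in the golden corpus before it left the vendor.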


So they've finally identified Windows as a virus? About damned time.



