Wednesday, June 10, 2009

Antivirus Design and Usability

Developers of software tend to be surprisingly out of touch with users. Even technical ones like me get thrown for a loop sometimes.

Set aside the problems I have with antivirus in general...eat up resources, give users false sense of security, are a band-aid and not a fix (although users feel otherwise)...and there's still one area that some AV software falls short in but could fix. Just being "user friendly".

I just had a user contact us about a message of a virus on her computer. I checked on her system and sure enough, the software we're using for virus protection had a window popped up saying she had "JS.shellcode.AD" infecting her system.

The name tells me that it was most likely a browse-by attack of JavaScript downloaded to her cache. In other words, probably minor...antivirus software likes to make the littlest things appear on par with nuclear disaster, probably because it helps justify cost from their users in keeping a subscription renewed. But again that's part of another issue.

My problem was that this notification window told me, quote,
"Killing Method: Not Removed."

Huh? Is that like saying you killed a bug by letting it run away?

"File Access: denied."

Does that mean the antivirus was denied access, or the AV software is denying the user access to protect them?

"Proposed method: open file"

Are you suggesting it to me as an action to take? Or are you telling me what the user was trying to do? Because as a program continuously monitoring system activity, chances are pretty good you caught the problem because the system was trying to open a file that it didn't like. I assume when reading about an accident that a car struck another car because of something stemming from driving, not because the driver was flying around and landed on the other vehicle. So why are you reporting it to me unless this was actually trying to tell me something else?

The wording just plain sucks.

I then tried finding the file in question to see if I could delete it...after all, the AV is saying that it was "Not Removed". I couldn't find it.

I tried browsing from a remote computer into the root share. Windows nowadays likes to dynamically reformat the way it presents information to the user to "protect" them. While I understand the (simple) concept of a directory and file structure and have no problem navigating to folder X in Y inside Z to find file A, Windows will hide certain folders and combine them together in Explorer. For example, your Temporary Internet files are actually a series of subfolders with names like EROF43D. When you view your temporary files in Explorer on the local machine, you see a huge list of cookies and cached files in one big list. If you pull them up on a remote computer, you can actually navigate into individual cache directories with goofy names to find what the machine is actually seeing (or if you boot with a Linux boot disk you can actually navigate the folders the way they really are).

I hate Windows hiding this crap.

OS X's Finder does something similar to make the disk more "user friendly".

Anyway, browsed to that location. The file wasn't there.

Huh?

Is it quarantined? Sometimes AV software will take a file it can't "fix" and put it into a "protected" folder, so you don't access it again but can, theoretically, restore it if it was a false positive. But the error the AV popped up with and the log in the program didn't say anything about moving or quarantining the file.

ARGH!

In the course of repairing a second "virus infected" system here, I copied some tools from the Sysinternals Suite (free! Wonderful tools for sysadmins!) from a network share to the local system to help with some diagnosis. That same antivirus program deemed one of the applications to be a threat. And deleted it.

I tried copying remotely over to that system. The AV deleted it.

@#$#$!@# piece of @#!

This same system on which the AV protected me so vigilantly still has problems appearing...among them Virtumonde (remember the problem with them? Or at least the suspected problem? Yup, that same system...) and was confirmed with Spybot Search and Destroy. Undetected by the antivirus. Thank you so much! It had hit one small component while leaving other parts active from the registry! Yay!

What's my point? My point in this particular post, aside from the side trips into Rantville, is that I wouldn't have been quite so frustrated had the messages been clear and had the ability to work on the system not been thwarted by the interface. The antivirus started it...but Windows also has some of this built in by trying to be user-friendly with barriers to actually getting to the problems to work on it. I have to find ways to work "around" the friendliness just to get the job done!

I mean, c'mon...who thought it would be a good idea to tell you the "kill method" on an infected file is "not removed"? That's not a method. That could be an action taken, but then why can't I find the #$$% file afterwards? You obviously did something to the file in question! WHERE IS IT!?

What happens when you throw these types of obstacles in front of the users? You're being counterproductive. Like I said above, I spend time finding ways to work around these issues when in reality the developers should just fix the problems. Read this blog entry from a developer back in '05...users will find ways to make it usable even if it means simply not using your product (and in the process screwing themselves over or breaking your viciously stupid policies). It also fosters the attitude of resenting your company, your product, or your department, depending on whether you're a vendor or an IT department in charge of helping the user.

You can't make all users happy and I won't pretend you can. My problem is that I am a technically inclined person and one of the people usually called on to help sort out the issues users have when they don't want to or cannot figure out why their computer isn't working...and you're making it hard for me to work with your products. That is crossing a usability line. Would you purchase another car from a company after finding that your mechanic can't work on it or that he can work on it, but because of the way the company designed the engine it takes your mechanic an extra three or four hours (with an hourly fee to go with it) to do the job that on another brand would have taken one-third the time?

Usability testing...look into it.
