From immunology to heuristics


David Harley

Small Blue Green World, UK
Editor: Helen Martin


David Harley looks back over 17 years in the AV industry and describes his life before AV.


David Harley first became involved with the anti-malware world in 1989 – the year Virus Bulletin was conceived. Since then David has provided anti-malware advice to the likes of the Imperial Cancer Research Fund and the UK’s National Health Service (NHS) in official capacities, as well as untold numbers of end users through his various contributions to Internet FAQs and numerous publications. Here, David looks back over 17 years in the AV industry and describes his life before AV.

Once upon a time in the Midlands

I was born in Shropshire, England, close to the town of Shrewsbury – whose more renowned associations include Charles Darwin, Wilfred Owen, and the fictional monk Cadfael. I lived in Shropshire for the first 25 years of my life, with the exception of a couple of years spent at the University of Wales. There, I read social sciences until the point at which I was so convinced that my future lay in rock and roll that I left university, my degree uncompleted.

After several years of supplementing my musical income with bar work and labouring jobs, I realised that I needed to get a 'real' (less transient) job. Eventually I moved to the South of England to work with people with severe learning difficulties. This proved invaluable experience much later on when I came to work with upper management in the public sector, where an inability to build on previous experience is seen as politically expedient. It’s much better to tear everything down and start again every few years, right?

A WordStar is born

In the 1980s, after some years at close quarters with various aspects of the building trade (during which I dedicated part of my right thumb to the quest for a better balustrade in an unequal contest with an overhand planer), I had a sudden brainstorm (which fortunately coincided with a respectably sized redundancy payment) and bought a computer. To be precise, I bought an Amstrad PCW. This was blessed with three-inch (not 3.5-inch) floppy drives, a Z80 processor, CP/M, BASIC, and a strange and unimaginably stately word-processing package called LocoScript, which I swiftly exchanged for WordStar, supplemented with long-forgotten packages like SuperCalc and DataStar. On this machine I learned many of the basics of office (with a lower case 'o') computing and started programming.

Armed with my new-found skills, I joined the Department of Immunology at the Royal Free Hospital, in London. There, I added PCs to my portfolio (DOS and GEM at that point) and lost my UNIX virginity. I also picked up my long-abandoned first degree with the Open University, though this time I chose to concentrate on technology and computer science subjects.

Geeks bearing gifts

In 1989, I was headhunted by the Imperial Cancer Research Fund (ICRF), who were looking for someone who could combine administrative and technical skills for work associated with the Human Genome Mapping Project. It was here, at last, that malware came into my life.

On 19 December 1989, one of my former colleagues at the Royal Free rang to ask my advice on a malware problem. One of the doctors at the hospital had received and looked at Dr. Popp’s infamous AIDS Information Diskette trojan (which was heavily featured in the January 1990 issue of Virus Bulletin [1]), and the PC on which she had been working had become unusable when the trojan triggered. It would be nice to be able to claim that I ran off a quick program to recover the system for them – but at the time I hadn't actually seen the thing, and in any case, I was somewhat preoccupied that day. Instead, I did the next best thing and pointed my former colleague towards Jim Bates, who already had the problem sorted. Why do I recall the date so exactly? Because the 'something else' with which I was preoccupied that day was my daughter Katie, who was born later that afternoon.

From that point on malware became a constant feature of my life (and Katie's: when I became a single parent, she frequently accompanied me to VB and EICAR conferences). I became responsible for configuring PCs for scientific meetings, including setting up anti-virus protection. Since anti-virus technology was pretty rudimentary then, I rigged up a shell with TSRs and batchfiles to counterfeit a rudimentary on-access scanner, and scheduled integrity checking and on-demand scanning. On the whole, it was ridiculously over-engineered for the size of the threat in that environment, but it was a great learning experience.

When my contract with the ICRF expired after two years, I was assimilated into the IT unit as a permanent network/support engineer. My first task was to re-engineer the standard AV installation, and while I worked my way through a series of other functions (Unix/VMS administration, desktop support, helpdesk), I became more and more specialized in security (in particular anti-virus, from incident management, to procurement, to systems and configuration management).

As part of my general trawl for information, I started to haunt newsgroups like comp.virus and alt.comp.virus, and my first widely read work in this field was in Internet FAQs. In fact, the alt.comp.virus FAQ was a major learning experience (and not the easiest thing I’ve ever done). The most important thing I learned was how little I knew – and I’ve been trying to catch up ever since.

Macs factor

Working with phalanxes of Mac-loving scientists gave me an uncomfortably close view of one of the lesser-known plagues of the 1990s, when academic sites in the UK were overwhelmed by floods of macro viruses passed from Mac users (secure in the 'knowledge' that there were 'no Mac viruses' – some things don't change…) to the rest of the world. I put in a lot of unpaid overtime and in some cases, I found three or four different viruses on the same Mac.

Out of that phase came the 'Viruses and the Mac' FAQ, and my first VB conference paper, presented in 1997 to about seven people in San Francisco. I had terrible stage fright (perhaps I'd have managed better with a guitar to hide behind), totally mistimed the presentation, and was about a quarter of the way through when I ran out of time.

By the end of the decade, I was writing quite a few articles (and managing to convince people that it wasn't only Macs I knew something about!), and by the time I left ICRF in 2001, I had a couple of books in process, including Viruses Revealed [2] (co-authored with Robert Slade and Urs Gattiker). This may not have been the best book ever written on the subject, but might well be the bulkiest.

Good for my health

This time, I moved from an organization with less than 2,000 end-users to one with 1.25 million – the UK's National Health Service (NHS). Here, I ran something that became the Threat Assessment Centre – a sort of one-man CERT. At its peak, the Centre comprised an unimpressively sized virtual team of a full-time manager (me, operating from home first in Shropshire, then the Hampshire/Surrey borders), an alerts/advisories/FAQ author (me), a malware/spam management specialist (me), about one quarter of an administrator (operating from Exeter), up to half a junior analyst (operating from Birmingham), and some specialists who floated in and out during crises. And I was still getting reports of macro viruses disseminated via Mac users.

In spring 2006, after five years with the NHS, I accepted a redundancy package in preference over relocation and regression to an office-bound, entirely hands-off role.

Don't forget to write

So now, masquerading as a consultant (I do consult for AV companies et al. occasionally), I concentrate on writing. I'm currently working on an exciting publishing project with other members of AVIEN and AVIEWS [3], and I am convinced that this will offer a uniquely blended view of malcode management and security from the points of view of industry researchers and skilled administrators (watch this space!).

Howdy pardner

I firmly believe that partnerships between the industry, other security sectors, government and law enforcement, and the technically savvy customers so well represented in AVIEN will continue to contribute massively to our knowledge, not only of changes in the threatscape, but of evolving methods of countering them. I frequently find myself depressed by the fact that our community remains mistrusted and undervalued – not least by some groups and individuals involved in countering phishing and other fraud, as well as spyware and other threats that we are also working against.

Some of these groups still seem fixated on the idea that anti-virus research is an ivory tower somewhere beyond the horizon where people foster an outmoded technology which is applicable only to viruses and effective only against known malware. (How I've learned to loathe the word 'signature'!)

On the other hand, I am heartened by the knowledge that despite all the preconceptions, there are people joining up the dots and fighting the good fight. I'm proud to be, in a small way, part of a community – indeed, several communities – including so many able researchers, developers and all-round good guys of all genders.


[1] Virus Bulletin, January 1990. See

[2] Harley, D.; Slade, R.; Gattiker, U. Viruses Revealed. McGraw-Hill, 2001.

[3] AVIEN and AVIEWS, and, respectively.



Latest articles:

Throwback Thursday: CARO: a personal view

As a founding member of CARO (Computer Antivirus Research Organization), Fridrik Skulason was well placed, in August 1994, to shed some light on what might have seemed something of an elitist organisation, and to explain CARO's activities and…

VB2016 paper: Uncovering the secrets of malvertising

Malicious advertising, a.k.a. malvertising, has evolved tremendously over the past few years to take a central place in some of today’s largest web-based attacks. It is by far the tool of choice for attackers to reach the masses but also to target…

VB2016 paper: Building a local passive DNS capability for malware incident response

Many security operations teams struggle with obtaining useful passive DNS data post security breach, and existing well-known external passive DNS collections lack complete visibility to aid analysts in conducting incident response and malware…

Throwback Thursday: Tools of the DDoS Trade

In September 2000, Aleksander Czarnowski took a look at the DDoS tools of the day.

VB2016 paper: Debugging and monitoring malware network activities with Haka

Malware analysts have an arsenal of tools with which to reverse engineer malware but lack the means to monitor, debug and control malicious network traffic. This VB2016 paper proposes the use of Haka, an open source security-oriented language, to…

Bulletin Archive