[funsec] Consumer Reports Slammed for Creating 'Test' Viruses

Drsolly drsollyp at drsolly.com
Thu Aug 17 15:20:16 CDT 2006


On Thu, 17 Aug 2006, Blue Boar wrote:

> Blanchard_Michael at emc.com wrote:
> >  Certainly is my opinion, I can't give anyone else's ;-)
> 
> I say that because you assert it like it's a provable fact.
> 
> >   When is it appropriate to write a new virus that the rest of us get stuck cleaning up?
> 
> For one, I agree with Jericho (apologies if I'm putting words in his 
> mouth) that generating a new virus is probably the best way to test a 
> virus scanner that is expected to detect new viruses.  

No, it's one of the worst ways, about on a par with throwing dice.

> I'm pretty sure I 
> already know what the answer would be before I even tried, but if I were 
> trying to test it, that would be how I would want to do it.
> 
> If I were trying to see how quickly AV companies could write a signature 
> for a new virus, there's one obvious way to do that.
 
No, there isn't, actually. Because how long it takes to "write a 
signature" depends very much on chance. You can write a new virus that is 
already covered by an existing signature, or you could write an intensely 
polymorphic virus that some companies could handle quite quickly because 
they have one sort of engine (while others couldn't), or vice versa.

But the big thing that all this loses sight of, is that virus writing
isn't a stochastic process, or even evolutionary. In this case,
Intelligent Design is the appropriate theory. A new virus is designed by
someone, and if they want to make it beat the heuristics of any one (or
several) AV products, then they will.

I agree - the only test method that comes anywhere near being able to 
work is to run a three-month-old product against the current crop of 
viruses (and even that isn't as easy as it sounds).

AV product testing is extremely difficult; the first difficulty is getting 
people to understand what the problems are, when what they actually want 
to do is something that takes an hour, and they don't really care what.

The testing of {AV product testing} tends to be easier, because there
are so many appallingly bad AV product tests.
