[funsec] Consumer Reports Slammed for Creating 'Test' Viruses

Toralv_Dirro at McAfee.com
Sat Aug 19 21:03:30 CDT 2006

> Drsolly wrote:
> > No, it's one of the worst ways, about on a par with throwing dice.
> If I were to write a new virus, I'm pretty confident that I 
> could accurately predict the results of throwing it at 30 
> virus scanners.

Especially after running all 30 scanners against it and tuning your virus
so long until no scanner detects it. People actually do this, luckily
not everyone.

> For the occasional claim that some AV package can detect new 
> unknown viruses, or that some heuristic package can do so, 
> creating a new virus in lab conditions is certainly a valid 
> test.  It's a crap shoot because that's how (in)effective AV 
> is at spotting new things, not because the test is invalid.

Some AV products do a fairly good job detecting new viruses or new
variants. Creating a new one to test this may appear as a valid way to
test this, but transferring the results of this test to the general case
in the real world is not easy. Read my other post how this invalidates
the test compared to a test with old signatures and new malware that
actually appeared in the world where the results are actually relevant.

> > I agree - the only test method that comes anywhere near being able to
> > work, is to run a three-month-old product against the current crop of
> > viruses (and even that isn't as easy as it sounds).
> OK, so if I write a virus today and test today's signature 
> files... it's not a valid test.  However, if I save today's 
> signature files, let *other people* volunteer to write a 
> bunch of viruses, and then test those, it is.

Yes :)

> You're not arguing against the validity of the test method, 
> you're saying that you don't want additional viruses being 
> created, because you don't like it.

I do argue against the validity of the test method. You writing a virus
to test just shows how effective AV is against this new virus and the
particular way you build it.

I'm also saying I absolutely don't like new viruses to be created.


...speaking for myself, no one else.
