Re: Anti-Virus Testing and Consumer Reports

[Drsolly <drsollyp () drsolly com>]

> I'll argue that our new wheel is "rounder than the old wheels",
> because:
>
>   a) The repository will not sell AV samples/feeds.  Some
>      security companies do this; we will not.

I don't actually know of any international cooperating body that sells 
viruses. The one I know of, doesn't charge.
 
>   b) To make sure we don't buckle on point a, we will have no
>      commercial interest in the collection; (the entity taking
>      ownership of the submitted samples is a 501(c)(3) non-profit
>      organization).  All the code used by the repository will have a
>      bsd-style license.  (We of course do not want
>      $RANDOM_VIRUS_WRITER to use these resources, however, as is
>      the unavoidable case with many commercial AV offerings.)

There is actually no way that any AV company can stop $RANDOM_VIRUS_WRITER 
from buying their antivirus product. But I guess you're talking about 
$RANDOM_VIRUS_WRITER buying a virus collection - in that case, i'd repeat 
that I don't know of any international cooperating body that sells    
viruses.
 
>   c) Users are encouraged, but not required, to share their own
>      samples.  Unlike many repositories, there are no up/down
>      quotas.

Cooperation must be in two directions, otherwise the people who are giving 
will eventually feel that they're being abused, and will pull out. But I 
agree no "quotas".

>   d) We will take great pains to NOT have our honeyfarms and
>      sensors illuminated.  Blackhats have their own (highly
>      sophisticated) IP reputation system, and know where many
>      of the world's honey* collection systems are found.
>      (E.g., mazafaka had listed many security company's sensors.  
>      The problem is *so* extensive that even academics are writing
>      papers on this topic. Surely that's another symptom
>      of a problem!)

That's a different issue from a repository. Obviously, no-one in their 
right mind, would connect such a repository to the the internet
     
>    2.  A second difference is the service-oriented nature of the
> repository.  We'll analyze and unpack samples, and let (properly
> vetted) members use the analysis.  (In a paper to appear at the
> upcoming ACSAC conference, we've found a tremendous lift in AV
> detection.  I.e., AV tools green light the packed samples, but can
> recognize malware in the unpacked versions.)

All that says is that some AV tools do some sorts of unpacking and not 
others.
 
> I take Drsolly's point to be a reminder that I need to properly
> acknowledge the other good work that people are doing.
 
I'd support that. 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.