funsec mailing list archives
Re: Anti-Virus Testing and Consumer Reports
From: Drsolly <drsollyp () drsolly com>
Date: Wed, 30 Aug 2006 17:50:24 +0100 (BST)
> I'll argue that our new wheel is "rounder than the old wheels", because:
> a) The repository will not sell AV samples/feeds. Some security companies do this; we will not.
I don't actually know of any international cooperating body that sells viruses. The one I know of, doesn't charge.
> b) To make sure we don't buckle on point a, we will have no commercial interest in the collection; (the entity taking ownership of the submitted samples is a 501(c)(3) non-profit organization). All the code used by the repository will have a bsd-style license. (We of course do not want $RANDOM_VIRUS_WRITER to use these resources, however, as is the unavoidable case with many commercial AV offerings.)
There is actually no way that any AV company can stop $RANDOM_VIRUS_WRITER from buying their antivirus product. But I guess you're talking about $RANDOM_VIRUS_WRITER buying a virus collection - in that case, I'd repeat that I don't know of any international cooperating body that sells viruses.
> c) Users are encouraged, but not required, to share their own samples. Unlike many repositories, there are no up/down quotas.
Cooperation must be in two directions, otherwise the people who are giving will eventually feel that they're being abused, and will pull out. But I agree no "quotas".
> d) We will take great pains to NOT have our honeyfarms and sensors illuminated. Blackhats have their own (highly sophisticated) IP reputation system, and know where many of the world's honey* collection systems are found. (E.g., mazafaka had listed many security companies' sensors. The problem is *so* extensive that even academics are writing papers on this topic. Surely that's another symptom of a problem!)
That's a different issue from a repository. Obviously, no-one in their right mind would connect such a repository to the internet.
> 2. A second difference is the service-oriented nature of the repository. We'll analyze and unpack samples, and let (properly vetted) members use the analysis. (In a paper to appear at the upcoming ACSAC conference, we've found a tremendous lift in AV detection. I.e., AV tools green light the packed samples, but can recognize malware in the unpacked versions.)
All that says is that some AV tools do some sorts of unpacking and not others.
> I take Drsolly's point to be a reminder that I need to properly acknowledge the other good work that people are doing.
I'd support that.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.