Educause Security Discussion mailing list archives
Re: [EXTERNAL] Re: [SECURITY] Benign samples for testing AV vendors
From: "Bridges, Robert A." <0000008d8011d045-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Wed, 22 May 2019 14:51:39 +0000
All, thanks for your suggestions! We'll look into those resources, especially EICAR! @John McCabe, I think your insight is really interesting—I'm not a SOC operator, but false positives seem to be a recurring Achilles' heel for them. Appreciate your warnings about using download.com, cnet.com, sourceforge, etc. Likely we'll scrape some files from on-network computers.

v/r,
bb

Robert A. Bridges, PhD, Cyber Security Research Mathematician, Oak Ridge National Laboratory

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of John McCabe <john.mccabe01 () MANHATTAN EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, May 20, 2019 at 6:07 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [EXTERNAL] Re: [SECURITY] Benign samples for testing AV vendors

Hi Bobby,

I googled your name as I was not sure I understood your purpose. I see that you're an antivirus researcher, so I wish you success in making AV better. AV is an example of a computation that does its best to ignore the Halting Problem. I'm of the mindset that false positives are fine as long as the user can report false positives back to the AV company and the AV company does its best to improve.

To answer your question, I'm not sure if a dataset meant to measure the false positive rate of AV exists. It is too bad that spec.org does not have a specific dataset for this purpose. Others have mentioned that EICAR is technically a false positive, but that's by design, which is uninteresting if you want to measure & compare the false positive rate of AV solutions.

RHEL software should be easy to find from CentOS package repositories. You can always use yum to download the source RPM (SRPM) & compile with different optimization levels, to gather "extra" programs.

See if https://chocolatey.org/ and https://ninite.com/ can give you enough executables for your testing. In my experience, they are virus-free. Don't use download.com, cnet.com, sourceforge, etc.

Regards,
John

On Mon, May 20, 2019 at 4:39 PM Bridges, Robert A. <0000008d8011d045-dmarc-request () listserv educause edu> wrote:

Hi, we're planning on testing some AV vendors' products. Is there a good way to collect or download known benign files for many different OSes, specifically Windows 7, 10, and RHEL distros?

Thanks
Bobby

Robert A. Bridges, PhD, Oak Ridge National Laboratory

--
John McCabe
Senior Information Security Manager & Data Protection Officer
Information Technology Services
Manhattan College
Riverdale, NY 10471
Phone: 718-862-6217
john.mccabe01 () manhattan edu
www.manhattan.edu
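The thread turns on two practical points: EICAR is detected by design and must not count against a vendor, and a benign corpus scraped from many machines will contain the same binary under several names. The script below is an added example (not code from either poster, from Oak Ridge, or from any AV vendor) showing how to hash a corpus into a manifest deduplicated by SHA-256, drop the test file by hash rather than by name, and compute a per-vendor false-positive rate over distinct samples. The tab-separated scan-log format, the two vendor names and the detection names are constructed for the example; the sample corpus is written to a temporary directory so it runs offline.

```python
"""Score AV scan results against a known-benign corpus (added example).

Assumes a constructed 'vendor<TAB>path<TAB>verdict' scan log; adapt
parse_scan_log to whatever your engines actually emit.
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict


def sha256_file(path, chunk=1 << 20):
    """Streaming SHA-256 so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, exclude_hashes=frozenset()):
    """Map sha256 -> [paths] for every regular file under root.

    Deduplicating by hash matters: one DLL shipped by three packages is one
    sample, not three.  Hashes in exclude_hashes (the EICAR test file, which
    engines detect by design) never enter the benign set.
    """
    manifest = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = sha256_file(path)
            if digest not in exclude_hashes:
                manifest[digest].append(path)
    return dict(manifest)


def parse_scan_log(lines):
    """Return vendor -> set of flagged paths; CLEAN means no detection.
    Vendors that flagged nothing are kept so they report a zero rate."""
    hits = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        vendor, path, verdict = line.split("\t")
        hits.setdefault(vendor, set())
        if verdict != "CLEAN":
            hits[vendor].add(path)
    return hits


def false_positive_rates(manifest, hits):
    """Per vendor: (flagged benign hashes, benign hashes, rate).

    Counted per distinct hash, so flagging both copies of a duplicated file is
    one false positive.  Paths outside the manifest (the excluded test file)
    are ignored rather than counted against the vendor.
    """
    path_to_hash = {p: h for h, paths in manifest.items() for p in paths}
    total = len(manifest)
    rates = {}
    for vendor, paths in hits.items():
        flagged = {path_to_hash[p] for p in paths if p in path_to_hash}
        rates[vendor] = (len(flagged), total, len(flagged) / total if total else 0.0)
    return rates


def make_sample_corpus():
    """Constructed stand-in for files scraped from on-network machines."""
    root = tempfile.mkdtemp(prefix="benign-corpus-")
    files = {
        "bin/tool-a.exe": b"MZ" + b"\x90" * 64 + b"tool-a",
        "bin/tool-b.exe": b"MZ" + b"\x90" * 64 + b"tool-b",
        "lib/shared.dll": b"MZ" + b"\x00" * 32 + b"shared",
        "lib/copy/shared.dll": b"MZ" + b"\x00" * 32 + b"shared",  # byte-identical duplicate
        "test/marker.txt": b"stand-in for the by-design AV test file",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


def demo():
    """Build the corpus, score two hypothetical vendors, return (manifest, rates)."""
    root = make_sample_corpus()
    p = lambda rel: os.path.join(root, *rel.split("/"))
    # Exclude the test file by hash, not by name: a renamed copy stays excluded.
    excluded = {sha256_file(p("test/marker.txt"))}
    manifest = build_manifest(root, excluded)
    scan_log = [  # constructed: VendorA hits only the test file, VendorB hits both DLL copies
        "# vendor\tpath\tverdict",
        f"VendorA\t{p('bin/tool-a.exe')}\tCLEAN",
        f"VendorA\t{p('bin/tool-b.exe')}\tCLEAN",
        f"VendorA\t{p('lib/shared.dll')}\tCLEAN",
        f"VendorA\t{p('lib/copy/shared.dll')}\tCLEAN",
        f"VendorA\t{p('test/marker.txt')}\tEICAR-Test-File",
        f"VendorB\t{p('bin/tool-a.exe')}\tCLEAN",
        f"VendorB\t{p('bin/tool-b.exe')}\tCLEAN",
        f"VendorB\t{p('lib/shared.dll')}\tPacked.Suspicious",
        f"VendorB\t{p('lib/copy/shared.dll')}\tPacked.Suspicious",
        f"VendorB\t{p('test/marker.txt')}\tEICAR-Test-File",
    ]
    rates = false_positive_rates(manifest, parse_scan_log(scan_log))
    shutil.rmtree(root)
    return manifest, rates
```

Running `demo()` yields a manifest of three distinct samples (the two DLL copies collapse to one), VendorA at 0/3 because its only hit is the excluded test file, and VendorB at 1/3 because both paths of the duplicated DLL map to the same hash. The same per-hash accounting is what lets two vendors be compared on the same denominator when their scanners report different path sets.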
Current thread:
- Benign samples for testing AV vendors Bridges, Robert A. (May 20)
- Re: Benign samples for testing AV vendors Frank Barton (May 20)
- Re: Benign samples for testing AV vendors Kevin Wilcox (May 20)
- Re: Benign samples for testing AV vendors John McCabe (May 20)
- Re: [EXTERNAL] Re: [SECURITY] Benign samples for testing AV vendors Bridges, Robert A. (May 22)