Educause Security Discussion mailing list archives

Re: [EXTERNAL] Re: [SECURITY] Benign samples for testing AV vendors


From: "Bridges, Robert A." <0000008d8011d045-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Wed, 22 May 2019 14:51:39 +0000

All, thanks for your suggestions! We’ll look into those resources, especially Eicar!

@John McCabe<mailto:john.mccabe01 () MANHATTAN EDU>, I think your insight is really interesting—I’m not a SOC operator, 
but false positives seem to be a recurring Achilles’ heel for them. Appreciate your warnings about the use of 
download.com, cnet.com, sourceforge, etc.
Likely we’ll scrape some files from on-network computers.

v/r,
bb


Robert A. Bridges, PhD, Cyber Security Research Mathematician, Oak Ridge National Laboratory

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of John McCabe 
<john.mccabe01 () MANHATTAN EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, May 20, 2019 at 6:07 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [EXTERNAL] Re: [SECURITY] Benign samples for testing AV vendors

Hi Bobby,

I googled your name as I was not sure I understood your purpose. I see that you're an antivirus researcher so I wish 
you success in making AV better.

AV is an example of a computation that does its best to ignore the Halting Problem. I'm of the mindset that false 
positives are fine as long as the user can report false positives back to the AV company and the AV company does its best 
to improve.

To answer your question, I'm not sure if a dataset meant to measure the false positive rate of AV exists. It is too bad 
that spec.org does not have a specific dataset for this purpose. Others have mentioned that EICAR is 
technically a false positive but that's by design, which is uninteresting if you want to measure & compare the false 
positive rate of AV solutions.

RHEL software should be easy to find from CentOS package repositories. You can always use yum to download the source 
RPM (SRPM) & compile with different optimization levels, to gather "extra" programs.

See if https://chocolatey.org/ and https://ninite.com/ can give you enough executables for your testing. In my 
experience, they are virus-free. Don't use download.com, cnet.com, sourceforge, etc.

Regards,
John



On Mon, May 20, 2019 at 4:39 PM Bridges, Robert A. <0000008d8011d045-dmarc-request () listserv educause 
edu<mailto:0000008d8011d045-dmarc-request () listserv educause edu>> wrote:

Hi, we’re planning on testing some AV vendors' products. Is there a good way to collect or download known benign files 
for many different OSes, specifically Windows 7, 10, and RHEL distros?

Thanks
Bobby

Robert A. Bridges, PhD, Oak Ridge National Laboratory


--
John McCabe
Senior Information Security Manager & Data Protection Officer
Information Technology Services
Riverdale, NY 10471
Phone: 718-862-6217
john.mccabe01 () manhattan edu
www.manhattan.edu
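One way to run the measurement John and Bobby are discussing, as an added example that is not part of the thread: hash-manifest a benign corpus, tag Windows PE and Linux ELF executables by their magic bytes, and compute each vendor's false-positive rate from scan verdicts joined on hash. The (vendor, sha256, flagged) verdict format and the sample files are assumptions.

```python
"""Hash-manifest a benign corpus and score AV verdicts. Added example for this
thread, not a participant's code; verdict tuple format is assumed, files are constructed."""
import hashlib
import os
import tempfile

EXEC_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}  # native formats the thread names

def classify(data: bytes) -> str:
    """Label a file pe/elf/other from its leading bytes."""
    for magic, label in EXEC_MAGIC.items():
        if data.startswith(magic):
            return label
    return "other"

def build_manifest(root: str) -> dict:
    """Map sha256 -> {path, kind} for every file under root; keying by hash
    lets verdicts from several vendors be joined without trusting paths."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            manifest[hashlib.sha256(data).hexdigest()] = {"path": path, "kind": classify(data)}
    return manifest

def false_positive_rate(manifest: dict, verdicts: list) -> dict:
    """Per-vendor share of benign samples flagged; hashes not in the manifest are skipped."""
    scanned, flagged = {}, {}
    for vendor, digest, is_flagged in verdicts:
        if digest in manifest:
            scanned[vendor] = scanned.get(vendor, 0) + 1
            flagged[vendor] = flagged.get(vendor, 0) + int(is_flagged)
    return {v: flagged[v] / scanned[v] for v in scanned}

def demo() -> dict:
    """Constructed corpus: a fake PE, a fake ELF and a text file."""
    root = tempfile.mkdtemp()
    files = {"a.exe": b"MZ" + b"\x90" * 64, "b": b"\x7fELF" + b"\x00" * 64, "c.txt": b"hi"}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    manifest = build_manifest(root)
    h = {os.path.basename(m["path"]): d for d, m in manifest.items()}
    verdicts = [("vendorA", h["a.exe"], True), ("vendorA", h["b"], False),
                ("vendorA", h["c.txt"], False), ("vendorB", h["a.exe"], False),
                ("vendorB", h["b"], False), ("vendorB", "0" * 64, True)]
    return false_positive_rate(manifest, verdicts)
```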