Focus on Virus
RE: Extracting signature snippets from AV databases May 11 2006 03:59PM
Bill Stout (bill stout greenborder com)

That's now my plan.

Based on the feedback I've received here, I'll contact the test labs,
and for show-and-tell purposes, consider a mobile malware lab. However,
I'll use two computers back-to-back, since I'm testing browser
protection. I have to determine what malware I can't carry around in
case of theft, loss, or accidental reuse. I've also talked to 'Dror'
about an online browser test; unfortunately those seem to be limited to
configuration and patch checks.

I didn't realize the root of the objections until I googled and found
the infamous CNet AV test of 2000 using the 'Rosenthal Virus Simulator',
and the open letter by Joe Wells, signed by some of the very same people
who replied to my post. Sorry for digging up bad memories.

Bill Stout

-----Original Message-----
From: Christian Stankevitz [mailto:christian (at) neohapsis (dot) com [email concealed]]
Sent: Thursday, May 11, 2006 6:53 AM
To: focus-virus (at) securityfocus (dot) com [email concealed]; Bill Stout
Subject: RE: Extracting signature snippets from AV databases


Have you considered third-party testing? ForeScout had the same problem
with customers, so they engaged to perform an independent
validation test. ITSLabs used both real worms and a custom-developed
unknown "zero day" worm to demonstrate ForeScout's ability to contain
the multiple threats.


-----Original Message-----
From: Nick FitzGerald [mailto:nick (at) (dot) uk [email concealed]]
Sent: Wednesday, May 10, 2006 8:58 PM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: RE: Extracting signature snippets from AV databases

Bill Stout wrote:

> For internal testing we run publicly sourced live viruses and other
> malware in an isolated locked room, where the only media that comes
> is shredded.
> What I'm trying to figure out is how to 'smoke test' new builds, and
> ethically and fully demonstrate (to the CEO, to outsiders) that the
> protection works. We're in alpha test, and beta is approaching fast.

VMWare on a beefy laptop with no writable media drives and its
ethernet, USB, FireWire, etc ports bunged up to ensure there were no

You'd want a machine with a removable drive bay so you could insert
floppy/optical drives for reconfiguration, etc. in the lab, or a machine
with an easily removable HDD that you could drop into a suitable chassis
and connect to another machine in the lab as a slave drive...

That should give you a relatively safe, isolated multi-machine network
with the carry-around convenience of a laptop. You can then use _real_
samples so there should be no question that you may be faking something
with your "demonstration malware".


Nick FitzGerald



Copyright 2010, SecurityFocus