Focus on Virus
RE: Extracting signature snippets from AV databases May 09 2006 04:40PM
Bill Stout (bill stout greenborder com) (1 replies)
Yes, we use EICAR for email testing occasionally. What I'd like to do
is scroll a list of detected signatures as they occur.

The reason why I want to place snippets on text files is to fully
exercise detection engines. For one, it would be interesting to see how
products do/do not flag a warning on specific signatures. For example,
Ad-Aware Pro and McAfee are verbose, Symantec and others are not.

There is a large push towards using virtualization technologies for
anti-virus protection. Intel, AMD, Microsoft, Symantec, and others are
pushing virtualization technologies. Sandboxes and virtual machines are
very harsh ways to isolate the OS from the Internet. However
virtualization at the application layer allows some integration with the
base OS without exposing the OS to modification by Internet content, and
enables confidentiality by controlling areas and objects which the
browser can read. Protection through virtualization does not require
detection, and doesn't care about signatures or patches, since all
processes and temporary files in a virtual environment is cleared out
with a mouse click. Problem is, when a product doesn't detect, it
doesn't identify specifically what it protected you from. Detection
products immunize a computer from a list of specific threats, protection
products shield a computer from general threats. Like latex...gloves.

I can purposely run malware or attempt to install spyware in a
virtualized application environment (IE or Outlook) without infecting
the underlying PC. Although I could open dozens of browser pages known
to contain malware, I can't do that safely in a networked or customer
environment. It's better to open dozens of web pages with harmless
snippets which temporarily place cached files (and possibly processes)
than true malware pages.

Bill Stout

-----Original Message-----
From: Jason Muskat [mailto:Jason (at) TechDude (dot) Ca [email concealed]]
Sent: Monday, May 08, 2006 7:47 PM
To: Bill Stout; focus-virus (at) securityfocus (dot) com [email concealed]
Subject: Re: Extracting signature snippets from AV databases


I'm not sure why you would want to do all of that. If you want to do
standard testing take a look at the EICAR virus test file


Jason Muskat | GCUX - de VE3TSJ
e. Jason (at) TechDude (dot) Ca [email concealed]
m. 416 .414 .9934


> From: Bill Stout <bill.stout (at) greenborder (dot) com [email concealed]>
> Date: Mon, 8 May 2006 13:37:24 -0700
> To: <focus-virus (at) securityfocus (dot) com [email concealed]>
> Conversation: Extracting signature snippets from AV databases
> Subject: Extracting signature snippets from AV databases
> I'd like to create a set of test files containing (harmless) virus
> spyware) signatures. Can I extract the signatures from AV databases
> (every PC has one)? I'm thinking open source AV database may be
> to extract signatures from than a commercial AV database. If I can
> automate the extraction and file creation, files won't become stale
> because of lag time due to fluxuating interest of the maintainer (me).
> Has this been done already? Are specific signatures a 'secret sauce'?
> The primary purpose is to create a test that safely verifies that our
> browser protection product absolutely protects a computer from
> intentional infection.
> Thanks,
> Bill Stout

[ reply ]
Re: Extracting signature snippets from AV databases May 09 2006 05:11PM
Robert Sandilands (rsandilands authentium com)


Privacy Statement
Copyright 2010, SecurityFocus