Focus on Virus
RE: Extracting signature snippets from AV databases May 09 2006 03:55PM
Hayes, Bill (Bill Hayes owh com)

I'd suggest you look at behavior rather than just signatures. You'll
always be playing catch-up if you base your defensive abilities solely
on signatures.

That being said, AV companies have long been willing to share their
malware collections with one another. Spyware companies on the other
hand, regard their signatures as intellectual property. Also, I suspect
many folks will NOT be happy with you if you reverse-engineer their
software to extract meaningful information.

For spyware behavior, take a look at the SPYCAR test suite, named in
honor of the EICAR test program. The Ed Skoudis and Tom Liston of
Inteliguardians ( cooked up a test suite
of spyware-like programs to review spyware detection abilities of
certain AV products for Infomation Security magazine. Anyway, it's now


-----Original Message-----
From: Bill Stout [mailto:bill.stout (at) greenborder (dot) com [email concealed]]
Sent: Monday, May 08, 2006 3:37 PM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: Extracting signature snippets from AV databases

I'd like to create a set of test files containing (harmless) virus (and
spyware) signatures. Can I extract the signatures from AV databases
(every PC has one)? I'm thinking open source AV database may be easier
to extract signatures from than a commercial AV database. If I can
automate the extraction and file creation, files won't become stale
because of lag time due to fluxuating interest of the maintainer (me).

Has this been done already? Are specific signatures a 'secret sauce'?

The primary purpose is to create a test that safely verifies that our
browser protection product absolutely protects a computer from
intentional infection.

Bill Stout

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus