Focus on Virus
RE: Extracting signature snippets from AV databases May 08 2006 09:56PM
Bill Stout (bill stout greenborder com) (2 replies)
Re: Extracting signature snippets from AV databases May 09 2006 07:58PM
Yuri Slobodyanyuk (yurisk inbox ru) (1 replies)
Re: Extracting signature snippets from AV databases May 09 2006 10:53PM
Nick FitzGerald (nick virus-l demon co uk)
Re: Extracting signature snippets from AV databases May 09 2006 03:04PM
Kenneth Bechtel (kbechtel teamanti-virus org)
On Monday 08 May 2006 05:56 pm, Bill Stout wrote:
> Hi Jose,
> I'm familiar with EICAR. However I'd like to trigger signatures across
> the board.
> Ultimately I'd like to run a real malware test, but that can only be
> done in an isolated lab, and that requires a continuous investment of
> time and money to insure the collection is up to date.
> is another possibility, but I have no contacts
> there, and it's somewhat isolated proof (can't touch the environment,
> and it's a run-once deal).

That's been tried before, (R. Utilities, his name shall remain unmentioned).
As was pointed out at the time, since these are not viruses (or Malware),
they should not be detected as such. Any detection of 'strings' would be a
false positive. Additionally, most current products do not rely on strings,
rather incorporate heuristics and strings for better Positive identification
and detection of minor variants. This is why it's important to rely on
testing orgs like V-Tests, Virus Bulletin, ICSALabs, and West Coast Labs.
They all publish free public results, and will do private testing for a fee.
The EICAR and SpyCAR files should be used to validate the product is
installed and properly functioning, independent peer reviewed scientific
tests should be relied upon to verify product efficiency. This is a debate
that goes back to the early to mid 90's, and the arguments have not changed.
The only thing that has changed is the availability of "Virus Collections" on
the web, but like then, what is the quality of those collections, are they
really viruses, are they really the virus name the collector has promised
them to be? Again a bad idea, as you have no control of quality of the zoo,
nor positive identification of the samples or intendeds. Once again we come
full circle to let the professional test orgs/ individuals do what they do
best, and cross reference their tests, to help you be able to say with
authority, that the tests are as unbiased as possible, and not influenced by

Kenneth L. Bechtel, II
Team Anti-Virus
Phone - 717-579-9083                      | WildList Reporter
P.O. Box 635, Palmyra, PA 17078           | Founding member AVIEN
E-mail - kbechtel (at) teamanti-virus (dot) org [email concealed]      | Member AVAR
I can't be an impostor - I don't know what I'm doing!
PGP Footprint: 969E 2A27 3042 EE52 AEFB  6FF0 2711 9467 D38C 5C0F

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus