Focus on Virus
RE: Extracting signature snippets from AV databases May 11 2006 01:53PM
Christian Stankevitz (christian neohapsis com)

Have you considered third party testing? ForeScout had the same problem
with customers so they engaged to perform an independent
validation test. ITSLabs used both real worms and a custom developed
unknown "zero day" worm to demonstrate ForeScout's ability to contain
the multiple threats.


-----Original Message-----
From: Nick FitzGerald [mailto:nick (at) (dot) uk]
Sent: Wednesday, May 10, 2006 8:58 PM
To: focus-virus (at) securityfocus (dot) com
Subject: RE: Extracting signature snippets from AV databases

Bill Stout wrote:

> For internal testing we run publicly sourced live viruses and other
> malware in an isolated locked room, where the only media that comes
> out is shredded.
> What I'm trying to figure out is how to 'smoke test' new builds, and
> ethically and fully demonstrate (to the CEO, to outsiders) that the
> protection works. We're in alpha test, and beta is approaching fast.

VMware on a beefy laptop with no writable media drives and its
ethernet, USB, FireWire, etc. ports bunged up to ensure there were no

You'd want a machine with a removable drive bay so you could insert
floppy/optical drives for reconfiguration, etc in the lab, or a machine
with easily removable HDD that you could drop into a suitable chassis
and connect to another machine in the lab as a slave drive...

That should give you a relatively safe, isolated multi-machine network
with the carry-around convenience of a laptop. You can then use _real_
samples so there should be no question that you may be faking something
with your "demonstration malware".


Nick FitzGerald
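A small check that goes with the laptop-lab setup Nick describes, added here as an example and not part of his post or any vendor tooling: it audits a VMware .vmx file against an isolation policy before a real sample is ever run in that guest. The policy is a constructed one that encodes the goals of the thread: a NIC may exist for the multi-machine lab network but must be host-only or custom, never bridged or NAT; no USB passthrough; no shared folders, clipboard or drag-and-drop between guest and host. The key names are the ones VMware's own hardening guidance uses for those settings; the two sample .vmx files are constructed for the example.

```python
"""Audit a VMware .vmx file against a malware-lab isolation policy.

Added example for the thread above; the policy and the sample .vmx
contents are constructed for illustration (assumptions, not VMware
documentation). Key names follow VMware hardening guidance.
"""
import re
from typing import Dict, List

# A .vmx is a flat list of lines of the form:   key = "value"
_VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; keys are case-insensitive in VMware."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_isolation(settings: Dict[str, str]) -> List[str]:
    """Return one finding per policy violation; an empty list means the guest passes."""
    findings: List[str] = []

    # 1. Networking: a present NIC must sit on a host-only or custom (lab-internal)
    #    virtual switch. VMware defaults a NIC with no connectionType to bridged,
    #    so a missing key is treated as bridged, which fails.
    for key, value in settings.items():
        m = re.fullmatch(r"ethernet(\d+)\.present", key)
        if m and value.upper() == "TRUE":
            nic = f"ethernet{m.group(1)}"
            ctype = settings.get(f"{nic}.connectiontype", "bridged").lower()
            if ctype in ("bridged", "nat"):
                findings.append(
                    f"{nic}: connectionType={ctype} reaches the host's network; "
                    "use hostonly or custom"
                )

    # 2. USB passthrough would let a guest-side sample reach a host device.
    for dev in ("usb.present", "usb_xhci.present", "ehci.present"):
        if settings.get(dev, "FALSE").upper() == "TRUE":
            findings.append(f"{dev}=TRUE: USB passthrough gives the guest host devices")

    # 3. Guest/host integration channels must be explicitly disabled; an absent
    #    key means the feature is at its default (enabled), which also fails.
    must_be_true = {
        "isolation.tools.hgfs.disable": "shared folders",
        "isolation.tools.copy.disable": "host-to-guest clipboard",
        "isolation.tools.paste.disable": "guest-to-host clipboard",
        "isolation.tools.dnd.disable": "drag-and-drop",
    }
    for key, what in must_be_true.items():
        if settings.get(key, "FALSE").upper() != "TRUE":
            findings.append(f"{key} is not TRUE: {what} is a file path between guest and host")

    return findings


# Constructed sample: a default-ish desktop VM that must not run live samples.
SAMPLE_VMX_UNSAFE = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "sample-runner-01"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
usb.present = "TRUE"
isolation.tools.copy.disable = "FALSE"
"""

# Constructed sample: the same guest locked down for the isolated lab network.
SAMPLE_VMX_LAB = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "sample-runner-01"
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
usb.present = "FALSE"
isolation.tools.hgfs.disable = "TRUE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
"""

if __name__ == "__main__":
    for name, text in (("unsafe", SAMPLE_VMX_UNSAFE), ("lab", SAMPLE_VMX_LAB)):
        problems = audit_isolation(parse_vmx(text))
        print(f"{name}: {'PASS' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Run it against the real .vmx on the demo laptop before each build is smoke-tested; the point of treating a missing key as a failure is that VMware's defaults (bridged NIC, clipboard and shared folders enabled) are exactly the escape routes the locked room is meant to close.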



Copyright 2010, SecurityFocus