
Cudni (La Merma - Vigilado), Premium, MVM, join: 2003-12-20, Someshire
Our unique antivirus testing: How we did it

From »www.consumerreports.org/cro/elec···ting.htm:
"... To pit the software against novel threats not identified on signature lists, we created 5,500 new virus variants derived from six categories of known viruses, the kind you'd most likely encounter in real life. ..."

Not everybody thinks that was/is a good idea: »sunbeltblog.blogspot.com/ »www.avertlabs.com/research/blog/?p=71

Cudni -- Some are born to failure, others achieve it, all deserve it. Help yourself so God can help you. MVP, Microsoft Windows Security 2006
KyeU, join: 2003-12-31, Canada
Re: Our unique antivirus testing: How we did it

I hope one day they don't go:
"OH NO! WE CREATED A MONSTER!"
SpannerITWks, Premium, join: 2005-04-22
- An open and sincere letter to the AV etc peeps -

I clicked on the avertlabs link - »www.avertlabs.com/research/blog/?p=71 - (you can read an open letter on the AVIEN site about that).
Which gets you to here -
»www.avien.org/publicletter.htm - Public letter concerning the Writing of Viruses & How it Does Not Teach about Virus Prevention. Originally published: May 30th, 2003. Last updated: August 11, 2006 7:14 PM
"The more than 100 signatories of this public letter, all security professionals with years of experience in dealing with computer viruses, and who work in all sectors, wish to express their whole-hearted support of the following principle:
It is not necessary and it is not useful to write computer viruses to learn how to protect against them."
Signed:
etc -
Among the people signing their names to it are a number of well known figures. Whether ALL of them who originally signed still agree with Everything on there is open to question, but let's say they do for now!
Of course you don't have to be "able" to write nasties to write code to detect them per se. But I've got a number of nasties in my collection that ALL the vendors listed on Jotti's + VirusTotal did NOT detect when I submitted them? These included Rootkits/Trojans/Exploits/Keyloggers etc.
So how can this be if the signed statement above is Totally correct? Either they can detect new nasties and variations, or they can't! And based on my tests they can NOT and did NOT on those occasions.
If they Actually mean detecting whilst being run etc, OK. But they do NOT All do that either, whether normally and/or heuristically. If they say they don't need to know how to write nasties, in ALL their variations/connotations, how can they Totally understand and prevent vectors etc being compromised and therefore computers getting infected? If they were 100% right about their claims, then NOBODY would EVER get infected with ANYTHING, but hey, guess what, err, yes that's right, they DO, and daily with ALL sorts of crap, including brand new stuff and variations.
So what Exactly do they mean when they say "It is not necessary and it is not useful to write computer viruses to learn how to protect against them."? Because if they DO know, they are NOT putting that knowledge into practice?
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks
Blackbird (Built for Speed), Premium, join: 2005-01-14, Fort Wayne, IN
Re: Our unique antivirus testing: How we did it

I think what they mean is that CU's constructing new variants from 6 categories of known viruses only shows how various AVs will respond to new, unknown virus variants constructed using the same techniques employed by CU. Those techniques were intended by CU to create large numbers of virus variants based on existing virus structures and ideas... they were not created to exploit new-found security holes nor were they created using novel virus-structure techniques. While CU's variants may be "new", they are not necessarily representative of what many actual virus writers will do in creating their malware in the real world. Until now. Now there are 5,500 'new' viruses on CU's lab computers and some (likely) documented recipes in CU's files of how each was created from existing virus categories - all for the script kiddies and other baddies to sniff out as only they can. And we can all hope and pray that CU's internal data/info security is better than was their reasoning in following such a path in the first place.
Thoroughly understanding viruses and how they are written does not equate to actually writing them. Writing them may or may not make one more expert in combating them. One certainly does not need to commit murder (nor many other things in life and the technical world) to understand how it is done and to combat it.
edit: phrasing in middle of para 1 -- If God wanted us to work with electrons, He'd make them big enough to see...
SpannerITWks, Premium, join: 2005-04-22
Re: Our unique antivirus testing: How we did it

Blackbird SR
Sure I get your murder analogy, Thanx!
But people might be interested in looking @ this thread - »forum.sysinternals.com/forum_pos···003&PN=1 - to see just how cat + mouse actually works in REAL life.
Yes real life, because in there are Real Rootkit coders with Real RK's that are out there right now being used to hide nasties and being used by 3rd parties for crime. Also in there are various well known RK detector guys n girls combatting those and other RK's.
You will see how being able to write RK's and disassemble them etc, and write detectors enables both sides to have a greater understanding of each other's tactics etc. Thereby enabling them to design better RK's + detectors.
So I do believe it's definitely worthwhile to have as much inside knowledge as possible about how the other side Really works, because that IS what they do, every day!
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks
AB, Premium, join: 2006-04-04, Leesburg, VA
Re: Our unique antivirus testing: How we did it

said by SpannerITWks:
. . . You will see how being able to write RK's and disassemble them etc, and write detectors enables both sides to have a greater understanding of each other's tactics etc. Thereby enabling them to design better RK's + detectors. So I do believe it's definitely worthwhile to have as much inside knowledge as possible about how the other side Really works, because that IS what they do, every day!

Sure, knowing how the other half lives, what they do, is good and will help people better understand how to fight the malware more effectively. But ya gotta write 5500 NEW variants to do that? I don't think so! This is a disaster waiting to happen. Let's hope it won't. And the first variant found in the wild that can be directly linked back to this research, I hope to see one massive class-action lawsuit. And btw, is 'Consumer Reports' really the organization we want leading this research? While I understand that this is in fact a consumer issue, I'm just not so sure these are the people I want in the vanguard of this somewhat shaky business.
AB, Premium, join: 2006-04-04, Leesburg, VA

Quoted from Consumer Reports article:
"To be safe from online infection, you need protection from current viruses, which number 100,000 . . (sic) . .
To pit the software against novel threats not identified on signature lists, we created 5,500 new virus variants . . ."

Cute. Very nice. In one fell swoop, they have increased the known virus count by 5.5%. That's an excellent day's work there, Dr. Consumerstein. And you can practically write it in stone that some of these will soon be finding their way OUT of the lab. If the disease doesn't kill you, the cure will.
Potential quote from a Consumer Reports spokesperson in a couple of months: "Whoops! Sorry!"
Cudni (La Merma - Vigilado), Premium, MVM, join: 2003-12-20, Someshire

5,500 "new" viruses released to the wild is not even a fraction as scary as just one of the biological viruses stored in both civilian and military labs escaping.
Cudni -- Some are born to failure, others achieve it, all deserve it. Help yourself so God can help you. MVP, Microsoft Windows Security 2006
Steve (I'm a PC, so shut up), Consultant, join: 2001-03-10, Yorba Linda, CA

said by Sunbelt's blog:
Publications need to use industry-standardized methods for testing. Organizations like Virus Bulletin have been doing this for years. Why can't publications follow their lead?

I don't have any opinion about the particular approach taken or conclusions reached, but this statement is one I can take some exception with.
Consumer Reports has a different constituency than does the A/V industry, and it's not out of the question - in principle - for one to wonder if the A/V industry's tests are there to serve the industry and not the consumer.
Steve
Edit - fixed yucky writing (and not even drinking yet!) -- Stephen J. Friedl, Unix Wizard, Microsoft Security MVP, Tustin, California USA, my web site
Mele20, Premium, join: 2001-06-05, Hilo, HI
Re: Our unique antivirus testing: How we did it

said by Steve:
Consumer Reports has a different constituency than does the A/V industry, and it's not out of the question - in principle - to for one to wonder if if the A/V industry's tests are there to serve the industry and not the consumer. Steve

Is that from the article itself? It doesn't sound like a quote (with the bad grammar and the repeated words). I can't read the article or comment here because I am not a subscriber to Consumer Reports. If that is from the article, I don't see any particular objection... but I haven't been able to read the article... just other people's comments about it, so I can't really comment intelligently until I am able to read the article when my library gets a copy of the September issue.
-- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
Steve (I'm a PC, so shut up), Consultant, join: 2001-03-10, Yorba Linda, CA
Re: Our unique antivirus testing: How we did it

said by Mele20:
Is that from the article itself? It doesn't sound like a quote (with the bad grammar and the repeated words).

The blame for the sloppy syntax is with me - long day, eyes getting blurry. My fault.
Industry self-policing (which is what "industry-standard tests" are) can be good or it can be bad, but one can't forget that they have their own constituency.
On one hand, they're going to be the subject-matter experts, which clearly gives them an edge over Consumer Reports, but on the other hand, the industry likely wishes to measure their own products in terms of how they think of the problem. That may or may not be how the consumer looks at it.
It's certainly not out of the question, however, that CR just did a poor job on this; I look forward to seeing the real report when it arrives too.
Steve -- Stephen J. Friedl, Unix Wizard, Microsoft Security MVP, Tustin, California USA, my web site
AB, Premium, join: 2006-04-04, Leesburg, VA

said by Steve:
. . Consumer Reports has a different constituency than does the A/V industry, and it's not out of the question - in principle - to for one to wonder if if the A/V industry's tests are there to serve the industry and not the consumer. Steve

I don't have any hard facts to put into evidence here, but as I recall it, the A/V industry stats tend to show an average detection rate of about 80-85%. Not too shabby, yet not exactly something to be boasting about, either. One might think they would pad those stats up a bit higher if the tests they run were merely of self-serving interest, no?
eburger68, Premium, MVM, join: 2001-04-28

Steve:
The "real report" is simply a table of ranked apps coupled with basic information (price, company) and 10 columns of bubbles to cover features and test results (bubbles can be empty, partially filled-in, entirely filled-in). The rough rankings were posted in this forum very recently:
»Consumer Reports Best Tools Stop Viruses/Spam/Spyware
The issue is on the newsstands now.
quote: On one hand, they're going to be the subject-matter experts, which clearly gives them an edge over Consumer Reports, but on the other hand, the industry likely wishes to measure their own products in terms of how they think of the problem. That may or may not be how the consumer looks at it.
McAfee and the other AV industry experts that have been quoted so far in news stories (VirusBulletin, Sophos, and Kaspersky) have all offered sound reasons -- methodological, practical, and ethical -- for not relying on lab-created viruses for anti-virus testing. The principles here have been rather settled in the AV community for some time.
For an elaboration on why the creation of viruses for testing is not only methodologically unsound, but practically unnecessary, and ethically dubious, see this Open Letter from the AV community (authored by Joe Wells) to CNET:
»cybersoft.com/whitepapers/papers···er.shtml
Note that a number of the letter's signatories are not affiliated with any AV company. And the author of the letter has proven himself quite capable of being a fierce critic of the industry's own practices and habits -- see for example:
»vx.netlux.org/lib/ajw01.html
If one is going to speculate that this griping about CR's AV testing is just the AV industry covering its own backside, then we'll really need just a bit more than the speculation -- the arguments against the creation and use of lab viruses have been on the table for some time now. What would be the arguments in favor of lab viruses? In what way did consumers benefit from Consumer Reports' creation of 5500 new virus variants, none of which was an actual "in the wild" virus?
For those who are wondering, "If not for the use of lab-created viruses, how could researchers test the ability of AV products to handle new and hitherto unknown viruses?", McAfee's complaint contains the answer: retrospective testing, a procedure that is well established and has the advantage of testing against "in the wild" viruses, not lab-created viruses:
»www.avertlabs.com/research/blog/?p=71
Best,
Eric L. Howes -- Microsoft MVP, Sunbelt Software, Spyware Warrior
SnowyOne, Premium, join: 2003-04-05, Kailua, HI
Re: Our unique antivirus testing: How we did it

What's done has been done & there's no turning the clock back regardless of whether one agrees or disagrees with the bonehead methodology. What I'm not sure of is would CR be acting responsibly if they gave every AV/whatever vendor a copy of each & every file they created? If some or all were to go ITW, wouldn't the AV/whatever vendors be in a better position to minimize the damage by already having the definitions covered? On the other hand, the more who have access, the more chance of leaks. Opinions?
eburger68, Premium, MVM, join: 2001-04-28
Re: Our unique antivirus testing: How we did it

Funchords:
You wrote:
said by funchords:
What has been conventional wisdom in past years may not necessarily apply to strategies for combatting today's 0-day malware.

Maybe, maybe not. But it's not enough just to suggest in the abstract that conventional wisdom may be wrong -- anyone can do that. The challenge here is to offer concrete, logical reasons why the 0-day malware landscape of today would somehow invalidate the principles agreed upon by the AV industry -- principles based on hard-won experience with malware.
So far I haven't heard any that directly address the arguments offered by experienced AV experts.
Eric L. Howes -- Microsoft MVP, Sunbelt Software, Spyware Warrior
SpannerITWks, Premium, join: 2005-04-22

eburger68 gave some links, Thanx, which I read, and the following in " " are quotes from them.
Re - Open Letter
"If a product does not report a simulated virus as being infected, it's right. And if a program does report a simulated virus as being infected, it's wrong. Thus, using simulated viruses in a product review inverts the test results. It grossly misrepresents the truth of the matter because:
* It rewards the product that incorrectly reports a non-virus as infected.
* It penalizes a product that correctly recognizes the non-virus as not infected.
Competent, credible antivirus product reviewers today recognize the need to reflect the real world in their testing. To do so, they focus detection testing on the real-world threat, using real viruses. They focus on viruses reported by the WildList Organization International. True, some may also include other viruses in testing, but they still use real viruses, not simulated ones."
»cybersoft.com/whitepapers/papers···er.shtml
So REAL Malware is obviously Totally acceptable for testing purposes! Even if the vendors don't yet have a sample of it/them, nonetheless a NEW, real, as yet undiscovered nasty is 100% valid.
-
Joe Wells = The WildList
A Radical New Approach to Virus Scanning
Don't expect this paper to be about a virus problem. To the contrary, it's actually about your having an antivirus problem.
-
"unless otherwise stated, virus scanning specifically refers to methods of detecting known viruses - as, for example, by using signatures.
-
Of course not, the virus problem has been getting progressively worse. What it does mean is that the number of "all known viruses" is far outstripping the number of wild viruses. It means the increase is almost entirely in zoo viruses.
-
What I theorized and IBM proved about trends in DOS file virus extinction affects you directly. Members of an endangered species are becoming increasingly rare in the wild. No wonder nearly all of them are found only in zoos - they simply can't cut it anymore.
-
Zoo detection, in particular a large polymorphic library, is not required for a good certification scheme. Rather, a threat library which determines whether the product is capable of providing protection from all types of self-replicating code should be used.
-
So why are we discussing zoo viruses if they're not a threat? What's the point?
The point is this: There are tens of thousands of viruses you'll never get. There should be no reason for us to discuss them. But we must discuss them. Because, whether you realize it or not, those tens of thousands of viruses do affect you. They do have a direct impact on you. And their effect is detrimental.
-
In the real world, zoo viruses are not a problem. Wild viruses are.
-
But even if you haven't dealt with viruses at all, you don't have to be an expert to intelligently evaluate evidence.
Let me illustrate. Suppose you served on a jury. The trial involves complex medical issues. Would you have to be a neurosurgeon to weigh the evidence presented? Of course not. You would listen to the evidence presented, and evaluate it fairly. You might have to ask for clarifications (I certainly would.), but that does not make you unqualified.
-
Of course, many experts think they are authorities. They actually believe that their expert opinion is more than just opinion - it is truth. Similarly, many people do view experts as being authorities.
(Paraphrasing by me) Many experts who do testing have doctorate degrees. Others don't have any degrees at all. Who should you believe, others or real experts?
-
Making someone else appear inferior somehow makes you appear superior."
»vx.netlux.org/lib/ajw01.html
OK so zoo are off limits, fine, but they appear, or did @ one time, to outnumber real Malware. So why did/do they waste so much time on testing them then?
"In the real world, zoo viruses are not a problem. Wild viruses are."
Absolutely, and not just viruses of course, but All forms of Malware. And Real Wild = REAL even if the vendors don't have them yet. If they are out there then the potential for infiltration/infection and/or damage is also Very REAL.
Re the earlier link - Public letter concerning the Writing of Viruses & How it Does Not Teach about Virus Prevention.
"It is not necessary and it is not useful to write computer viruses to learn how to protect against them." So why bother with writing ALL those zoos?
-
"cannot know what viruses we are going to face in future"
»www.avertlabs.com/research/blog/?p=71
Exactly!
-
Naturally no AV without heuristics etc is going to detect something that is not in its defs!
I still believe that coding New workable Malware of all various types can definitely help the vendors design better, Stiffer, more resistant products, why wouldn't it? And it certainly ain't gonna do any harm, is it, unlike the Real Malware that's already been released before you read this, and later on today, and tomorrow etc etc, that the vendors don't know about yet, which means neither does your AV, hence you!
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks
HMS1, join: 2006-01-14, Austin, TX

I don't see any problem with CR having created a bunch of new viruses. Obviously the bad guys can do the same whenever they want (the Bagle guys were cranking out the variations for a while, for example). CR's action did not increase this ability of malicious actors, nor would refraining have restrained the malicious actors.
Retrospective testing is fine for anti-virus. But if you're working on heuristic detection, you may have good reason to write some new malware to test against. There may be some preexisting program that fits the description of what you want, or there may not be, or it may be too much trouble to find one.
There is an underlying contradiction in the rhetoric against virus-writing. If lab-created viruses are ineffective for testing, then they must be harmless when released. If they are harmful when released, then they are good for testing. If the real-world virus writers haven't taken a particular approach, but you can think of it, then they have thought of it too, or will soon. It is contradictory - and suspicious - to maintain that lab-created viruses are so dangerous that they must not be created, yet so unrepresentative that they are no good for crafting defenses.
Statements such as the Avien one and the critiques of the CR method make me wary of some sort of initiative to get virus-writing outlawed or restricted by licensing. There are hints too of a lobby for legal limits on instruction about malware writing.
Any such laws would be unjust and harmful. There should never be any prohibition on writing any kind of software, at all, ever (only spreading malware to unwilling parties should be illegal). We should be wary of such self-serving proposals which would impair freedom of speech and make computer users dangerously dependent on a privileged industry.
The right approach is to focus on improving the castle walls, not quibbling about how we study the Huns' weapons.
eburger68, Premium, MVM, join: 2001-04-28
Re: Our unique antivirus testing: How we did it

said by HMS1:
I don't see any problem with CR having created a bunch of new viruses. Obviously the bad guys can do the same whenever they want (the Bagle guys were cranking out the variations for a while, for example). CR's action did not increase this ability of malicious actors, nor would refraining have restrained the malicious actors.

The ethical issue doesn't involve "increasing" or "restraining" the ability of bad guys to create viruses or other malware.
No, the issue lies in creating new viruses that could, despite the best efforts of their creators, escape into the wild, and this kind of thing is a regular occurrence in the virus-writing world. The bottom line is, you don't compound the problem by writing these things yourself, even with the best of intentions, because intentions will matter very little if the thing escapes from the lab.
One AV researcher that I know has received source code for viruses that authorities like the FBI and Secret Service have uncovered in raids. This researcher refuses on principle even to compile the code himself for the purpose of lab analysis. The issue for him is just that clear-cut -- just that serious.

said by HMS1:
Retrospective testing is fine for anti-virus. But if you're working on heuristic detection, you may have good reason to write some new malware to test against. There may be some preexisting program that fits the description of what you want, or there may not be, or it may be too much trouble to find one.

The beautiful thing is that you already provided all the reasons why it's not even necessary to write new viruses back up in your first paragraph:
quote: Obviously the bad guys can do the same whenever they want (the Bagle guys were cranking out the variations for a while, for example).
Precisely. There is no shortage of viruses and variants in the wild to analyze -- all the more reason why it's not necessary to create new ones. If researchers are having so many problems finding enough viruses to analyze that they're tempted to start creating them, then those researchers aren't doing a proper job of it.
Eric L. Howes -- Microsoft MVP, Sunbelt Software, Spyware Warrior
AB, Premium, join: 2006-04-04, Leesburg, VA
Re: Our unique antivirus testing: How we did it

said by eburger68:
. . . the issue lies in creating new viruses that could, despite the best efforts of their creators, escape into the wild, and this kind of thing is a regular occurrence in the virus-writing world. The bottom line is, you don't compound the problem by writing these things yourself, even with the best of intentions, because intentions will matter very little if the thing escapes from the lab. Eric L. Howes

Amen, Brother!
HMS1, join: 2006-01-14, Austin, TX

Maybe the point in my first paragraph was unclear. What I meant was: adding some new viruses does not make any significant difference to internet (in)security. They don't pose any danger merely by existing. Viruses by definition cannot do anything without user interaction.
If a user runs a virus, the harm done depends on the particular virus. But how would the differences between viruses make any difference in policies or defenses? Policies must be against any/all untrusted code, without knowing in advance what it will be. And defenses must be against any possible virus, not only a "known" list. Signature-based anti-virus is a dead end.
Putting it another way, a user's risk is the same with or without a new batch of viruses being loose. With or without any addition to the virus pool, the potential harm includes whatever can be done on the user's account, and the spectrum of what's in the wild must be assumed to be whatever the authors can, in principle, create. These factors do not change with addition of new viruses.
The problem is users running untrusted code, not whether the range of viruses is (big number) or (big number + small number).
eburger68, Premium, MVM, join: 2001-04-28

HMS:
This is just a variant of the "guns don't kill people, people kill people" argument. This time it's, "viruses don't pose threats; people's executing of viruses poses threats," as if people were some optional, extraneous component of the threat environment.
People being what they are -- which is to say fallible, gullible, ignorant, lazy, and prone to error -- it can be expected that the introduction of new viruses into the environment does increase the risk of people executing those viruses, if even accidentally.
One can blame the people or users for being lazy, ignorant, and all the things that people can tend to be in their more error-prone modes of being, but the fact remains that the introduction of new viruses into an environment where fallible users (and researchers) can access them increases the risk of harm being done.
And, by the way, in making this argument I am most certainly not slighting efforts to reduce the opportunities or chances for users to run untrusted code. We can do both: keep less open gasoline lying around AND keep people away from the gasoline.
Eric L. Howes -- Microsoft MVP, Sunbelt Software, Spyware Warrior
AB, Premium, join: 2006-04-04, Leesburg, VA
Re: Our unique antivirus testing: How we did it

said by eburger68:
. . People being what they are -- which is to say fallible, gullible, ignorant, lazy, and prone to error --

Hey! Watch it, buddy! I resemble that remark!

said by eburger68:
. . it can be expected that the introduction of new viruses into the environment does increase the risk of people executing those viruses, if even accidentally. (sic) And, by the way, in making this argument I am most certainly not slighting efforts to reduce the opportunities or chances for users to run untrusted code. We can do both: keep less open gasoline lying around AND keep people away from the gasoline. Eric L. Howes

Again, Amen! I run a secure PC, I use common sense when I surf. And it is, btw, 'common sense' (as well as mathematics) that says I am much more likely to be exposed to a virus if there are 105,500 of them out there than I would be if there were only a couple of dozen! And I believe there is a saying -- "The road to Hell is paved with good intentions."
HMS1, join: 2006-01-14, Austin, TX
Re: Our unique antivirus testing: How we did it

said by AB:
And it is, btw, 'common sense' (as well as mathematics) that says I am much more likely to be exposed to a virus if there are 105,500 of them out there than I would be if there were only a couple of dozen!

The danger increases with the number of viruses only if your behavior is careless. Instead focus on the possible ways they can get into the computer and be executed with privileges. The number of ways this can happen is far smaller than the number of viruses, and the list of infection routes remains far more consistent than the spectrum of viruses, and it is much more in your control.
AB, Premium, join: 2006-04-04, Leesburg, VA
Re: Our unique antivirus testing: How we did it

said by HMS1:
The danger increases with the number of viruses only if your behavior is careless. Instead focus on the possible ways they can get into the computer and be executed with privileges. The number of ways this can happen is far smaller than the number of viruses, and the list of infection routes remains far more consistent than the spectrum of viruses, and it is much more in your control.

HMS, you may well be correct in what you say. However, I look at it this way -- It doesn't matter to me if I live in a secure, gated, guarded, moated castle. When I open the curtains to look outside, my preference is to see green pastures and children playing, not a teeming horde of ne'er-do-wells looking for a way to breach the ramparts! So when I hear about researchers thinking up 5500 new ways to infect me, I don't like it! Let 'em do their research on the OLD stuff. Now, that may not be very scientific, nor am I saying it's right, but that's my opinion anyway!
Steve (I'm a PC, so shut up), Consultant, join: 2001-03-10, Yorba Linda, CA

said by eburger68:
This is just a variant of the "guns don't kill people, people kill people" argument.

No, it really isn't.
Just because it's easy to accidentally infect the world with ebola doesn't mean that nobody has the ability to create a virus test environment with proper precautions against leakage: I'm quite sure that both you and I would be able to construct such an environment.
I am not arguing for the value of synthetic viruses like this (I don't know, I'm not an expert), or that CR actually did so in a safe manner, but it's not out of the question that they were aware of this issue and retained the proper experts to make sure that this didn't happen.
It's perfectly fair to object to the testing methodologies on their merits, and to urge others not to play with fire, but this discussion about the "ethics" of this kind of testing smells incredibly self-serving: "We're the only ones who know how to do that."
Steve -- Stephen J. Friedl, Unix Wizard, Microsoft Security MVP, Tustin, California USA, my web site
|  |  |  eburger68 Premium,MVM join:2001-04-28
2 edits | Re: Our unique antivirus testing: How we did it Steve:
You wrote:
said by Steve :Just because it's easy to accidentally infect the world with ebola doesn't mean that nobody has the ability to create a virus test environment with proper precautions against leakage: I'm quite sure that both you and I would be able to construct such an environment.
And when independent bodies demanded copies of those viruses in order to validate the test bed, which is a basic requirement of scientifically valid testing, what then? If you provide them then you have effectively become a virus distributor. And can you vouch for the safety of the parties to whom you distributed the samples?
If you refuse, then your test's results are invalid. End of story. In which case, just what was the value of creating those viruses in the first place -- esp. given that there is no shortage of viruses and other malware to test against. Nor is there a lack of methodological alternatives to accomplish the same goals with real viruses in the wild.
And, by the way, we haven't even broached the subject of how Consumer Reports internally validated those lab-created viruses. Did they execute them in order to verify that the changes they had made to the pre-existing variants hadn't rendered the synthetic variants non-executable or the payload null? Did they diligently execute every single one of those 5500 new viruses? These are important questions because if CR failed to validate the viruses internally, then they have no reason to know that they weren't testing against non-viruses -- i.e., non-threats, which the tested AV apps would be perfectly justified in NOT detecting because the threats weren't real.
said by Steve :I am not arguing for the value of synthetic viruses like this (I don't know, I'm not an expert), or that CR actually did so in a safe manner, but it's not out of the question that they were aware of this issue and retained the proper experts to make sure that this didn't happen.
But the point here is that even the recognized experts in the field strongly advise against this type of behavior. And as has been pointed out now, the issue of lab security goes beyond one's own security precautions, but the precautions of those to whom one might be obligated to share these synthetic viruses in order to establish the scientific credibility of the testing.
said by Steve :It's perfectly fair to object to the testing methodologies on their merits, and to urge others not to play with fire, but this discussion about the "ethics" of this kind of testing smells incredibly self-serving: "We're the only ones who know how to do that"
This is a bit disappointing, Steve. You've been in these forums as long as I have, and on more than a few occasions you've drawn on your own impressive professional knowledge and experience to argue emphatically that such-and-such action, behavior, process, or decision was muddle-headed, improper, dangerous, or even unethical. And you have been quite justified in doing so, given the depth of experience and expertise that you bring to the table. To so casually dismiss the judgments of recognized experts in the AV field is not what I would have expected. And I don't expect you or the other established security professionals would take kindly to having their own views characterized and dismissed in this manner.
To return to the original issue -- the full issue -- which is whether CR had any justification -- be it practical, methodological, or ethical -- to create 5500 new viruses for testing, I hope that it is becoming clear that even if one considers CR's actions but a minor or negligible transgression, that there simply was no practical or methodological justification for them. Moreover, in order to establish and defend the methodological integrity of the testing, CR would unavoidably risk compounding its ethical lapses. These aren't neatly separable issues.
Eric L. Howes -- Microsoft MVP Sunbelt Software Spyware Warrior | |
|  |  |  |   Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| Re: Our unique antivirus testing: How we did it
said by eburger68 :And when independent bodies demanded copies of those viruses in order to validate the test bed, which is a basic requirement of scientifically valid testing, what then? If you provide them then you have effectively become a virus distributor. And can you vouch for the safety of the parties to whom you distributed the samples?
I am unmoved by this argument: I think it's possible to distinguish between a known virus researcher and Ivan J. Trojanovic - that kind of distinction goes on all the time by those with common sense.
Data point: DSLR has a "Malware Archive" forum where people post samples of badware, but only those on a trusted list can download them for research. I'm on that list, you probably are too. Is Justin "distributing" malware? Or just using his head in an effort at public service?
said by eburger68 :If you refuse, then your test's results are invalid.
I agree that reproducible tests are not really valid in the scientific study sense, but the consumer won't care about much of that: many people trust CR to be unbiased (which I believe they are here) and expert (which they may not be), and are happy to just accept their conclusions.
When I'm shopping for a bbq grill or a dishwasher, I usually get what they like without digging in too much to just how they got their answer. They are smart about this, I'm pretty dumb, and am better off in the long run to just defer to their judgement.
But yes: if nobody can reproduce their results, then it really casts doubt on just how they filled in those little circles.
said by eburger68 :But the point here is that even the recognized experts in the field strongly advise against this type of behavior.
Sure, but advice that applies generally does not always apply specifically in every possible case.
Example: The recognized experts also strongly urge people to run antivirus software on their desktops, but I never have. I'm very well educated in virus infection vectors, am extraordinarily careful, and have never had an infection in almost 30 years of using a computer. I'm not the only one in this forum who believes this.
This doesn't mean that I'm "evidence" against the expert advice, it doesn't mean that I recommend others take this course, and it doesn't mean that I object to the advice (I don't - I urge it strongly of others).
It just means that there are corner cases in most maxims.
said by eburger68 :And as has been pointed out now, the issue of lab security goes beyond one's own security precautions, but the precautions of those to whom one might be obligated to share these synthetic viruses in order to establish the scientific credibility of the testing.
The validity of the CR testing will stand or fall on the merits of the methodology, not the ethics. I'm so confident that the smart people like you will point out why they have reached an unwarranted conclusion that I simply do not care about the "ethics" issue. You'll demolish them without it, so to me it's just a distraction.
said by eburger68 :And I don't expect you or the other established security professionals would take kindly to having their own views characterized and dismissed in this manner.
I dismiss them because they are unnecessary: you can fully make your case without the self-serving don't-try-this-at-home arguments.
Steve -- Stephen J. Friedl Unix Wizard Microsoft Security MVP Tustin, California USA my web site | |
|  |  |  |  |  eburger68 Premium,MVM join:2001-04-28
| Re: Our unique antivirus testing: How we did it
said by Steve :I am unmoved by this argument: I think it's possible to distinguish between a known virus researcher and Ivan J. Trojanovic - that kind of distinction goes on all the time by those with common sense.
And I, too, would expect CR to be able to make the distinction. But the point is, once they redistribute, those viruses are effectively beyond their control.
said by Steve :Data point: DSLR has a "Malware Archive" forum where people post samples of badware, but only those on a trusted list can download them for research. I'm on that list, you probably are too. Is Justin "distributing" malware? Or just using his head in an effort at public service?
Bad comparison. Justin didn't create any malware and isn't re-distributing any malware that wasn't already in the wild -- that's the key difference. If he or anyone else affiliated with DSLR/BBR did start creating malware on their own and re-distributing it for the sake of prodding AV companies to bolster their ability to detect variants (which I wouldn't expect DSLR/BBR to do, obviously) then the same objections would apply.
said by Steve :Sure, but advice that applies generally does not always apply specifically in every possible case. Two points:
1) Here the experts are urging the advice on each other -- the very folks one would expect to be the exceptions to the rule.
2) In order to argue for an exception to the rule, one would have to mount a fairly strong case that the exception was justified on the grounds that the sought-after results were practically obtainable through no other means and that the potential risks were far outweighed by the unique benefits that would incur. In this situation CR can't even come close to making such an argument. Their only possible justification was expedience, to say nothing of their own ignorance of established AV testing methodologies.
said by Steve :Example: The recognized experts also strongly urge people to run antivirus software on their desktops, but I never have. I'm very well educated in virus infection vectors, am extraordinarily careful, and have never had an infection in almost 30 years of using a computer. I'm not the only one in this forum who believes this.
Again, the analogy/comparison doesn't apply, because your example involves general advice given to the general population. In this situation, the recognized authorities came to the conclusions they did regarding the ethical behavior of other experts, not the general population (my dad is an unlikely target for such admonitions, as it's rather unlikely he'd ever feel the urge to pull together a malware zoo and begin experimenting on it).
said by Steve :The validity of the CR testing will stand or fall on the merits of the methodology, not the ethics. I'm so confident that the smart people like you will point out why they have reached an unwarranted conclusion that I simply do not care about the "ethics" issue. You'll demolish them without it, so to me it's just a distraction.
And the fact that the creation of 5500 new viruses lacks any practical or methodological justification makes the ethical lapse even more glaring. If they could mount a credible defense that such steps were necessary to allow some unique and innovative testing to proceed -- testing that might shed real light on the capabilities of the tested AV apps and/or the behavior of malware -- then we might be looking at one of those ethical "corner cases."
But we're not. We're just looking at some run-of-the-mill irresponsible behavior by an otherwise respected testing entity that should have known better -- and all in the name of some rather unimpressive testing that shed light on little of anything except the organization's own ignorance and carelessness.
Eric L. Howes -- Microsoft MVP Sunbelt Software Spyware Warrior | |
|  |  |  |  |  |   Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| Re: Our unique antivirus testing: How we did it
said by eburger68 : And I, too, would expect CR to be able to make the distinction. But the point is, once they redistribute, those viruses are effectively beyond their control.
I'm just unmoved. We're not talking about nuclear secrets or actual ebola virus: they're just bits, and we have no evidence that they have gone on walkabout. It's a big "so what?" to me.
said by eburger68 :Bad comparison. Justin didn't create any malware and isn't re-distributing any malware that wasn't already in the wild -- that's the key difference.
Yes, this is a difference, but it's not that big of a one to me.
said by eburger68 :1) Here the experts are urging the advice on each other -- the very folks one would expect to be the exceptions to the rule.
Industries do this all the time, and it means nothing about the genuine-ness of their motives.
You have to have a barber's license to cut hair in California, and this "imposing a requirement on themselves" was ostensibly done to protect the consumer, but was actually done to increase the barriers of entry into the field and to reduce competition.
Big payroll companies are behind the push for expensive SAS70 audits (technology audits by CPAs, which pretty much fills you in on their utility), mainly to impose costs on the little guys. This is an industry imposing rules on itself in order to increase the barriers of entry into the field and to reduce competition.
I don't believe that this is behind the sentiment going on here — your heroic efforts are informed by motives which are beyond reproach — but industries tend to look at things from their own point of view. They may not be the same as mine.
said by eburger68 :And the fact that the creation of 5500 new viruses lacks any practical or methodological justification makes the ethical lapse even more glaring. If they could mount a credible defense that such steps were necessary to allow some unique and innovative testing to proceed -- testing that might shed real light on the capabilities of the tested AV apps and/or the behavior of malware -- then we might be looking at one of those ethical "corner cases."
Whether you're right or wrong on this, many people see the hue and cry about the ethics as a smokescreen, and it hurts the cause to focus on it. It just smells self serving to me.
said by eburger68 :But we're not. We're just looking at some run-of-the-mill irresponsible behavior by an otherwise respected testing entity that should have known better -- and all in the name of some rather unimpressive testing that shed light on little of anything except the organization's own ignorance and carelessness.
... and whether the objection on ethical grounds is well founded or not, that casts no light on whether CR was actually competent or incompetent in this matter.
I am more than willing to accept that they have received bad advice from their "experts", have gotten in far beyond their competence, and did an all-around bad job.
The "ethics" are just a side show.
Steve -- Stephen J. Friedl Unix Wizard Microsoft Security MVP Tustin, California USA my web site | |
|  |  |  |  |  |  |  eburger68 Premium,MVM join:2001-04-28
1 edit | Re: Our unique antivirus testing: How we did it Steve:
For the sake of clarity, let's narrow the focus of our disagreement to this one statement which, so far as I can tell, motivates and undergirds your entire argument:
quote: It just smells self serving to me.
How is the demand that entities that presume to do quality, responsible AV testing follow a simple ethical rule that one shalt not create malware oneself "self serving"?
How is the demand that those who would presume to test AV products against "unknown" variants take the safer, saner, and more scientifically valid approach of conducting retrospective testing "self serving"?
"Self serving" in what way? Because to prefer retrospective testing over the creation of lab viruses would impose some kind of onerous burden on prospective new testers so that the AV industry could keep the testing game all to itself? Is retrospective testing really THAT onerous and difficult to conduct?
Because lab-created viruses might produce more valid results that would allow non-standard products not favored by industry insiders to rise to the top of test results? Is Bit Defender not an established player in the AV industry? How about Kaspersky? KAV placed a respectable third in this testing, and even they protested.
The AV industry has an extensive body of literature on testing, and, if anything, the recommendations and admonitions you'll find therein often make testing easier to perform as well as more reliable. Indeed, CR could have saved itself quite a lot of headache and expense (and given its readers more reliable test results) had they not resorted to synthetic virus creation.
Really and truly I don't get the "self-serving" charge here. If you're going to make it, you ought to at least be able to explain what the industry hopes to gain by insisting on such an ethical standard. Thus far, I haven't seen anything beyond a flip, empty accusation.
Eric L. Howes -- Microsoft MVP Sunbelt Software Spyware Warrior | |
|  |  |  |  |  |  |  |   Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| Re: Our unique antivirus testing: How we did it said by eburger68 :For the sake of clarity, let's narrow the focus of our disagreement to this one statement which, so far as I can tell, motivates and undergirds your entire argument: quote: It just smells self serving to me.
How is the demand that entities that presume to do quality, responsible AV testing follow a simple ethical rule that one shalt not create malware oneself "self serving"?
Agreeing on a set of best practices sounds like the kind of thing an industry ought to do, but the whole aura of "that's unethical" is self-important, high-and-mighty chest puffing, and it just really turns me off.
"Ethics" is about right and wrong, and CR was not unethical in any way, in spite of all the industry wailing. It's not wrong for a responsible, competent party to create test code in a lab environment in order to learn something about A/V coverage.
I certainly agree that it's dangerous, may well agree that it's unnecessary, (which would follow that there are more effective methods), but if this has not harmed anybody else, there's no ethical violation if this was all done in good faith.
Even if they somehow got in the wild accidentally, that's about "negligence", not "ethics".
My knee-jerk reaction in a situation like this is to side with Consumer Reports and not with the industry being reviewed. As a CR reader for many years, I've seen time and time again when the industry in question wailed about the reviews: it was unfair, that's not how you test that kind of thing, etc.
It's just happened before that CR used out-of-the-box thinking to think about an industry differently than the industry has. Sometimes this finds something important, sometimes it doesn't, but wails from the industry sound the same in either case.
The chest-puffing about "ethics" has that same ring to me.
Now, I happen to be much more educated about the A/V industry than the average reader of CR, so I'm actually going to be able to appreciate technical arguments about why they have gone down the wrong road, it's ineffective, it's too dangerous, etc.
But in the back of my mind, I'm still reserving the possibility that they really found a hole in the industry, and the industry doesn't like it.
I just don't know yet.
Steve -- Stephen J. Friedl Unix Wizard Microsoft Security MVP Tustin, California USA my web site | |
 |  |  |   funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
1 edit | said by eburger68 :And when independent bodies ...
The Consumers Union is an independent body. The assumption up front is that they are objective.
I would be more inclined to ask an independent body to confirm tests that might be subject to bias.
said by eburger68 :...demanded copies of those viruses in order to validate the test bed, which is a basic requirement of scientifically valid testing, what then? If you provide them then you have effectively become a virus distributor. And can you vouch for the safety of the parties to whom you distributed the samples? If you refuse, then your test's results are invalid. End of story.
There are plenty of examples in the medical community where high-risk or limited quantity test items are not shared. That fact doesn't make the testing invalid.
Medical and psychological studies involve groups of individual subjects, with a description of why these individuals were interesting from a test perspective. These studies are not invalid.
said by eburger68 :To return to the original issue -- the full issue -- which is whether CR had any justification -- be it practical, methodological, or ethical -- to create 5500 new viruses for testing
I say yes, you say no.
The AV Comparitor web-site I visited last night approached the "0 day" threat differently. To summarize, they used a version of the AV product that was several weeks old, and tested it using more recent viruses that could not have been added into definition updates yet.
That's a plausible approach, but does suffer the very same "fortune telling" sin that the Avert Blog was complaining about.
I haven't read the CR article, yet. But if the results are very different than AV Comparitor's results, then hopefully this starts a debate that improves the latter. CR isn't going to review AV products in its next issue, but AV Comparitor will.
said by eburger68 :in order to establish and defend the methodological integrity of the testing, CR would unavoidably risk compounding its ethical lapses
Every time I see someone question the ethics of the Consumers Union, I have an emotional response. (And it's not just you, the industry blogs are all doing it.) This is an organization that has decades of behavior beyond reproach. The industry is walking on their customer's holy ground -- they would be well advised to behave themselves.
To me, there is no ethical question here. The question is whether there was an effective methodology. Did they make a mistake?
It is possible to have an ineffective methodology, and to have taken uninformed dangerous risks, and still be ethical.
I think their methodology is plausible and that the "danger" exists but is being overblown. For me, I think it's done and it is interesting. I'm not sure it is the same choice that I would make, had I been CR's tester.
The highly emotional response (ranting) by the AV industry is not serving them at all. I would expect them to recognize that Consumer Reports reviews lawn mowers and hair dryers and everything else, and might not return to a set of products for several years.
As a reader, I expect the Consumers Union to come up with a reasonable way to compare one product against another, describe what they did, and to report what they found. As far as I'm concerned, they did that. I think it's a benefit to everyone that they took a different approach. And I think the jury is out as to whether their method, and their results, turn out to be right. -- Robb Topolski -= funchords.com =- Hillsboro, Oregon USA ~ Keeper of the D-Link FAQ ~ Did you Search? ~ More features, Free! Join BBR! ~ | |
 HMS1
join:2006-01-14 Austin, TX
| It's not a "blame the user" argument. I'll try to say it another way (and btw I was revising my 2nd post, trying to be clearer, just when you were posting).
The point is, if the addition of a new virus makes a difference in the administrator's or protection vendor's strategy, then the strategy is inadequate in the first place. We already know the outer limits of what viruses can do (viz. what the user account allows), and we already know how they get into the LAN or local system (email, junkware etc.). The only difference a new virus makes is some new variation of what they do to the system once infection is already underway.
Following up on the guns analogy, it's as if the whole approach to prevention of shootings is listing all the various types of bullets, and then complaining if someone makes a new kind of bullet, and saying it increases the risk. Instead you just have to keep the guns out of the courthouse or airport. Then it doesn't matter what kind of bullets they use. | |
|  IBK
join:2003-06-20 Austria
| av-test.org and av-comparatives provide retrospective tests to see how well av products protect against new _real-world_ viruses/malware. (and the results etc. can be seen by anyone for free without having to pay a subscription fee).
btw, (something I have wanted to say for a long time) remember that the test of CR was done most probably months ago, as usually printed magazines (articles etc.) are prepared around 30 days prior. considering that they engaged other people to do the test and that they needed to provide them enough time for doing this and then to write the article, the test must have been done months ago. So they could have - instead of creating new variants of old viruses - made a retrospective test which would deliver valid results. Of course that is more time consuming, but they would not need to create new virus variants.
so they have now those variants on a CD in a safe. ok. AV vendors of course would like to know what kind of files were used in this test, in order to see if the results are true (even if from the method etc. invalid). Now the dilemma: if they do not give the samples to the AV vendors, they can not check if the samples work etc., and if they send the new variants to the AV vendors, the AV vendors are obligated to add those variants to their databases (= and that is not good, because if AV vendors have to add the viruses created for testing reasons, the scanning speed may be affected. So for who is all this of help? Not for the users and not for the vendors. Probably just for CR as they get publicity and new paying subscribers).
sidenote: they state that there are no independent tests to measure how well av software is against new threats, which is absolutely wrong. If they knew a little bit about this matter, they would know or have read about methods to do such tests and would also know or see (by using e.g. google) that such tests exist (like I said before provided by av-test.org which publishes those results on various magazines around the world and av-comparatives which has the results/report publicly available online for free).
p.s.: this is just my opinion. | |
|   SpannerITWks Premium join:2005-04-22
1 edit | What's the difference between someone sending a vendor X amount of New REAL nasties that they have discovered, that NO vendor has, and the vendors testing their AntiNasty with them, and then releasing Defs for them, and testing with those Specially written ones ?
Isn't that Exactly what would happen if those Specially written nasties got out somehow ?
Either a nasty IS a Nasty capable of doing whatever it can, or it isn't, then it ain't a nasty is it !
I believe those Specially written nasties are as valid as any others, that are new and discovered for the 1st time. Otherwise let's all pretend that ANY new nasties are completely irrelevant, and therefore we don't need protecting from it/them. Don't think so somehow !
The same goes for some bug etc in software that could be exploitable. What should someone do that discovers it, vendor or otherwise, nothing, or get busy with da fizzy and write some code to fix it, or pass the info on to the vendor if it's not their forte ?
Err not really too difficult to answer is it ! Cos if they don't someone out there will take advantage of it sooner or later, as they continue to do, almost weekly these days. And where would and does that leave MOST users out there, yeah right up **** street without a paddle that's where, as it frequently does !
Spanner
edit typo Only -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks | |
|  |  eburger68 Premium,MVM join:2001-04-28
1 edit | Re: Our unique antivirus testing: How we did it SpannerITWks:
You wrote:
said by SpannerITWks :What's the difference between someone sending a vendor X amount of New REAL nasties that they have discovered, that NO vendor has, and the vendors testing their AntiNasty with them, and then releasing Defs for them, and testing with those Specially written ones ? Isn't that Exactly what would happen if those Specially written nasties got out somehow ? Either a nasty IS a Nasty capable of doing whatever it can, or it isn't, then it ain't a nasty is it ! I believe those Specially written nasties are as valid as any others, that are new and discovered for the 1st time. Otherwise let's all pretend that ANY new nasties are completely irrelevant, and therefore we don't need protecting from it/them. Don't think so somehow !
You've essentially elaborated the logic that would cause customers of AV companies to demand that lab viruses be added to AV definitions, and the logic that AV companies might be forced to bow to, if lab viruses became commonplace enough.
So, my question, though, remains: would you personally feel fine shelling out money each year for a subscription to an anti-virus product's definitions when those definitions were in part necessary in order to cover viruses that AV researchers, testers, and companies were themselves cooking up in the lab?
How do you think others would react to the same proposition -- that they had to pay for protection from viruses created by parts of the AV industry itself?
Eric L. Howes -- Microsoft MVP
Sunbelt Software
Spyware Warrior | |
|   GeekNJ Premium join:2000-09-23 Waldwick, NJ
| I wonder what those folks here that think CR did something irresponsible would think of an individual who finds a vulnerability in an OS or product and then, after contacting the company, doesn't receive an adequate response. They then post their findings "in the wild". I think that's more dangerous than what CR did, yet the latter happens all the time and is typically how some areas of the software industry need to be treated in order to react.
I think CR's testing is fine and will likely (or more appropriately hopefully) result in A/V vendors better addressing potential issues because, like Steve, I think there's a need for those not "in the business" to challenge the business.
And on a bit of a related thought, I've personally always felt that the A/V industry itself was possibly responsible for the scare and even creation of viruses in order to pump up the "We protect you from xxx,000 nasties". Of course, how many of those nasties have never been "in the wild"?  -- Tweaked your connection? | Mail Parse | Speed Converter | |
|  |   funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
1 edit | Re: Our unique antivirus testing: How we did it
said by GeekNJ :And on a bit of a related thought, I've personally always felt that the A/V industry itself was possibly responsible for the scare and even creation of viruses in order to pump up the "We protect you from xxx,000 nasties". Of course, how many of those nasties have never been "in the wild"?
We've all wondered about that at some time or another. We've all heard the true stories of firemen that try to boost their careers by starting fires in order to be the hero that saves a life or building.
But, I think we're pretty safe from that possibility, because:
The industry is both old enough and large enough that, if this were happening, a current or ex-employee whistleblower would have appeared by now.
The number of competitors is large enough to identify one competitor that is constantly adding threats to their definitions that nobody else has ever seen.
In both of the above, such an allegation against a specific company would be a death sentence. Even the allegation of fabricating viruses to sell AV product could kill an AV company. As an example, we can look back to the tainting of anti-adware companies that started to become chummy with certain software companies. -- Robb Topolski -= funchords.com =- Hillsboro, Oregon USA ~ Keeper of the D-Link FAQ ~ Did you Search? ~ More features, Free! Join BBR! ~ | |
|  |  eburger68 Premium,MVM join:2001-04-28
2 edits | GeekNJ:
You wrote:
said by GeekNJ :And on a bit of a related thought, I've personally always felt that the A/V industry itself was possibly responsible for the scare and even creation of viruses in order to pump up the "We protect you from xxx,000 nasties". Of course, how many of those nasties have never been "in the wild"?
Yes, you and a number of other folks, as I noted in an earlier post. If this truly is a concern of yours, then the very last thing you want to encourage is the creation and use of lab viruses by anyone in the industry or even connected with the industry -- and that includes CR, because if a widely respected and influential testing entity like CR begins routinely creating and using lab viruses, then the pressure will only increase on others in the industry to start doing the same. At some point, AV companies could very well be compelled by customers or circumstances to start loading up their definitions (and selling subscriptions to them) with these lab viruses.
And who would benefit from such an eventuality? The only possible beneficiaries that I see are the sales departments of AV companies.
This is one of the quagmires that the "Wild List" was created to forestall -- to compel the industry to focus on, research, test against, and target actual viruses that posed real threats to users "in the wild."
Eric L. Howes -- Microsoft MVP Sunbelt Software Spyware Warrior | |
|  eburger68 Premium,MVM join:2001-04-28
| Hi All:
A quick followup to my last few posts regarding the potential effects of the widespread use of lab viruses on the AV industry. The concern that I've expressed -- that, in a worst case scenario, the industry and its customers could be drawn into an enervating cycle of lab virus creation and virus definition building in response to customer demands -- is not an idle one. We've seen these kinds of cycles before.
First, give part of Joe Wells' paper here a read:
"Lies, Damn Lies, and Marketing Perfidious Priorities" »vx.netlux.org/lib/ajw01.html#p3
Joe rehearses one of these cycles from the early years of the AV industry, when it was sucked into a competitive arms race over the number of "all known viruses" and the comparative detection rates of AV products. Bad research and analysis feeds opportunistic, competitive marketing, which feeds user fears and customer demands, which in turn feeds product testing and research, which feeds...
You get the picture.
We've even seen a similar phenomenon in the anti-spyware industry with respect to cookie detection. Having talked to a large number of folks from various anti-spyware companies, I can tell you that none of them (at least that I know of) regards cookies as anywhere near the same kind of threat as executable adware, spyware, or malware. And most that I've talked to have expressed a desire to do something different with the cookie detection in their products. Some would like to drop it altogether. Others would like to handle it differently, so that cookies weren't presented alongside executable malware in a manner that suggested that the two were roughly similar types of threats.
So why don't things change within the anti-spyware industry? Because everyone's afraid of the consequences of being the first to act (beyond Microsoft, which dropped cookie detection from the GIANT product that it acquired). Any anti-spyware company out there can tell you about the angry calls and emails they get from customers that Product A failed to detect a few cookies that Product B detected. In short, fearful customers are demanding cookie protection and frequently see no difference between cookies, viruses, spyware, and adware. And the anti-spyware companies, much as they might gnash their teeth over the detection of cookies, continue to provide it (and even, in some cases, hype it) out of fear that their product will take a hit in sales and reputation should they be perceived as "soft on cookies."
So, my concerns do have a basis in actual situations that we've encountered before.
Eric L. Howes -- Microsoft MVP Sunbelt Software Spyware Warrior | |
|  |   funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
Re: Our unique antivirus testing: How we did it
said by eburger68: First, give part of Joe Wells' paper here a read: "Lies, Damn Lies, and Marketing Perfidious Priorities" »vx.netlux.org/lib/ajw01.html#p3 Joe rehearses one of these cycles from the early years of the AV industry, when it was sucked into a competitive arms race over the number of "all known viruses" and the comparative detection rates of AV products. Bad research and analysis feeds opportunistic, competitive marketing, which feeds user fears and customer demands, which in turn feeds product testing and research, which feeds...
Yep, similar to Processors and MIPS, wireless network theoretical datarates, pharmaceuticals and "restless-knee syndrome," ... the list goes on forever. -- Robb Topolski -= funchords.com =- Hillsboro, Oregon USA ~ Keeper of the D-Link FAQ ~ Did you Search? ~ More features, Free! Join BBR! ~ | |
|  |   Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
said by eburger68: The concern that I've expressed -- that, in a worst case scenario, the industry and its customers could be drawn into an enervating cycle of lab virus creation and virus definition building in response to customer demands -- is not an idle one. We've seen these kinds of cycles before.
Ah, so now the fog lifts.
This is not so much an egalitarian "do not hurt others" concern, but a worry that the industry will be unable to restrain itself; that's a different concern that does not speak in any way to the ethical behavior of Consumer Reports.
It would indeed be unethical for an A/V company to create viruses ("for testing") and then include them in a product with a claim that they protected against more stuff than the other guys (who don't have the synthetic tests). This is hyping against threats that do not really exist.
So the objection is not about "creating test viruses" but "creating test viruses and using them for marketing": the latter creates a whole cycle of bad incentives at the expense of the consumer.
That is unethical, and I'm pretty sure that there's essentially 100% agreement on that point.
But since Consumer Reports is not in the A/V industry, they don't have any of those incentives (they're not selling an A/V product), so these reasonable proscriptions on industry behavior do not apply here.
The more I look at this, the more I believe Consumer Reports was not unethical in any way, even remotely.
So putting aside the ethical issue, we're left with something that's somewhat easier for us to talk about: the technical merit of their testing methodology.
But that doesn't make it completely easy: the onlooker must be on the lookout for a circle-the-wagons reaction by the industry — this happens all the time — and I'd be surprised if there were none of that here.
I, like others, am content to evaluate both the evidence and the warrants, sniffing out the good and spurious claims.
But the more I see about "ethics", the more I think it's a circle-the-wagons reaction, and to accept A/V claims with more and more grains of salt.
Steve -- Stephen J. Friedl Unix Wizard Microsoft Security MVP Tustin, California USA my web site | |
|  |  |  eburger68 Premium,MVM join:2001-04-28
| Re: Our unique antivirus testing: How we did it Steve:
You wrote:
said by Steve: But since Consumer Reports is not in the A/V industry, they don't have any of those incentives (they're not selling an A/V product), so these reasonable proscriptions on industry behavior do not apply here.
I'm afraid I have to disagree once again. CR is widely respected and influential -- that we've seen even from some of the posts in this thread. If this testing turns out not to be a one-off situation with CR -- that is, if CR were to start routinely using lab viruses in their widely followed testing -- then pressure on the AV industry itself (including independent researchers, testing bodies, consultants, and the AV vendors themselves) to do the same would inevitably increase. It would likely start with other research entities, but it would likely spread to other parts of the AV industry.
Even if the AV vendors themselves somehow managed to refrain, we could still well wind up in a situation where AV companies were forced to contemplate whether to start adding lab viruses to their definitions. And who would benefit? Surely not ordinary users and consumers.
No, CR is not an island unto itself. Many here have championed CR for having the wherewithal to force industries to think and behave differently. This power can be a benefit in some circumstances. It can also pose dangers if that influence unintentionally forces an industry down a path it has no business going down. One can't celebrate the influence of CR on the one hand and not contemplate the potential consequences of its actions on the other.
So, is the AV industry "circling the wagons"? Perhaps only to protect itself from a potential trend that it long ago recognized as dangerous.
Eric L. Howes -- Microsoft MVP Sunbelt Software Spyware Warrior | |
|  |  |  |   Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
Re: Our unique antivirus testing: How we did it
said by eburger68: Even if the AV vendors themselves somehow managed to refrain, we could still well wind up in a situation where AV companies were forced to contemplate whether to start adding lab viruses to their definitions. And who would benefit? Surely not ordinary users and consumers.
This is a fair point, but it's not the argument that was made in the early parts of this thread. It was originally that CR's creation of these was bad in and of itself, but now it's because it might lead the industry into screwing the consumer. Those aren't the same things!
CR generally thinks outside the box without regard for what the industry being reviewed thinks, and I believe that's good for the consumer. The louder the industry wails, the more I think they may be onto something.
Should we let the lawn-mower industry define the tests for what makes a good lawn mower? How about car companies? etc.
It may well be that CR committed the crime in question, but the A/V industry is doing a terrible job in the witness stand.
Look at all these signatures! Look at how much we're gnashing our teeth! I'm not going to believe CR when they rate a gas grill!
I'm an educated, technical consumer with a reasonable nose for BS, and this all comes off as incredibly disingenuous to me. But I could be wrong.
Steve -- Stephen J. Friedl Unix Wizard Microsoft Security MVP Tustin, California USA my web site | |
|  |  |  |  |   funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
Re: Our unique antivirus testing: How we did it
said by Steve: It may well be that CR committed the crime in question, but the A/V industry is doing a terrible job in the witness stand.
Agreed. I have no beef with the AV industry. So far, McAfee (which ranks about center in the AV-Comparatives list) hasn't failed me -- and I'm a rough customer. To me, anyway, mediocrity seems to be pretty damn good. That speaks well of the Industry.
"The industry" (whoever they are) has judged that Consumer Reports made a mistake. Fine. They may even choose to ignore CR's methods and findings. Fine. They may even write a letter to the editor explaining why. Fine. I think that all of those conclusions and actions are rational.
The level of protesting seems too shrill. By getting high-and-mighty, the industry has lowered itself a bit in my eyes. -- Robb Topolski -= funchords.com =- Hillsboro, Oregon USA ~ Keeper of the D-Link FAQ ~ Did you Search? ~ More features, Free! Join BBR! ~ | |
|  alexeck
join:2004-12-20 Clearwater, FL
Folks,
I see arguments supporting CR and against CR.
Here's the simple truth: CR chose to ignore a vast corpus of research, debate and analysis by the academic and security research community. They decided to go their own way and have severely undermined their credibility by making a major error, and possibly others.
It's an established principle in security research that you NEVER create your own antivirus strains for testing purposes. There are a number of reasons which I discuss in my most recent blog posting »tinyurl.com/msclw .
The CORRECT way to test heuristics is extremely simple: Turn off definitions for all the products being tested, and test against new virus strains after a few weeks or months. That's the only honest, correct approach, as it a) tests against the real-world, b) doesn't turn you into a virus creator/distributor and c) actually gets you the right results.
Why CR couldn't simply follow this time-honored approach is a bit confusing.
Arguing that the AV community is biased in this regard is patently false reasoning. The arguments against CR are across the spectrum, from the pure research side to the antivirus community.
If CR had simply followed standard testing methods, all would be fine and no one would care. It would actually be a service to the community.
But the problem is a bigger one: We need standardized testing for all types of security products. This debate should be done in a reasoned, scientific fashion, with broad representation in the community and industry to come out with a clear, comprehensive method of testing. That is the only real way to serve the consumer.
Alex | |
  SpannerITWks Premium join:2005-04-22
Quote bluezanetti -
" However, it is just as easily argued that no matter how controlled their testbed, there's no assurance the test sampling bears any resemblance to emerging malware threats at play today due to the very dynamic nature of the challenge. "
And it's just as easily debated that it does ! Cos you n me both + everybody else don't know do we, it's just speculation after all. If out of 5500 brand new nasties they haven't written some super duper stuff that really challenges AVs, then yes it would be a bit limp, but it's to be hoped they did. We might find out sooner rather than later as the " noise " increases from various sectors. They could open up their secret Treasure Trove to Trusted peeps for evaluation, that would sort it one way or the other, or maybe even in between !
I suggest that a group of Interested parties could be invited to bring their testing laptops to a predetermined SECURE location, and under the watchful eyes of a number of agreed by all parties peeps, conduct their own tests ALL at once ! Then publish the results either as a joint release, and/or individually for all to see. If people Really want it to happen it can and will, so start making connections and make it happen, then they will know and so will we.
-
As a general observation, comments made towards somebody/thing etc like this for eg " Consumer Reports, better known for reviewing cars, lawn-mowers and appliances " only seem to be posted to demean them in some way/s. Just because they test those things, they also test a range of other things too, and why shouldn't they be ( allowed ) to if they want to. Anybody can test whatever they like, there's no law against it, and as long as the tests are competent and the results are fair, and it's beneficial in some way/s to the users, so what !
For one eg -
I've thrown just about every FW test there is going at my FW + Apps, and published the results for all to see, more than once. People were and are free to challenge them and my methods etc, and ask questions etc, which they did, and i was happy to respond. Happy in more ways than 1 too, as i pass 99% of them on my PC. Now am i or others to be disbelieved over tests they do such as those, just because we haven't been given the title " experts " or call ourselves that ?
Spanner
edit typo Only -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks | |
|  |   AB Premium join:2006-04-04 Leesburg, VA
Re: Our unique antivirus testing: How we did it
said by SpannerITWks: . . Anybody can test whatever they like, there's no law against it, and as long as the tests are competent and the results are fair, and it's beneficial in some way/s to the users, so what ! . . just because we haven't been given the title " experts " or call ourselves that ? Spanner
Hey, I think I'm starting to see the light here! All those pimply-faced 17-year-old Russian scriptkiddies are just 'testers', testing what they like! They certainly don't have the title "experts", do they? And it's ultimately beneficial to the community because other so-called 'experts' get to play around with their handiwork to find out how to stop it. Yes! We've been dogging these people, when in reality, we owe them our deepest gratitude! Please, allow me to be the first-- Thank you, pimply-faced Russian scriptkiddies, for helping to make the computing world a better, safer place! | |
|  |  bluezanetti Premium join:2003-10-04
| said by SpannerITWks : And it's just as easily debated that it does ! Cos you n me both + everybody else don't know do we, it's just speculation after all.
Quite true. Of course, had CR followed the protocol noted above, debate on this point would be moot, albeit replaced by other points of possible contention.
My overriding point is that the route pursued by CR is one that could inject unintentional bias into the test. Who knows if measures were taken to minimize this eventuality, I certainly have no insight into that point.
Blue | |
|   SpannerITWks Premium join:2005-04-22 | How about Trojans + Rootkits etc then, is that OK lol ?
Spanner | |
|  |   Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
Re: Our unique antivirus testing: How we did it
said by SpannerITWks: How about Trojans + Rootkits etc then, is that OK lol ?
I assume you were replying to me in spite of your Topic Reply.
I don't have any problem creating any software on a test basis for legitimate research and testing purposes as long as one takes precautions that they do not leak. It's harder to do this than it looks, but it's not beyond the ability of mankind to get this right.
Their badness comes from the harm they do to others, not to some inherent badness of the bits themselves.
Steve -- Stephen J. Friedl Unix Wizard Microsoft Security MVP Tustin, California USA my web site | |
|  |  |   SpannerITWks Premium join:2005-04-22
| Re: Our unique antivirus testing: How we did it No Stevie baby, i was responding to alexeck " Just don't create viruses "
I assumed he did actually mean ALL malware though, as i mentioned earlier on in the thread.
You're right, hysteria won't help anybody, especially the users !
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks | |
|  IBK
join:2003-06-20 Austria
Hi, the following is only my opinion, nothing more: I think the main point on why CR is currently in the spotlight for what they did is not the high risk their samples could pose to the real world. The main points (I refer now to the points of the McAfee blog because I think they were the first to note it) are that:
1. the variants they created are NOT variants that you will encounter in real life (it's long ago since I saw a scriptkiddie variant of e.g. loveletter, and that's not what goes on daily [much more new malware appears, not such silly variants]);
2. true, writing viruses is generally considered not a good idea (but the AVIEN letter was an example about a topic where a university wanted to teach its students how to write viruses in order to teach how to protect against them - all students failed in the real world about this, as no one is working in any AV-related job);
3. testing methods to measure how good or bad AV software is at detecting new malware have been discussed for a long time, and for some years (6?) the retrospective method has been considered to give the best real-world results (and that's true, if the test is done accurately and a bit perfected to avoid some influences). It is known that AV-Test.org (Andreas Marx) does retrospective tests and publishes the results in many magazines. And it should also be known that AV-Comparatives makes such testing publicly available (still for free - that's more user-friendly).
So I can only think that they wanted to make something spectacular, but failed in doing some research about the topic before they acted (well, it is probably also the fault of the people they engaged to do the test. They are most probably very good at other security tests in environments they provide, but probably not very informed about antivirus testing). Point 4 in the McAfee blog is (for those that did not notice it) a sarcastic phrase (see ).
Conclusion: there was no need to create those virus variants, as a test based on these self-made variants does not show the user how good AVs are at detecting new viruses. It only tells how many of the self-made files created for testing - which you will never encounter - were detected, making the whole test senseless and not useful for anyone. CR will not write that in their article, but even if they did state it, most readers would anyway come to their own conclusion and believe in the printed scores. AV vendors (also those that scored top) are imo very sad/upset that magazines still make home-made invalid tests and deliver wrong information to users (which has happened for a long time and still happens in some magazines) instead of e.g. asking independent organizations like av-test.org, virusbtn, icsa, wcl etc. to help with the tests (or to perform the tests for them). I do not list av-comparatives because, as I publish the results up-to-date for free on the website for users, I do not think that anyone would want to wait several months to see it published in some magazine when it will already be outdated (usually [but not always] most tests in magazines are already at least some months old). | |
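The retrospective method that alexeck and IBK describe above (freeze every product's definitions, wait, then score the products against malware that first appeared in the wild after the freeze) is easy to state but has two details that decide whether the result means anything: which samples are eligible, and how much a detection percentage on a small set actually tells you. The following Python is an added illustration, not code from the thread or from AV-Test.org, AV-Comparatives or any other body named in it. The products, dates and sample identifiers are constructed, and the eligibility rule, the clean-set false-positive count and the confidence interval are the editor's assumptions about how such a test would be scored, not a description of any organization's actual procedure.

```python
"""Retrospective anti-virus test scorer (added example; not from the thread).

Model of the protocol described in the thread:
  1. Freeze every product's definitions at FREEZE_DATE (no updates afterwards).
  2. Wait, then collect malware that was FIRST SEEN in the wild after the
     freeze and before the scan.  Nothing written by the tester, and nothing
     the vendors could already have had a signature for.
  3. Scan that set plus a clean set with the frozen products.  Detections on
     the malware set measure heuristic/generic detection; detections on the
     clean set are false positives, the cost that aggressive heuristics carry.
All samples, products and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from math import sqrt
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Sample:
    sha256: str                  # identifier only; constructed, not real hashes
    first_seen: date             # first sighting in the wild
    malicious: bool              # True = validated malware, False = known-clean file
    detected_by: FrozenSet[str]  # products that flagged it with frozen definitions


@dataclass(frozen=True)
class Result:
    product: str
    n_malicious: int
    detected: int
    n_clean: int
    false_positives: int
    detection_rate: float
    fp_rate: float
    detection_ci95: Tuple[float, float]


def eligible_malware(samples: List[Sample], freeze: date, scan: date) -> List[Sample]:
    """Malware that appeared after the freeze but existed by scan time.

    Samples first seen on or before the freeze are excluded: a signature for
    them could legitimately be in the frozen definitions, so detecting them
    says nothing about new-threat capability.  Samples first seen after the
    scan could not have been on the test bench at all.
    """
    return [s for s in samples if s.malicious and freeze < s.first_seen <= scan]


def wilson_interval(hits: int, n: int, z: float = 1.96) -> Tuple[float, float]:
    """95% Wilson score interval for a proportion.  Shows how little a small
    sample set tells you even when the point estimate looks crisp."""
    if n == 0:
        return (0.0, 1.0)
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def score(samples: List[Sample], products: List[str],
          freeze: date, scan: date) -> Dict[str, Result]:
    """Per-product detection rate on eligible new malware and false-positive
    rate on the clean set, both scanned with definitions frozen at `freeze`."""
    malware = eligible_malware(samples, freeze, scan)
    clean = [s for s in samples if not s.malicious]
    results: Dict[str, Result] = {}
    for prod in products:
        hits = sum(1 for s in malware if prod in s.detected_by)
        fps = sum(1 for s in clean if prod in s.detected_by)
        results[prod] = Result(
            product=prod,
            n_malicious=len(malware), detected=hits,
            n_clean=len(clean), false_positives=fps,
            detection_rate=hits / len(malware) if malware else 0.0,
            fp_rate=fps / len(clean) if clean else 0.0,
            detection_ci95=wilson_interval(hits, len(malware)),
        )
    return results


FREEZE_DATE = date(2006, 6, 1)        # constructed
SCAN_DATE = date(2006, 8, 1)          # constructed
PRODUCTS = ["ProductA", "ProductB"]   # hypothetical products

# Constructed sample set.  Hashes are placeholders, not real file hashes.
SAMPLES = [
    Sample("aa01", date(2006, 5, 20), True,  frozenset({"ProductA", "ProductB"})),  # pre-freeze: excluded
    Sample("aa02", date(2006, 6, 10), True,  frozenset({"ProductA"})),
    Sample("aa03", date(2006, 7, 1),  True,  frozenset({"ProductA", "ProductB"})),
    Sample("aa04", date(2006, 7, 15), True,  frozenset()),                           # missed by both
    Sample("aa05", date(2006, 7, 20), True,  frozenset({"ProductB"})),
    Sample("aa06", date(2006, 8, 10), True,  frozenset({"ProductB"})),               # post-scan: excluded
    Sample("cc01", date(2006, 6, 5),  False, frozenset({"ProductB"})),               # false positive for B
    Sample("cc02", date(2006, 7, 2),  False, frozenset()),
    Sample("cc03", date(2006, 7, 3),  False, frozenset()),
]


if __name__ == "__main__":
    for r in score(SAMPLES, PRODUCTS, FREEZE_DATE, SCAN_DATE).values():
        lo, hi = r.detection_ci95
        print(f"{r.product}: {r.detected}/{r.n_malicious} new samples detected "
              f"({r.detection_rate:.0%}, 95% CI {lo:.0%}-{hi:.0%}); "
              f"{r.false_positives}/{r.n_clean} clean files flagged")
```

Two things the scorer makes visible that a bare percentage hides. First, the eligibility filter throws out the pre-freeze sample (a vendor could already have had it) and the post-scan sample, so only four constructed files actually count; second, with four samples a 50% detection rate comes with a 95% interval of roughly 15% to 85%, which is no ranking at all. That is why the question in this thread is less "how many samples" than "how many samples that are real, new and independently validated", and why a clean set has to be scanned alongside them: a product tuned to flag everything unknown would score perfectly on the malware set and be useless in practice.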
|  |   SpannerITWks Premium join:2005-04-22
| Re: Our unique antivirus testing: How we did it IBK
Re the Mcafee blog
1 - " It is claimed that created viruses were the kind youd most likely encounter in real life which is, of course, something the testers cannot know. "
( And something Igor Muttik or anybody outside of the inner sanctum can't know, as they don't know if they don't have access to them )
3 - 4 - ( Already covered those )
Re Conclusion
" there was no need to create that virus variants, as the test based on these self-made variants do not show/tell to the user how good AVs are in detecting new viruses. It only tells about how much of the self-made files created for testing - and that you will never encounter - were detected "
( Why doesn't it help users to determine whether or not an AV can detect new Malware. As i've already said, if it's new then it IS new, and if it could do damage, no matter how small, it's still unwanted and would need sorting. How can anyone say that ALL 5500 were crap, they might be, but we don't know do we, yet ! How can it be stated 100% that nobody will EVER encounter Anything similar.
Why do people differentiate between those 5500 in a closed lab, and scriptkiddies or worse coding something equally, let's say crap but still capable of damage, or something not crap but lethal ! Why does it matter where they were created, and by whom. If it's new and can do damage then it's fair game for testing AVs' detection capabilities.
Any chance of putting a bit more white in between the black in future, thanx. )
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks | |
|   EGeezer Go Bobcats Premium join:2002-08-04 Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
Since no one has specifically reviewed the variants created by the CU testers, we really don't know whether or not the variants would be typical of the dozens that are created daily by the "production" malware coders (per David Emm of Kaspersky, quoted in one of the SANS-linked articles, Kaspersky adds over 200 signatures a day).
However, I'd guess they have sufficient history and have retained the expertise to extrapolate and create reasonable variations in a well secured environment. Until credible experts come up with analyses of the CU variants that discredit CU's tests, I'll give CU the benefit of the doubt based on their past history of providing accurate testing and successful defence of challenges.
That being said, Here's a note from SANS;
said by SANS Newsletter and editorial: --Consumer Reports Creates 5,500 Viruses For Tests (16 August 2006) Consumer Reports is under fire from the anti-virus community for sponsoring the creation of 5,500 new viruses to test anti-virus products. Zone Alarm Internet Security Suite scored high in the test for both virus and spyware. Spybot Search and Destroy scored well for spyware.
»www.computerworld.com/action/art···_topic17
»cbs4boston.com/consumer/local_st···410.html
Special Tip: A great discussion on Microsoft Office security and vulnerabilities has been posted on SecurityFocus: »www.securityfocus.com/infocus/1874
[Editor's Note (Paller): This controversy is especially problematic for the leading AV companies because they have traditionally not done well in finding and blocking new viruses quickly. But for goodness sakes, if they don't do well at finding and blocking new viruses, why are we buying them? They should stop complaining and instead thank Jeff Fox and the editors at Consumer Reports for helping to do important product improvement research for them.] -- This space for rent | |