Consumer Reports Creates Viruses to Test Software
Maximum Prophet writes to mention an MSNBC article about a Consumer Reports plan to test anti-virus software by creating viruses. Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason. From the article: "Consumer Reports didn't create thousands of new viruses from scratch. Rather, it took a handful of existing viruses and created hundreds of slight variants, changing the malicious programs just enough to evade detection by an antivirus program with a list of known threats. That's a common trick in the virus writing world; it's standard for a successful virus to inspire dozens of variants."
for one of their viruses getting out then by all means I think Consumer Reports should be allowed to continue.
Catching them after they are out is easy. The consumer really has so very little to go on from a "trusted source" in regards to virus scanning that the obscurity benefits the AVG companies. With a little more light on the subject we all benefit, all except the AVG companies. Guarantee that whomever CR picks is going to parade that around regardless of their stance before testing occurs.
Again, if CR is willing to accept liability for one of their tests getting out into the wild then I say go for it! Perhaps they should register their "new toys" with someone for backup? Of course that makes for another hole too.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
(See my Journal entry for the gory details) ... I would sincerely recommend they don't play with fire. There are too many ways that self-replicating programs can go wrong... or too-right, as in my case :-(
If they can guarantee containment, of course, a virus is completely harmless to the rest of the world. The problem comes when containment is breached because of something you didn't think of - and the problem with things you didn't think of, is that you didn't think of them [grin].
Simon (now a thoroughly-reformed character, honest guv)
Physicists get Hadrons!
Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason.
You mean they aren't already doing this internally? If not... what the hell are they doing all day? If they're just being reactive without testing their software against possible variants then their software isn't really useful. Though frankly I find antivirus software to be a cure worse than the disease. A 1/100 chance I'll get a virus that does bad things to my computer, or a 100% chance that my computer will run like crap due to NAV.
Solution? Back up all my documents (mostly pics) to a DVD monthly and trust my Linux box firewall/router/proxy to keep the bad bits out.
rooooar
You can use these files to test if your AV program is working
http://www.eicar.org/anti_virus_test_file.htm
AV software WILL protect you from new viruses... Just not McAfee and Symantec's crap. Well I suppose I should rephrase: Their software can protect you, but not very well, not as well as others. Bitdefender appears to do the best job at finding viruses that it doesn't have in its DB. AVG also seems to do a pretty good job.
That's what they are afraid of. Not that it will be revealed their software does nothing, it does work, just that there is cheaper software that works better.
Do you have any links about this story?
CR's model which provides its independence also means it doesn't tend to have the chummy, early access relationship many other outlets have with manufacturers. Them actually doing really substantial tests also means that they tend to take longer than some other outlets. OTOH, I've rarely been led astray by a CR review on anything, computer related or not, so I'm pretty happy with them despite their limitations.
Even in the latest issue (September 2006), they persist in assessing the rate of Mac OS X spyware and virus infections by conducting a survey, an annual gaffe on their part. Rather than checking around and discovering that no such malware exists in the wild, they assume that computer users are able to judge for themselves the cause of computer difficulties.
This would be like studying the mechanisms of natural selection by way of a survey. Hey, whaddyaknow, turns out there's no such thing as evolution, a survey of Americans would have to conclude.
Consumers Union knows better. I don't know why they keep repeating this mistake.
-Waldo Jaquith
All this crap only applies to Windows XP. While it is true that MS-DOS, 3.1 and 98 can be infected by explicitly running an infected program (rare), XP is the only thing you can install, hook up to the net and expect it to be infected within hours if not minutes.
For the one machine I have at home that has to use winbloze I use 98 and have since, well, 98. Although it has in typical MS fashion shit itself a few times it has NEVER become infected. Not once.
Other than an ill-fated XP experiment here briefly the last virus I saw was when my idiot boss in 1989 said "here you need this new assembler" and it was infected with the stoned virus.
Need Mercedes parts ?
From the article: "I understand .. if you want to test a car's performance, you test the car put on road with lots of bumps on it," Marcus said. "But when you are talking about malicious code, there's a threat to public. There are professionals who know how to handle viruses. It should be left to them." (emphasis added)
Well, that's why Consumer Reports hired computer security professionals to work with on this. Maybe they're just mad that CR didn't ask them to be the security consultants... oh wait, that might be a conflict of interest for the product review. Tough.
$nice = $webHosting + $domainNames + $sslCerts
The problem is that AV software at the moment scans for signatures of known malware. Essentially they are reactive.
What they should be doing is more heuristic scanning, identifying malware by characteristics rather than looking for particular malware signatures.
This is a fundamental weakness in most existing AV software. Certainly this is harder to do because legitimate software can do similar things to malware. That doesn't change the fact that AV companies should be concentrating more on this. This is particularly true as most "successful" worms get modified and re-released. As a result it should be possible for the AV companies to detect the altered worms.
Consumer Reports is doing us all a service here by exposing this weakness. Provided they ensure the worms don't get out I'm all for it. This is a perfectly valid way of testing the malware. In addition FTA they are doing what most malware writers do anyway: altering the worm just enough so that it is likely to get past the signature-based scanning software.
Shame on you McAfee.
meh
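The difference several comments above draw between matching a list of known signatures and identifying a sample by its characteristics, as an added example that is not part of the original thread or of any product's code. It compares an exact SHA-256 lookup with byte-shingle (n-gram) similarity, a simple stand-in for characteristic-based matching; the samples, function names and the 0.8 threshold are assumptions, and the byte strings are constructed and harmless.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def shingles(data: bytes, n: int = 4) -> set:
    """All overlapping n-byte windows of the sample."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two shingle sets, from 0.0 to 1.0."""
    sa, sb = shingles(a), shingles(b)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0

def exact_match(sample: bytes, known: list) -> bool:
    """Signature-list behaviour: hit only if the whole file is identical."""
    return sha256(sample) in {sha256(k) for k in known}

def fuzzy_match(sample: bytes, known: list, threshold: float = 0.8) -> bool:
    """Characteristic-based behaviour: hit if most content is shared."""
    return any(similarity(sample, k) >= threshold for k in known)

# Constructed, harmless byte strings standing in for files.
KNOWN = bytes(range(256))            # the catalogued sample
_v = bytearray(KNOWN)
for pos in (10, 100, 200):           # three single-byte changes
    _v[pos] ^= 0xFF
VARIANT = bytes(_v)                  # slight variant of KNOWN
UNRELATED = bytes(reversed(KNOWN))   # shares no 4-byte window with KNOWN

def classify(sample: bytes) -> str:
    if exact_match(sample, [KNOWN]):
        return "exact"
    if fuzzy_match(sample, [KNOWN]):
        return "similar"
    return "no match"

if __name__ == "__main__":
    for name, s in (("known", KNOWN), ("variant", VARIANT),
                    ("unrelated", UNRELATED)):
        print(f"{name:9} {classify(s):8} sim={similarity(KNOWN, s):.3f}")
```

Lowering the threshold catches more distant variants at the cost of flagging unrelated files that happen to share content, which is the false-positive trade-off the comment above raises.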