Slashdot Mirror
Consumer Reports Creates Viruses to Test Software
Maximum Prophet writes to mention an MSNBC article about a Consumer Reports plan to test anti-virus software by creating viruses. Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason. From the article: "Consumer Reports didn't create thousands of new viruses from scratch. Rather, it took a handful of existing viruses and created hundreds of slight variants, changing the malicious programs just enough to evade detection by an antivirus program with a list of known threats. That's a common trick in the virus writing world; it's standard for a successful virus to inspire dozens of variants. "
You know you're in trouble when Consumer Reports is pointing out that your software is worthless. As just about every /.er knows, pattern / signature based detection is all too easily circumvented. Unfortunately it's pretty much all we have. It has been my experience that enabling Heuristic based detection (in Symantec Corporate AV) at any level other than the default just leads to too many false positives.
Consumer Reports destructively tests many things. Why should it matter what they do to their own computers? As long as they don't release these viruses into the wild, there is no problem.
for one of their viruses getting out then by all means I think Consumer Reports should be allowed to continue.
Catching them after they are out is easy. The consumer really has so very little to go on from a "trusted source" in regards to virus scanning that the obscurity benefits the AVG companies. With a little more light on the subject we all benefit, all except the AVG companies. Guarantee that whomever CR picks is going to parade that around regardless of their stance before testing occurs.
Again, if CR is willing to accept liability for one of their tests getting out into the wild then I say go for it! Perhaps they should register their "new toys" with someone for backup? Of course that makes for another hole too.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Be sure to read our other Consumer Reports articles, where we:
- and -
Thanks, Consumer Reports. Thanks bunches.
____
~ |rip/\/\aster /\/\onkey
1) Virus writers will write exactly the same code, unless the boys at Consumer Reports are dedicated enough to come up with truly innovative virus variations. So there's no fear that someone out there will "get ideas."
2) Why not vet your software against somebody else's test suite? If CR wants to function as an extension of Symantec's R&D, let 'em. It's a win-win.
Human being (n.): A genetically human, genetically distinct, functioning organism.
Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason.
You mean they aren't already doing this internally? If not... what the hell are they doing all day? If they're just being reactive without testing their software against possible variants then their software isn't really useful. Though frankly I find antivirus software to be a cure worse than the disease. A 1/100 chance I'll get a virus that does bad things to my computer, or a 100% chance that my computer will run like crap due to NAV.
Solution? Backup all my documents (mostly pics) to a dvd monthly and trust my Linux box firewall/router/proxy to keep the bad bits out.
rooooar
This is a very good idea, IMO. I mean, for years the major security companies have been using fear tactics to push their software. For an almost equal amount of time, security-concious geeks have been critical of this software. Having a trusted, disinterested third-party like Consumer Reports put it to the test sounds like the perfect solution to this situation.
Its been a long time since someone outside of Norton has talked about how good a Norton product is, but they've been in the game for such a long time that they are trusted by the general public to do their job. I wonder how many would uninstall if Consumer Reports said that their product was utter crap? Or rather, how many would try to uninstall only to find that the uninstaller is broken too?
There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
As a CR subscriber, I am utterly amazed that they even had the IDEA to construct a test like that, much less actually find capable programmers and do it. Perhaps that security company cold-called them and suggested it?
CR's technology reviews are often wrong in ways that would be laughable if they weren't so influential. Off the top of my head:
Has anyone here heard of this "Independent Security Evaluators" biz? I wonder how many of the viruses were still functional (not just infectious) after twiddling.
If they can guarantee containment
How hard is it to unplug a network cable in your world? Don't use a machine with a WiFi card. Low level wipe the drives from a bootable CD when you're done. Not really rocket science.
Coding with assembly is like playing with Legos. Coding an application in assembly is like building a car with Legos.
Soon they'll propose testing car safety by doing test crashes! Or testing fire retardants by trying to set them on fire. Damn those Consumer Reports fools!
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
The eicar test-virus file is a great way to see how your computer/av-suite will react to a virus. However, it's not an effective test to see how the heuristics systems and such react. It's non-destructive, and every AV vendor makes sure that they can "catch" it. That's nice for making sure that your AV is running, or that your AV on some workstation reports back to the management computer that it caught a virus, but not for testing the ability of AV software to find new viruses that don't necessarily have definitions written for them yet.
----- Connection reset by beer
AV software WILL protect you from new viruses... Just not McAfee and Symantec's crap. Well I suppose I should rephrase: Their software can protect you, but not very well, not as well as others. Bitdefender appears to do the best job at finding viruses that it doesn't have in it's DB. AVG also seems to do a pretty good job.
That's what they are afraid of. Not that it will be revealed their software does nothing, it does work, just that there is cheaper software that works better.
I casually perused CR here and there, but I'd never really known much about them until a relative gifted me with a subscription. Here are a few things I like about them:
/.ers care about, like RFID and general privacy protection; taking strong pro-consumer stances that you don't see in other national publications.
1. They pay their own way. They purchase *all* of the products that they test and destroy, since cozying up to get sample products would tarnish their credibility.
2. They don't accept any advertising dollars within their magazine, since that might bias their reporting and tarnish their credibility.
3. They take a strong stand on protecting consumers beyond just good product recommendations. They do editorials and special reports on subjects that
When my gift subscription runs out, I plan on purchasing my own. Not only because I find the product articles useful and interesting; but because the Consumer's Union does other good things with my money.
Why are you letting these clowns ruin our country?
On the other hand, ever notice the hypnotic patterns made by the Shriners in their little cars? Did you really think that NO CARRIER
Dewey, what part of this looks like authorities should be involved?
From the article: "I understand .. if you want to test a car's performance, you test the car put on road with lots of bumps on it," Marcus said. "But when you are talking about malicious code, there's a threat to public. There are professionals who know how to handle viruses. It should be left to them." (emphasis added)
Well, that's why Consumer Reports hired computer security professionals to work with on this. Maybe they're just mad that CR didn't ask them to be the security consultants... oh wait, that might be a conflict of interest for the product review. Tough.
$nice = $webHosting + $domainNames + $sslCerts
Bitdefender doesn't catch all new viruses, updates are still important, it's just very good at finding new variants. That's what CR is testing here. Say a virus comes out that your software knows about but a variant comes along that it doesn't yet: Can it catch that? For some (like Sophos) the answer is no never, they check against a database and if it's not there you are SOL. For some like Bitdefender the answer is usually. They have a heuristic checking that works pretty well.
There's no magic bullet, there's no "buy this once and be secure forever" kind of solution, but there are better and worse ones out there. Bitdefender and AVG (probably others those are just the two I know) are reasonably good at stopping new, unknown variants. Synametc, well not so good.
Heh, funny. But Consumer Reports does have a bit of a history of being sued by companies after serious problems with products were published by CR. CR also has a history of easily winning the few cases that actually go to court. Actually, the companies usually drop charges, after CR makes it clear that they'd be happy to demonstrate the problems in court. CR also often publishes their communications with such companies, which is not really good for sales.
/. readers should be contacting the companies and encouraging them to sue CR. Think of all the /. articles that this could generate.
It could be fun to watch an anti-virus software company face CR in court. It would be at least as entertaining as the SCO soap opera. Maybe
Those who do study history are doomed to stand helplessly by while everyone else repeats it.