Posts Tagged ‘Virus Bulletin’

Virus Bulletin Seminar Announced

Monday, August 9th, 2010

Virus Bulletin have announced the first in a new series of seminars. Aimed at corporate IT admins and security practitioners, the day-long seminar will look at protecting organisations in the modern age of Internet-enabled crime.

Speakers include:

  • Bryan Littlefair, Vodafone Group
  • Bob Burls, Police Central e-Crime Unit
  • Graham Cluley, Sophos
  • Alex Shipp
  • David Evans, Information Commissioner’s Office
  • Andrew Lee, K7 Computing
  • Martin Overton, IBM
  • Richard Martin, UK Payments Administration

http://www.virusbtn.com/seminar/index.xml

There’s an early bird price available, and seats are likely to fill up fast, so get in early!

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

Virus Researchers are community outcasts

Friday, July 9th, 2010

Lately I’ve been reading a lot of blogs and articles attacking and defending AMTSO and their attempt at establishing standards for the testing of counter-malware products. Unfortunately I think BOTH sides are missing the larger picture here. AMTSO was formed to address some critical shortcomings in the testing of counter-malware products: some tests were arguably unethical, most unscientific and some just poor from the word go. So where does the dissent come from? It comes from the very people who did or supported those poor, non-science-based tests. Yet it goes beyond that. The people who are condemning AMTSO and their efforts are in some cases well respected in the general security arena, and are very knowledgeable, and this is the rub. These people, most people in academia, and management as well, do not recognize Malware research and prevention as a specialty niche. They attempt to apply the same rule-set to fighting a malware outbreak as they do to a simple intrusion, and see nothing wrong with that solution.

A majority of people not engaged in the Malware field as a profession still feel that the average Security Professional has the same knowledge and skill sets as those used by Counter Malware Professionals. Unfortunately nothing could be further from the truth. It goes beyond the abilities and skills for reverse engineering, programming, and identifying abnormal network traffic. This argument goes back to at least the early 1990s, when in a panel discussion a firewall specialist attempted to answer a question about a virus. On that panel was Wolfgang Stiller, creator of Integrity Master Anti-Virus; Wolfgang interrupted him, saying something along the lines of “look, I’m here for the virus questions. I would never presume to speak with authority or experience on firewall issues, but you presume to have the same experience and expertise with viruses that I do, and that is mistaken”. Similar exchanges have happened on other panels with people such as Robert Vibert and Rob Rosenberger, among others. These are also the same people who demand that anti-malware products protect against threats that are not viruses, nor even specifically malware, but “Potentially unwanted programs”. So this is not a new phenomenon. The question in my mind is: why does it still exist?

Anti-Virus ‘Experts’ helped establish the disaster recovery field, and were among the very first to teach classes in that subject. It was the Anti-Virus Researchers who developed the field of Computer Forensics; in both cases it was the Anti-Virus field that had the necessary expertise and skill set needed to fill the holes and expand the career field. So now that Disaster Recovery and Computer Forensics are recognized as specialty fields and given a high degree of respect from schools and management, what happened to the Anti-Virus researcher? Their mindset is not of an operational nature, they bore easily, some may even say they have attention deficit disorder (ADD), yet they are anal about doing things the same way every time. They dwell on minutiae, arguing to the point of splitting hairs. I sometimes think some of my colleagues can SEE the traffic on the wire in their mind’s eye. Yet with all this contribution to the Computer Security Community they are still (almost purposely) maligned and misunderstood. At a Virus Bulletin Conference, I stated that we as a community must take action or go from the ranks of the professional to the ranks of the tradesmen. I still don’t know what action that is, or how to go about it, but AMTSO is a good step in that direction, and the naysayers need to start looking outside their comfort zone and realize they know enough to be dangerous and not enough to be helpful at this point.

Ken Bechtel
Team Anti-Virus
Virus Researcher and Security pontificator

Testing AV: Why VB Tests are still relevant

Tuesday, April 13th, 2010

The latest Virus Bulletin Anti-Malware product test, the largest ever of its type (a mammoth 60-product test), demonstrates several things: that testing Anti-Virus products never gets any easier; that discussing (or dissing) the tests never gets any less popular; and that the results of testing are never less than controversial.

Virus Bulletin has been in the testing game a very long time, and their comparative testing and VB Award have been around since early 1998. Before that time, VB was reviewing AV products since its inception in 1989. Their test methodology is well known, and is based on a combination of Wildlist testing, tests for ‘zoo’ viruses (that is, non-wildlist known malware) and False Positive (FP) testing. The full current methodology can be found here.

Despite there being a large number of people decrying this sort of WildList based testing, and indeed some vendors entirely withdrawing from any sort of ‘static’ tests (i.e. based on scanning of predetermined files, rather than live incoming threats), the fact that 60 products participated in a test like this shows that there is still life, and worth, in this type of testing.

The surprising thing is that while many criticize WildList-based tests for being limited in scope (the WildList certainly is not a comprehensive list of malware), so many products fail to pass these tests. This perhaps more than anything highlights their usefulness as a baseline. If your product isn’t reasonably consistent in achieving the VB 100 Award, perhaps you should think about a different one. Often the problem is not detection so much as false detection, making the FP part of the test very important. Any product could detect 100% of all viruses very easily; it’s much more difficult to detect ONLY viruses, and nothing else.

The other aspect of the testing, that perhaps is not clear from the results, but is highlighted in the short review written of each product, is that of the experience of the tester in being able to test and use the product.

John Leyden, writing in The Register, points out that 20 out of the 60 products (1/3 for those of you who still remember how fractions work) failed to achieve the certification. He also quotes John Hawes (VB’s tireless tester) as saying “It was pretty shocking how many crashes, freezes, hangs and errors we encountered in this test” – indeed damning words considering that the test was on Windows XP, a mature platform that has been a standard for many years.

So, while attaining VB 100 Awards is not the be all and end all of testing Anti-Malware products, it’s still a good place to start looking. Congratulations to all those whose products did pass, from someone who knows only too well just how high that particular bar is set.

Twarfing: the not so sweet tweet…

Friday, October 23rd, 2009

There has been a lot of interest recently in the methods used by malicious actors to compromise Social Networking sites for malicious purposes. Indeed, Lysa Myers from WestCoast Labs and I wrote a paper together discussing various issues with SN sites, particularly focused on Facebook. However, one very interesting issue has become a hot topic in recent weeks: the posting of malicious URLs via Twitter. The issue here is that URL shortening services are often used (as Tweets are restricted to 140 characters to be compatible with SMS on mobile phones), so the true destination of a URL is easily obscured. Two eminent Anti-malware researchers, Costin Raiu and Morton Swimmer, have been particularly involved in examining this threat, and their presentation at Virus Bulletin 2009 in Geneva last month was definitely worth seeing. For those who weren’t able to be there, or who missed it, the slides presented to the conference by Morton Swimmer of TrendMicro and Costin Raiu of Kaspersky are available online here: http://www.slideshare.net/craiu/twarfing-malicious-tweets.

Andrew Lee CISSP
AVIEN CEO
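The obscured-destination problem described in the Twarfing post above can be countered on the defender's side by expanding a shortened URL one hop at a time, with a hop limit and loop check, instead of letting a browser follow the whole chain. This is an added example, not code from the post or from the Twarfing paper; the shortener hosts and the redirect table are constructed, and `lookup_live` is an assumed real-network fetcher that the offline demo never calls.

```python
# Expand a shortened URL hop by hop instead of blindly following redirects.
# Added example, not from the original post; the shortener hosts and the
# redirect table below are constructed for illustration only.
import http.client
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5  # chains longer than this are suspicious in themselves

# Constructed stand-in for the Location headers real shorteners would return.
FAKE_REDIRECTS = {
    "http://short.example/abc": "http://other-short.example/x1",
    "http://other-short.example/x1": "http://landing.example/dl.php?id=7",
    "http://short.example/loop1": "http://short.example/loop2",
    "http://short.example/loop2": "/loop1",  # relative Location header
}

def lookup_fake(url):
    """Offline fetcher: return the constructed Location header, or None."""
    return FAKE_REDIRECTS.get(url)

def lookup_live(url, timeout=5):
    """Network fetcher: one HEAD request, redirects NOT followed; Location or None."""
    p = urlparse(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()

def expand(url, fetch=lookup_fake, max_hops=MAX_HOPS):
    """Walk the chain manually; returns (chain, 'final' | 'loop' | 'too_many_hops')."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:
            return chain, "final"
        nxt = urljoin(chain[-1], location)  # resolve relative Location values
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "too_many_hops"

def destination_host_differs(chain):
    """True when the final URL is on a different host from the one that was tweeted."""
    return urlparse(chain[0]).netloc != urlparse(chain[-1]).netloc
```

Pass `fetch=lookup_live` to walk a real chain; the returned chain is what a reputation or blocklist check should be run over, not just the shortened link that appeared in the tweet.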