Consumer Reports Creates Viruses to Test Software 241
Maximum Prophet writes to mention an MSNBC article about a Consumer Reports plan to test anti-virus software by creating viruses. Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason. From the article: "Consumer Reports didn't create thousands of new viruses from scratch. Rather, it took a handful of existing viruses and created hundreds of slight variants, changing the malicious programs just enough to evade detection by an antivirus program with a list of known threats. That's a common trick in the virus writing world; it's standard for a successful virus to inspire dozens of variants. "
Of course they are... (Score:5, Insightful)
1st comment?! (Score:5, Insightful)
You know you're in trouble when Consumer Reports is pointing out that your software is worthless. As just about every /.er knows, pattern / signature based detection is all too easily circumvented. Unfortunately it's pretty much all we have. It has been my experience that enabling Heuristic based detection (in Symantec Corporate AV) at any level other than the default just leads to too many false positives.
It is their property (Score:4, Insightful)
Corporate Honesty (Score:3, Insightful)
There's no good reason to object to this (Score:5, Insightful)
2) Why not vet your software against somebody else's test suite? If CR wants to function as an extension of Symantec's R&D, let 'em. It's a win-win.
The horror! Real world testing without pr spin! (Score:2, Insightful)
Not a big deal (Score:3, Insightful)
What's the big deal here? A bunch of Windows computer with antivirus software running in a closed off network as to benchmark some programs. Happens with games, office software etc... nothing to see here, please move along.
Of course this way you also get stories (hoax, urban legends) like the one about Symantec releasing virusses to sell their software...
Good Idea (Score:5, Insightful)
Its been a long time since someone outside of Norton has talked about how good a Norton product is, but they've been in the game for such a long time that they are trusted by the general public to do their job. I wonder how many would uninstall if Consumer Reports said that their product was utter crap? Or rather, how many would try to uninstall only to find that the uninstaller is broken too?
Re:Hey, if it's good for AV products... (Score:5, Insightful)
How well did they do it? (Score:5, Insightful)
As a CR subscriber, I am utterly amazed that they even had the IDEA to construct a test like that, much less actually find capable programmers and do it. Perhaps that security company cold-called them and suggested it?
CR's technology reviews are often wrong in ways that would be laughable if they weren't so influential. Off the top of my head:
Has anyone here heard of this "Independent Security Evaluators" biz? I wonder how many of the viruses were still functional (not just infectious) after twiddling.
Anti-virus doesn't work (Score:2, Insightful)
Re:Of course they are... (Score:5, Insightful)
Real Engineering (Score:2, Insightful)
It's the duty of every engineer (those that can rightfully call themseleves engineers) to protect the public.
Clearly, classical antivirus software is not protecting us. Kudos to these folks for pointing out what should be the painfully obvious.
Re:Speaking as one who has been burned... (Score:5, Insightful)
How hard is it to unplug a network cable in your world? Don't use a machine with a WiFi card. Low level wipe the drives from a bootable CD when you're done. Not really rocket science.
Re:Of course they are... (Score:5, Insightful)
Of course, Consumer Reports is almost certainly responsible enough to address this issue and point out to people that it's really a reason why they need to be updating their virus definitions as frequently as is practical.
Re:Of course they are... (Score:5, Insightful)
Claims shouldn't be verified (Score:5, Insightful)
Re:Of course they are... (Score:5, Insightful)
I also had to quote this sentence because it's so silly. It's generally accepted practice by people who don't create viruses. Obviously a lot of people are creating viruses whether blackhat or whitehat or greyhat. Now where's my MAD magazine?
Re:Of course they are... (Score:5, Insightful)
It was generally accepted practice for 50 years not to crash perfectly good cars. Until we started learning that we could protect the occupants of said cars better by finding out where the weak points were...by crashing perfectly good cars.
What are Symantec. et al afraid of?
Re:Speaking as one who has been burned... (Score:4, Insightful)
So, we had a general routine to write a !boot (an autoexec-on-read-the-media) file, and hadn't considered the sequence of events of:
So, even though we knew exactly what it was capable of, we hadn't considered the actions of one of those infected, and *that* caused us problems. It's not the capabilities that changed, it's the environment. You don't tend to find that out until you've hit the problem, or you would have dealt with it in the source code - that's all I'm saying...
Oh, and I'm sure they'll take a more-responsible attitude than we had, we *were* 1st-year students...
Simon.
Bravo, Consumer Reports (Score:5, Insightful)
1. They pay their own way. They purchase *all* of the products that they test and destroy, since cozying up to get sample products would tarnish their credibility.
2. They don't accept any advertising dollars within their magazine, since that might bias their reporting and tarnish their credibility.
3. They take a strong stand on protecting consumers beyond just good product recommendations. They do editorials and special reports on subjects that
When my gift subscription runs out, I plan on purchasing my own. Not only because I find the product articles useful and interesting; but because the Consumer's Union does other good things with my money.
Re:Of course they are... (Score:1, Insightful)
IMHO this tic for tac will go on forever. Malware writers write virus, trojan horses, worms, etc and the security companies will need to meet and exceed these malware writers. Then malware writer learn the new product and find hole and the security plug thoese hole and on it goes. Security companies like most for-profit companies just want to rest on their laurels and not invest in new development and just rake in the money of the products they sell. However reality always proves otherwise where malware writers and/or other security companies that want to show that company A is not invulnerable or should not be complacent about their products. Security companies, and other companies, should invest in research and development so they are always ahead of the malware writers. What Consumer Reports is doing is okay as long they tell the consumers what they are doing so we and the security companies are allow to respond (without PR-ese) so they can fix their products and we have an way to defend against whatever they have found.
There are limits to this in any civilized society which one should not resort to terrorism or similar means to get an end game. Putting an IED into one hated rear-end will result into something similar to be placed in yours.
Re:Of course they are... (Score:1, Insightful)
Re:Hey, if it's good for AV products... (Score:1, Insightful)
However, I think that CR is stretching a bit and their testing criteria and conclusions could be off. If none of the AV software can catch their viruses, it doesn't mean that they are worthless. If all of the AV software can catch their viruses, they can't conclude that the AV software is going to catch other viruses. Is some works and some done, they also can't conclude that one is better than the other in catching viruses, except in their particular testing scenario (their created viruses). The testing realm is almost infinite. You can't even use statistics to say which AV software is more likely to catch a virus, because of the multitude of possible ways to create a virus.
Not planning. (Score:3, Insightful)
Consumers Reports is the most trusted amoung consumers. They put products through their paces and ensure they work well. With that said, yes Consumer Reports create viruses. They already have done so for testing lastest virus programs. Consumer Reports September 2006 issue has said this. They have rated Bit Defender as the best. The issue specifically said they created new viruses to test how well they did against new viruses not already in the signature lists.
People like Igor Muttik are just scared their crappy anti-virus software sucks. Mcafee ranked #6 in the Sept 2006 issue. And even if a CR virus got loose, CR can release the viruses details to venders immediately. The virus wouldn't last more than couple days.
Because it's not 100% (Score:5, Insightful)
There's no magic bullet, there's no "buy this once and be secure forever" kind of solution, but there are better and worse ones out there. Bitdefender and AVG (probably others those are just the two I know) are reasonably good at stopping new, unknown variants. Synametc, well not so good.
Re:Of course they are... (Score:4, Insightful)
The vulnerabilities do exist; they're just not being exploited nearly as much. Of course, run-of-the-mill signature-based antivirus software is equally flawed, as Consumer Reports has shown and security geeks have already known.