RE: Extracting signature snippets from AV databases

Hi Jose,

I'm familiar with EICAR.  However I'd like to trigger signatures across
the board.  

Ultimately I'd like to run a real malware test, but that can only be
done in an isolated lab, and that requires a continuous investment of
time and money to insure the collection is up to date.  

http://www.av-test.org/ is another possibility, but I have no contacts
there, and it's somewhat isolated proof (can't touch the environment,
and it's a run-once deal).

Bill Stout

-----Original Message-----
From: Jose Nazario [mailto:jose@monkey.org] 
Sent: Monday, May 08, 2006 2:42 PM
To: Bill Stout
Cc: focus-virus@securityfocus.com
Subject: Re: Extracting signature snippets from AV databases

On Mon, 8 May 2006, Bill Stout wrote:

> Has this been done already?  Are specific signatures a 'secret sauce'?

EICAR.  http://www.eicar.org/anti_virus_test_file.htm
SPYCAR. http://www.spycar.org/Welcome%20to%20Spycar.html

hope that helps.

________
jose nazario, ph.d.                 jose@monkey.org
http://monkey.org/~jose/            http://monkey.org/~jose/secnews.html
                                    http://www.wormblog.com/