Network Security Focus-Virus

RE: Extracting signature snippets from AV databases

Subject: RE: Extracting signature snippets from AV databases
Date: Tue, 9 May 2006 09:40:30 -0700
Yes, we use EICAR for email testing occasionally.  What I'd like to do
is scroll a list of detected signatures as they occur.

The reason why I want to place snippets on text files is to fully
exercise detection engines.  For one, it would be interesting to see how
products do/do not flag a warning on specific signatures.  For example,
Ad-Aware Pro and McAfee are verbose, Symantec and others are not.

There is a large push towards using virtualization technologies for
anti-virus protection.  Intel, AMD, Microsoft, Symantec, and others are
pushing virtualization technologies.  Sandboxes and virtual machines are
very harsh ways to isolate the OS from the Internet.  However
virtualization at the application layer allows some integration with the
base OS without exposing the OS to modification by Internet content, and
enables confidentiality by controlling areas and objects which the
browser can read.  Protection through virtualization does not require
detection, and doesn't care about signatures or patches, since all
processes and temporary files in a virtual environment are cleared out
with a mouse click.  Problem is, when a product doesn't detect, it
doesn't identify specifically what it protected you from.  Detection
products immunize a computer from a list of specific threats, protection
products shield a computer from general threats.  Like latex...gloves.

I can purposely run malware or attempt to install spyware in a
virtualized application environment (IE or Outlook) without infecting
the underlying PC.  Although I could open dozens of browser pages known
to contain malware, I can't do that safely in a networked or customer
environment.  It's better to open dozens of web pages with harmless
snippets which temporarily place cached files (and possibly processes)
than true malware pages.  

Bill Stout

-----Original Message-----
From: Jason Muskat [mailto:Jason@TechDude.Ca] 
Sent: Monday, May 08, 2006 7:47 PM
To: Bill Stout; focus-virus@securityfocus.com
Subject: Re: Extracting signature snippets from AV databases

Hello,

I'm not sure why you would want to do all of that. If you want to do
standard testing take a look at the EICAR virus test file
(http://www.eicar.org/anti_virus_test_file.htm).


Regards,

-- 
Jason Muskat  | GCUX - de VE3TSJ
____________________________
TechDude
e. Jason@TechDude.Ca
m. 416 .414 .9934

http://TechDude.Ca/


From: Bill Stout <bill.stout@greenborder.com>
Date: Mon, 8 May 2006 13:37:24 -0700
To: <focus-virus@securityfocus.com>
Conversation: Extracting signature snippets from AV databases
Subject: Extracting signature snippets from AV databases

I'd like to create a set of test files containing (harmless) virus (and
spyware) signatures.  Can I extract the signatures from AV databases
(every PC has one)?   I'm thinking open source AV database may be easier
to extract signatures from than a commercial AV database.  If I can
automate the extraction and file creation, files won't become stale
because of lag time due to fluctuating interest of the maintainer (me).

Has this been done already?  Are specific signatures a 'secret sauce'?

The primary purpose is to create a test that safely verifies that our
browser protection product absolutely protects a computer from
intentional infection.

Thanks,
Bill Stout
www.greenborder.com
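Added example, not written by any of the posters above: a small Python validator and generator for the EICAR test file that Jason's reply points to, the harmless sample Bill is after. It encodes the acceptance rules as published on EICAR's site (the 68-byte string must open the file, only whitespace may follow it, and the whole file may not exceed 128 bytes), so it shows exactly which variants a conformant scanner should and should not flag. The function and constant names (`check_eicar`, `make_eicar`, `write_test_file`, `ALLOWED_PADDING`) are this example's own.

```python
"""Build and validate EICAR anti-virus test files (constructed example)."""
from __future__ import annotations
import sys

# Whitespace the EICAR specification permits after the 68-byte string:
# space, tab, LF, CR and CTRL-Z.  The whole file may not exceed 128 bytes.
ALLOWED_PADDING = frozenset(b" \t\n\r\x1a")
MAX_LENGTH = 128

# The 68-byte string is stored in two halves so that this script's own
# source is not picked up by an on-access scanner; the halves are joined
# at import time (a common practice in AV test suites).
EICAR = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR"
    b"-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
assert len(EICAR) == 68


def check_eicar(data: bytes) -> tuple[bool, str]:
    """Return (True, "ok") if `data` is a spec-conformant EICAR file,
    otherwise (False, reason).  Matching is exact and case-sensitive."""
    if len(data) > MAX_LENGTH:
        return False, f"file is {len(data)} bytes, limit is {MAX_LENGTH}"
    if not data.startswith(EICAR):
        return False, "does not begin with the 68-byte EICAR string"
    tail = data[len(EICAR):]
    bad = [b for b in tail if b not in ALLOWED_PADDING]
    if bad:
        return False, f"{len(bad)} non-whitespace byte(s) after the test string"
    return True, "ok"


def make_eicar(padding: bytes = b"\n") -> bytes:
    """Produce a test-file body; `padding` must itself be spec-legal."""
    sample = EICAR + padding
    ok, reason = check_eicar(sample)
    if not ok:
        raise ValueError(reason)
    return sample


def write_test_file(path: str, padding: bytes = b"\n") -> int:
    """Write an EICAR sample to `path` and return its size.  Writing the
    file is the step an on-access scanner is expected to react to, so run
    it on the machine whose protection you are exercising."""
    body = make_eicar(padding)
    with open(path, "wb") as fh:
        fh.write(body)
    return len(body)


if __name__ == "__main__":
    # usage: python eicar_check.py FILE...   (reports whether each file conforms)
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            verdict, why = check_eicar(fh.read())
        print(f"{name}: {'EICAR' if verdict else 'not EICAR'} ({why})")
```

The point of the negative cases is the one Bill raises about comparing products: a file whose test string is followed by a single non-whitespace byte, or whose total length is 129 bytes, is outside the specification, so a product that stays quiet on it is not "missing" anything, while a product that flags it is matching more loosely than the standard requires.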



