Network Security Focus-Virus

RE: Extracting signature snippets from AV databases

Subject: RE: Extracting signature snippets from AV databases
Date: Thu, 11 May 2006 08:59:04 -0700

That's now my plan.  

Based on the feedback I've received here, I'll contact the test labs,
and for show and tell purposes, consider a mobile malware lab.  However
I'll use two computers back-to-back, since I'm testing browser
protection.  I have to determine what malware I can't carry around in
case of theft, loss, or accidental reuse.  I've also talked to 'Dror'
about an online browser test, unfortunately those seem to be limited to
configuration and patch checks.

I didn't realize the root of the objections until I googled and found
the infamous CNet AV test of 2000 using the 'Rosenthal Virus Simulator',
and the open letter by Joe Wells, signed by some of the very same people
who replied to my post.  Sorry for digging up bad memories.

Bill Stout

-----Original Message-----
From: Christian Stankevitz [mailto:christian@neohapsis.com] 
Sent: Thursday, May 11, 2006 6:53 AM
To: focus-virus@securityfocus.com; Bill Stout
Subject: RE: Extracting signature snippets from AV databases

Bill,

Have you considered third party testing?  ForeScout had the same problem
with customers so they engaged ITSLabs.com to perform an independent
validation test.  ITSLabs used both real worms and a custom developed
unknown "zero day" worm to demonstrate ForeScout's ability to contain
the multiple threats.

http://www.itslabs.com/tests/its04001.jhtml

Regards,
Christian 

-----Original Message-----
From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk] 
Sent: Wednesday, May 10, 2006 8:58 PM
To: focus-virus@securityfocus.com
Subject: RE: Extracting signature snippets from AV databases

Bill Stout wrote:

For internal testing we run publicly sourced live viruses and other
malware in an isolated locked room, where the only media that comes out
is shredded.

What I'm trying to figure out is how to 'smoke test' new builds, and to
ethically and fully demonstrate (to the CEO, to outsiders) that the
protection works.  We're in alpha test, and beta is approaching fast.

VMWare on a beefy laptop with no writable media drives and its 
ethernet, USB, FireWire, etc ports bunged up to ensure there were no 
accidents??

You'd want a machine with a removable drive bay so you could insert 
floppy/optical drives for reconfiguration, etc in the lab, or a machine 
with easily removable HDD that you could drop into a suitable chassis 
and connect to another machine in the lab as a slave drive...

That should give you a relatively safe, isolated multi-machine network 
with the carry-around convenience of a laptop.  You can then use _real_ 
samples so there should be no question that you may be faking something 
with your "demonstration malware".


Regards,

Nick FitzGerald
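The isolated-VM setup Nick describes above, checked mechanically: an added example, not part of the thread or anyone's posted code. It audits a VMware .vmx configuration for the properties a malware demonstration guest should have (no network adapter, no USB controller, no floppy or optical drive, and the guest/host sharing channels disabled). The .vmx key names follow VMware's documented configuration-file conventions but are assumed here rather than taken from the thread, and the two configurations are constructed samples.

```python
"""Audit a VMware .vmx file for the isolation properties a malware
demonstration guest should have.  Added example; the .vmx key names
follow VMware's documented conventions and are assumed, not verified
against a specific product version."""
import re

# Keys that, when TRUE, give the guest a path to the outside world.
# (Assumed VMware .vmx key names.)
FORBIDDEN_TRUE = {
    "ethernet0.present": "network adapter attached",
    "usb.present": "USB controller attached",
    "floppy0.present": "floppy drive attached",
    "sharedFolder0.present": "host shared folder exposed",
}

# Isolation knobs that must be explicitly TRUE to close guest/host channels.
REQUIRED_TRUE = {
    "isolation.tools.copy.disable": "clipboard copy from guest not disabled",
    "isolation.tools.paste.disable": "clipboard paste into guest not disabled",
    "isolation.tools.dnd.disable": "drag-and-drop not disabled",
    "isolation.tools.hgfs.disable": "HGFS shared-folder channel not disabled",
}

# Constructed sample: a convenient but leaky demo VM.
LEAKY_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "browser-demo (constructed sample)"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
usb.present = "TRUE"
floppy0.present = "FALSE"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-raw"
sharedFolder0.present = "TRUE"
"""

# Constructed sample: the same VM with every outside path removed.
HARDENED_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "browser-demo-isolated (constructed sample)"
ethernet0.present = "FALSE"
usb.present = "FALSE"
floppy0.present = "FALSE"
ide1:0.present = "FALSE"
ide1:0.deviceType = "cdrom-image"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.hgfs.disable = "TRUE"
"""


def parse_vmx(text):
    """Parse key = "value" lines into a dict.  Keys are lowercased because
    VMware treats them case-insensitively."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([\w.:]+)\s*=\s*"(.*)"$', line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def is_true(value):
    return value.strip().upper() == "TRUE"


def audit_vmx(text):
    """Return a list of isolation findings; an empty list means the guest
    has no network, removable media, or host-sharing path."""
    cfg = parse_vmx(text)
    findings = []
    for key, msg in FORBIDDEN_TRUE.items():
        if is_true(cfg.get(key.lower(), "FALSE")):
            findings.append(f"{key}: {msg}")
    for key, msg in REQUIRED_TRUE.items():
        if not is_true(cfg.get(key.lower(), "FALSE")):
            findings.append(f"{key}: {msg}")
    # Any IDE/SATA/SCSI slot whose deviceType is a cdrom variant is a
    # removable-media path.  A slot with no explicit .present key is
    # treated as attached (conservative assumption).
    for key, value in cfg.items():
        if key.endswith(".devicetype") and value.lower().startswith("cdrom"):
            dev = key.rsplit(".", 1)[0]
            if is_true(cfg.get(dev + ".present", "TRUE")):
                findings.append(f"{dev}: optical drive ({value}) attached")
    return findings


if __name__ == "__main__":
    for name, cfg in (("leaky", LEAKY_VMX), ("hardened", HARDENED_VMX)):
        found = audit_vmx(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

The check is deliberately allow-list shaped: a device is only acceptable when the configuration says so explicitly, so a new adapter or drive added for convenience in the lab shows up as a finding instead of silently re-opening a path out of the guest. It complements, rather than replaces, the physical measures in the thread (blocked ports, no writable media on the host).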