Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Ethics and Virus Testing



 By: Larry Seltzer
2006-08-20
Article Rating:starstarstarstarstar / 2


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Opinion: How come discovering vulnerabilities and writing exploits is "research," but viruses for testing is a crime against humanity?

The anti-virus community is abuzz in controversy over the tests performed recently by Consumer Reports on anti-virus products.

CR went out and did what many of us have considered in the past, but not actually done: With the help of consultants at ISE (Independent Security Evaluators), they created a test bed of 5,500 new viruses in order to test the products.

Theres an old joke about Consumer Reports, that nobody respects their work for their own field, just for others. So a carpenter will scoff at their review of circular saws, but trust them for gas grills and washing machines. Ive heard a lot of this in the discussions about virus testing.

Symantecs veteran virus-hunter Vincent "Vinny" Gullotto recently joined Microsoft to head its Security Research and Response team. Click here to read more.

Many in the anti-malware community are adamant that creating viruses is always a bad thing, and never necessary in order to test anti-virus software. In fact, they argue that its not as good a methodology as the alternatives. You can find some good links to opinion on the matter in this blog entry by Sunbelt Softwares Alex Eckelberry.

Ive been involved in many tests of anti-virus products, and its always tough. There are many ways you can go about the testing and they all have their strengths and weaknesses. The biggest problem is testing of heuristic protection, or protection against unknown viruses.

Resource Library:

I have no specific opinion on the work by Consumer Reports; not being a subscriber I havent read the actual test results, just the methodology linked to above. But it seems to me that the abhorrence of virus creation that many are expressing is an overreaction.

Lets take what seem to me to be the two main arguments against it: 1) If you create malware, theres a chance it could escape and cause damage to innocent third parties, and 2) its not a good way to test AV.

Yes, theres a chance that malware could be released if youre not very careful. All kinds of bad things can happen if youre not careful.

If you misconfigure your servers you could set them up to be open relays or bots to be used to attack others.

If you write software badly, you could open up the computers of anyone who writes it to attack. I could go on, but the possibility of releasing test malware doesnt seem like an imminent threat, especially since theres no infamous history of such releases.

But what really strikes me in this regard is how it compares to exploit testing; vulnerability research and exploit development are somehow looked upon as honorable and a service to the industry, although there is some disagreement over whether researchers should quietly keep vendors informed.

Anyone who follows this business knows that far more damage has been done to innocent third parties by vulnerability and exploit developers than by malware research. How come everyones so conservative now when it comes to malware?

But is it the best way to test? One person suggested that the better way to do testing of heuristics is to freeze copies of the anti-virus products without updates for some period of time, then apply the malware that came out since the last update.

I actually ran some tests like this for PC Magazine once, and trust me, nobody will be happy with these results either, although I do have to confess we didnt freeze them long enough or have enough malware at the end.

And even if you do it well, all this tells you is how well a product protected against viruses back at the point at which you froze it.

So the longer you freeze, making your test more accurate by giving it a bigger sample, the less accurate you make it by divorcing the results from the actual capabilities of the product at the time you report.

I might very well disagree with the test methodology and analysis in the Consumer Reports review, but the fact that they created viruses in order to do it is no reason to doubt the testing.

Whether they create their own viruses or use existing ones they need to be careful in the handling of those viruses. Theres no ethical slippery slope here, theres just an attempt to test products aggressively, and thats something to applaud.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Ethics and Virus Testing
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


x}r㶲s\@♵MR%ƶ,xMT(SIVreoP/3mFwh4#ooD.\ݴt͙M5>57߽w s=NN%cjAM&#{Fm_&2z5ܯ3 fE1;&I=Mk9JGD>֥E!m$,oaX|:[Q=,2pYBT!|DJk4ًʏᐨqGO{/ !X]~ꄽ4-j#2]hj:N`Qƞdn= aZ.91rzԽ;@L*: L=TVE;&3Ãtf?Dk N\^ Zˆ螥ɧ5u5I ` 1l{`2E%$7 .lq`=Ķ|h:]Uh?AWuomzV[uw#ϝ9yqL%X䄍ER'>6) |@ɤ:!Zda-}9e̛ f4öCٰ5T:Ԫr\ˇJYTyxx?X>-ip'?_JY4E9^ϯs$(֝;` mKIu]+h0ӛNs#WOw~@.{A~$Vj}& D%\.'I&0h5tt4_Bn,>DFI/j|%rX<,hvd걑f1O=˧0_8rrn򳹥uk\ߴ-kܴ[g>ߘekfy3?b Jw3D~ VgkUs%gl}j ݙGd@M Wh2s N/z O{uH8=|kh2`cRZ: ?4;-2Ǔ)I|[8fIu޻ <--˭%wܻG)H̛cM|I`6L2Tc]NjGo_[ ZSĿ G/<@'X]Y)p3Z&j9T23=jMH5ņ])!ehFSmR—U.(AK/- 5f>]R${3BDȽ`g@3 BDԑ?CC0&pJn.b? [&feٜ҅%]WaMoQ#L .uFV$U.[n} 8^$g 5F8 ,heݴ%!8WG%MGR>MUJPX=.BEPU X@8ʍ??6m!SGñA SM:gvϳ` 0h vz?1>PӚMjqOCGs>H2胎6ml8-" ,70}HG:QI47X0x=cOg6opI}xXOk9LP#wC۠h&r=kIׇ.[?? { G`p\&{ xk=`DMWtC` V< 2/?>an@ }Sx}-{&`sD{ݲeǀxԜ)u%w2J}cn.G))(I.B$(ZȻB!Al~ [$p Xdl+ ~#azGBjK%6Os@PG҅;rjX*τbZ z)0ٜMjL=?j1!^|#'bXr`Y \h+|i)lc ը[6؛Ţri*|:IoBk8 0sҺ<,$ X HS%\Ew,t3AP1!q<=%st0L=Ͱ ̴b֜e4dufB7' ƱeI|B3= IquVNmy^\'1MM\faMv"Wg虅m>`4fs)wdmr)T۪v39n(!+hWY 2cdRU 9:[ȭ,M7)\IYbTড়rH1g0d{Oq=7Rt'ZC+>q^i.;[@Oe]Zrk%fcP*KúJjp ~7Bɶ/^[aa6E]QZRKHD@CR)Ե ŠaY^`(ytM̆Т0iÍ}T}Sk . XTM.r_  }dҶvê%M*ګY3wld tAqFA͔`@ELl5K׳թwN:hzM>]r;67]?C<<fR]?APct @IU5} o _׆gе瓩;°{Z^vԻ~l2ݴZC= 0͉V*a0Z6؋T-{=}:8Hy¤SI_.)UI?O~1:2.eX PY΁5mI]v 'Yw$ EiLRKrf&gրzI4e$]o' ȕaŅ^۬`D 570M LKo=9޻ȦR7Ϗ9(gd%d)'HR-fjheU-UjR=>2~2EjƟRp!< _qOӟo{ѷZpY9[Jֿz}0t.rɵ>gs|z,)``!>6Z0d&QabX[ ⚪T}gf7g)|h#QL ` K{ZCAk2۩\wtV}P@K&nƚ6ʳiLZ޼ ?~Bo˧;3 ^ɴ(1<֐|o D >rWo鸙 y@<sUJ [LbT~\{Rglg]c+o20OwžzXFpaNpgD7fS/ UێI9TZb1Ji?0 6@yz`@ò VZ;zGd!9s=!OR-4spm6=R.R\HǞ1|]ܩe>tgc24NwoUUAS;:&P@hO \k88$D2$Me"٭PSV82V6J\)aoA~V0`Ac#g0(G#O7)~ (zC9m^>RTS(.n$UHU(V $}Uri4rOk,ش/>6W"h ތ-cz; K3["X>DД7Ϩ;dRb  k(Qh>e[,r/ǺRaf~dMٸUzJ0iUI+T Z}̡2b{#і$¾.̓G\\׆hgMD0|7=f#Sj$7 rQӊ5JR'0Lpĵ) rQ-ã,D(d2rY+`W'3Az^%,zF<CMM8qc o?vq-<92=QhZ=w">QP(k㘘ٿ~Ԫ%&b}* NC7{5arR (Jam7{GmUO:k\/> ~?<{o&crj?EijiRxYԾjuDJ5t>^5e}] Gya8dF&Pv4!7=&iO"lK76|v:2SH"V9zKq}%}ڹz}Ւ:ע΃ 7*EˁBV<Mxi)qڎ7M ,$L=\=ֈdS㥑a+"AKٺ̂q ՜$"j ON3dn,ʆqјmj;²VXȬE`&|]7$>T1r,`$X)XAU:^_4>G':KEP^S(+RJ)"4FYO |FϚM3_f| Rt8|UrwۿHעo1Mr!}J_cNfo4~ ɮP=8Y,rh%縵vRt.0?xԾhw ?&i^3_"TS8-ӤN)fTSeoy0;p8쀒N1{LGlOء F]nĖG9^)ŔN yr\ GAGJ脊fye5))eH5NRMLC]OC/D$;kB:z{ gaM.m2μ Kڗwn+ Ó ,Ν-Y+LD$/i\A1ڧp",GDd?V$ݙ8V0i;FXb`/a ;eΫPf|u{B s~ݾCO6r=ICo6FO9S1& s {:`1Tu0؁?O.yrjGGSɭ6sXsZt gaBxa1~hr?쐫N4.zҸ;5LNZ0e,H~ Zн>5?y{l o&<)ǣAg伅a-n^S{20)}?H/K㆟ycPZSϏ%٘NFBEWU-u*lko rYpJUWVr{d,'c,n%P2QY;pGҠco3`̞xqG7׷bR#o=I>]bwP({_bOkmIr_ZDNq5Q {rE(j ȓGDK`#i>Ro14l*z3=}r9[fv?kH>dO#@/lv d6tY ~AXy VorlK9w@rs&8lPfpvn ֔I i#ĠH[SrMs _5DN XW+Oip$|+؊wO_Oo+N{kE|;̔-u\ kM_U_s w2 |kM%%&p$ qIM{fr+ s;~-nɸE'Öx->_'2>Xl2d]ʧGq!FCbpKdy3~Ɵ}m =" ҝytqS);N~UE#~Qm`27|y%v繞]ǩZx 4rҘP2t{<`6?Y&'Lo2O2ZfM-U'D/XOwF ٓ?$Q)eK˜S`( ^S C%mwGzcE c_/qM tr8S*Z!rmn@xb ÙM°{B$( 6R#د?>;RoG)1wm (p}g܂C׽!w9;.ֻшYu$ܼeѕ0>e@jƟc^E9o; &[l,:,kˠidP R]n!6%64q9t:AhӔi)겎\F$&c_أwZ@cuUĦcA~7n wRJ[Y,̡K7*v>oWH_Dz(B0%imHڦ5Otހbioph1,0C c(˺Mo(NX(q0ID+J4Z)1Z/?/:\gTfAyUD H OGj3bT(! )޸oʚ5-77o9_c%UK#”h9G{iʰ\ @dP\~ ]_nA-×` -a8L)DQiF1;""}.*.dQDЏphJp>!vkq{|T%My<1Ӈ:2O]ky)u qP'ҕHM0 懻@GIX'jM1zQ&vUPxq~8tXjs;m[:q'P~ X*VD5.>؄e& ;}ǾSe/c*@1CI2R3@@ ˁ! |]̰5!bY߲\ҋsG݅@V5I'x&RD!I8%&J$b"-- #mI0 yZX@UMuVs% KʥjyѤsm6a8,"`Sw`%j&K!v6aZTb'v9]إ*EU$e i~AuϑwHn EX~FUHEx# t#u)'"$Îw+;[؊w /׸D-BٓɋK8L* IZj]Oz GU - kkVct0p Br{1\'cv3Jr=I#  B ԣtfDa- V+q ZN}-]f@-~7$owFƤk-NW' x(oj}[yZ DW!u0E;<W'%nf[Wu MׅšZP:uLppfdI}5! W;MH?^gؒ1_AmX f5%.^Qw󟣈D8u;[r/oZ:ѭ/l;*aq7q5X\8چv3rcfM%˗w5A3tVfеB sWgg,꙯K:x7777'V*_Ļm\ua7=scw>ðV沮˺f @ܔ!}iek#ŵm/?C\X7ܗs;j[~~ı*aU9Qկo6Dt3vE^ߟnDֽ?QXzD6DG)X-bQ_xMyt/ U ؼ0%JK^׏i`U~꒸'j[ŊlF̟QG[.~OǮn^/qͱ8Ua݌l$o,Ft"ӗNǺmSc%6 'LL -ѬoYހgLe>sjfP3KX]e F7Y ;\u֮Ut}yà{ѷݑۯϑ{v! NHKEpI})rKD%R|ƿ2nrW|kofN`1\ r۞@ΚC-𛷿c d;65奙vm[A˽=V4 mY[`8N4_E _jqONaYm}m-6bĽK)wfegX -]ةuyzc~uP2oO3@84kIY'd` [IHgc;#}+Y8cET0̭| / O'X'~qN?%䧺^&=_}#|Mw-<Vӷ.K{~i[ O<[L_Ej* @{0IqC$&pP]}zUcmcn˜OtsIxyq+&TCX<QiH:-FY?_}/ֺa3 ΰ.$o,S.t~fSx\ vf0}PCu&.[y;5X= ? KH)PG%@~&tIwOaR,:'VküDCঀ*P?}oIN ._1u:(B,p=&G6 ͤ<87%d^a8FSYh9.!cbWiP]-OQ/ ]ZX,:~xpqOƌJFSj9.椷 GTGЧrRM` bTy N] g>)fFllz^C `5vX5.ڹ𮛴q yK-y -J4sc51غsʛyrjy&LE8a_#qGKOzAlMᗚkĵD'*t=jh܇DҿJ vjRZA)rx}^ {#WVRѪEr0Rn̈́*^siBO .kXGl7̋1K%XStϞN1` kH1#=kB%.aGN$(b az/13@cbܒ|t|PSz1W-nᮦq*\< g{h $Ra~V{wi/1~J+kѱK:̜i҉ HZ۠[*н"%hP[۫u) +K,vn0̊ےVo5Jۅ]aiJ"%N099ݱX 094:IwJ K LG*%_[G^ 9`V>1miQ.BnΒL+bD )n3FwCˠOc+ӘP1tD!1 \TbЭB1˪M;InP}sY?e=` '2u/xyB G=Nl~#&u}*@4;"n4V|~ }^BKz&`Cq OqtF7\9PĕTsOoF_ 6b^ZGZa!IG)Y>xIU1K= /ϔkgv rF@Yj!ua6H]E# `x7@(zh_mnaC323Cߑ7Ž>'qf>^ˎҠc 'lI<ʊ0W ^I[:3кlŧtS!嘭#!+A1HU+|gZnʡR0F$u*̀ Z=hqIED#ThbGB#Os MˤZ̈́pxXҚ0! YC) Q?\xaϝF$pH1fHG͈ )&8 'lQ;KD ȧN1J \-uC@e=Dqzy< Ĩb)(aU oIYP,(Ϗpk2&H0ZJif`6u"(9&.t>'0]5:PL %NfldaQ(b8M t?3,ȏKlݜ(8Cjq$P!%h$`x=9aaday~XOR  =܇}~PoVR$4 >+>gDdU8V|.ORY,f/cǯ[iBR. ?$-G쌆dS`:>1ƺsןc‚grֹ! rvjǓM\E8a[+|SwN:ϧgMY|j5ۼW6Lg(P]5.[NQʉȸ6#\]drxixɎ(azh,.6qNO|ݻ@)Qd;ʋ QW~4ab_)o47nW˦V\j!h>o?+gg:^XSrZOmj6^V CptYin¸~(hOuitZzhRZl"x!/7fx߁@f+)?] sA\׿o7sv3=?ϴ2C?t3׿a_f%%̠̂%2>ey y(W_}2ޟx /3^eU\]e_O'Ct@t25u\C7?7wn=^G௏ z}Snm{ o3ڿ\'IodYNoT8'KIʠ/W@,!geg ~-2:B @n~ KL+ťW*7YKxM}%kk[Z1nvd}חG{1Pi +{Vl<-t&j\e)ţf(+@J~@o>t>RqFPcnM= !E:I>㣭AփD#iZ#Xnƀ_hxF( /O5"f̆IW"r;3% \ؓJq}l8=;d؆"0 ]ݸ3EK~YxR Hn2 B›o`5svgtIu<,ŃBLr$Ҵ })2#0O]WnBaIg xe 6{Ns̄08B8L򟥕=YIϐ÷a =GcЁ2WSXNՂ[#rF331F#qyU YT8['Ҥvcw[/AI)H[aʹě]q75tK-gX|@ăx!$KWp|"ϷϒeքzLU"zʴ៶;3軉fKN&%}YQ & ]a1ьU$$tfRV\w|7(6؋|%O' ϻyHj(tI`S) ,M,o_vܥeNUhJl;:ƍd2-  M|wخ;Oq^'d9e7 /91$+nvGD g>6'كl2=`6f(Fْ[0?FuoY 965O~0qGĶ2C|R4MepvRv ?93_-rxgsg_(LBe6٠^|:ym랮EOfTaJ8" 7]!Kb +Cc]R>ŔK ]'[٧3й?-{x/ v"],/{ QFbF]9N]Rjã ,c<ԭ}6` <Щ0DM.vjw܄uF.E]hT_ ! *c 9kǺgymE]E>*Ѝ5&igNbkcgb@xVm{~kC'> :y!}đ7,,L[Z']Z!hXr=E"ҁ )Q~)'fK#fE[Rj0gn~ӣf<˜4W6QĶqyuc~ږ10#ŸErN,ɀaKvdzU]Z-12Mo,gkV"KN1G= `5>gvC%=\s&&tصa= χ"@TNENE<<Sf}')VRL_XП_Q>Q*g\%ƕyz@Xqө8Y5u{/ZKc^; <\e$g~V;~v?;ktۿˌ/譸'~}j?x}ڹ`֍;qMUS (Ks(ӹi D>Vl' e={Pw r̳`bhPlM-jez'14mEgl3W'JZR۽wNE^8%ܖmJ@U&s)# MW\e\(M92>d֌V&|ƷZ2cˤ_ +'$