Anti-Malware Testing Working Group

Anti-Malware Testing Working Group is a group of vendors and test organizations that plan to release methodologies for testing security products. Brian Prince, one of my news colleagues, has more on the story here. The question Brian asks, "Why has testing lagged so far behind the threat landscape?" is a

Anti-Malware Testing Working Group is a group of vendors and test organizations that plan to release methodologies for testing security products. Brian Prince, one of my news colleagues, has more on the story here. The question Brian asks, "Why has testing lagged so far behind the threat landscape?" is a good one, but one that's got an easy answer. It's very expensive to do this type of testing.

In many ways it's like testing spam ... you have to have a fresh crop of malware every time you test, so it's practically impossible to repeat the tests. BAD (Behavioral Anomaly Detection) software, which is supposed to be superior to signature-based anti-malware systems because it can catch zero-day attacks, usually requires some type of user interaction (such as signing up for mail lists, interacting with a system or clicking on a call-to-action to activate the malware). At a recent Symantec security reviewers' workshop (Symantec is one of the vendors participating in the Anti-Malware Testing Working Group), there was a debate about whether a threat was a threat if it was just dormant on the system. Symantec officials were of the opinion that a dormant threat couldn't be classified as malware because it wasn't DOING anything bad.

There is some merit to this position. If a piece of spam installs a backdoor for the Eudora e-mail client, but Eudora isn't installed on the system, is the backdoor malware or just useless bits taking up a little space on the hard drive? The super-conscientious could take the position that Eudora might SOMEDAY be installed on the system, provoking the malware into action, and so yes, even dormant, the malware should be detected and removed. The question then is, Should that be the job of a BAD?

I think it should be the job of an endpoint security tool in 2008. Anti-virus/anti-spam/BAD/IPS/firewalls should be combined into a product that doesn't consume all the endpoint resources while protecting users from the numerous and increasingly well-crafted threats that surround them. As well as testing what these products can do, eWEEK Labs will continue to advocate for security products that protect users from the threats facing our audience in whatever form those threats appear.