I attended a Symantec endpoint security reviewer workshop in San Francisco Dec. 11. These workshops are always an interesting mix of “head fixing” on the part of the workshop sponsor (Symantec is far from the only company that holds such events) combined with often feisty reviewers on the other side. Our wrangles yesterday ranged from what constitutes malware (does a piece of malware have to be active to be considered a threat?) to what constitutes a good test for false positives in a behavior analysis tool (Symantec says the minimum test harness configuration should include 500 legitimate applications to get a meaningful test of a behavior-based threat prevention tool).
We didn’t spend that much time on virtualization except to say that some malware turns itself off if it detects a VM because virus makers know how much the security industry relies on VMs to expedite the testing and detection process.
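To make the VM-detection point concrete, here is an added example (my own, not code from the post, from eWEEK Labs or from Symantec) of the simplest check of that kind on x86: reading the CPUID "hypervisor present" bit and the hypervisor vendor signature leaf, which is exactly what a sample can use to decide to stay dormant in a test harness. It assumes an x86 machine and a GCC- or Clang-compatible compiler for the live query; the decoding and verdict helpers take register values as arguments so they can be exercised anywhere. The vendor signatures and the leaf layout are documented CPUID behaviour; everything else (function names, the constructed register values) is mine.

```c
/*
 * Added example: CPUID-based virtual-machine check of the kind malware
 * uses to decide whether it is being analysed in a VM.
 *
 * Facts used (standard x86 CPUID behaviour):
 *   - leaf 1, ECX bit 31 is the "hypervisor present" bit;
 *   - leaf 0x40000000 returns a 12-byte vendor signature in EBX, ECX, EDX,
 *     low byte first, e.g. "VMwareVMware", "KVMKVMKVM", "Microsoft Hv",
 *     "XenVMMXenVMM", "VBoxVBoxVBox".
 *
 * Build: cc -std=c99 -Wall vmcheck.c -o vmcheck   (file name assumed)
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 if the hypervisor-present bit (ECX bit 31 of CPUID leaf 1) is set. */
int hypervisor_bit_set(uint32_t leaf1_ecx) {
    return (int)((leaf1_ecx >> 31) & 1u);
}

/* Write the four bytes of a CPUID register, low byte first, into dst. */
static void put_reg(char *dst, uint32_t reg) {
    for (int i = 0; i < 4; i++)
        dst[i] = (char)((reg >> (8 * i)) & 0xffu);
}

/* Assemble the vendor signature of leaf 0x40000000 from EBX/ECX/EDX into
 * out (13 bytes: 12 characters plus terminator). Byte order is explicit so
 * the helper behaves the same on any host. */
void decode_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    put_reg(out, ebx);
    put_reg(out + 4, ecx);
    put_reg(out + 8, edx);
    out[12] = '\0';
}

/* Map a decoded signature to a hypervisor name, or NULL if unknown. */
const char *vendor_name(const char *sig) {
    if (strcmp(sig, "VMwareVMware") == 0) return "VMware";
    if (strcmp(sig, "KVMKVMKVM") == 0)    return "KVM";
    if (strcmp(sig, "Microsoft Hv") == 0) return "Hyper-V";
    if (strcmp(sig, "XenVMMXenVMM") == 0) return "Xen";
    if (strcmp(sig, "VBoxVBoxVBox") == 0) return "VirtualBox";
    return NULL;
}

/* Verdict from raw register values: 1 if either signal says "VM". A zero
 * result does not prove bare metal; hypervisors can be configured to clear
 * the bit and the vendor leaf, which is what a sandbox operator wants. */
int is_vm_from_cpuid(uint32_t leaf1_ecx, uint32_t ebx, uint32_t ecx, uint32_t edx) {
    char sig[13];
    decode_vendor(ebx, ecx, edx, sig);
    return hypervisor_bit_set(leaf1_ecx) || vendor_name(sig) != NULL;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* Live query on the current CPU. Returns the verdict and fills sig. */
static int live_check(char sig[13]) {
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return -1;
    uint32_t leaf1_ecx = ecx;
    /* Leaf 0x40000000 is above the basic maximum, so query it directly. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    decode_vendor(ebx, ecx, edx, sig);
    return is_vm_from_cpuid(leaf1_ecx, ebx, ecx, edx);
}
#endif

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    char sig[13];
    int vm = live_check(sig);
    const char *name = vendor_name(sig);
    printf("hypervisor signal: %s (signature \"%s\", vendor %s)\n",
           vm == 1 ? "present" : vm == 0 ? "absent" : "cpuid unsupported",
           sig, name ? name : "unknown");
#else
    printf("CPUID check only applies on x86\n");
#endif
    return 0;
}
```

Run it once on a bare-metal box and once inside your test-harness VM; if the second run prints a vendor name, a sample can tell the two apart with a single instruction, and hiding that signal (most hypervisors let you mask the bit and the vendor leaf) is the first thing to fix before trusting behavior-based results from the harness.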
I enjoy these tussles, for the most part. I enjoy meeting my peer-competitors in the test/review world. I always gain some new insights into test methods that I might want to try, although I have to say that I won’t be installing 500 applications in the eWEEK Labs test harness. I think I’ll stick with the top 10 or 20 applications likely to be used by eWEEK readers, the typical mix of Microsoft productivity applications, along with Acrobat, a couple of different e-mail clients, several different Web browsers and one or two CRM clients. In the coming year, I’m thinking that I’ll try to increase the number of applications in my test harness.
One thing that’s certain, however, is that I will be increasing my focus on how security products interact with virtual machines to keep malware from spreading through the emerging virtual infrastructure.