funsec mailing list archives

Re: The wildlist


From: "David Harley" <david.a.harley () gmail com>
Date: Tue, 3 Jun 2008 12:56:55 +0100

> Right on, Larry.

Not really. Though some of the problems I have with the review could be said
to be WLO's fault, for failing to have its web site and documentation keep
pace with where it is these days. The WildList's deficiencies are
well-known, but being addressed (albeit with terrifying slowness...). But the
list itself is less outdated than the accompanying explanations, IMHO.

> Failure to find all malware in the famous WildList can cause
> an anti-malware product to fail VB100 certification.

True. Because the list -is- behind the curve, it's all not unreasonable for
a WL-focused test to expect 100% detection. How much weight a potential
customer should give that particular test is open for debate. :) 

If the case Larry quoted (W95/Dupator.1503) is really still in the wild, it
should be on the list. If it isn't, it shouldn't, according to WLO's own
terms of reference, which would entail a minor blemish on the VB100
certification. But would you be comfortable with a scanner missing a sample
nearly a decade old? There -is- a longstanding debate about whether
long-gone malware still needs to be detected, but it's actually fairly
academic. As long as there are comparative and certification tests still
extant that include DOS executables, batch-file Trojans and so on, scanners
will have to detect those samples or lose competitive advantage. Compared to
that, one questionable entry on the WildList isn't very significant. In any
case, we don't generally insist on detecting only viruses that are known to
be active or potentially active on currently supported, whatever certifying
organizations do. If we did, we'd catch grief for that, too.

One compromise would be for scanners to have some sort of "recent malware
only" switch. But I can see a -lot- of problems with that.

> Sometimes this is scandalous as when Microsoft's OneCare
> failed WildList testing last year
> <http://www.pcmag.com/article2/0,1895,2094219,00.asp> to
> widespread derision.

Scandalous? That's rather an overstatement if you look at the original
comparative review, rather than interpretations of the results by the media
et al. And I speak as someone who works for a competitor. :)

> In fact, insiders in the anti-virus industry, especially
> vendors, are widely derisive of the WildList, looking on it
> as an outdated burden on their development. The malware in it
> is outdated and not representative of the true threats facing users.

This is misleading. But I've already commented on that.

--
David Harley



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.