funsec mailing list archives
Re: The wildlist
From: "David Harley" <david.a.harley () gmail com>
Date: Tue, 3 Jun 2008 12:56:55 +0100
Right on, Larry.
Not really. Though some of the problems I have with the review could be said to be WLO's fault, for failing to have its web site and documentation keep pace with where it is these days. The WildList's deficiencies are well-known, but being addressed (albeit with terrifying slowness...) But the list itself is less outdated than the accompanying explanations, IMHO.
Failure to find all malware in the famous WildList can cause an anti-malware product to fail VB100 certification.
True. Because the list -is- behind the curve, it's all not unreasonable for a WL-focused test to expect 100% detection. How much weight a potential customer should give that particular test is open for debate. :) If the case Larry quoted (W95/Dupator.1503) is really still in the wild, it should be on the list. If it isn't, it shouldn't, according to WLO's own terms of reference, which would entail a minor blemish on the VB100 certification. But would you be comfortable with a scanner missing a sample nearly a decade old? There -is- a longstanding debate about whether long-gone malware still needs to be detected, but it's actually fairly academic. As long as there are comparative and certification tests still extant that include DOS executables, batchfile Trojans and so on, scanners will have to detect those samples or lose competitive advantage. Compared to that, one questionable entry on the WildList isn't very significant. In any case, we don't generally insist on detecting only viruses that are known to be active or potentially active on currently supported, whatever certifying organizations do. If we did, we'd catch grief for that, too. One compromise would be for scanners to have some sort of "recent malware only" switch. But I can see a -lot- of problems with that.
Sometimes this is scandalous as when Microsoft's OneCare failed WildList testing last year <http://www.pcmag.com/article2/0,1895,2094219,00.asp> to widespread derision.
Scandalous? That's rather an overstatement if you look at the original comparative review, rather than interpretations of the results by the media et al. And I speak as someone who works for a competitor. :)
In fact, insiders in the anti-virus industry, especially vendors, are widely derisive of the WildList, looking on it as an outdated burden on their development. The malware in it is outdated and not representative of the true threats facing users.
This is misleading. But I've already commented on that.
--
David Harley