
Tuesday, August 14, 2007

Letting competent people do their jobs

First of all - the usual disclaimer applies - this is my personal opinion, blah, blah

The first positive comment on my VirusTotal uploader came in, which is cool; however, it brought up two issues:

The first would be: please don't use this tool to scan your entire collection, performing a small DoS attack on VirusTotal. It was written to be as gentle as possible to the service, including:

  • no multithreading, samples are submitted one by one
  • it waits until the previous sample is fully scanned before it moves on to the next sample
  • it uses a custom user agent string, so that VirusTotal can filter it / prioritize it if they wish
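To make the "gentle client" behaviour above concrete, here is an added illustration of the same loop: one sample in flight at a time, polling until the previous scan is finished before the next submission, a custom User-Agent on every request, and skipping samples already submitted (by hash) so the same file is not scanned twice. This is not the original uploader's code and not the VirusTotal API: the service object is a constructed stand-in so the example runs offline, and the header string, function and method names are assumptions.

```python
import hashlib
import time
from typing import Callable, Dict, List

# Assumed identification string (hypothetical); the point is that the service
# operator can recognise, filter or deprioritise this client by its User-Agent.
USER_AGENT = "polite-av-uploader/0.1 (+contact: example@example.invalid)"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class FakeScanService:
    """Constructed stand-in for a multi-engine scan service (NOT VirusTotal).

    It accepts a submission, reports "queued" for a few polls, then "finished",
    and records enough bookkeeping to show the client never overlaps scans.
    """

    def __init__(self, polls_until_done: int = 2):
        self.polls_until_done = polls_until_done
        self.in_flight = 0          # scans running right now
        self.max_in_flight = 0      # high-water mark; a gentle client keeps this at 1
        self.submissions: List[str] = []
        self.seen_headers: List[Dict[str, str]] = []
        self._polls: Dict[str, int] = {}
        self._done = set()

    def submit(self, data: bytes, headers: Dict[str, str]) -> str:
        self.seen_headers.append(dict(headers))
        job_id = f"job-{len(self.submissions) + 1}"
        self.submissions.append(sha256_of(data))
        self._polls[job_id] = 0
        self.in_flight += 1
        self.max_in_flight = max(self.max_in_flight, self.in_flight)
        return job_id

    def status(self, job_id: str, headers: Dict[str, str]) -> str:
        self.seen_headers.append(dict(headers))
        self._polls[job_id] += 1
        if self._polls[job_id] >= self.polls_until_done:
            if job_id not in self._done:
                self._done.add(job_id)
                self.in_flight -= 1
            return "finished"
        return "queued"


def submit_collection(samples: List[bytes], service,
                      poll_interval: float = 5.0, max_polls: int = 10,
                      sleep: Callable[[float], None] = time.sleep) -> Dict[str, str]:
    """Submit samples strictly one after another; returns {sha256: final status}.

    - no threads: a single loop, one submission at a time
    - a sample is submitted only after the previous scan reports "finished"
    - duplicates (same hash) are skipped instead of being scanned again
    - if a scan never finishes within max_polls, stop submitting altogether
      rather than piling more load onto a service that is already struggling
    """
    headers = {"User-Agent": USER_AGENT}
    results: Dict[str, str] = {}
    for data in samples:
        digest = sha256_of(data)
        if digest in results:
            continue                      # already submitted this exact file
        job_id = service.submit(data, headers)
        status = "unknown"
        for _ in range(max_polls):
            status = service.status(job_id, headers)
            if status == "finished":
                break
            sleep(poll_interval)          # wait between polls; no busy loop
        if status != "finished":
            results[digest] = "timeout"
            break                         # back off completely instead of continuing
        results[digest] = status
    return results


if __name__ == "__main__":
    # Constructed sample bytes, not real malware; note the repeated sample.
    svc = FakeScanService()
    out = submit_collection([b"sample-a", b"sample-b", b"sample-a"], svc,
                            sleep=lambda s: None)
    print(out, "max in flight:", svc.max_in_flight)
```

The `sleep` parameter is injected only so the loop can be exercised without waiting; in real use the default `time.sleep` with a poll interval of several seconds is what keeps the client polite.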

However, the main topic of this post is the idiotic test (if you can call it that - it was more of a marketing spin) carried out by Untangle. If you didn't hear about it yet, the gist of it was: pull around 30 samples out of our a** (one of which was EICAR!), scan them with some AV engines and declare that ClamAV (which coincidentally is used in their product) is good enough. This is wrong on so many levels. You can read a good writeup on the McAfee AVERT blog; however, the most infuriating thing (for me) was the constant harping on the fact that AV testing is not open, that AV testing needs to be peer reviewed. My response is:

  • Don't try to climb out of the s*** hole you put yourself into. You've made some (very) bad moves, now admit to them
  • Have you heard of AV-Comparatives (full disclosure: I have no relation to them)? It is a venue which (as opposed to your little show) does tests that are fully independent, recognized industry-wide and fully documented (as far as the methodology goes).
  • There have been many claims (including the McAfee blog and this result - generated with my script by a third party) - which seem to be true - that the scanners were misconfigured and the detection rate would have been much higher had you taken the time to configure them properly
  • Making malware publicly available is stupid at best, illegal at worst

I agree that many AV tests in magazines are completely irrelevant and bogus, but - congratulations - you've managed to make something even less valuable and accurate.

PS. This criticism is not directed towards ClamAV, the open source movement, etc. Its sole target is the Untangle test. ClamAV is a reasonably good AV engine whose main focus is threats which arrive in the inbox (it being more of a gateway product than a desktop product).

1 comment:

  1. Hi,
    I share your opinion..

    - I added a note to warn people about not using the script to scan too many files.

    - I shared the "untangle" results of your script to:
    . Try to prevent people from scanning the same sample of viruses... (limiting the load on VirusTotal)
    . Let the reader form his own opinion about the validity of the "untangle virus test" by comparing Untangle and VirusTotal results..

    Thank you
