Author Topic: Service to human race or fame seeking selfishness?  (Read 49012 times)

Offline John Buchanan

  • The greatest victory comes from the battle within.
  • Global Moderator
  • Comodo's Hero
  • Posts: 5608
  • Personal Dragons can be defeated. Improve yourself
Re: Service to human race or fame seeking selfishness?
« Reply #15 on: September 16, 2008, 05:09:06 AM »
Pleasant dream.  Why not start it yourself (it is your idea)?
Please follow Comodo Forum Policy

Offline DaRtH VaDeR.

  • Usability Study Member
  • Comodo's Hero
  • Posts: 1784
  • Everything in life comes to an end, except life
Re: Service to human race or fame seeking selfishness?
« Reply #16 on: October 08, 2008, 01:52:44 PM »
The problem is that almost all the antivirus companies out there are commercial and do have a lot of paying customers.... There is a huge market for solutions against malware and it is expanding, growing, becoming bigger and bigger since it started 25 years ago! So there is competition!

Because of this competition av vendors need a good reputation, av testing companies do give this opportunity for av vendors to keep a good reputation....

So the idea of sharing malware/selling malware to each other (maybe also real time) is not of this world... because it does injustice to the competition/ the existing market we know today!

Melih, in order to achieve your goal, the system you really want to have (read: real time malware sharing), there has to be created a new kind of market!!! A new business model!!! A totally new system! and all the existing vendors must step in it!!!

This means: the destruction or partly destruction of 25 year old eco system!

Do you see this happening ??? I do not see it happen at the moment.... But who knows what the future brings....

As for me, I am a supporter of this new system you want to implement and when it starts it will shake the hell out of the current system... (:WIN)
DaRtH VaDeR says: "The path of success and progress is not to be reached by the things you have done, but by the things you will do, so think before you act, the voice of your history will confirm this fact.."

DaRtH VaDeR says: "Your system is as secure as the weakest link in your entire security"

Offline SS26

  • Comodo's Hero
  • Posts: 1925
Re: Service to human race or fame seeking selfishness?
« Reply #17 on: October 15, 2008, 10:37:45 AM »
I mostly agree with Fake vegeta :-TU  Some of my points of view without facts:

1) AV Testing organisations like any other commercial organisations (I suppose most of them are commercial) strive for profit (the bigger the better). So if they would share all samples they have that might break their business due to which they earn money. To "adopt new and better ways to serve the users" they are required either to drop their business and profit (..is that possible without external force? ...like government etc.) or change their business model (which requires hard work to be done and success is not guaranteed).

2) how do av vendors benefit from sharing their db's contents with other av vendors in terms of gaining more profit ? It seems they won't win much (at least they might think so), because if they do they would have done this already. If they won't gain extra profit why should they bother?

In most cases "end users" and their safety is a third-rate subject when we talk about big business and its profits. It seems the driving force of most av/firewall/.../ vendors to enhance their products is not a concern about "end users" but a desire to increase sales (marketshare) by surpassing competitors... and their products.
Not many people out there like Melih who can develop different business model that really takes care about end users (OK, providing HIPS and outbound protection that don't leak for free IS a concern about end users).


IMO...

Offline Star Shadow

  • Computer Security Testing Group
  • Comodo's Hero
  • Posts: 373
Re: Service to human race or fame seeking selfishness?
« Reply #18 on: October 15, 2008, 12:21:33 PM »
The last two posters do bring up good points, but there is a counter to what they say. ;) It doesn't matter if an AV has every single possible piece of baddie out there in their DB, what matters is how well the AV engine can find and clean the infection out of files. It's a whole other ballgame in trying to just detect the baddie to begin with. Then it's another to actually remove the infection from an important system file. So, even if all the AV companies shared their DBs, it would still not really hurt them if they have a better and faster scan engine that is capable of detecting the malware and also able to actually remove it. Users will buy products based on those stats alone: Detection and removal. They don't care how many samples are in the DB. So, an AV company has nothing to lose if they are better at detection than the competition. Having a shared DB will only make AV companies work harder to improve their detection and healing capabilities, and also make their programs smaller and faster than others.

Thoughts to chew on for awhile. :)
Married to a loving wife. :)

Offline solcroft

  • Comodo Loves me
  • Posts: 146
Re: Service to human race or fame seeking selfishness?
« Reply #19 on: October 24, 2008, 07:29:16 AM »
So, even if all the AV companies shared their DBs, it would still not really hurt them if they have a better and faster scan engine that is capable of detecting the malware and also able to actually remove it.
Even when companies have the samples, they don't always achieve 100% detection on the samples they have.

Besides, I find this whole thread quite pointless. Testing organizations DO share samples with vendors that manage to meet their criteria - that's a known fact, and this has been going on for years. In fact, it's even a two-way process where testers sometimes accept submissions from different vendors, and then redistribute those samples back among the vendors that don't have them. What Melih is trying to do is simply to pressure testing organizations into handing samples over to Comodo even though CAV does NOT meet those minimum criteria, by creating negative PR for the testers and deliberately encouraging the misconception that testers are elitist and do not share samples at all.

Offline gibran

  • Average User
  • Comodo's Hero
  • Posts: 5056
  • A bad workman always blames his tools
Re: Service to human race or fame seeking selfishness?
« Reply #20 on: October 24, 2008, 07:57:58 AM »
Testing organizations DO share samples with vendors that manage to meet their criteria

Testing organizations may feel entitled to set arbitrary minimum requirements because samples are considered private properties or are regulated by private agreements.

So it is possible to set "Minimum requirements" that include samples that cannot possibly be found in the wild anymore thus restricting sample sharing to established brands without even the need to explicitly state that.

AFAIK inter-AV vendor malware sharing is usually regarded as a private agreement and thus a new AV brand may not be entitled to cooperation because another brand got enough partners.

IMHO the whole point is if sample sharing should be regulated by such private agreements whereas biological viruses are treated in a different way for obvious reasons.

Every year, the World Health Organization predicts which strains of the virus are most likely to be circulating in the next year, allowing pharmaceutical companies to develop vaccines that will provide the best immunity against these strains.

Having a sample is only the first step in researching and building an appropriate countermeasure, be it an AV signature that only works on a specific patented AV engine, a removal application, a patented heuristic detection engine or a patented HIPS technology.
« Last Edit: October 24, 2008, 12:17:53 PM by gibran »
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline solcroft

  • Comodo Loves me
  • Posts: 146
Re: Service to human race or fame seeking selfishness?
« Reply #21 on: October 24, 2008, 08:08:56 AM »
Testing organizations may feel entitled to set arbitrary minimum requirements because samples are considered private properties or are regulated by private agreements.
While that's a possibility, I'm sure you're aware of the problems that arise from handing out samples to simply every Tom, Dick, and Harry.

Thus it is possible to set "Minimum requirements" that include samples that cannot possibly be found in the wild anymore thus restricting sample sharing to established brands without even the need to explicitly state that.
gibran, given today's rate of malware growth, I assure you there is no need to keep any samples more than 3 years old (at most) in the test set, nor would it be feasible to do so. AV-Test regularly tests with samples no older than 12 months, while ~60% of AV-Comparatives' testbed for the last review were no older than Oct '07. The myth that testers test with obsolete malware that cannot be found anywhere is one that needs to die.

Offline gibran

  • Average User
  • Comodo's Hero
  • Posts: 5056
  • A bad workman always blames his tools
Re: Service to human race or fame seeking selfishness?
« Reply #22 on: October 24, 2008, 08:32:47 AM »
While that's a possibility, I'm sure you're aware of the problems that arise from handing out samples to simply every Tom, Dick, and Harry.
I guess the possibility is that such restrictions could not be imposed only on single individuals or real rogue AV developers.
Today this is legit. It's their samples; they choose the restrictions.

gibran, given today's rate of malware growth, I assure you there is no need to keep any samples more than 3 years old (at most) in the test set, nor would it be feasible to do so. AV-Test regularly tests with samples no older than 12 months

I make an effort to read methodological papers when I'm able to find them, even if they can be difficult to understand as I'm a plain end user. If you know about a specific AV tester who does this and describes his selection criteria I will gladly add it to my favourites, and even more so if there is a methodological description of the minimum requirements testing procedures that could possibly be used to restrict sample sharing.

Anyway IMHO the whole point is still  if sample sharing should be regulated by private agreements whereas biological viruses are treated in a different way for obvious reasons.
« Last Edit: October 24, 2008, 10:09:04 AM by gibran »

Offline solcroft

  • Comodo Loves me
  • Posts: 146
Re: Service to human race or fame seeking selfishness?
« Reply #23 on: October 24, 2008, 08:54:43 AM »
I guess the possibility is that such restrictions could not be imposed only on single individuals or real rogue AV developers.
Today this is legit. It's their samples; they choose the restrictions.
Yes, but the thing to note is that the restrictions are not discriminatory. There is no attempt to block or encourage sharing of samples among select vendors by the tester because of any personal gain. Any vendor who fulfills the criteria gets the samples - and most of them do.

If you know about a specific AV tester who does this and describes his selection criteria I will gladly add it to my favourites.
For my post I headed to the AV-C online results page for a quick verification of my facts. AV-Test is a bit trickier, as the translated links seem to have expired for now. Both PCMag and VB claim that samples are max 12 months old when quoting AV-Test results, but I don't have a methodology listing at hand right now.

Offline gibran

  • Average User
  • Comodo's Hero
  • Posts: 5056
  • A bad workman always blames his tools
Re: Service to human race or fame seeking selfishness?
« Reply #24 on: October 24, 2008, 09:58:06 AM »
Yes, but the thing to note is that the restrictions are not discriminatory. There is no attempt to block or encourage sharing of samples among select vendors by the tester because of any personal gain. Any vendor who fulfills the criteria gets the samples - and most of them do.

This is very different from using criteria that restrict sample sharing from single individuals or real rogue AV developers.

E.g. using a minimum detection rate as a selection criterion means that the sample set composition only evaluates malware gathering abilities and possibly includes an unverified number of nowhere-to-be-found samples, even if the sample set is not older than 12 months (if those time-related selection criteria are ever documented).

Malware gathering abilities can also be affected by inter-vendor private sharing agreements and the related market share in the case of user submissions (e.g. new samples are submitted to a specific AV vendor and shared among partners), or by time-related availability (e.g. a new sample is submitted and shared among partners, the new sample gets detected and exterminated or the vector sites are shut down) or spreading abilities (low-spreading samples are likely to be exterminated faster).

Business logic and private agreements have much more effect on the AV ecosystem than on the pharmaceutical counterpart.
It goes without saying that this will continue as long as malware is not considered a first-rate threat.

In the current situation, just as AV engines can be treated as intellectual property, malware samples are treated as private property and thus it is legitimate for the holder to claim certain exclusive rights.

On the other hand, if a pharmaceutical company develops a vaccine for a virus it can file a patent and get exclusive rights on that specific cure.
This will not prevent another company from researching that specific sample, developing a different cure and patenting it.

« Last Edit: October 25, 2008, 03:35:08 PM by gibran »

Offline solcroft

  • Comodo Loves me
  • Posts: 146
Re: Service to human race or fame seeking selfishness?
« Reply #25 on: October 24, 2008, 10:36:37 AM »
Eg using a minimum detection rate as a selection criteria means that the sampleset composition only evaluate malware gathering abilities and possibly include an unverified number of nowhere-to-be-found samples even if the sampleset composition is not older than 12 months (if those time related selection criterias are ever documented).
False. To repeat myself again, the ability to gather malware is only one of the factors in determining detection. A lot of factors come into play - it's not as simplistic as "get malware, add detection". The manpower to process samples and the quality of the scanning engine are also key factors in determining how well a product performs. In his post Melih claims to be able to detect 100% of the malware they have seen. I know for a fact that this is a lie; they're nowhere near to detecting even half the samples I've sent.

A company can have some well-polished collection mechanisms and still fail at detection. Comodo is one example, given the automated submission system built into CFP. Until a short while ago, PC Tools (with their ThreatExpert system) was another, though they're still nothing to shout about now. And then there are some vendors who deliberately scale back the detection they can achieve due to various factors, such as to avoid false positives; McAfee, F-Prot and Trend Micro are three such vendors that I know of, but I highly suspect all major vendors do this to some degree. For a short while Symantec deliberately scaled back the full power of their heuristics engine during the NIS2009 beta as well, perhaps due to similar concerns.

Malware gathering abilities can also be affected by inter-vendor sharing private agreements and related marketshare in case of user submission (eg new samples are submitted to a specific AV vendor and shared among partners), or timerelated availability (eg a new sample is submitted and shared among partners, the new sample got detected and exterminated or the vector sites are shut down) or spreading abilities (low spreading samples are likely to be exterminated faster).
Comodo is not a newcomer to the antivirus industry. They've been around for years, and already have an entrenched and well-deserved reputation. If their malware collection infrastructure is still as roughshod as when they first started, it's nobody's fault but their own, and certainly not because they're suffering from the disadvantage of being a "new" company.

In the current situation like AV engines can be treated as Intellectual Property, malware samples are treated as a private property and thus is legitimate for the holder to claim certain exclusive rights.
Not quite. Nobody "owns" malware except for the guys who wrote them (and even that is debatable), and neither do testers charge an additional fee for distributing samples. There are no exclusive claims to malware, contrary to your claim; just because you found one sample doesn't make it yours. I believe you're getting confused between this so-called "exclusive rights" to malware, and the act of handing it out to untrustworthy parties. I really doubt testers don't distribute samples to vendors who don't meet the minimum criteria because they think the samples are "theirs"; if that's the case, they wouldn't distribute samples at all.
« Last Edit: October 24, 2008, 11:10:05 AM by solcroft »

Offline gibran

  • Average User
  • Comodo's Hero
  • Posts: 5056
  • A bad workman always blames his tools
Re: Service to human race or fame seeking selfishness?
« Reply #26 on: October 24, 2008, 11:54:51 AM »
False. To repeat myself again, the ability to gather malware is only one of the factors in determining detection. A lot of factors come into play - it's not as simplistic as "get malware, add detection". The manpower to process samples and the quality of the scanning engine are also key factors in determining how well a product performs.

I see you are shifting the point and taking another chance to shoot at Comodo. What you describe would be the situation in which malware samples are shared without restrictions among all AV parties. In that case it would be possible to reliably score such aspects.

I wish to point out that this topic pertains to whether there should be arbitrary restrictions on malware sharing, and that you started from an indirect reply like

While that's a possibility, I'm sure you're aware of the problems that arise from handing out samples to simply every Tom, Dick, and Harry.

Then you continued with
Yes, but the thing to note is that the restrictions are not discriminatory. There is no attempt to block or encourage sharing of samples among select vendors by the tester because of any personal gain. Any vendor who fulfills the criteria gets the samples - and most of them do.

I wonder if you think that a non-discriminatory requirement can endorse a selection criterion that measures detection rates over a sample set that can possibly include nowhere-to-be-found samples.

I wonder if you think that each and every 12-month-old sample can surely be found in the wild.

I wonder if you think that malware gathered by user submitted samples is not influenced by cumulative market-share of partnering AV brands.

I wonder how long you think the vast majority of websites that spread malware will last online.

I wonder if you think a malware collection infrastructure of a group of companies that are bound by private partnership agreements can really be compared to any new player that is possibly excluded from such private sharing agreements.

I wonder if you think that new AV brands can possibly gather all samples that were available before the development of their AV engine even started and if anyone could be entitled to not disclose samples leveraging on some "minimum requirement" argument.

I really doubt testers don't distribute samples to vendors who don't meet the minimum criteria because they think the samples are "theirs"; if that's the case, they wouldn't distribute samples at all.
I guess it depends on what those arbitrary criteria to restrict sample sharing really are.

Even if I would still like to know if there is an AV tester that thoroughly discloses his/her selection criteria and minimum requirement testing methodology, to let everyone understand the restrictions imposed on malware sharing and let everyone decide whether or not such restrictions are discriminatory, I still wonder what people would think if a pharmaceutical company could not get a sample to research and develop a new vaccine because it had to prove, for example, how many other vaccines it had already developed (and what would be the minimum number of developed vaccines required).

Once again  IMHO the whole point is still  if sample sharing should be regulated by private agreements whereas biological viruses are treated in a different way for obvious reasons.
« Last Edit: October 24, 2008, 12:30:50 PM by gibran »

Offline solcroft

  • Comodo Loves me
  • Posts: 146
Re: Service to human race or fame seeking selfishness?
« Reply #27 on: October 24, 2008, 12:36:38 PM »
I see you are shifting the point and taking another chance to shoot at Comodo. What you describe would be the situation in which malware samples are shared without restrictions among all AV parties. In that case it would be possible to reliably score such aspects.
I was simply pointing out that detection rates are not based solely on a vendor's ability to gather malware, as you claimed. It may be the cause for low detection rates, it may be part of the cause for low detection rates, or it may not be a cause at all.

I wish to point out that this topic pertains to whether there should be arbitrary restrictions on malware sharing. I wonder if you think that a non-discriminatory requirement can endorse a selection criterion that measures detection rates over a sample set that can possibly include nowhere-to-be-found samples.
I think it can. The criteria were created to prevent abuse, not to discriminate against specific vendors. I imagine the restrictions were put in place to ensure that vendors who participate in the sharing do actually have competent virus labs, and that the testers themselves do not become virus collectors for vendors who have no ability to do so themselves. And once that very non-discriminatory criterion is established, there seem to be no further conditions barring a vendor from receiving samples from the tester - short of concerns about the vendor's ethics, of course.

Regarding your "nowhere-to-be-found" samples: if they were really nowhere to be found, they wouldn't have ended up in the tester's sample set in the first place.

I wonder if you think that every 12 months old sample can be surely found in the wild.
I don't have hardcore statistics that are 100% verifiable, if that's what you're asking for. I do think, however, that isn't a problem for a vendor unless it is less than 12 months old.

I wonder if you think that malware gathered by user submitted samples is not influenced by cumulative market-share of partnering AV brands.
No, I don't, but that wasn't the point I was trying to make. A vendor fully detecting the samples submitted by its user base doesn't necessarily make its product's detection rate reflective of the overall malware population, but if it can fully protect its users there would be little need for it to bother with what samples are inside testing organizations' sample sets at all.

Comodo insists on picking up every unknown file from its users' systems, in addition to manually submitted samples. But even among user submitted samples (at least from me) I see an average of 30% detection after several weeks. Hence my claim that a company can have some well-polished collection mechanisms and still fail at detection.

I wonder how long you think the vast majority of websites that spread malware will last online.
In the era of fast-flux domains? Not very long, but definitely long enough to infect users. And certainly long enough for those malware to end up inside the collections of testers and antivirus vendors alike. Come on, now. They don't vanish instantly. How do you think anyone got those samples at all? Time machines?

I wonder if you think a malware collection infrastructure of a group of companies that are bound by private partnership agreements can really be compared to any new player that is possibly excluded from such private sharing agreements.
As I've already mentioned, Comodo is not new at all. Secondly, sharing criteria exist only between testers and vendors, as defined by the testers themselves - let's not confuse and lump this together with between vendors themselves. Researchers share samples among themselves with their colleagues from other companies if considered trustworthy; I believe I've discussed this with you at length before.

Once again you make it sound as though there's an insider's clique of corporate bigwigs among the "big boys" who scheme and conspire to decide who gets samples. On the contrary, it's the tester who establishes a public baseline that even the so-called "big boys" need to toe in order to receive samples from the tester. There's absolutely nothing hush-hush and backstage about it.

I guess it depends on what those criteria to restrict sample sharing really are. Even if I would still like to know if there is an AV tester that thoroughly discloses his/her selection criteria and minimum requirement testing methodology to let everyone understand the restrictions imposed on malware sharing, IMHO how AV testers want to test different AV products to compare them is another topic.
For some reason I'd always thought it was 80% detection for AV-C. I'm not sure where I got that impression from, though, because now that I go back and look through the methodology outline, it's not stated in there.
« Last Edit: October 24, 2008, 12:58:45 PM by solcroft »

Offline gibran

  • Average User
  • Comodo's Hero
  • Posts: 5056
  • A bad workman always blames his tools
Re: Service to human race or fame seeking selfishness?
« Reply #28 on: October 24, 2008, 02:44:38 PM »
I was simply pointing out that detection rates are not based solely on a vendor's ability to gather malware, as you claimed. It may be the cause for low detection rates, it may be part of the cause for low detection rates, or it may not be a cause at all.

That wasn't the point I was trying to make. Despite all these statements about legitimate and non-discriminatory selection criteria, this only means that not all kinds of restrictions can simply be motivated by detection rate tests.

I feel such considerations would be more appropriate if such tests were only meant to score detection rates and not to establish whether an AV brand is eligible to receive samples (always provided that private property can be denied for whatever arbitrary reason, or for no reason at all).

I think it can. The criteria were created to prevent abuse, not to discriminate against specific vendors. I imagine the restrictions were put in place to ensure that vendors who participate in the sharing do actually have competent virus labs, and that the testers themselves do not become virus collectors for vendors who have no ability to do so themselves. And once that very non-discriminatory criteria is established, there seems to be no further conditions barring a vendor from receiving samples from the tester - short of concerns about the vendor's ethics, of course.
I would imagine any detection rate test to be unable to tell the difference between AV vendors whose malware collection infrastructure is influenced by malware sharing partnerships and other AV vendors.

Thus, while it could be useful to score how much an AV protects against known samples, IMHO it doesn't tell much about how competent a specific brand's AV lab is if it is not possible to exclude any bias from possibly existing cross-vendor partnerships.

It looks like you are sure that each vendor gathers samples independently, without any private sharing agreement aid, and that each direct (e.g. own user base submitted samples) or indirect contribution (e.g. partners' user base submitted samples) collectively amounts to an irrelevant part (I wonder how much can still be considered irrelevant).

There is no need to cite any specific AV tester either, but I would like to know what you consider a non-discriminatory selection criterion for sample disclosure, along with a description of how it could be possible to really measure how competent a single virus lab is on its own, without relying on any form of partnership.

You can then leave it to other readers to verify whether any tester or vendor does meet your suggested criteria.

Regarding your "nowhere-to-be-found" samples: if they were really nowhere to be found, they wouldn't have ended up in the tester's sample set in the first place.
I don't have hardcore statistics that are 100% verifiable, if that's what you're asking for. I do think, however, that isn't a problem for a vendor unless it is less than 12 months old.
Such clean-cut logic doesn't address the fact that not all malware can be found for an extended timeframe.

Apart from recurring threats, which could also be years old, I have yet to confirm how many samples in any AV testbed were available for at least a week.

I have yet to understand, then, if an AV company that fails to gather a sample in a week (or any meaningful timeframe) doesn't qualify as trustworthy or has bad virus labs.

AFAIK AV testbeds are not designed to test that, and yet I wonder if anyone could possibly use them to score trustworthiness or virus lab competency.

Again, assuming that most malware is regionally targeted, I wonder if cross-AV partnerships could prove useful to increase malware gathering geographical coverage, and I wonder, if malware gathered by user submitted samples is influenced by the cumulative market share of all partnering AV brands, how much this adds to each single AV vendor's competent virus lab.


sharing criteria exist only between testers and vendors, as defined by the testers themselves - let's not confuse and lump this together with between vendors themselves. Researchers share samples among themselves with their colleagues from other companies if considered trustworthy; I believe I've discussed this with you at length before.
That's a circular reference. Besides, I guess you consider private agreement malware sharing to be motivated by trustworthiness alone, whereas business logic also includes other restrictions, like for example whether existing partnerships already fulfil an AV brand's needs.

A vendor fully detecting the samples submitted by its user base doesn't necessarily make its product's detection rate reflective of the overall malware population, but if it can fully protect its users there would be little need for it to bother with what samples are inside testing organizations' sample sets at all.
What about vendors involved in private agreement partnerships? The more vendors involved in sharing partnerships, the more the collective sample set is likely to reflect the overall malware population.

Comodo insists on picking up every unknown file from its users' systems, in addition to manually submitted samples. But even among user submitted samples (at least from me) I see an average of 30% detection after several weeks. Hence my claim that a company can have some well-polished collection mechanisms and still fail at detection.
I would be highly interested to know if there is any AV tester that actually measures how much time each AV brand needs to issue a signature for all samples sent after a comparative (in case he/she does share samples, of course); besides, I see you wish to peruse signature creation speed and neglect the malware gathering aspect as irrelevant.

In the era of fast-flux domains? Not very long, but definitely long enough to infect users. And certainly long enough for those malware to end up inside the collections of testers and antivirus vendors alike. Come on, now. They don't vanish instantly. How do you think anyone got those samples at all? Time machines?
Yep, not very long. I cannot possibly know how long a malware site will last either, but again I wonder what will happen once an AV vendor gets a sample and how private-agreement partnerships affect the subsequent steps.

I wonder if, as long as the sample exists and some AV vendor passes a test, it doesn't really matter what happened in between. Numbers tell the truth, I guess, and surely they do about detection rates.

If it is really all that matters.

Once again you make it sound as though there's an insider's clique of corporate bigwigs among the "big boys" who scheme and conspire to decide who gets samples. On the contrary, it's the tester who establishes a public baseline that even the so-called "big boys" need to toe in order to receive samples from the tester. There's absolutely nothing hush-hush and backstage about it.

Once again, IMHO the whole point is still whether sample sharing should be regulated by private agreements, whereas biological viruses are treated in a different way for obvious reasons.

I see even more from your arguments that such malware disclosure practices are so bound to the current system that it looks like almost no one is left to question it.

I still consider signature creation speed tests to be useful as a possible way to score AV vendors, as an alternative to absolute detection rate tests, in a totally different AV ecosystem where malware gathering is not such a limiting factor with so many unclear aspects.

Again, I still wonder what people would think if a pharmaceutical company could not get a sample to research and develop a new vaccine because it had to prove, for example, how many other vaccines it had already developed. But this will never happen, I guess; no way it will be endorsed by the same clique that affects the AV ecosystem.

After all, I guess computer viruses are treated as a second-rate threat, whereas their biological siblings evoke totally different considerations.

Every year, the World Health Organization predicts which strains of the virus are most likely to be circulating in the next year, allowing pharmaceutical companies to develop vaccines that will provide the best immunity against these strains.
« Last Edit: October 24, 2008, 05:50:52 PM by gibran »
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline solcroft

  • Comodo Loves me
  • ****
  • Posts: 146
Re: Service to human race or fame seeking selfishness?
« Reply #29 on: October 24, 2008, 07:25:54 PM »
I feel such considerations are more appropriate if such tests were only meant to score detection rates and not to establish if an AV brand is eligible to receive samples (always provided that private property can be denied for whatever arbitrary reason, or no reason at all).
As I've mentioned, you're getting confused between a vendor not being eligible to receive samples because the tester feels that the samples are his own private property (they're not), and because the tester feels that he's not an employee for that vendor who collects samples for them due to their own inability to do so. If you believe your misconception is actually true, can you explain to us why testers would hand over their "private property" simply based on how much of it vendors can detect? It makes no sense at all.

I would imagine any detection rate test to not be able to tell the difference between AV vendors whose malware collection infrastructure is influenced by malware sharing partnerships and other AV vendors.
Not entirely, no. But it does tell the tester which vendors are simply trying to leech samples off him.

It looks like you are sure that each vendor gathers samples independently without any private-agreement sharing aid, and that each direct (e.g. own user base submitted samples) or indirect contribution (e.g. partners' user base submitted samples) collectively amounts to an irrelevant part (I wonder how much can still be considered irrelevant).
That is actually the case that happens with most competent vendors, yes. One of the metrics of a good product happens to be the ability to protect its users from malware before said users run into said malware. It doesn't matter if a product can add and release detection within minutes after receiving user submissions. If it consistently detects only a poor percentage of malware before that, it's still a bad product. Aside from some dedicated volunteers, user submitted samples among good products are typically insignificant compared to the number the vendor itself gathers from other sources.

But as I said above, not that this is of much relevance to the tester. The tester is simply interested in ensuring that vendors have their own means of collecting samples other than leeching off him. Which I think is quite a valid concern.

Such clean-cut logic doesn't address the fact that not all malware can be found for an extended timeframe.

Apart from recurring threats, which could also be years old....
Assuming a competent vendor, this isn't an issue at all, since the vendor in question (Comodo) is older by far than most of the samples used in most reputable tests. Assuming an incompetent vendor, I think the incompetence is the issue here instead of the age and timeframe of availability of the samples.

I have yet to understand then if an AV company that fails to gather a sample in a week (or any meaningful timeframe) doesn't qualify as trustworthy or has bad virus labs.
In an age where zero-day protection is strived for, I think that the inability to obtain the sample after more than a week - let alone to add and release detection - should be the exception rather than the rule. And if a vendor seems to have a tendency to exhibit this failure not just on the rare occasion, but repeatedly over an extended period of time, I think that's a fairly good indicator of untrustworthiness and/or bad infrastructure on their part. Don't you?

That's a circular reference; besides, I guess you consider private-agreement malware sharing to be motivated by trustworthiness alone, whereas business logic also includes other restrictions, for example whether existing partnerships already fulfil an AV brand's needs.
Your logic would make sense if it was the sales department and management that regulated the sharing of samples and signed the relevant contracts. Sample sharing among researchers (whether they work for vendors or are independent) is often done unofficially, often with no commercial gain for themselves and no specifically dedicated infrastructure set up to facilitate this exchange. Simply because this link is off the top of my head, ESET's ThreatBlog provides a brief glimpse of the nature of this sharing: http://www.eset.com/threat-center/blog/?p=158

But let's assume it's a commercial exchange for now. If this was so, then Comodo's position becomes even easier, as they can simply walk in and ask to buy from others without being hindered by their reputation.

I would be highly interested to know if there is any AV tester that actually measures how much time each AV brand needs to issue a signature for all samples sent after a comparative (in case he/she does share samples, of course); besides, I see you wish to peruse signature creation speed and neglect the malware gathering aspect as irrelevant.
It is irrelevant in this case because Comodo already have the samples delivered right to them. All they need to do is process the samples. Again, this is to prove the point that the popular misconception that vendor has sample = nothing else matters is false.

I see even more from your arguments that such malware disclosure practices are so bound to the current system that it looks like almost no one is left to question it.
I'm simply explaining the status quo because you've provided no solid arguments that things should be any different. "Disclosure" practices? Once again, you make it sound as though a select few entities control who gets which samples. It's simply not possible to exert such control over the industry, when even amateurs like myself have no problems with collecting more malware than I can handle. And until you can stop making this fallacy the crux of your arguments, I don't think we'll get anywhere, simply because we're spending all our time just trying to get you to base your points on facts instead of popular myth.
