Posted by matthias on June 15, 2005, 12:19 am
Hey, thanks for your answer.
I am trying to test networking equipment, like a firewall or a mail
server with virus scanning abilities. So I need to send them "infected"
files to find out how many they will detect and how much time they need
to check a file for example.
Posted by kurt wismer on June 15, 2005, 7:42 am
matthias wrote:
> Hey, thanks for your answer.
> I am trying to test networking equipment, like a firewall or a mail
> server with virus scanning abilities. So I need to send them "infected"
> files to find out how many they will detect and how much time they need
> to check a file for example.
you do not need to see how many they will detect... you are not doing a
detection rate analysis of the anti-virus products (or if you are you're
doomed to generate absolutely worthless results)... an anti-virus'
effectiveness can not be meaningfully evaluated by laymen or even
experts if they have too few resources...
what you need to do is make sure the anti-virus on those devices is
working, and for that all you need is the eicar standard anti-virus test
file...
--
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"
Posted by Roger Wilco on June 15, 2005, 9:50 am
> Hey, thanks for your answer.
> I am trying to test networking equipment, like a firewall or a mail
> server with virus scanning abilities. So I need to send them "infected"
> files to find out how many they will detect and how much time they need
> to check a file for example.
How many, and the computing cost, would be a function of the scanner
itself and not so much of the network devices. The EICAR file works as a
sort of "go/no go" gage for the device end (it proves the scanner at
least looks). The scanner would have to be tested professionally, there
is too much work involved in the process for an individual to accomplish
it without misleading results.
Professional testing facilities give results (about the scanner) such as
you request. Their "coverage" (how many) and the time it takes to scan
(*best tested on a diverse group of "non-infected" materials BTW) should
be listed in the results. If you want to see how detections are
handled - and the cost there - EICAR works.
*computing cost would be more important on these because most of the AVs
time would be spent on looking and not finding anyway - - unless it is a
virus server being scanned. :)
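Both kurt wismer and Roger Wilco point to the EICAR standard anti-virus test file as the right "go/no go" gauge for a gateway. The following is an added example (not code from anyone in the thread) that builds a spec-conformant EICAR file, validates one, and wraps it as a mail attachment or zip so the gateway's MIME and archive paths are exercised; the addresses and filenames are placeholders chosen here.

```python
"""Build and validate the EICAR standard anti-virus test file, the
"go/no go" gauge discussed above (added example, not from the thread)."""
import io
import zipfile
from email.message import EmailMessage

# The published 68-byte EICAR test string. Per the EICAR definition a
# file is a valid test file if it starts with these 68 bytes and any
# remainder is whitespace, with a total length of at most 128 bytes.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MAX_LEN = 128
TRAILING = b" \t\r\n\x1a"  # whitespace a scanner must tolerate after the string


def eicar_bytes(total_len: int = 68) -> bytes:
    """Return a test file of total_len bytes (68..128), padded with newlines."""
    if not 68 <= total_len <= MAX_LEN:
        raise ValueError("EICAR file must be 68 to 128 bytes long")
    return EICAR.encode("ascii") + b"\n" * (total_len - 68)


def is_eicar(data: bytes) -> bool:
    """Check that data is a spec-conformant EICAR test file."""
    if not 68 <= len(data) <= MAX_LEN:
        return False
    if data[:68] != EICAR.encode("ascii"):
        return False
    return all(b in TRAILING for b in data[68:])


def eicar_zip(name: str = "eicar.com") -> bytes:
    """Wrap the test file in a zip to exercise the gateway's archive path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, eicar_bytes())
    return buf.getvalue()


def eicar_mail(sender: str, rcpt: str, zipped: bool = False) -> bytes:
    """Build a MIME message carrying the test file as an attachment (placeholder
    addresses). The attachment is base64-encoded, so the mail scanner has to
    decode MIME before it can see the 68-byte string."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, rcpt
    msg["Subject"] = "EICAR gateway check"
    msg.set_content("Harmless EICAR test file attached; expect the gateway to flag it.")
    data, subtype, fname = ((eicar_zip(), "zip", "eicar_com.zip") if zipped
                            else (eicar_bytes(), "octet-stream", "eicar.com"))
    msg.add_attachment(data, maintype="application", subtype=subtype, filename=fname)
    return msg.as_bytes()
```

A gateway that passes the plain attachment but not the zipped one tells you the archive path is the gap, which is the kind of "does it at least look" result the thread says EICAR is good for.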
Posted by matthias on June 16, 2005, 7:36 am
I wanted to let you know that in the meantime, with the help of a
colleague I continued to work on this topic. We managed to create nearly
30000 test files just containing virus signatures. We then checked them
with Symantec's AV and got a detection rate of nearly 9%. This means
more than 2600 viruses were detected just because of their signature.
In my opinion, for not being supposed to detect a single one of them,
this is quite a high result...
Posted by Zvi Netiv on June 16, 2005, 7:15 pm
> I wanted to let you know that in the meantime, with the help of a
> colleague I continued to work on this topic. We managed to create nearly
> 30000 test files just containing virus signatures. We then checked them
> with Symantec's AV and got a detection rate of nearly 9%. This means
> more than 2600 viruses were detected just because of their signature.
>
> In my opinion, for not being supposed to detect a single one of them,
> this is quite a high result...
You actually tested your AV for false positive susceptibility. ;-)
Take a look at the following:
http://groups-beta.google.com/group/alt.comp.virus/msg/93248a9d9c4986bf
Regards, Zvi
--
NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities