avast! seemed to do decently, though they didn't mention how kubuntu does...

"The c't researchers also created variants of known viruses"

This is enough to discredit them as "researchers". There are proper ways of testing how well an AV product handles viruses unknown to it - but this isn't one of them. Yet another meaningless "test" by ignorant morons.

Huh? Your statements beggar belief!

So how, exactly, are they meant to test the detection of viruses? By writing "hello world" programs and seeing if the AV applications detect these? A virus is just a program that performs certain tasks, if the "test" program you write doesn't perform these then it isn't a virus and therefore *shouldn't* be picked up by an AV scanner.

I suppose you also disapprove of Vulnerability Scanners and and other tools used by security professionals to verify the security levels of the systems/infrastructures they are trying to secure? After all, some of the tools were created by unethical hackers for malicious purposes...!

"There are proper ways of testing how well an AV product handles viruses unknown to it" Yes? Care to elaborate on that?

Get a grip. Are ethical hackers unethcial? It's just a security test, they probably didn't create actual viruses for use, but rather something that simulated the code the heuristics are designed to look for.

Maybe aye, maybe no, but it's still not very mature to call the researchers c'ts. At worse, they're a'eholes or f'kwits.

There's plenty of anti-virus for Linux - many of the proprietary people produce a version for Linux servers, and there's a few open source packages (like ClamAv).

The difference is that AV on Linux is largely aimed at reducing the propagation of viruses by Linux servers, rather than preventing infection of the Linux machines themselves.

My company mail server has a pretty aggressive AV set-up to scan incoming mail, thus reducing the risk to my co-workers who might be using the OS which the virus is actually targetting. Same goes for the Web Servers, especially where file uploads are permitted...

There are a few viruses, trojans and rootkits that specifically target Linux servers, especially the common LAMP stack - it's foolish to assume that Linux is safe, especially if it is exposed to the Net.

. . don't click.

Education is better than shelling out for the bloated stuff that usually comes with a machine. It doesn't help that many users never even click on 'update' on their anti-virus S/W as the icon in the system tray says 'Norton' or similar so the 'must' be protected.

It also doesn't help when testosterone gets in the way and the thought of a surreptitious peek at the crotch of some celeb silences any warning bells in the head.

Oh yes, and how are you supposed to test for variants - e-mail the virus writers for the next Spring collection or knock up a few of your own with the available kits?

It beggars belief that an AV company's representative (whether in personal or professional capacity is irrelevant) claims that creating more variants of computer virii to test for 'unknown' threats is unethical.

If anything, it mirrors the real world, where such new threats are generated weekly, if not daily! The difference is that these variants do not leave the lab where these tests occur, that they give the researchers a solid test bed to work with, whereas you'd have to honeypot some machine for weeks to get some sort of unknown virus, which doesn't help since by that time those variants are caught by the updated signatures, which ruins the test in the first place.

Yes, so it leaves your organisation on the back foot Dr Bontchev, but it does the same for your colleagues at McAfee, Symantec, Sophos, Eset, Panda, Trend Micro and God only knows which other AV companies. Do you for one second think that your competitors are happy about that? No, they're not. But they don't sound like cry-babies. They fix their software to be more accurate.

Creating new variants is no different from bio-virus researchers at Fort Detrick (AMRIID) or CDC in Atlanta, who do this to ensure that their vaccines are broad-spectrum enough for the purpose they were designed for. Does that make these researchers unethical too?

How about "I've always used windows, i can't stand macs, Vista still sucks"?

... Anyone who creates new computer virii to cause damage, or anyone releasing testbed data (such as the set c't Magazine created) into the wild irrespective of reasoning behind it, earns my condemnation as being unethical. In that respect I am in agreement with Dr Bontchev.

I logged in to bash this wack job Bontehev but everyone else beat me to it.

It isn't unethical to create modified versions of a virus in a lab environment if you need to test Antivirus detection.

Sigh... The crowd of ignoramuses who drool reading ElReg's stupid articles is again demonstrating its collective ignorance. OK, lecture time.

Nick Ryan: I am not sure what you mean exactly. What you're saying is very true - using non-viruses to test an AV program is utter idiocy but, alas, some AV testers do that too. :-( I see no evidence that this is what c't has done, though. If you are objecting to my comment, then I fail to see where the objection is - please bother to explain your thoughts in a more literate manner. I never said that they shouldn't be using viruses to test AV products. In fact, I didn't even say that they shouldn't be using viruses unknown to the AV products they are testing - a fact, which many of the half-wits here clearly missed. What I said is that it is unethical to *create* viruses (no matter for what reason but especially for the purposes of an AV test).

Joskyn Jones: Your supposition is false. My comment covers only self-replicating malware, i.e., viruses.

Gerrit Tijhof: It's quite trivial, really, and the respectable testers do it regularly. Simply, they use viruses that have appeared *after* the AV products they are testing have been released. They don't create these viruses, of course - that would be unethical. They simply use older products - usually 6 months old. Given that 5000+ new malware programs appear every month, there is plenty of test material without the need to create any new one. By conducting such tests regularly, one can eliminate flukes (e.g., under-performance because of an one-off bug in a particular old version of the AV product). Google for Andreas Marx - he is one of those who have performed such tests.

steve: Get a clue. The testers had no way of knowing what exactly the heuristics are looking for, in order to "simulate" it. Besides, the different AV products use different heuristics. Using non-viruses ("simulated" viruses) to test AV products is *wrong* - but this isn't what c't did.

Geoff Mackenzie: If your comment is a joke, it's a good one. :-) If it's a genuine misunderstanding, "c't" is the name of a German computer magazine.

Michael H.F. Wilkinson: There is a much simpler test - is the program you created capable of self-replication, or not - and was this property implemented intentionally? If yes, then your act is unethical, regardless of your intentions. First of all, there is *NOTHING* that can be performed with the help of self-replicating code that cannot be performed without (although that might be at the cost of increased efforts from your part). NOTHING. Second, a virus replicates. It *will* get out. Third, you have to submit the non-detected samples to the companies making the products that didn't detect them - so that the products can be improved or your test is meaningless. But you have no way of ensuring that the products will really "improve" if they start detecting the viruses created by you. Their heuristics might stay the same and they might add just virus-specific detection of them. So, you end up creating work for the AV companies without any benefit for the user. Worse, the "benefit" is not just zero - it's negative. Who do you think will have to pay for the increased workload of the AV companies? That's right - the users. So, virus creation always ends up costing the users money and is unethical.

Anonymous Coward: Get a grip. All industries are staffed exclusively by "capitalistic crooks". That's the definition of "industry" - capitalism. Or does your food and clothing come from charities? Or maybe you truly believe that "Product X" washes whiter than "Product Y"? The AV industry is no different. We, the anti-virus producers, have to eat - just like everybody else. For that, we have to sell the products we make. If you don't like it - don't buy them. Most people find that they like it even less when their computer gets infected due to the lack of protection - but maybe you're different.

Keith T: If user education was ever going to work, don't you think that it would have worked by now?! For every user you manage to educate, a hundred others appear. As for your "how to test" question, your supposition, despite being sarcastic, is not far from the truth. You just have to reverse it - instead of asking the virus writers for their next Spring creations (that would be stimulating virus creation - which is also unethical), wait till the next Spring to test the AV programs of today. Or test with today's viruses the AV programs released this summer. Simple, really - one would have thought that even somebody with a room-temperature IQ would be able to figure it out.

Stefan Paetow: It doesn't "mirror" anything. You don't have the slightest clue how heuristics work, do you? There are two main approaches. First approach (and the one I personally prefer) is "follow the definition". By definition, a computer virus is a program that replicates itself. So, examine the piece of code you're scanning and attempt to determine whether it contains instructions that copy it elsewhere. (Of course, it could simply be an installer - in which case your heuristic is causing a false positive - but that's why it's a heuristic and not a strict algorithm.) How does c't's approach "test" these? They don't know exactly what properties the author of the AV program is looking for in order to determine that the code is copying itself. If they create programs that have these properties, the "test" will say "this AV product is great" while in reality it might miss the majority of viruses created by the virus writers. If they create programs that don't have these properties, the "test" will say "this AV product sucks" even if it actually manages to detect the vast majority (albeit not all) of the viruses produced by the virus authors. Ergo, the "test" results are meaningless.

The second way to implement heuristics is to examine a "bloodline" of malware - i.e., many different but closely related variants of a virus family. The AV producer then determines what seems to remain relatively constant in this family and what seems to change a lot and implements detection of the constant thing. In a way, the AV producer is trying to read the mind of the virus writer and to guess how his future viruses will look like. But this approach is useless for the kind of viruses that are specifically created for test purposes - because there is no "bloodline" to examine. So, the "test" is again meaningless - many AV products that succeed very well to detect unknown viruses might fail it.

Graham Wood: It's me, the genuine article. Google me and you'll see that I'm a rather outspoken opponent of virus creation for WHATEVER purposes. Look up my papers "The Pros and Cons of Macro Virus Upconversion" and "Solving the VBA Upconversion Problem" to see to what lengths I am prepared to go, in order to avoid even trivial virus creation while still protecting the users.

And, yes, you're missing the obvious - there is a third, much better approach; see above.

Oh, and reverse-engineering OF VIRUSES is *not* illegal anywhere. In fact, even reverse-engineering of commercial products is explicitly allowed for specific purposes even in the countries that have laws against reverse-engineering.

Only a person who has no clue how AV programs work can call such "tests" a "sensible approach". It doesn't test *anything*. It's results are *meaningless*. They give absolutely no reliable information whether the tested AV programs are really good or bad.

"Controlled experiments were part of good scientific procedure when I last checked, as anyone with a PhD would appreciate."

Ah, but that would be assuming he's a real doctor, and not just some MD...

Anyway, people who feel the need to put "Dr." in front of their screen names for websites have suspicious psychology... Should I change mine to Dr. J too, since it took me years and quite some work to get my PhD, therefore I must advertise it? Do the chicks dig it, at least? Hmm...

>Well, it's not worth refuting point by point, but you're quite simply wrong. For test purposes, there's nothing inherently evil or wrong with creating viruses. Releasing them in the wild is the wrong thing.

Historically AV industry takes very firm stance on that, and clear separation from those who create malware has served us well so far, so don't expect it to change anytime soon.

Before times of industrial virus writers there were a lot of crackpots accusing AV companies of creating viruses by themselves. And one of the defences of the industry was to have a very clear ethical guidelines.

See:

http://www.eicar.org/about_us/code_of_conduct.htm

>And, no, just because you have a self-replicating program does NOT mean it's going to magically get into the wild. It's quite easy to avoid in fact.

Yeah right, in these days of ubiquitous WLAN and Bluetooth TCP/IP, I would be a bit careful with such statements.

Couple years ago US nuclear power station got infected by Blaster worm, I'd guess that they tried to secure their environment. And still there was one T1 installed by contractor that security did not know about.

>I don't expect that c't is hiring some hax0rs to custom write brand new viruses, I expect they are just making simple alterations to existing ones to see if the virus scanners will catch them or not. That's the very essence of testing if the virus scanner's heuristics are good or not.

Just how do you make simple alterations to existing malware and still have test set that is in any way relevant?

Even if we skip the ethical issues, such test is still invalid for many reasons.

1. Are the modified variants still viable?

You could easily make something that flips one instruction here and one there, and result might even execute, but would it still be malicious? Who cares if some AV product cannot catch a damaged sample.

2. Are the modifications similar that have and will be created by malware writers?

Even if we assume that magazine reviewers are capable of creating new functional malware, are their creations anything like that will be seen in the wild?

What use there is to create more work for AV companies to make them catch modifications that will never occur outside c't labs?

3. Who cares if signature based detection or static heuristics cannot catch a new sample, they are only a fraction of modern toolkit.

The days of simple AV scanner have been over for many years, modern AV packages use a lot of different techniques, from simple heuristics, to emulation, to runtime behavioral analysis. Testing that all is very complicated work, and taking shortcuts in the simple part of process is frankly very stupid.

As Vesselin said, the best and ethical approach is:

1. Install AV product with 3-6 month old updates.

2. Test it against malware that has appeared after that.

Far easier to accomplish, and the results are actually usable.

J: I *am* a real doctor (Ph.D.) - not some MD. As you would have doubtlessly discovered, had to used an ounce of common sense and had you googled me. My Ph.D. thesis, "Methodology of Computer Anti-Virus Research", is used as a textbook for educating new anti-virus researchers at several anti-virus companies. Whether you put your scientific title in front of your name or not, I guess, depends on how much confidence you have that you deserve it.

Henry Wertz: I never said it was evil. I'm pretty sure that the people at c't had the best intentions in mind. But it is still unethical and wrong (technically wrong - not just ethically). Creating new viruses does *NOT* give meaningful results in tests. And these viruses *DO* get out, increasing the workload of the AV companies and, in the long run, costing the users money.

I am not saying that they will get out and start infecting your hard disk. But they *have* to be provided to the producers of the AV programs that did not detect them - so that these programs can be improved. (If this is not done, the "test" is even more meaningless. Like you know, "gee, I created a bunch of new viruses that your product didn't detect and I won't even let you figure out why".) And, the way malware is shared among the AV industry these days (we get 5-7 Gb collections of new malware every month just from Microsoft!), it is guaranteed that just about everyone (every AV company, I mean) will have them within a month. And will have to implement detection of them. Which, I assure you, is not free. And the costs of which will be eventually paid by the users.

So, to summarize, such "tests" do not give a meaningful indication of whether an AV product is good or not, and they end up costing the users money. Not to mention that they enforce the myth that "AV people make viruses". In other words, they are a very bad idea. Any AV tester who does not know and understand this is at best incompetent.

On the ethical side, an AV person creating a new computer virus is similar to a medical person creating a new deadly biological virus. Yes, I'm quite aware that quite a few people with a medical education do just that (e.g., for bioweapons research) - but for someone who has sworn to "do no harm", it is still unethical, no matter how it is rationalized as "necessary".

Finally, it is true that many AV companies treat viruses and spyware/adware differently. The reason is mostly technical. Viruses are easy to define formally - if a program replicates, then it's a virus. And a program either replicates itself (in some real-life environment, of course, because for any given sequence of symbols it is possible to construct an environment in which it will self-replicate) or it does not. Simple. But Trojans, adware, spyware, etc. are difficult to define objectively. Their definition requires such subjective terms as "malicious" and "damage". But what is "damage" for one person might not be for another.

Let me give you an example. Is a program that formats your hard disk malicious? What if it's the program FORMAT.COM? Does it become malicious if somebody renames it to SEXYGIRLS.COM? Despite that it has the same content? Ah, but it asks before proceeding. What if the question is in Swahili? And the default answer is "yes"? Is it a malicious program - or just a badly designed one?

In any case, I don't see how you have made the conclusion that this dichotomy (AV companies treat viruses differently from adware/spyware) is what has lead to under-performance of some products in these so-called "tests". Whether the newly created viruses would be detected depends only on what heuristics the AV products used and whether the viruses were created in a way that would avoid these heuristics or not.

is to use Ubuntu Linux. No viruses for Linux. Much better than Windows - and don't get me started on Vista,

Perhaps some of the more informed/enlightened posters could divert their intellect into the study of biological viruses and their role in the food chain.

When they've completely eradicated the "nuisance" they cause to us good people, they can "cure" the electronic world too

Viruses are simply sculpting the IT industry towards a perfect (if possible) method of computing.

My current plan is to do banking and other sensitive work on a trusted computing platform, and the rest on whatever comes to hand.

Here's my trusted platform: an old Pentium III @930 MHz with 384 MB of RAM running Knoppix 5.1.1. Every boot is clean off either a CD, DVD or an iso image of same on the hard disk, though I plan to re-md5sum the hard disk image periodically to ensure that it hasn't been tampered with.

I do have persistent storage on a USB key integrated with the Knoppix image filesystem via AUFS which could preserve contamination across boots, but I hope to limit its usage to personal data storage as opposed to extensive system software and configuration file changes. (I still need some way to compare configuration and software updates with the static iso image just to make sure that only my changes have been made.)

If I'm feeling especially paranoid, I can still boot straight off the CD or DVD without the persistent USB storage and do my banking etc. with zero possibility of software and/or configuration contamination assuming that

1) I downloaded and burned a clean copy of Knoppix,

2) Klaus Knopper has put together a clean distro, and

3) nobody has hidden a hardware keylogger in my keyboard or desktop system.

(As for privacy, I plan to do whole-disk encryption with loop-AES since the dm stuff doesn't seem cooked quite yet. I'm already running encrypted swap on a separate disk volume.)

Although the DVD edition of Knoppix has some nice software development tools, I will probably do development and general web browsing in less austere surroundings.

But can anybody poke any holes in my trusted computing platform as far as virus resistance is concerned?