On Sun, 11 Jan 2004 04:38:50 +0100 (CET), Tarapia Tapioco
<(E-Mail Removed)> wrote:
>In message news:(E-Mail Removed), (E-Mail Removed) wrote...
>> On Sat, 10 Jan 2004 18:08:33 GMT, (E-Mail Removed) wrote:
>>
>> >One thing that might help is to test scanners with, say, several
>> >thousand carefully selected crud samples. For every alert on a crud
>> >sample, a penalty of -1 would be added to the number of alerts on
>> >viable samples 
>
>That sounds like a good idea. Scanner vendors know the Virus Bulletin
>blackballs for false alarms, so they try their hardest to avoid false alarms.
>If the Virus Bulletin started blackballing for crud, vendors would have no
>choice but to clean up their data bases. But it would break too many eggs.
>15 years of FUD marketing and hype would be publicly exposed if the
>scanners that claim to detect 70,000 viruses today suddenly detect only
>60,000 viruses tomorrow. It will never happen.
>
>> BTW, the above was merely a fleeting nasty thought and actually I
>> don't think it's a good idea at all. I do think a separate test using
>> a large and carefully selected set of crud files is a good idea. I'd
>> certainly be interested in seeing an objective "crud detection index"
>> for the scanners.
>
>You would have to reverse engineer and decrypt scanner data bases
>to obtain their crud signatures.

Not to just test them you wouldn't. I'm not suggesting reverse
engineering any scanners.

>You would find yourself on the wrong side of a lawsuit very quickly.

Well, that would depend on how the test was handled and by whom, I
suppose. Some amateur who just goes out and downloads eval versions of
scanners for testing purposes on his own and then publishes the
results could wind up in deep doodoo I would think, especially since
it's often in writing that using eval scanners in this way is barred.
I dunno if this could be pulled off by one of the recognized testing
agencies or not. I can't imagine getting widespread vendor
cooperation. LOL!

Oh well. Actually, since crud isn't found on most PCs it's not a
serious issue for users IMO. It's annoying to think that data base
swelling is partially due to useless crud detection. I can understand
why someone like Nick gets ****ed over the idea that crap testing by
amateurs and vxers has brought this about. But how do you punish the
vendors, as it were, for playing the testing games? How do you try to
put an end to it?

Art
http://www.epix.net/~artnpeg