Yes, I’ve used that pun before, but I can’t resist using it again now that I’m back from the EICAR conference. I actually got back a couple of days ago, but I was sidetracked by some urgent administrivia and dental treatment. I’m having bacon and eggs for breakfast, my first pet’s name was Stuart Little Caesar Salad, and the first street I lived on was Letsby Avenue. Oh, sorry, I forgot for a moment that I’m not posting on TwitterBook…
So, EICAR. I went to several of these in the 1990s when the organization was still formally known as the European Institute for Computer Anti-virus Research, but quite rarely this decade, for various complicated reasons such as a change of job focus. Having learned, however, that EICAR is taking a strong interest in security software testing, which you may have noticed plays a large part in my life, there was no way I wasn’t going to this one. And, sure enough, there was a healthy ration of testing-related presentations, though it was depressing to see how young everyone in the industry (not to mention academia, which has always been well-represented in EICAR) is these days.
As I mentioned in a previous blog, there was an interesting panel session on testing issues at which members of AMTSO, EICAR, ICSALabs and CARO spoke. While this session didn’t solve the testing problem at a stroke, it did have a positive outcome, in that all the parties concerned seem to be in agreement that they need to cooperate and share information. Well, of course, such talk is cheap, as any summit conference demonstrates. But there’s actually room here for more players. While AMTSO is doing important, practical work towards raising standards with a small "s" and providing information for testers, the public, and vendors alike, EICAR may well be able to provide impetus towards providing definitions and standards in a more formal sense, and the importance of such work should not be underestimated.
Meanwhile, I’d like to pick up a point that was made after Randy and I presented a paper on "Execution Context and Anti-Malware Testing". Another vendor suggested that the paper should have been directed more specifically at mainstream testers in another presentation context, because anti-malware vendors already know about the problems with static testing and the misinterpretation of detection statistics.
I think this misses several points: mainstream testers and certification providers were both represented at the conference, which in any case is not exclusively focused on anti-malware and certainly not solely intended for information exchange between vendors.
The fact that the individual testers specifically mentioned weren’t physically present on this occasion is irrelevant: one of them has certainly been an attendee and presenter at EICAR in the past, and the other has actually asked for a copy of that paper. Furthermore, both are active in AMTSO. These are people who are trying to contribute to the improvement of testing in general and constantly working on their own methodologies, and shouldn’t be confused with those less well-informed testers who are most likely to mislead their audiences because they have insufficient understanding of the technology they’re testing. Do many of these less-informed individuals attend Virus Bulletin or EICAR? Of course not: but as more people realize the specific problems, the likelihood increases that the information will be cascaded down to testers and audiences.
Meanwhile, the security industry does itself no favours by giving the impression that it is the sole guardian of knowledge and cannot learn, only teach: that impression is one of the biggest Public Relations problems the industry in general faces. Furthermore, one of the problems we do need to acknowledge is that if vendors are exploiting general misunderstanding of technology in order to get good reviews, they are contributing to the problem, not the solution. The anti-malware industry doesn’t deserve all the bad press it gets, but it’s not altogether an innocent victim either. But that’s starting to sound like an altogether different paper.
My EICAR paper is now available here, if you’d like to make your own decision as to how relevant it is. Like several of our conference papers, it isn’t mounted directly on the ESET white papers page, in order to avoid issues with organizations that don’t like papers that have been presented at their conferences mounted on commercial web sites, but we do link to them along with all the other resources we list there.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET