That Magic Lantern thing just keeps raising its head (and an ugly little head it is too, poor thing…) Earlier this week I was in Krems, Austria, for the EICAR conference,and the story was alluded to in a paper by Eric Filiol and Alan Zaccardelle called “Magic Lantern… Reloaded/Anti-Viral psychosis McAfee Case," though it was kind of peripheral to the other topics covered in that paper.
I picked up one of those other topics in a blog for SC Magazine, in particular the suggestion that the industry – or at any rate one of our competitors – exaggerates the size of the malware threat by detecting the same threat under more than one name. I'm quite clear in my own mind that this suggestion is the result of confusion between the number of threats and the number of detections (signatures, if you like) that a scanner has. I addressed that at some length for SC Mag, but the gist is this.
Let's try the hypothetical example of a malicious program that uses a well-known malicious obfuscator. What do you call the detection?
In this instance, two products might both detect every sample of our hypothetical malware that exists. Which is best, A or F? You might argue that A is best because it has more signatures, or that F is best because it detects more samples. Actually, you can't determine which is best, because they're counting different things, and anyway the detection names don't tell you anything about numbers in either instance.
In that blog, I said that I didn't know if the competitor in question publishes the total number of threats it detects. (That was literally true: I was getting my internet connection in a hotel, and for some reason it wouldn't connect to any of the search engines I tried. It's amazing how difficult it is to research a topic without a search engine…)
Kurt Wismer suggested that it does, and came up with this link from 2006. However, that looks to me like The Register's interpretation of some figures about detections, not numbers of individual threats. [Update: I owe thanks to Kurt, who has since found the post by Jimmy Kuo to which the Register article refers, and confirms that it's about detections, not raw threat volumes.]
In any event, I would certainly suggest that you take any statement like "Grottyscan AntiVirus is best because it detects 200 million viruses" with a pinch of salt. Actually, a whole salt mine.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, ESET