VirusTotal, Useful Engines, and Useful AV

In a recent blog on whether security professionals really don't use anti-virus (sorry, but quite a few of us do!) I mentioned a paper by myself and Julio Canto on the use and misuse of multi-scanner sites like VirusTotal.  Especially the (Virus-)totally inappropriate use of VT reports as some sort of substitute for real comparative testing.

I presented it at a forensics conference in the UK a while ago, but since quite a few people have expressed an interest in it, it's now on the ESET white papers page: Man, Myth, Malware and Multi-Scanning.

 Another Really Useful Engine*

 As it turns out, the argument as to whether or not anti-virus is worth anything continues to rage. Well, perhaps it's better described as mild peevishness rather than rage.

• In the latest issue of SC Magazine, there's a debate between Jeremiah Grossman and myself as to whether Anti-virus is essential. I guess you could call it a draw, since my view is that it isn't always essential and his seems to be that it is essential but not worth paying for. ;-) (And if you read it in the print edition of the magazine, no, I haven't changed my name to Hartley: it's a typo.)
• Paul Ducklin also weighed in today, discussing the proposition that Anti-virus is no good.
• Simon Edwards explained Why even experts need antivirus just a few days ago.

I have a feeling I'm going to have to come back to this, but not tonight: it's the VirusTotal/multi-scanner paper I want you to read right now. :)

* Photograph by permission of Small Blue-Green World

David Harley CITP FBCS CISSP
ESET Senior Research Fellow