You may have noticed that we have an intense interest in issues around sample-sharing and testing. Recently we noticed a thread in a forum associated with a free security product, originating in an open letter to a well-known tester, asking him to donate his sample set for the improvement of the product.

You might think that the anti-malware industry would hate the idea of free anti-malware products. As it happens, we aren't against free products in principle: some companies make a free version of their software available for home users, and others (like ESET) make a free on-line version available. (There is a problem with many free products if the user gets the idea that they're better protected by freeware than is really the case, and I'll revisit that issue in another, more general blog.)

However, on this occasion, many of the people involved in the thread have missed the point, and that's the point I want to focus on now.

Sample sharing in the anti-malware industry is done on the basis of responsible, ethical exchange between trusted parties (including reputable testing organizations). The exchange might be regulated by contractual agreements, but even when the agreement is informal, it's always on the assumption that the same samples will only be passed on subject to terms acceptable to the original source of the samples.

In other words, if source A gives samples to tester B, A is entitled to expect that B will not pass them on to anyone else unless that's within the terms of their agreement, and that if B does pass them on, it will be in a responsible manner to a trustworthy individual. (Let's be original and call him C.) If those expectations are not met (as when B doesn't have permission to share A's samples, or A doesn't regard C as a trustworthy individual), the trust relationship between A and B evaporates: A stops giving samples to B, so C's supply also dries up. Everybody loses.

It's not about C being in competition with the commercial interests of mainstream vendors: the purveyors of free software aren't generally able to offer the full range of features and support that commercial vendors can, so aren't really in competition. It's perfectly possible for a developer of free software to develop trust relationships of his own with the anti-malware industry, but he has to prove in some way that he's honest and competent.

Let's assume that C is a sincerely well-meaning individual with no hidden agenda, but has no interest in co-operating with the anti-malware community at large. That may be because he doesn't trust that community, which is his prerogative, but it means there is no basis for a mutual trust relationship. Even worse, he may understand neither the ethical framework nor the technical issues around co-operation in the industry, which suggests that he doesn't really understand the nature of the threat he's aiming to mitigate. (That's also an issue that deserves its own blog.)

To attempt to use someone else's trust relationship to get an occasional transfusion of samples, so as to avoid subjecting oneself to the scrutiny of the anti-malware industry, would, regardless of the ethical issues, simply not be a practical approach to maintaining a serious malware-specific scanner.

David Harley
Director of Malware Intelligence