Two years on from “Is there a lawyer in the lab”, greyware and Possibly Unwanted Applications offer serious challenges for security vendors.
First published in Virus Bulletin 2011 Conference Proceedings*

The Anti-Malware Testing Standards Organization (AMTSO) has shaken up the AV testing world and attracted much controversy. But has it outlived its usefulness? And what is the future of detection testing?
First published in Virus Bulletin 2011 Conference Proceedings*

Presented at the 2011 EICAR conference in May 2011, this paper contrasts existing malicious and legitimate technology and marketing, considering ways in which integration of security packages might mitigate the current wave of fake applications and services.

This paper, presented at the Annual Computer Security Applications Conference (2010), and to which ESET’s Pierre-Marc Bureau was a contributor, discusses alternative approaches to understanding botnet mechanisms, using “in the lab” experiments involving at-scale emulated botnets.

This paper, presented at the 2010 AVAR conference summarizes the kind of problems that arise when simulated malware is used inappropriately in detection testing, with particular emphasis on the history and correct use of the EICAR test file.

How and why a group of researchers replicated a botnet for experimental purposes, and what use they made of the results.
First published in Virus Bulletin 2010 Conference Proceedings*

Considers the good, the bad, and the ugly in comparative testing, and explores how to lie (or even inadvertently mislead) with detection statistics.
First published in Virus Bulletin 2010 Conference Proceedings*

Does WildList testing still have a place in testing and certification when dynamic and whole product testing methodologies are now preferred in most testing contexts?
First published in Virus Bulletin 2010 Conference Proceedings*

This paper looks at the implications in the age of the botnet of the “Some Other Dude Did It” and “it must have been a Trojan” defences against conviction for possession of illegal material, especially pornography.
Presented at the 4th Cybercrime Forensics Education & Training (CFET 2010) Conference in September 2010.

A summary of how the Anti-Malware Testing Standards Organization has developed in the past few years and the way in which the AV and testing industries have responded to those developments.
Presented at the 4th Cybercrime Forensics Education & Training (CFET 2010) Conference in September 2010.

This paper objectively evaluates the most common performance testing models (as opposed to detection testing) used in anti-malware testing, highlighting potential pitfalls and presenting recommendations on how to test objectively and how to spot a potential bias.
First presented at EICAR 2010 and published in the Conference Proceedings.

Apple’s customer-base has rejoined the rest of the user community on the firing line. This paper will compare the view from Apple and the community as a whole with the view from the anti-virus labs of the actual threat landscape.
First presented at EICAR 2010 and published in the Conference Proceedings.

This 1997 paper reviews the shared history of viruses and the Mac, summarizes the 1997 threatscape, and considers possibilities and strategies for the future. It’s been made available for historical interest because so many people asked about it at EICAR 2010.
First published in Virus Bulletin 1997 Conference Proceedings.*

This paper looks at the ethical, political and practical issues around the use of “policeware”, when law enforcement and other legitimate agencies use “cybersurveillance” techniques based on software that resembles some forms of malware in its modus operandi.
First presented at AVAR 2009 in Kyoto, and published in the Conference Proceedings.*

This paper considers the practical, strategic and ethical issues that arise when the security industry augments its marketing role by taking civic responsibility for the education of the community as a whole.
First presented at AVAR 2009 in Kyoto, and published in the Conference Proceedings.*

This paper considers steps towards a holistic approach to behaviour analysis, using both social and computer science to examine the behaviours by both criminals and victims that underpin malware dissemination.
First published in Virus Bulletin 2009 Conference Proceedings.*

This paper traces the evolution of email-borne chain letters, from crude virus hoaxes to guilt-tripping semi-hoaxes, and examines both their (generally underestimated) impact on enterprises and individuals, and possible mitigations.
First published in Virus Bulletin 2009 Conference Proceedings.*

This paper by the Head of ESET’s Virus Laboratory explores the complex legal problems generated by applications that can’t be called out-and-out malware, but are nevertheless potentially unsafe or unwanted.
First published in Virus Bulletin 2009 Conference Proceedings.*

This paper follows up on “A Dose By Any Other Name”, explaining why sample glut and proactive detection have sounded the death knell of the “one detection per variant” model.
Presented at the 3rd Cybercrime Forensics Education & Training (CFET 2009) Conference in September 2009.

This paper explains why comparative test results based on static testing may seriously underestimate and misrepresent the detection capability of some products using proactive, behavioural techniques such as active heuristics and emulation.
First published in EICAR 2009 Conference Proceedings.