Better-Behaved AV Testing

The newly formed Anti-Malware Testing Working Group will determine how best to conduct behavioral tests

5:54 PM -- Antivirus software testing has always been hit or miss because most testing relies on virus signatures catching suspicious files, not on how those suspicious files actually interact with the system. Rarely are AV products really put to the test -- on just how effective they are when deployed. The AV fight club put on by Untangle Inc. is a perfect example of this. (See Antivirus Tools Underperform When Tested in LinuxWorld 'Fight Club'.)

But hopefully the formation of the Anti-Malware Testing Working Group will help magazines, vendors, and prospective customers test these solutions to see if they can protect computers from all types of malware. The group, which was formed last week during a meeting of security vendors and software testing organizations, will determine how best to conduct behavioral tests -- something that reputable testing groups have been doing for a couple of years.

Why is behavioral detection so important? This year, antivirus vendors have dealt with a record-breaking number of malware submissions. There are too many samples for them to analyze each one, so vendors must come up with behavioral detection methods that will complement, and possibly replace, traditional virus signatures.

Virus signatures will still have a place for doing quick analysis to see if a file is suspicious, which is useful in incident response situations where decisions need to be made immediately, or on a network gateway that scans HTTP/FTP/SMTP, etc., traffic. But the usefulness of signatures has been waning as most of today’s malware is obfuscated with compression (packing) and encryption (crypting).
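To make the packing point concrete, here is an added Python illustration (not from the article or any AV vendor) with a constructed sample, a constructed signature database and a toy packer (zlib plus single-byte XOR): a plain byte-signature scan matches the raw sample but misses the packed copy, and only a scanner that peels packer layers before rescanning, the way engines with generic unpackers or emulation do, catches it again.

```python
import zlib
from typing import Dict, List, Optional

# Constructed bytes standing in for a suspicious file; this is not real malware.
SAMPLE = (b"MZ\x90\x00" + b"constructed dropper body " * 4
          + b"CreateRemoteThread;URLDownloadToFileA" + b"\x00" * 16)

# Constructed signature database: detection name -> byte pattern to look for.
SIGNATURES: Dict[str, bytes] = {"Constructed.Dropper": b"URLDownloadToFileA"}

MAGIC = b"PK01"  # constructed header marking the toy packer's output


def scan(data: bytes) -> List[str]:
    """Plain signature scan: which patterns occur verbatim in the bytes?"""
    return [name for name, pat in SIGNATURES.items() if pat in data]


def pack(data: bytes, key: int = 0x5A) -> bytes:
    """Toy packer: compress, then XOR every byte with a one-byte key."""
    body = bytes(b ^ key for b in zlib.compress(data))
    return MAGIC + bytes([key]) + body


def unpack_layer(data: bytes) -> Optional[bytes]:
    """Reverse one layer of the toy packer; None if the header is absent."""
    if not data.startswith(MAGIC) or len(data) < len(MAGIC) + 1:
        return None
    key = data[len(MAGIC)]
    try:
        return zlib.decompress(bytes(b ^ key for b in data[len(MAGIC) + 1:]))
    except zlib.error:
        return None


def scan_deep(data: bytes, max_layers: int = 8) -> List[str]:
    """Scan the bytes as given, then peel packer layers and rescan each one."""
    hits: List[str] = []
    layer: Optional[bytes] = data
    for _ in range(max_layers + 1):
        if layer is None:
            break
        hits.extend(h for h in scan(layer) if h not in hits)
        layer = unpack_layer(layer)
    return hits


if __name__ == "__main__":
    packed = pack(pack(SAMPLE))  # two packer layers, as crypters often stack
    print("raw:", scan(SAMPLE), "packed:", scan(packed), "deep:", scan_deep(packed))
```

Real packers are far less regular than this one, which is exactly why static signatures alone fall behind and why observing what the file does once it runs carries more weight.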

The shift toward behavioral testing will have a major impact on the groups doing the actual testing. Scanning with signatures is fast and easy, but behavioral testing will require physical, not virtual, machines to execute the suspicious file to determine its behavior. Virtual machines can’t be used because malware authors have already demonstrated their skill at detecting virtual environments and operating differently.

So if your organization does antivirus testing regularly, or is looking to switch AV vendors, keep an eye out for the upcoming testing guidelines from the Anti-Malware Testing Working Group.

– John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading