Ethics and Virus Testing

By Larry Seltzer  |  Posted 2006-08-20 Print this article Print

Opinion: How come discovering vulnerabilities and writing exploits is "research," but viruses for testing is a crime against humanity?

The anti-virus community is abuzz in controversy over the tests performed recently by Consumer Reports on anti-virus products.

CR went out and did what many of us have considered in the past, but not actually done: With the help of consultants at ISE (Independent Security Evaluators), they created a test bed of 5,500 new viruses in order to test the products.

There's an old joke about Consumer Reports, that nobody respects their work for their own field, just for others. So a carpenter will scoff at their review of circular saws, but trust them for gas grills and washing machines. I've heard a lot of this in the discussions about virus testing.

Symantec's veteran virus-hunter Vincent "Vinny" Gullotto recently joined Microsoft to head its Security Research and Response team. Click here to read more.

Many in the anti-malware community are adamant that creating viruses is always a bad thing, and never necessary in order to test anti-virus software. In fact, they argue that it's not as good a methodology as the alternatives. You can find some good links to opinion on the matter in this blog entry by Sunbelt Software's Alex Eckelberry.

I've been involved in many tests of anti-virus products, and it's always tough. There are many ways you can go about the testing and they all have their strengths and weaknesses. The biggest problem is testing of heuristic protection, or protection against unknown viruses.

I have no specific opinion on the work by Consumer Reports; not being a subscriber I haven't read the actual test results, just the methodology linked to above. But it seems to me that the abhorrence of virus creation that many are expressing is an overreaction.

Let's take what seem to me to be the two main arguments against it: 1) If you create malware, there's a chance it could escape and cause damage to innocent third parties, and 2) it's not a good way to test AV.

Read the full story on eWEEK.com: Ethics and Virus Testing

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.