Friday, 15 May 2009

How to test antivirus software

The EICAR test file...

This is something that got me thinking. First of all, great idea, but I have noticed there is some confusion going on, in the sense that some people refer to this test as a way to answer "how do I know if my antivirus is good?", and I couldn't help thinking that there is some misleading information around this. I'll explain why.

The purpose of this test file is to check whether the antivirus is working or not, not to show whether your antivirus is good in the proper sense of the word; these are two different things, although I admit there can be some discussion around this, as I will explain later in this article. Anyway, it looks more like an agreement, or perhaps a kind of "RFC standard", among all the AV companies currently selling this type of service, to allow the end user to find out whether the AV is operational or whether it has stopped responding, for instance because of malware (which is possible). Thus any of these companies can add this test entry to their virus definition files, allowing the AV to successfully report a virus alert, but this alone does not prove that an AV is good.

Every day, or almost every day, new viruses with new attack methods are released onto the internet, spreading through whatever propagation ability they were programmed with. At the same time, the AV companies try to release periodic updates to cover most of these new attacks. If an AV successfully reporting a virus in this text file meant that it was good, then it would always be good and there would be no purpose in releasing new definition updates, so by now you can see why a statement like that seems ridiculous.

On the other hand, a good AV is determined by the effectiveness of the software implementation, the effectiveness and speed of its detection algorithms, the quality of its updates, and ultimately its natural ability to protect itself from attacks (did I forget something?), external or internal, that would end with the AV being turned off. This leads back to my statement above that some discussion around this could be raised. True, there is some connection between the test file and the AV being good, but saying that alone is an improper association.
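To make the distinction concrete, here is an added example (my own illustration, not code from the original post or from any AV vendor) of what such a test entry amounts to: a check applying the EICAR recognition rules published by eicar.org (the 68-byte string at offset 0, optionally followed by whitespace, 128 bytes maximum). The sample file names and contents are constructed for the demonstration; the one-byte-off sample shows why a passed EICAR test says nothing about detection quality.

```python
# Added example (not from the original post): a minimal scanner that recognises
# the EICAR test file by its published rules. A vendor's "test entry" is
# essentially this: a fixed 68-byte string at the very start of a file, which may
# be followed only by whitespace, with the whole file no longer than 128 bytes.
# Passing it shows the scanning path is alive; it says nothing about how well
# real threats are detected, as the mutated sample at the bottom shows.

EICAR_SIGNATURE = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}"
    b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
MAX_EICAR_LENGTH = 128
# Whitespace the EICAR specification allows after the signature: space, tab,
# LF, CR and CTRL-Z (iterating a bytes object yields ints, so the set holds ints).
ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")


def is_eicar(data: bytes) -> bool:
    """Return True if `data` is a valid EICAR test file under the published rules."""
    if len(data) > MAX_EICAR_LENGTH:
        return False
    if not data.startswith(EICAR_SIGNATURE):
        return False
    trailer = data[len(EICAR_SIGNATURE):]
    return all(byte in ALLOWED_TRAILER for byte in trailer)


def scan(files: dict) -> dict:
    """Toy 'definition file' scan: map each file name to a verdict string."""
    return {name: ("EICAR-Test-File" if is_eicar(content) else "clean")
            for name, content in files.items()}


# Constructed sample set for the demonstration (no real malware involved).
SAMPLES = {
    "eicar.com": EICAR_SIGNATURE,
    "eicar_crlf.txt": EICAR_SIGNATURE + b"\r\n",
    "too_long.txt": EICAR_SIGNATURE + b" " * 61,          # 129 bytes
    "not_at_start.txt": b"hello " + EICAR_SIGNATURE,
    # One byte changed: the signature match no longer fires, which is exactly
    # why passing the EICAR test does not prove the AV is "good".
    "one_byte_off.txt": EICAR_SIGNATURE[:-1] + b"-",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:18} {verdict}")
```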


