There’s been a lot of talk about the WildList lately. On one hand Larry Seltzer criticized the WildList based certifications as not representative of reality plus a strain on antivirus products by having to detect 10 year old viruses. Some key comments from Larry:
“There is an extraordinary amount of malware that was making headlines in 2004, back in the heyday of the mail worm. There’s W32/BugBear.A-mm from 2002. Go all the way down to the bottom of the list and you’ll find W95/Spaces.1445 from 2000. Yes, that’s one of two Windows 95 viruses on the list.”
“It’s all self-replicating malware, viruses and worms. Research has shown for years that self-replicating malware is not the way people get infected anymore”
“But what if that most advanced product fails to detect W95/Dupator.1503, a Windows 95 virus? A black mark on their marketing which probably precludes them from certain bids. It’s nuts.”
On the other hand Alex from Sunbelt reported on how Trend Micro decided to “boycott the WildList” by cancelling its participation in the Virus Bulletin 100% certification:
“The shocker was last Thursday, when it was reported that Trend Micro (following Pandaâ€™s lead) has decided to “boycott” the Wildlist.”
In Trend Micro’s own words:
“Testing is not done with an internet connection and it isn’t testing for things like rootkits. Pattern matching is now only one piece of puzzle, alongside behaviour blocking technology but pattern matching is all VB100 tests,”
Now, while IÂ agree with almost all the arguments against the WildList (other than the argument against replicating viruses, which ARE still prevalent), it is not true that Panda decided to “boycott the WildList”. In fact early 2007 we submitted a position paper to the ICSA AVPD (owners of WildList.org) titled “The Disconnect Between the WildList and Reality” (I’m releasing it now as it’s one and a half years old), pinpointing the flaws of WildList-based certification and testing and proposing measures to correct the problem, such as:
* Change the WildList reporting criteria to include all types of malware, not only viruses
* Encourage current members to report based on these new criteria
* Release the updated WildList more rapidly
* Design a new certification scheme with extended participation from CERTs and others
These are some of the reasons we don’t participate in Virus Bulletin 100% WildList-based certification tests. Now I know for a fact (even though I can’t disclose details about it) that there’s a lot being done to improve the WildList.
Finally and as proof that Panda is not trying to “boycott the WildList”, I gathered some statistics for the current WildList submissions from the January to May WildCore and Supplemental Lists.
Init Reporter Vendor Jan Feb Mar Apr May TotalÂ ====================================================================================Â Pa Luis Corrons Panda 824 734 670 618 405 3251 Tl/Za Tony Lee Microsoft 326 381 641 1035 387 2770 St Stuart Taylor Sophos 393 361 340 331 249 1674 Ao Amyn Sachedina Symantec 319 324 412 414 144 1613 Mt Miroslav Trnka Eset 266 227 206 206 201 1106 Sj Sanjay Katkar Quickheal 188 179 160 157 162 846 Mo Martin Overton Independent 142 134 123 124 119 642 Is Jim Wu IBM 119 118 111 113 112 573 Fn Bryan Lu Fortinet 141 32 31 79 76 359 Sr Subramanya Rao Proland 78 72 68 66 60 344 Ww Martin Stecher WebWasher 61 61 60 61 61 304 Ta Tjark Auerbach Avira 64 63 63 60 30 280 Jc Luogang Rising 37 35 36 33 29 170 Jy Jamz Yaneza Trend Micro 45 45 36 36 0 162 Ss Szilard Stange Virus Buster 36 32 31 31 29 159 So SiHaeng Cho Ahnlab 28 26 26 27 40 147 Id Ken Dunham Independent 24 22 22 24 22 114 Nl Laura Hartmann Anchiva 26 14 14 26 9 89 Ay Allysa Myers McAfee 1 1 0 0 0 2
The above figures are only the self-replicating viruses submitted that actually make it to the lists. Following our own proposal of expanding the WildList, we also submit on a weekly basis many more non-replicating Trojans which do not make it to the traditional WildList (see Malware Prevalence for April & May for details of what we submit).
I think it’s obvious from the data that we’re not trying to boycott the WildList. We’re just trying to make certification testing meaningful and useful for consumers.
Great article. I never though the situation was this bad. The Wild list should be an accurate reflection of the malware wild. How can Endpoint security be tested and rated against a list that is known to be outdated. Good to see Trend Micro is looking for a better way also.
I’ve been asked separately for the data on WildList submissions by Kaspersky, BitDefender, F-Secure, Ikarus and Computer Associates. At least during 2008 (January to May which is the latest as of writing) there’s no submissions by any of these showing on the WildCore nor Supplemental lists.
Thanks for useful information and need more secure measure too to protect the things.
Thanks for the great article.