jc135

Level 1
Hi,

Why test malware? Do people think they can be better at manually detecting malware than the likes of BitDefender, Kaspersky and the like? Are they planning to write a new detection engine?

To my inexperienced mind, there are only 2 classes of malware: 1) those that establish remote control and try to exfiltrate valuable data, 2) those that are pitiless and torment the unhappy user for lacking good security by wrecking their Windows.

South Park

Level 2
Verified
When I was new to Windows and before I did online banking, etc. (around 2000), I used to find live malware at "keygen" sites and download it just to test and play with. For example, I'd put the samples in nested zip and rar folders or change a bit of code to see if AV still detected them. It was probably foolish and dangerous, but I don't think I ever got infected from my samples. I wouldn't touch live malware nowadays except in a VM with proper precautions.

Bryan320

Level 3
Playing with malware will help you understand how it works better; some do it to test security software. If you're in a VM you can infect yourself and see what methods will get the machine back to a working state. Malware these days is just so destructive, some of it financially motivated, which can be even more dangerous to an uneducated user.

Burrito

Level 22
Verified
Why test malware?
As Roger stated -- it's to find out how good some AVs and other capabilities are.

If you follow Malware Hub here for a while... you'll notice how the results in The Hub often reflect the results of professional testing.

And, we get things tested in The Hub that professional testers won't take --- like H_C, Wise Vector...

And... some companies do terribly in professional testing and don't participate. Many are afraid of the poor test results, and exposure of how poor their products really are. They can still be tested in The Hub. Best example for this is Webroot, aka Green Kool-Aid.

Umbra

Level 26
Verified
Just a hobby like any other.
95% of people testing malware (especially in security forums like here) do it just to check the efficiency of their security solutions, they won't learn much more since they don't have the skills, training nor the tools to obtain an accurate and detailed analysis.
Running malware.exe and seeing it execute rundll32.exe won't explain much to you about how it does it, what the attack chain was, what code was used, etc...
Only real security experts/pentesters with proper professional training can achieve such understanding... the rest of us are just kids toying with fire.

Lenny_Linux

Level 6
I don't think it is relevant that the amateurs don't understand the attack vectors or intrusion stages.

When I look at the pictures of a new smartphone tested by a hobbyist, I am not really interested in the technology used to make that picture, I just want to see the results (show me some pictures) and know the experiences of the tester (the time it took before the camera focused or how it holds up in difficult lighting conditions). Only the results count in hobbyist testing (system infected, malware remnants or clean).

I agree that it is probably just a hobby like any other with a platform and an audience (security forums, youtube channels, etc).

Umbra

Level 26
Verified
I don't think it is relevant that the amateurs don't understand the attack vectors or intrusion stages.
That is where you are totally wrong, it is the most important thing!
How many times I had to intervene because some "testers" (often Youtesters) test a malware without:
1- understanding what the malware/exploit exactly does.
2- understanding how the security software is supposed to be used.

So yes, it is more than relevant.

When I look at the pictures of a new smartphone tested by a hobbyist, I am not really interested in the technology used to make that picture, I just want to see the results (show me some pictures) and know the experiences of the tester (the time it took before the camera focused or how it holds up in difficult lighting conditions). Only the results count in hobbyist testing (system infected, malware remnants or clean).
In photography you don't need skills to push a button and compare qualities; in security it is more complicated than that. You must know what the malware does and what the security soft is supposed to do.

Robbie

Level 30
Verified
Content Creator
Malware Tester
Non-professionally, usually for education purposes. In my case, it helps me understand what processes are usually more exploitable so I can protect them (say with SysHardener for example). As well, it helps see if your combo is good enough to stop real malware, or if you should add/change something. And to conclude, it helps find new malware and submit it to your vendor.

And it's fun af :B

Umbra

Level 26
Verified
In my case, it helps me understand what processes are usually more exploitable so I can protect them (say with SysHardener for example).
In the case of malware creating a new process, yes, you may learn something.
Now let's say the malware payload exploits an already running process; how can you even know it was abusing it without proper training or specific analysis tools?

As well, it helps see if your combo is good enough to stop real malware, or if you should add/change something. And to conclude, it helps find new malware and submit it to your vendor.
Those two are the real purpose of "amateur" malware testing. Nothing more.

And it's fun af :B
That I can't deny.

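Two of Umbra's points above (seeing malware.exe spawn rundll32.exe tells you little about the chain, and abuse of an already running process is invisible without the right telemetry) can be made concrete with a small log walk. The following is an added example, not code posted in the thread or by any product named here: it parses a handful of constructed Sysmon-style events (the event IDs 1, 8 and 10 and the access-mask bits are the real ones; the PIDs, paths and the sample name malware.exe are invented) and shows that the process tree attributes rundll32 to the sample but says nothing about the svchost it injected into, which only the ProcessAccess/CreateRemoteThread pair reveals.

```python
# Added example (not code from the thread): parse constructed Sysmon-style
# events to show what a process tree reveals and what it hides.
# Event IDs and access-mask bits are real; the events themselves are constructed.
from typing import Dict, List, Set, Tuple

PROCESS_CREATE = 1        # Sysmon Event ID 1
CREATE_REMOTE_THREAD = 8  # Sysmon Event ID 8
PROCESS_ACCESS = 10       # Sysmon Event ID 10

# Access-mask bits (winnt.h) a classic injector needs on its target process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

EXPLORER = r"C:\Windows\explorer.exe"
MALWARE = r"C:\Users\lab\Downloads\malware.exe"   # hypothetical sample path
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed events: the sample spawns rundll32 (visible as a child) and also
# injects into an svchost that was already running (no parent/child link).
EVENTS = [
    {"id": PROCESS_CREATE, "pid": 4120, "image": EXPLORER, "ppid": 800},
    {"id": PROCESS_CREATE, "pid": 3100, "image": SVCHOST, "ppid": 700},
    {"id": PROCESS_CREATE, "pid": 5210, "image": MALWARE, "ppid": 4120},
    {"id": PROCESS_CREATE, "pid": 5300, "image": RUNDLL32, "ppid": 5210},
    {"id": PROCESS_ACCESS, "source_pid": 5210, "target_pid": 3100,
     "granted_access": "0x1FFFFF"},  # PROCESS_ALL_ACCESS
    {"id": CREATE_REMOTE_THREAD, "source_pid": 5210, "target_pid": 3100},
]


def process_chain(events: List[dict], pid: int) -> List[str]:
    """Image names from pid up through its recorded parents (child first).
    Stops when a parent has no ProcessCreate event of its own."""
    by_pid = {e["pid"]: e for e in events if e["id"] == PROCESS_CREATE}
    chain: List[str] = []
    seen: Set[int] = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def descendants(events: List[dict], root_pid: int) -> Set[int]:
    """Everything a plain process-tree view attributes to root_pid."""
    children: Dict[int, List[int]] = {}
    for e in events:
        if e["id"] == PROCESS_CREATE:
            children.setdefault(e["ppid"], []).append(e["pid"])
    found: Set[int] = set()
    stack = [root_pid]
    while stack:
        for child in children.get(stack.pop(), []):
            if child not in found:
                found.add(child)
                stack.append(child)
    return found


def injection_candidates(events: List[dict]) -> List[Tuple[int, int]]:
    """(source, target) pairs where a process opened another with write and
    thread-creation rights and then created a thread in it."""
    opened: Set[Tuple[int, int]] = set()
    for e in events:
        if e["id"] == PROCESS_ACCESS:
            mask = int(e["granted_access"], 16)
            if (mask & INJECT_MASK) == INJECT_MASK:
                opened.add((e["source_pid"], e["target_pid"]))
    return [(e["source_pid"], e["target_pid"]) for e in events
            if e["id"] == CREATE_REMOTE_THREAD
            and (e["source_pid"], e["target_pid"]) in opened]


if __name__ == "__main__":
    print("rundll32 ancestry:", process_chain(EVENTS, 5300))
    print("tree view attributes to the sample:", descendants(EVENTS, 5210))
    print("svchost ancestry:", process_chain(EVENTS, 3100))
    print("injection pairs:", injection_candidates(EVENTS))
```

With only ProcessCreate events, svchost's ancestry never mentions the sample, so a tester watching Task Manager or a process tree would call the svchost activity legitimate; the injection only shows up when the access mask on the ProcessAccess event is checked against the bits an injector needs and paired with the CreateRemoteThread event, which is the kind of tooling Umbra is referring to.
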
Umbra

Level 26
Verified
Photography isn't just about pressing a button. There are many variables there too. This makes the difference between a mediocre photographer and someone who is able to get the most out of his device.
We are talking about testing, not making.
If I need a test about a camera, I want it made with default settings and preferably by a noob in photography like me.
No point testing a camera by a professional photographer who will make the best shot ever with it if I can't even do what he does...
This has nothing to do with testing security softs.

If you really needed an analogy to malware testing, use pharmaceutics, which requires professionals and precise methodology.

Got my point?

Lenny_Linux

Level 6
That is where you are totally wrong, it is the most important thing !
How many times i had to intervene because some "testers" (often Youtesters) test a malware without:
1- understanding what the malware/exploit exactly does.
2- understanding how the security software is supposed to be used.

So yes, it is more than relevant.
It is useless to respond to your "I am right and you are wrong" statement. The only new element of information is the intervention you mentioned.

This intervention begs for some additional questions to be asked:

1-What was that intervention, in what form was it delivered through what channel or platform?
2-What was the response to your intervention, were the "testers" open to your ideas and enlightened by your insights?
3-What was the effect/result of your intervention: did they stop testing malware until they understood what the malware/exploit did and/or how the security software was supposed to be used?

I am asking those questions because I am trying to understand what your intervention really did and/or how I am supposed to use your response ;)

Umbra

Level 26
Verified
This intervention begs for some additional questions to be asked:

1-What was that intervention, in what form was it delivered through what channel or platform?
Youtube if it was a video, here or other forums.
Case 1: The Youtester used an obsolete version which couldn't prevent the attack, unlike the latest version.
Case 2: Another used a malware against softs that weren't designed to block it, basically he didn't know how to properly test the softs or had an agenda.
Case 3: I proved the Youtester deliberately modified some setting so the test would show the product failing.

2-What was the response to your intervention, were the "testers" open to your ideas and enlightened by your insights?
Case 1: In one case, he apologized, recognized his error and promised a video update, which, of course, never came.
Case 2: The tester dismissed all my arguments, which were even backed up by professionals.
Case 3: no answer.

3-What was the effect/result of your intervention: did they stop testing malware until they understood what the malware/exploit did and/or how the security software was supposed to be used?
Case 1: Deleted his channel
Case 2: Got a warning from the lawyer of one of the tested soft's company to remove his video, which he did. Stopped testing.
Case 3: Deleted his channel after people noticed he made those biased video to promote his business.

It was years ago, so I didn't follow what happened to them.


You are young in this forum, so you may not know my history here, hence your questions. Older members who have known me for a decade here know that when I open my mouth (sometimes arrogantly/rudely, I admit) it is because I know I'm right.
If I have a single doubt about what I'm saying, I'd rather say nothing.

Lenny_Linux

Level 6
Thanks for the explanation

Umbra said:
when I open my mouth, it is because I know I'm right.
A half-open mouth is also an open mouth; this indicates that when you close your mouth you don't know

Umbra said:
If I have a single doubt about what I'm saying, I'd rather say nothing.
Doubt is a form of not knowing you are right, so for clarity you repeat the answer in reverse order?

HHHHHHHOOOOOOOOOWWWWW SSSSSSSSLLLLLLLLLOOOOOOOOWWWWWWW DDDDDDOOOOOO YYYYYYYYOOOOOOUUUUUU TTTTTTTTHHHHHHIIIIIIIIIIIIIINNNNNNKKKKKKK IIIIIIIIIII AAAAAAAAMMMMMMM or am I pulling your leg 😂

MacDefender

Level 5
Verified
Without testing malware, how do you know if your antivirus works? Is it simply enough that customers seem happy with it? Or a large industry alliance of certification programs says it's good?

For me it's like test driving a car before I buy it. Sure it's a great starting point if Consumer Reports or something like that thinks highly of it, but that shouldn't be the end of research.

I think the other reason is because it's feasible to test. In an ideal world I would love to personally crash test my cars instead of just believing whatever number of stars the federal government assigned it based off manufacturer claims, but that is not at all feasible for me to do :)

At minimum I like seeing the Malware Hub tests to see how these programs react to recent malware samples. Since I'm a developer by day, I also like reading into how malware works and writing my own test samples. And for me it's shown me a lot of things I would not have been able to learn about antivirus from looking at available published tests.

SFox

Level 3
Verified
Why test malware?
Everything is relative. Users want to believe that their antivirus is "the best of all." But without comparison with other antiviruses, this cannot be found out. For this, comparative tests are conducted at the amateur level. It is also important to find out how much the protection functions declared by the vendor and the description of "unique technologies" correspond to reality.
On a professional level, tests are carried out by special laboratories commissioned by antivirus vendors, which, like ordinary users, need to know that their antivirus is "the best of all", additionally promote the product, and also find out the weaknesses of their product, the program's shortcomings. Everyone is happy: users made sure that their antivirus is "very strong" and decided to renew the license, vendors received advertising for their product and increased sales of licenses, and the specialists of the testing laboratory received money for the work :) Everyone is happy :)

Azure

Level 25
Verified
Content Creator
That is where you are totally wrong, it is the most important thing !
How many times i had to intervene because some "testers" (often Youtesters) test a malware without:
1- understanding what the malware/exploit exactly does.
2- understanding how the security software is supposed to be used.

So yes, it is more than relevant.
These are probably some of the reasons why Cruelsister was so popular and efficient, as she knew perfectly well how each piece of malware works and how the security software would interact with it. It wasn't random.