Testing malware without the delivery part has some pros and cons.
The entire point of not testing the malware delivery part is that it is not relevant to the test.
Not testing the delivery part shows what would happen if detection or blocking during delivery failed.
This is an extremely simple concept but there are those that argue "any test that does not show the delivery part is an invalid test." That statement is not accurate and the people repeating it over-and-over have an agenda. That agenda is to discredit @cruelsister's tests.
The cons follow from the fact that it is hard to conclude the real-world danger because other security layers can partially cover the exposed weak points.
That is a weak argument. As I have stated many times, the spreading of malware by shared USB flash drives happens at a large scale in south central and southeast Asia. The only way to test such a scenario is to either launch the malware from the USB drive or, what is most typical, from the desktop. Hundreds of millions of people use PCs in that region of the world but they do not have reliable internet. They solve this partially by sharing USB drives.
The whole argument "A test must also include the malware delivery (meaning internet download) to be valid" is a very self-centered, first-world perspective.
It is a completely false statement to say "Your test is invalid because it did not test every layer of the product." OK, so what about products that only have a single layer of protection? What about the case where Smartscreen fails to block? What then? Only certain people here at MT will say "Well, that is not real-world because the tester turned off Windows Smartscreen and other Windows Security protections. If they did not disable them, then the test would have failed." LOL, such statements are ridiculous and reveal a lack of basic understanding of test methodology. But what is really going on is certain people here take every opportunity to attack some aspect of any test demonstration that @cruelsister makes because their objective is to discredit the test, and thereby discredit @cruelsister herself.
Nobody here better ever go to a BlackHat conference. They will see proof-of-concept (POC), vulnerability attacks, and testing that they'll have to wash their eyes out with Clorox bleach afterwards. A significant number of demonstrations at hacker and pentest conferences involve disabling aspects of the operating system, or, more often, exploiting slightly obsolete builds of the OS or software.
"What if" or "What could potentially occur..." testing, where this or that protection is made to fail (by disabling it), is a standard, widely-accepted industry pentest practice. Security layers are not infallible. They can be bypassed. So honest and accurate testing of a focused aspect of a system can be done by disabling a security feature, a security layer, or devising a test that does not utilize that feature or layer. It is a completely legit form of testing.
These are very simple concepts. Children on a schoolyard playground can understand them.
When tests are performed and demonstrated, it is not the responsibility of the person(s) performing the tests to explain all the caveats to the test. Any claim otherwise just ain't true. The responsibility is on the viewer to figure it out. If they do not have that knowledge then it is on them to gain the knowledge to completely understand what the test shows - and what it does not show. What the events shown mean or imply, and what they do not.
It is not @cruelsister's responsibility to educate every viewer on the full details of her demonstrations. It is up to the viewer to figure out the limitations, the exceptions, the corner cases & specifics of the test.
It is for this reason that neophytes are like deer caught in the headlights at a BlackHat conference. The difference is that they are there to learn and many soon get it. Whereas the intent at MT is to criticize tests to discredit them, and the person who created and performed the test.