Defcon's Race2Zero contest and Whitelisting
Posted by Mario Vuksan on Wed, Jul 30, 2008
Defcon is next week. Race2Zero is Defcon's contest that will attempt to create new strains of malware in order to test the security capabilities of anti-malware products. Setting aside fears that some of these strains could be released to the public, it is an ethical question: should malware be created for fun and games?
All malicious samples should be treated equally, as any of them could potentially be released at one time or another, by malicious intent, by a data breach or by mistake. Yet using artificially created samples to test products that were built to protect from threats in the wild is not a reasonable study or contest of any kind. It is no secret that anti-malware solutions have their weak points, and pointing them out with bogus examples does not make them any better or the public any safer, in my opinion.
The problem resides in the limited space each anti-malware solution can reserve for signatures, which needs to be kept for truly virulent and prevalent malware samples. Filling signature databases at the endpoint with thousands upon thousands of signatures for "fun" experiments is not a very good use of time for the few malware analysts available, and it certainly adds to the performance burden the end user experiences.
From the perspective of our Global Software Registry, however, we are looking forward to receiving the Race2Zero samples. If something has been created to run on a computing machine, whether for fun, profit, a game or by mistake, it should have its reputation assessed, and we will be doing that. Such information is then of paramount value to any end user, researcher or automated process that may stumble upon it.
On the issue of whether we should be scanning on the endpoint: the samples created in the lab are few, so we should not burden the endpoint with them. But there is no reason not to hammer a database index in the cloud, as there we are not limited by the space and performance constraints of a personal computer. Bit9's Global Software Registry functions in the cloud just fine with almost 7B entries. Comparatively, a typical anti-malware suite keeps a 1-2M entry index on each computer.
Cuil.com launched on Monday, demonstrating that it is possible to keep extremely large indexes when necessary. They claim to have a 120B entry index, three times the size of Google's.
In security, we have been afraid of technical complexity for far too long. It is time to embrace it, and to put it in its proper place.