2007-07-01
Abstract
'The WildList is more pertinent than ever - particularly given today's threat landscape.' Mary Landesman, About.com.
Copyright © 2007 Virus Bulletin
When the WildList was formed in 1993, it was with the noble intention of protecting users by slicing through marketing hype and identifying the actual threats that anti-virus scanners should detect. In the 14 years since, the WildList - or more precisely, the WildCore - has become the de facto standard by which all reputable anti-virus scanners are measured. But despite its wide adoption, the WildList has struggled to gain respect and has seldom been without controversy. And some say, deservedly so.
A common complaint surrounding the WildList concerns the type of malware represented: only self-replicating viruses and worms make it onto the list - trojans, PUPs, backdoors, bots, adware, rootkits, exploits and nearly half a dozen others need not apply. With such a short list of threats eligible for participation, and such a long list of grievous offenders denied entrance, some question the relevance of the WildList.
Locale-specific malware may impact thousands or even tens of thousands of users. However, the dual reporting requirements of the WildList could prevent a geographically confined outbreak from being properly represented.
Whatever demands the most attention gets the most attention. Malware that is detected using generics, or is otherwise easily handled by the scanner, will likely be under-reported. Conversely, threats missed by competitors might be over-reported.
Having aired the dirty laundry of the WildList, is it time to pack it in and go home? Are the critics right - does the WildList lack relevance with today's threats and is there a nepotistic management style reminiscent of an old boys' club? Worse, are tests based on the WildList too easy to pass?
As much fun as it is to take cheap potshots and sling similes, the fact is the WildList is more pertinent than ever - particularly given today's threat landscape. By setting a standard, definable bar, the WildList has consistently improved detection across the board. Reputable anti-virus vendors must work (hard) to gain credibility, participating fully in order to engage in the sample sharing necessary to build the library of threats required to score well on the tests. But what WildList testing really offers today is a measure of trust.
The pertinence and sustainability of the WildList are due in no small part to its extensibility. The chief certification bodies - Virus Bulletin, ICSA Labs, and Checkmark - each use the WildList in some fashion as part of their overall certification procedure. This extensibility and widespread adoption have led to considerable credibility for the WildList. That credibility has, in turn, fostered trust. It is this trust that has led to the continued success of the WildList today.
Today's malware isn't a prank. It's not for fun, or for challenge, or to overcome boredom. The imagined idle pastimes of yesteryear's discontented youth are far behind us. Today's malware is about money. And social engineering - the art of tricking the user into infecting themselves - has never been stronger than it is today. One of the favourite tricks for doing this is convincing the user that their system is infected and that 'Scanner X' is the saviour they need. In violation of this trust, Scanner X drops other malware or entices the user fraudulently into paying to remove malware that doesn't actually exist.
Now take away the WildList. Absent any credible, definable, easy-to-understand and widely accepted test criteria, who are users to believe? Try explaining to your parents - or better yet, your grandparents - why Scanner X is bad and Scanner Y is good. The WildList, and the credibility it brings to the table, is the single best measure we have to draw these distinctions.
Do away with the WildList and we do away with unbiased certification agencies. Do away with the WildList and we do away with the very trust that protects the user. The shortcomings of the WildList can be solved through technology, money, and better management. But trust has to be earned. And the WildList has earned the trust of millions. Let's not consider doing away with that, just when our users need us most.