Frisk Software International - Technical note #5


                       "Simulated" viruses

One of the most annoying questions I get is:

   "I created a bunch of viruses with the Virus Simulator, and [product X]
    does not detect any of them.  Why ?"

This "virus simulator", available on BBSes and FTP archives under the name
VIRSIM2C.ZIP, provides several options, one of which is the ability to create
files that contain bits and pieces of various viruses.

The documentation of the package makes various claims, such as:

   "The simulators all produce safe and controlled dummy test virus  samples
    that enable users to verify that they have installed and are using their
    virus detecting programs correctly..."

   "A virus detecting program is validated when it reports the simulations."

   "Virus Simulator's ability to harmlessly compile and infect with safe
    viruses, is valuable for demonstrating and evaluating anti-virus security
    measures..."

Those claims are false, or at least extremely misleading.  

The facts are:

    The files created by the program are not viruses, and there is no valid
    technical reason why they should be reported as such.  A virus scanner
    may pick up some of the virus fragments and incorrectly conclude that a
    virus is present.

    A scanner may actually react in one of four different ways when it
    encounters one of those "simulations".

       1) The scanner might not report anything at all.  This is the "correct"
          approach - the files are not virus infected.  However, this does
          not tell you anything about whether the scanner would find the
          actual viruses or not.

       2) The scanner might report something like "Non-virus: VIRSIM-generated".
          A few anti-virus companies have taken this approach, partly to
          avoid having to answer the question why they do not report a virus,
          but partly because they are afraid that somebody might actually
          use VIRSIM to decide between two scanners - in other words, they
          are afraid of losing a sale to an inferior product that incorrectly
          reports viruses.

       3) The scanner might report something like "Unknown variant of virus X".
          This indicates that the scanner picks up the search string but is
          able to determine that the file is not infected in the regular way.
          A report like this is really a false alarm, and it indicates a
          possible problem with the scanner: it may be too prone to generating
          false alarms.  However, this is much less serious than the situation
          described below.

       4) The scanner might report the file to be infected with a virus, and
          might even offer to remove the virus.  This is the worst possible
          performance.  It indicates that the identification part of the
          scanner is seriously flawed: the scanner might, for example, be
          unable to distinguish between two similar but different variants
          of the same virus.  It might also have serious problems when
          disinfecting, possibly corrupting files frequently because of the
          lack of proper identification.

    In other words, the VIRSIM-generated files are not usable for scanner
    testing at all.
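The difference between reactions 1/2 and reaction 4 above comes down to whether
a scanner treats a search-string hit as proof of infection or verifies that the
file is actually structured the way an infected file would be.  The following
toy scanner is an added illustration, not code from Frisk Software or from the
VIRSIM package; the "virus", its search string, the "JMP>" marker and the sample
files are all constructed placeholders, not real virus data.

```python
"""
Toy illustration of search-string matching vs. proper identification.
Everything here is constructed: "TOY-A", its search string, the 32-byte
"body" and the "JMP>" marker stand in for a real signature database entry.
"""

# Constructed signature database.  Besides the search string, a proper
# identification record carries the structural facts that must hold for a
# file to really be infected by this (hypothetical) appending file virus.
SIGNATURES = {
    "TOY-A": {
        "search_string": b"TOYVIRUS-A-BODY",   # constructed scan string
        "body_length": 32,                     # constructed: appended body size
        "jump_marker": b"JMP>",                # constructed: patched host entry
    },
}


def naive_scan(data):
    """Reaction 4: any occurrence of the search string is reported as an
    infection, with no check that the rest of the file agrees."""
    for name, sig in SIGNATURES.items():
        if sig["search_string"] in data:
            return f"Infected: {name}"
    return "Clean"


def identifying_scan(data):
    """Reaction 1/2: a hit is only an infection if the file has the structure
    the virus would leave behind (patched entry at offset 0, full body at the
    end of the file).  A bare fragment is reported as a non-virus instead."""
    for name, sig in SIGNATURES.items():
        if sig["search_string"] not in data:
            continue
        tail = data[-sig["body_length"]:]
        if data.startswith(sig["jump_marker"]) and tail.startswith(sig["search_string"]):
            return f"Infected: {name}"
        # The string is present but the infection structure is not.
        return f"Non-virus: fragment of {name} search string"
    return "Clean"


def make_infected_host(host):
    """Constructed model of a real TOY-A infection: the first four bytes of
    the host are replaced by the jump marker and the full body is appended."""
    sig = SIGNATURES["TOY-A"]
    body = sig["search_string"].ljust(sig["body_length"], b"\x00")
    return sig["jump_marker"] + host[4:] + body


def make_simulated_file(host):
    """Constructed model of a VIRSIM-style 'simulation': the search string is
    dropped into the middle of an otherwise clean file.  No entry patch, no
    body at the end, nothing that could execute as the virus."""
    return host[:20] + SIGNATURES["TOY-A"]["search_string"] + host[20:]


# Constructed clean host program (not a real executable).
HOST = b"MZ\x90\x00" + b"ORIGINAL HOST PROGRAM CODE" + b"\x00" * 10

if __name__ == "__main__":
    for label, sample in (("clean host", HOST),
                          ("simulated file", make_simulated_file(HOST)),
                          ("really infected", make_infected_host(HOST))):
        print(f"{label:16} naive: {naive_scan(sample):18} "
              f"identifying: {identifying_scan(sample)}")
```

Run stand-alone, the naive scanner flags both the simulated file and the really
infected one as "Infected: TOY-A", while the identifying scanner reports the
simulated file as a non-virus fragment and only the genuinely infected host as
infected.  The point is the one the note makes: a scanner that cannot tell the
two apart also cannot be trusted to disinfect, since it does not actually know
what is in the file.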

-frisk

