It would appear that the handlers over at SANS think that Anti-Virus vendors _owe_ them a feature. They believe that Joe Average, or Joe Above-Average should be able to extract malware samples at will, and submit that malware sample to the vendor or vendors of their choosing. They would like to share the information about the malware agents that these products detect for the betterment of the A/V community of course. I’m sure that they would also like to use such a feature to do their own research on the malware.
“A good part of the fight against malware relies on ‘the good guys’ sharing samples and intel. For some reason though, many anti-virus (AV) companies seem to make it exceedingly hard to ‘extract’ usable samples from their tools and quarantines. They insist on a quarantine in proprietary format, and more often than not, the only option given in the GUI is ‘Send to Vendor’ or ‘Delete’.”
My first inclination was that this article was written by some twenty-something noob, full of selfrighteous entitlement, and brought up on a steady diet of Jolt cola, YouTube and Instant Messanger, with the patience and thought capabilities of the common household gnat. Generally, I like the handlers at SANS. Met a couple, chatted with a few, read their blog for intell. Why would a commercial software vendor not want to provide this kind of feature? After all these years and so many vendors, why hasn’t one of them done this?
- Because their detection rate might be a product differentiator?
- Because they expend a signigicant amount of time, resources and energy into building analytic capabiilties for signature development?
- Because they don’t want Joe LessThan, Joe Average, or Joe Above-Average extracting and playing with malware samples?
- Because it provides little value and absolutely no return?
- Because A/V vendors already share samples and intell in another venue and forum?
- Because you can’t tell the ‘good guys’ from the rest of the world at large?
I have heard this childish whining for most of my career. “We should be able to _______!” Ask yourself one simple question. “WHY?” If you can create an intelligent response to that question, ask it again towards that response, and again, and repeat. Keep doing this until you get to the bottom line. “It would be [easier | better | more fun| more convenient] for me.” None of these reasons should be viewed as a justifiable business reason to introduce such a risky feature. None of these would be a security justification either. Who else might this capability assist?
You want to pull the legs off of spiders, play with malware, be the coolest kid on your block? Then eat your wheaties, stay in school, and do your own frickin’ homework. Daniel, give your head a shake, we can all stand the noise…