Sophos v9 detection rate not improving?

Hey there, based on this test report by an individual, it seems that your detection rate has not improved and there are a few locations/files that you miss. Avast seems to be improving its detection rate. Could you update your database/scan engine to improve the detection rate at those missing locations/files?

April's detection rate
http://securityspread.com/S0urce/Arch1ve/LatestDetectionRates-Apr2014.pdf

Source: http://securityspread.com/

Other vendors also seem to use these results, and it seems that F-Secure improved its detection rate once those results were released.

  • Update on getting the malware samples not covered by Sophos in the latest testing from Security Spread.

    ruckus, this is a list of all the OSX malware samples used in testing. The latest Detection Rates PDF which you already downloaded contains all the necessary MD5 hashes needed in order to get those samples.

    http://securityspread.com/mac-antivirus-applications/  shows a list of the sources Security Spread used for these malware samples.

    All this information is publicly available on the Sec Spread site. I hope this will enable Sophos to include the missing definitions.

  • Checksums will confirm the file passed to SophosLabs is the same as the one used in a particular test but they aren't the files themselves.  Where are the files?  I've clicked around a bit but there is not a zip or similar that I can see.  Actually I would hope that testers don't publicly share malware for any and all to get hold of.  Therefore I would suggest the way to proceed is if security spread can forward the actual files to SophosLabs.

    It would be good to update detection, but we don't have a process for manually hunting around different sites for hundreds of individual files.


     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
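The moderator's point above is that a published MD5 only lets you confirm that a file you already hold is the one the tester used; it does not get you the file. The script below is an added example (not code from this thread, from Sophos or from Security Spread) of the reconciliation step a lab would run once samples do arrive: it parses a hash list in the shape of a table copied out of a PDF, hashes every file in hand, and reports which published hashes matched, which files are not on the list, and which listed hashes still have no file. The HASH_LIST text and SAMPLES contents are constructed for illustration; the real list would be the MD5s from the Detection Rates PDF and the files would come from the directory passed to load_samples_from_dir().

```python
"""Reconcile a set of suspected samples against a published MD5 list.

Added example, not code from this thread or from Sophos/Security Spread.
The hash list and sample contents below are constructed for illustration;
replace HASH_LIST with the hashes from the Detection Rates PDF and point
load_samples_from_dir() at the directory holding the files you obtained.
"""
import hashlib
from pathlib import Path
from typing import Dict, Set, Tuple

# Constructed hash list in the shape of a copy-paste from a PDF table:
# one MD5 per line, optional sample name after it, blank/comment lines ignored.
HASH_LIST = """
# md5                               sample
900150983cd24fb0d6963f7d28e17f72    sample_abc.bin
d41d8cd98f00b204e9800998ecf8427e    empty.bin
ffffffffffffffffffffffffffffffff    not_obtained.bin
"""

# Constructed stand-ins for files on disk (name -> bytes). The first two
# hash to entries in HASH_LIST; the third is a file the list does not cover.
SAMPLES: Dict[str, bytes] = {
    "sample_abc.bin": b"abc",
    "empty.bin": b"",
    "unrelated.bin": b"hello world",
}


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string as lowercase hex (the form used in the PDF)."""
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 alongside MD5: MD5 collisions are cheap to construct, so a
    second digest makes the record handed to a lab harder to spoof."""
    return hashlib.sha256(data).hexdigest()


def parse_hash_list(text: str) -> Set[str]:
    """Pull 32-hex-digit MD5 tokens from the first column of each line."""
    hashes: Set[str] = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        token = parts[0].lower()
        if len(token) == 32 and all(c in "0123456789abcdef" for c in token):
            hashes.add(token)
    return hashes


def load_samples_from_dir(directory: Path) -> Dict[str, bytes]:
    """Read every regular file directly under `directory` into memory by name."""
    return {p.name: p.read_bytes() for p in sorted(directory.iterdir()) if p.is_file()}


def reconcile(samples: Dict[str, bytes], expected: Set[str]
              ) -> Tuple[Dict[str, str], Dict[str, str], Set[str]]:
    """Split samples by MD5 into (matched, unexpected) and report which
    expected hashes have no file at all.

    matched:    name -> md5, for files whose MD5 is in the published list
    unexpected: name -> md5, for files the list does not mention
    missing:    published MD5s for which no file was found
    """
    matched: Dict[str, str] = {}
    unexpected: Dict[str, str] = {}
    seen: Set[str] = set()
    for name, data in samples.items():
        digest = md5_hex(data)
        if digest in expected:
            matched[name] = digest
            seen.add(digest)
        else:
            unexpected[name] = digest
    return matched, unexpected, expected - seen


def report(samples: Dict[str, bytes], expected: Set[str]) -> str:
    """Plain-text summary suitable for pasting into a sample-submission e-mail."""
    matched, unexpected, missing = reconcile(samples, expected)
    lines = [f"{len(matched)} of {len(expected)} published hashes matched a file"]
    for name, digest in sorted(matched.items()):
        lines.append(f"  OK       {name}  md5={digest}  sha256={sha256_hex(samples[name])}")
    for name, digest in sorted(unexpected.items()):
        lines.append(f"  UNLISTED {name}  md5={digest}")
    for digest in sorted(missing):
        lines.append(f"  MISSING  md5={digest}  (no file with this hash)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLES, parse_hash_list(HASH_LIST)))
```

Run against the constructed data, the report shows two of three published hashes matched, one unlisted file, and one hash still missing, which is exactly the gap the thread is about: the MISSING line can only be closed by someone who has the file. The SHA-256 column is there because MD5 is adequate for saying "this is the same file the tester had" but not for resisting a deliberately crafted collision, so a second digest should travel with any list you hand to a lab.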

  • I don't feel very comfortable being in the middle of this: Jay at Sec Spread has told me that he is obligated by his sources not to distribute the malware samples anywhere. Wouldn't you be able to contact the sources he's listed?

    What about asking those sources just for the Mac samples Sophos appears to be missing, according to the PDF? Wouldn't that narrow it down to a manageable size? I don't think it's that many.


  • brvx wrote:

    I don't feel very comfortable being in the middle of this


    I can understand that - you want to hand it over to either the people with the files, or the people who want the files.


    brvx wrote:

    Jay ... is obligated by his sources not to distribute the malware samples anywhere.


    I can imagine they shouldn't be handed out to private individuals, but not even to an anti-virus firm?  I would think that a restriction on that wouldn't exist, otherwise detection would be seriously delayed - unless the idea is to have a nice set of undetected files to shout about.

    A rather good test surely would be to forward them to each vendor and retest 24/48 hours later and see who's done something about it.


    brvx wrote:

    Wouldn't you be able to contact the sources he's listed?

    What about asking those sources just for the Mac samples Sophos appears to missing, according to the PDF? Wouldn't that narrow it down to a manageable size? I don't think it's that many.


    I can't go into detail, but there are file exchanges set up so we would see a lot of samples from other places (AV companies are all in the business of stopping malware, not keeping our files to ourselves).  I'll look into the missing detections more on Monday and speak to the labs and see what they want to do.  However (if Jay is listening), it would be ten times easier to host the files somewhere on a private link and email it to the labs (or zip them up and email/upload them); labs grab the whole bunch at once, drop them into the mega machines that process all the files, URLs, spam emails, etc., and produce new detections within a couple of hours.


     - - - - - - - - - - - -

    Communities Moderator, SOPHOS