Is the Wildlist still relevant?

Just wanted to say hello from all the SophosLabs members here at the Virus Bulletin conference in Vienna. The VB conference is one of the very few events where technical people from the industry meet and present their ideas and research results.

This year the conference is full of excellent presentations, and some controversial topics were addressed in today's presentation about the Wildlist and its relevance to the industry.

Andreas Marx from AV-Test.org thinks that the Wildlist has lost a lot of its relevance. According to Andreas, there are not enough active reporters of new samples, so the number of malware samples on the list (currently around 500) is an order of magnitude lower than the actual number of active malware samples. Furthermore, the Wildlist only contains self-replicating malware, which makes up a minority of the malware we see every day.

Finally, the Wildlist is published once a month and the typical malware campaign is only active for a very short time, so by the time the Wildlist is published it is already out of date.

On the other hand, Wildlist samples are verified by skilled reporters and the quality of the samples is very high. With the large sets used by testing companies such as AV-Test.org, it is not so easy to verify that every sample in the test set is actually malicious. One could, perhaps, rely on the scanning results of anti-virus products, but the fact is that different vendors choose to detect different classes of files, especially those with borderline malware characteristics such as adware and dialers.

After all, the purpose of the Wildlist from its beginning was to provide a basic set of viruses that should be detected by every decent anti-virus product, and as such it is still a valuable resource for testers. Despite its shortcomings as a test set, it is quite interesting that even some major anti-virus products sometimes miss samples from the Wildlist. A good way to track the detection performance of products against the Wildlist test set is to follow the results of the regular VB100 tests conducted by Virus Bulletin.

I certainly enjoyed this discussion and I think both Andreas Marx and the Wildlist organisation had some good arguments about the Wildlist's relevance and purpose.

If you are interested in finding out more about the subject of anti-virus testing and the Wildlist test set, please listen to our latest podcast with Mark Harris, Director of SophosLabs.

About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.