I’ve returned from the testing workshop in Iceland. It was an interesting experience and was my first visit to Iceland. I thought I was going to be lucky and get an opportunity to see a little of the city, as my flight wasn’t until late afternoon. Unfortunately, it was a public holiday and everything was shut!
The discussions at the actual event were wide and varied. As I said in my previous post, the issue is that everyone agrees that an on-demand scan of a large collection of files is not the best way of evaluating security products, but it is the one that most publications want to see, and no one can come up with a better way that is practical.
The same goes for measuring ‘response times’. This is currently measured by calculating how long it takes for a vendor to add a ‘signature’ to detect a particular piece of malware. However, in most cases ‘protection’ is provided much sooner. Especially in our case, malware sent out in spam will be blocked first; if the malware is on a website, it will also be blocked, and specific detection will follow. Response times only measure the last part. Average response times are also getting much harder to calculate because it’s very rare that there is an outbreak like Loveletter or Nimda; instead, it is a constant stream of variants of existing malware. Most of our detection is proactive and new variants are blocked without the need for a new ‘signature’.
Having said that, we do have one of the fastest ‘response times’ in the industry, and we always strive to get faster. It’s widely believed that some malware authors test for detection before they ‘release’ it, so there will always be the need to react.
Part of the conference was a social event including a visit to the Blue Lagoon, which I would recommend to anyone visiting, although (with all due respect to my fellow attendees) a group of virus researchers may not be the best company for a relaxing swim. It’s also the only tourist attraction I know of that is based around a power station.