On 16 May 2010 at 12:22, Christian Sciberras wrote:

>> An interesting point - Unicode?
>>
>> I don't think 5Mb files are infeasible, especially as time passes,
>> that'll be just a blip before long.

> You call it a "blip" yet you are counting in infections for *everywhere* and
> *anyone* so, what makes you think service providers (which have been comfy
> in the last 6 years with a dialup-grade connection) to abruptly switch to
> high-speed fiber-optic?

Well, just because network capacity is also growing at an exponential rate. I take your point, some people don't have high-speed connections. This will slow things down a bit, but that's all.

> I'm just saying that your statistics are based on too little variables

What else could I use? x=time, y=amount. I'm not sure how I could use more than two variables. Those are the only numbers I get from Symantec's data.

> You yourself mentioned an error margin of ~24%. This will only *grow* by
> next year.

It's an average, so I thought it might auto-correct. There was a similar dip in 2006.

> Lastly, I stand my point: Malware cannot be taken as a combination (as you
> and other certain "specialists" think of it). Reason number one being that a
> software combination (hash) can vary from between "malware", "useful" or
> "utterly useless"; ie, the combination of having only malware is so
> undefinable that you can't put it in any equation.

I think I understand, you're saying a virus can't be a random string, and I agree. That is the job of the obfuscator, to make the virus as random as possible, while retaining the integrity of the logic. I thought you were saying that the ASCII character set has insufficient characters to permit x billion combinations, so I wondered whether Unicode would.

The problem of defining malware is not mine. All I'm doing is analysing Symantec's stats. Symantec have already examined the sample and classified it as malware, before it gets included in the stats. Symantec's stats might be dodgy, but I doubt it, surely they wouldn't waste their time?

> Symantec's results are not wrong, it is how you/people use them that may be
> wrong, such as attempting to predict anything out of them.

The time-series analysis I did is commonly used to make forecasts. It is an accepted practice to take time-series data and extrapolate from it. Of course, there is an element of uncertainty, especially if the data is weak (small sample size, bias in the data etc). I was disappointed I only got 75.4%.

What I will concede is that the conclusions I have drawn from the results of the analysis may well be wrong. I don't work in an AV company and can only report what I see in the field. I can see those numbers going up, and up, and up, and it's only natural to wonder where it will end.

I can also see my customers' computers running slower and slower, and I know what sort of performance kick is possible if AV is disabled, and I know that virus scans take longer and longer to complete.

So I do think it's a fair question to ask - will my computer handle billions of threats? Does it make sense to be relying on AV to protect my customer's computers? Is this house really on fire, or is that completely normal? What answer should I give, when my customers ask me, how can I stop this from happening again? When my customer is about to make an expensive strategic purchase, what points should I make, concerning long-term planning? Is my business at risk, if I say the wrong thing, and my customers go out of business because their hardware/software combination is no longer viable?

I imagine these questions are on the minds of many IT managers, and with a chart on the wall showing 243% mutation, it is only reasonable that they be asked.

Stu

---
Stuart Udall
stuart a...@cyberdelix.dot net - http://www.cyberdelix.net/
---
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/