Changes in the Wilderness

The Wildlist is a list of viruses that is maintained by the Wildlist Organization. The intent is to have a list of viruses that is representative of what is really out in the Wild (Antivirus vendors’ name for what our customers will face).

The list of viruses is provided by experts that submit virus samples to the Wildlist on a regular basis. The requirements for a sample to be submitted are: 

  1. It must replicate
  2. It must be a real sample from a real customer

If two or more Wildlist reporters submit the same sample then it will be included in the Wildlist for the following month. Each antivirus company typically has one Wildlist reporter and I am the reporter for Commtouch.

The intent of the Wildlist, as I understand it, is to be a reproducible, standardized test set with some level of certainty that the virus samples included are relevant.

There is one glaring problem with this system: It is limited to viruses only. Some people will say there are other problems as well, but the other problems with the Wildlist are mere technicalities compared to the virus limitation. The reality is that less than 1% of malware we receive will replicate or can be called a virus. Please also note the distinction between virus and malware. Some malware are viruses and all viruses can be considered malware. Malware also includes backdoors, Trojans, downloaders, password stealers and other categories of malicious applications that we as an industry have been dealing with for years but has not been covered by the Wildlist.

To improve on this situation, the Wildlist Organization has been testing the Extended Wildlist. The Extended Wildlist drops the requirement that the sample replicate, which is probably one of the most significant limitations to the existing Wildlist. This change significantly expands the scope of the Wildlist and hopefully resolves a significant number of complaints against the Wildlist. It is still not perfect, but there never will be a perfect test set.

Starting August 2011, the Extended Wildlist was formally released to testers and AV companies, and future Virus Bulletin VB100 comparatives will test against the Extended Wildlist. Due to the fact that samples on the Extended Wildlist are not required to replicate, it is technically significantly simpler to deal with this new list than the traditional Wildlist. Despite this, it is a significant step forward.