Jump to content
Posted 23 May 2017 - 07:59 PM
He gave his reason on github.
Distributed, scalable fuzzing on Windows can be challenging and inefficient. This is especially true for endpoint security products, which use complex interconnected components that span across kernel and user space. This often requires spinning up an entire virtualized Windows environment to fuzz them or collect coverage data.
This is less of a problem on Linux, but I've found that porting components of Windows Antivirus products to Linux is often possible. This allows me to run the code I’m testing in minimal containers with very little overhead, and easily scale up testing.
This is just personal opinion, but I also think Linux has better tools. ¯\_(ツ)_/¯
Edited by JohnC_21, 23 May 2017 - 07:59 PM.
Posted 23 May 2017 - 08:14 PM
Ah, ok... it's just for testing. He's not planning on releasing his Frankencode.
Posted 24 May 2017 - 05:54 AM
In all honesty, Defender, like just about every other AV product relies heavily on "definitions". Definitions of known malware, either tight (pick up a single strain) or loose (to pick up families), plus other behaviorial rules (realtime). Behavior may prove interesting cross-platform, definitions when statically scanning files, but definitions that are looking for other behavior (I don't imagine a syscall to erase shadow volume copies would work on Linux) are not likely to be useful.
FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer
Posted 28 May 2017 - 08:49 AM
In all honesty, Defender, like just about every other AV product relies heavily on "definitions".
OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
Bachelor of Science in Computing Security from Drexel University
0 members, 0 guests, 0 anonymous users