Full Disclosure mailing list archives
RE: AV Naming Convention It is who fixes it first.
From: "Clairmont, Jan M" <jan.m.clairmont () citigroup com>
Date: Wed, 11 Aug 2004 10:20:43 -0400
It's about detection and fixing the problem first. Who has a fix and has a methodology for fixing it reports it and puts the link/methodology/information in the database so all who are still trying to respond can benefit from that information. Everyone fixes it eventually, but then the company/person/contributor gains the benefit of first finder's name and the rest of us get to respond and defeat the offending malware/virus/spam etc.
Naming could have many aliases in the database too, just in case there is some dispute. It would also make it searchable by alias, time, day etc. This reporting system would be free for information only, free downloads .dll fixes or links to the vendor's site for fixes. You would subscribe or unsubscribe at your leisure. Again non-vendor specific, it might just be the name of the offending type, security level threat and a link to the fix for each vendor's updates. Then a standard update and methodology by the vendor. It could contain spam filters for mailers, virus scan identifiers, etc. No virus or actual malware just fixes for cleaning and debugging. Also a daily spam list would be great for people who would like to automatically eliminate spam from their favorite mail utility (Outlook, mail, pine ad nauseam).
This discussion is great, good discussion all.
Jan Clairmont
Firewall Administrator/Consultant
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Nick FitzGerald
Sent: Wednesday, August 11, 2004 5:11 AM
To: full-disclosure () netsys com
Subject: RE: [Full-disclosure] AV Naming Convention
Frank Knobbe to Glenn Everhart:
Given the time allowed to do this work, it seems a cross reference after the fact is probably the best one can hope for.
Perhaps they could elect one person (of each AV shop) to be a naming mediator between the organizations. ...
Pick me, please -- I just love being woken up at 3:42am because folk in Russia are working a new virus I already saw hours ago and we now have to agree on a name... That's right -- we don't all work for companies based in the same continent, let alone all work in the same place as all the other folk doing analysis for our own companies.
... Competition is still ensured... after all, everyone wants to get it out first. Here's another incentive.
Do you work in marketing? If not, please get that stupid idea out of your head (if you do work in marketing then I assume you are genetically unable to think sensibly about the following). Most antivirus researchers do _NOT_ work that way, regardless of who their employers are (and formerly, when a few such employers were dumb enough to try to use gag-clauses in their employment contracts these were often ignored anyway).
First one out to propose a new virus/strain can give it a name. All prominent AV shops could, to help industry and consumers (marketing opportunity here), come to an agreement that governs how names are standardized. First representative of an AV shop that raises the hand says "We got a new one! Can't give details of course since you are a competitor. But if you find the same thing in your research, let's call it Humptydumpty-2."
Pray tell, how are "name proposers" to convey to their peers which virus they have just found? You say that they should not give details of the virus, yet as (part of) the naming problem is that there is no natural and unique naming method, simply knowing that another researcher called some virus "FooBar" gives one _NO_ insight into whether the new virus they are now looking at is a sample of FooBar. Oh, and the competition thing -- that's not how things work. The AV industry is a great deal better for having driven the John McAfees out all those years ago, along with the divisive and damaging (both to the customer and the industry) "sample competition" folk like him had been encouraging. If you really are an AV user, you'd be about the only one who is apparently keen to return to those "bad old days".
Whoever finds the virus first has first choice on the name. No sharing of information required, just agreement on a name.
That is what we have now, which I thought was seen as a problem... Also, how does some other researcher know that FooBar and the new virus they've just been handed to analyse and add to their employer's product is, or is not, one and the same thing? You seem to be forgetting that a name is just a label and, alone, imparts no identity information.
Is that so hard?
Well, it would be if anyone was daft enough to try to do it as you describe...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html