Full Disclosure mailing list archives

Re: (no subject)


From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 13 Aug 2004 03:58:40 -0700 (PDT)


> As I explained in my other posts in this and the related "AV Naming
> Convention" thread, in general by far the largest "cost" of naming
> disagreement is borne by the users in the early hours of large-scale
> outbreaks.

Forget the whole naming thing...it's been bandied
about before, ad nauseam, and things haven't changed. 
What *I* would like to see is some real analysis of
what they find.  Too many times, weeks after
something's come out, some A/V company still has
"modifies/updates some Registry keys" on their web
site.  Even Symantec lacks consistency with
this...specifying Registry keys or file entries that
affect Win9x vs NT+ in some writeups, but not in
others.

Some companies do a good job of specifying the
footprints that malware leaves behind.  However, none
of the A/V vendors are really consistent with this.

On a side note, it really would be nice for MS to
publish specific information on when certain keys are
loaded by the system...the bad guys seem to know this
sort of thing, but educating sysadmins is difficult
when MS doesn't provide any documentation.

> You know what, I don't work in the "anti-virus" field, but what you are
> saying is BS.  There is no good reason that I can think of that the AV
> companies cannot rename these things after the fact.

Why should they?  One A/V company calls it one thing,
and then puts the names used by other A/V companies in
the "aka" section of their writeup.

> When an outbreak happens, they provide a fix and name it whatever they
> want.  After the fact, they could rename things and their updates
> reflect the "proper" name.  They can keep a reference to their name in
> the description, what's a few more characters in the signature files
> for every piece of malware going to matter? another 100k in a download
> at most?  I agree that there is probably a lot of marketing pressure
> that may make this difficult, but there is no technical reason for it.

Technical reasons, perhaps...but I think you hit the
nail on the head...it's driven by $$, in some way.

> The AV companies cannot be that lame that they cannot handle a simple
> name change.  I mean we use databases and other things and using these
> "computers" that should make this easy.  If they are that lame, maybe
> they shouldn't be in business.

Don't you think that's kind of harsh?  After all, one
could simply come back to you and say, "well, if you
can do better, why aren't you doing it?"


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html