Re: (no subject)

[Maarten <fulldisc () ultratux org>]

On Friday 13 August 2004 05:00, Brad Griffin wrote:

> > network but located inside the "dirty" lab, say) they often do not
> > _want_ to break their own concentration.
> >
> > I'd suggest they're not so isolated as you claim.  For one thing, how
> do you suppose they get to hear new strains are found ?  Or receive
> samples ?
>
> Did you take the term 'isolated' to mean locked away with no human or
> other contact? ...strange...

Not per se.  But the argument about not wanting to break concentration doesn't 
really fly if one is constantly interrupted by coworkers either...

>  *virii*
> grrrr

What ? You prefer viruses ? virusses ? Viri ? Virea ?  Virux ? ;-)

> > No.  It may not matter IF you only use one single brand of AV software.
> > But that is NOT how it works in the real world.  Companies tend to
> deploy
> > multiple AV solutions on different layers so as to decrease the
> likelihood of some virus slipping through.  And maybe even more
> importantly, "Google
> > research" is done all the time, which doesn't work well if a strain
> goes by many different names.
>
>
> I am yet to come across a 'large' company or enterprise that uses
> separate brand av applications for desktop and server solutions. It
> makes economic and logistic sense to use one vendor for your av solution
> that is deployed at different levels (or layers if you prefer that
> terminology). About the only people I've seen use different antivirus
> products in one environment are home users or small businesses that
> misinterpret 'layers of defence' in an anti-virus context to mean
> 'different brands of defence'. Considering that many major av co's
> products are cross platform nowadays, I doubt many companies will
> continue using separate brand products in a mixed OS environment for
> much longer either.

Well, whoever said 'large' companies are the only ones that matter?
In my experience having multiple brands happens often.  In some cases they may 
deploy a filtering mail gateway that's bundled with a brand X virusscanner. 
In other cases they may find that brand Y on the desktop offers better value 
than using brand Z which they equipped their exchange server with...

In any case, deploying multiple brands IS a good practise, security-wise.
If a buffer overflow (or a botched Datfile update) is found in one product it 
will probably affect their whole line of products. That's bad.  Then let's 
consider the various timezones; using european and US AV products can 
sometimes give you the few hours advance that you need to avoid a disaster.

If you want 4 locks on your front door, would you buy four locks of the same 
brand ?  (or even, for paranoid people like me: would you have them all 
installed by the same guy ?)  For me, the answer would be a resounding NO.

> I can't understand how the Google research is a problem with naming
> conventions. Google for a virus name and multiple hits come up, mostly
> for descriptions on a/v sites that also carry the alias names in most
> cases.

Yes they do.  But I hardly think it is LESS work for them to track all those 
"aka" names and versions to include in their description pages than it would 
be to standardize after the fact on one single name for the virus.  Right ?

> My take is that so long as anti-virus developers are managing to keep
> their reactive model of virus detection and removal almost up to speed
> with the release of new malware, I don't really care if they name the
> next virus George or Mildred, so long as their software will identify
> and remove it from a system.

Well, precisely.  You hit the nail on the head...

It happened on SO many occasions to me that the installed AV scanner did 
identify the virus but was unable to remove it (or it instantly came back 
after "removal") that I had to hunt down a different (better) removal tool 
(rescue-CD, dedicated removal tool, or otherwise).   
It is at those moments that all the aliases in use for the virus bite you.

Maarten

-- 
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html