Full Disclosure mailing list archives
Re: Show me the Virrii!
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 08 Jan 2004 16:06:29 +1300
Nicob <nicob () nicob net> replied to S G Masood:
5. They *might* have an arrangement with each other to share samples.
Individuals at antivirus companies share samples every day, without any previous arrangement.
In fact, that would be relatively rare. It may happen that a "junior" (new, less experienced, not well known within the industry) analyst may be told by a more senior research analyst to send someone at another company a sample. In such a case, although the junior analyst may well not know the recipient, s/he would be following the trust decision of the senior analyst and that would be based on a great deal of prior arrangement and experience.
At a corporate level, there's the "Rapid Exchange of Virus Sample" (REVS) hosted by The Wild List website.
First, REVS was not hosted by the WildList Organization (although some once prominent in the WLO folk were involved in setting up REVS). Second, REVS is no more. It "died out" because too many of the "more influential" members of the AV research community would not accept the removal of inter-personal trust relationships from the sample distribution equation that participation in REVS necessitated. (Whether that was entirely a good thing or not given REVS was intended purely for use with "emergency" samples and not all or even "many" samples is something that could be debated ad nauseam, but this is not the appropriate venue for that...)
REVS was replaced by another inter-researcher sample distribution mechanism that outwardly looks quite similar but which crucially (for those to whom this was an issue) allows the _sender_ of a sample to know both who it is going to _and_ to limit the distribution should one or more folks on the sample distribution list not meet the sender's required level of trustworthiness. That is, REVS was replaced by a mechanism that allows for sender-determined control over recipient -- a glorified way of saying "dependent on previous arrangement".
I think anyone who thinks they'll break into contemporary mainstream antivirus research (which is very heavily dependent on access to huge repositories of malware samples) by side-stepping such issues is severely deluding themselves...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html