nanog mailing list archives

Re: Clueless anti-virus products/vendors (was Re: Sober)


From: Larry Smith <lesmith () ecsis net>
Date: Sun, 4 Dec 2005 21:44:08 -0600


On Sunday 04 December 2005 21:27, Church, Chuck wrote:
> What about all the viruses out there that don't forge addresses?
> Sending a warning message makes sense for these.  Unless someone has
> done the research to determine the majority of viruses forge addresses,
> you really can't complain about the fact that the default is to warn.
> Calling vendors 'clueless' because a default doesn't match your needs is
> a little extreme, don't you think?  The ideal solution would be for the
> scanning software to send a warning only if the virus detected is known
> to use real addresses, otherwise it won't warn.

True, but the "capability" has been in most AV software for quite a long time 
now to know which ones "forge" and which do not.  Clamav has a "list" of 
which virii are "forging" and which are not - I am reasonably certain that 
most other AV products have the same information at hand (a quick search of 
Symantec confirms that they know [ref sober worm, para 23, From:
(spoofed)]).  So while I agree with your basic concept of notifying someone 
that they are infected - when you can notify the "right" person - blanket 
notifications are more trouble than the virus itself in many cases.  And yes, 
as of yesterday I have more "blowback" from sober than from the worm 
itself....

-- 
Larry Smith
SysAd ECSIS.NET
sysad () ecsis net


