Full Disclosure mailing list archives
Re: AV Naming Convention
From: Jan Muenther <jan.muenther () nruns com>
Date: Tue, 10 Aug 2004 21:22:48 +0200
Hi,
> I wouldn't be in my position if I ran everything that was sent to me. Home users need to be educated, but that is a whole different issue.
Well, I didn't mean to be offensive (no, really, for a change). I meant the 'you' rather figuratively. It's not only home users who need to be educated - enterprise users too; in fact, especially them.
> The Trojan on my desktop was broken down by me and a friend who is a security researcher. It is a Trojan used by spam groups. It isn't a mass-mailer. I am going to write an article about how I received it and the partial code analysis.
Well, do so, if you wish. Part of my job is actually forensic analysis, and almost every time I find some malware that's not yet documented - simply because a single person has written it for his/her personal use only. Submitting that to an AV vendor seems pretty useless to me, unless some great new technique is introduced (which most often is, erm, not the case). Yeah, it's true, there's a lot out there which people don't see. In any case, the AV vendors are pretty much the ones I'd blame least. They are on a fairly abstract level compared to the things users and software vendors f*ck up with and get their machines compromised. For instance, I've found ELF infectors in the wild. But Linux is free from viruses, isn't it? There's a huge attitude problem here. I do agree though that simply educating users is probably bound to fail; at least most efforts seem to have little to no effect. There may be a technological solution, but the malware detection part can only be a fragment of it, and one which comes in rather late, if you ask me.
> But the point I want to make is that things need to change. We can throw off all talks about it now (and some of you look like you want to) or we can try to find ways to advance the field. We are the customers, and we indirectly direct where the time and money is spent.
Well, can you be a bit more specific? I find a statement like "just do better" fairly arrogant towards researchers at companies like F-Secure, who do brilliant work in the field of matching e.g. variants of malware through the use of graph isomorphisms (yeah, like Halvar does). Man, they go far beyond simple pattern matching in the sense of e.g. Snort rules. I'm sure if you have any revolutionary ideas, a lot of people have very much open ears indeed, but just complaining isn't helpful.

Cheers, J.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html