Full Disclosure mailing list archives
Re: AV Naming Convention
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 11 Aug 2004 10:55:21 +1200
Thomas Loch wrote:
>> This completely misses the point.
> I do not completely agree ...

You're welcome to your opinion, but it's clearly based on a grossly simplistic and inadequate notion of what virus scanners do and how viruses work.

>> When a new virus is discovered, it is essential that there is a RAPID response to the threat. ...
> I agree...

Good...

>> ...The idea of handing the critter over to a committee to decide its name is, quite frankly, plain bonkers.
> Why?

Because of the time it must take to do that... Also, the level of expertise you need to have on that committee to get a high level of correct decisions, especially if you want to get those decisions very quickly to reduce the naming agreement latency as much as possible, will necessarily reduce the talent pool available to the AV companies _AND_ be very expensive to employ and maintain, because such talented and experienced AV researchers are among the most highly paid "technicians" in the IT industry.

> Why can't we handle not yet named viruses as 'unnamed' ...

This is actually the most sensible (so therefore probably the least likely to be used) of solutions. It has been suggested innumerable times in the past and, at least until there is some compelling (financial!) reason for AV developers to change their current practices, seems very unlikely to be implemented by any developers.

> ... or we use a standardized (by ISO?) method to generate a numeric code that consists of a classification in categories and a sequential number and probably some kind of checksum or hash until the virus gets an official name?

This is suggested almost every day by some or other newbie with no clue how viruses work. Sadly, in (today's) real world, it quite simply will not work and, worse, cannot be made to work. Do you have any idea what polymorphism is? Don't see any problems with that? OK, try adding metamorphism (aka "body polymorphism") -- still no problems with the above suggestion? In an ideal world it should be able to work _combined with access to a library of reference samples that would be the basis of the generated identifiers_ (i.e. an identifier would point to a specific sample, deemed to be the definitive exemplar of the named variant). _HOWEVER_, that ideal world requires all kinds of complex trust issues that simply cannot be made to work in today's real world (and seem unlikely to be workable at least in the medium term).

... I'm pleased to note that so far in this, and the parent, thread no-one has wheeled out the hoary old chestnut of "Why not use something like the hurricane/tropical storm naming scheme that has worked so well in meteorology?" as it is replete with problems that are obviously insoluble to anyone who understands anything about computer virus, and related malware, incident handling.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
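The polymorphism objection above, as an added illustration that is not part of Nick's post or of the thread: a constructed, benign sample body is wrapped in three differently encoded instances; an identifier derived from a checksum of the file bytes registers three different "viruses", while one computed after the scanner-style decoding step registers one. The file layout, the XOR encoding and all function names are assumptions chosen for this example.

```python
import hashlib

# Constructed stand-in for the invariant body of a sample: benign text, not code.
CORE_BODY = b"CONSTRUCTED-SAMPLE: this body is identical in every variant"


def make_variant(key: int, junk_len: int) -> bytes:
    """Build one 'polymorphic' instance of the same sample.

    Layout (hypothetical, chosen for this illustration): a two-byte header
    [key, junk_len], junk_len bytes of filler, then CORE_BODY XOR-encoded
    under key. Changing key or junk_len changes nearly every byte of the
    file while the decoded body stays the same.
    """
    assert 0 <= key < 256 and 0 <= junk_len < 256
    junk = bytes((key * 7 + i) % 256 for i in range(junk_len))
    encoded = bytes(b ^ key for b in CORE_BODY)
    return bytes([key, junk_len]) + junk + encoded


def raw_identifier(sample: bytes) -> str:
    """The proposed scheme: derive the identifier from a checksum of the file."""
    return hashlib.sha256(sample).hexdigest()[:16]


def normalize(sample: bytes) -> bytes:
    """What a scanner has to do instead: parse the header, skip the filler and
    undo the encoding, i.e. emulate the decoder to reach the invariant body."""
    key, junk_len = sample[0], sample[1]
    encoded = sample[2 + junk_len:]
    return bytes(b ^ key for b in encoded)


def normalized_identifier(sample: bytes) -> str:
    """Identifier computed over the decoded body rather than the file bytes."""
    return hashlib.sha256(normalize(sample)).hexdigest()[:16]


def distinct_identifiers(samples: list[bytes], normalized: bool) -> int:
    """How many 'different viruses' each scheme would register for one sample."""
    ident = normalized_identifier if normalized else raw_identifier
    return len({ident(s) for s in samples})


if __name__ == "__main__":
    variants = [make_variant(0x5A, 12), make_variant(0x13, 40), make_variant(0xC7, 3)]
    print("checksum scheme, distinct IDs:  ", distinct_identifiers(variants, False))
    print("normalized scheme, distinct IDs:", distinct_identifiers(variants, True))
```

The normalization step here is trivial because the layout is known; for a real polymorphic or metamorphic engine the decoder itself changes per instance, which is exactly why no fixed checksum can serve as the identifier.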