Full Disclosure mailing list archives

RE: AV Naming Convention

From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 11 Aug 2004 14:00:27 +1200

"Randal, Phil" to "Todd Towles":

I have thought about it, every time this issue is raised.  To do what is
proposed at first glance seems eminently sensible, but even a post-hoc
renaming exercise requires additional "vendor" resources, and leads to
customer confusion.


Indeed.

Also, as I just explained in another post, the "worst" confusion tends 
to come in the first few hours after something new and fast-spreading 
is first isolated.  Thus, post-hoc renaming does little to help the 
_worst_ of the "problem" from the user's perspective.  If we settle on 
a solution that is heavily dependent on post-hoc renaming, it means 
that most of the early confusion will still be experienced -- the media 
will report four different names for the same new thing and  
productivity will be lost while IT admins work out if the reports of 
FooBar.AB, FooBar.AD, FooBar-AD and Foo.AC are actually all different 
names for precisely the same thing or not, and if not, whether the 
scanners they use from different vendors at different layers in their 
protective strategy detect all of the however many variants that naming 
bundle actually represents (and don't think that is unlikely -- several 
times just this year we have had two or more new variants of large 
families of successful mass-mailers released within hours of each 
other, and in the bot arena, some families are seeing several new 
variants released (or at least isolated by AV researchers/analysts) 
_nearly every day_).

To remove the bulk of the inconvenience naming inconsistency causes we 
really need to address naming consistency up front, during the initial 
analysis period and leading up to the vendors putting up web pages 
naming and describing the variant and/or shipping updated DAT/DEF/etc 
files to detect it.  A "solution" to the naming inconsistency problem 
that is, say, 90% effective at this point in the process should have a 
huge impact on the overall problem...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: AV Naming Convention, (continued)
- - - Re: AV Naming Convention Jan Muenther (Aug 10)
    - RE: AV Naming Convention Todd Towles (Aug 10)
    - RE: AV Naming Convention Nick FitzGerald (Aug 11)
    - RE: AV Naming Convention Todd Towles (Aug 11)
  - RE: AV Naming Convention Frank Knobbe (Aug 10)
    - Re: AV Naming Convention Valdis . Kletnieks (Aug 10)
    - RE: AV Naming Convention Nick FitzGerald (Aug 11)
  - RE: AV Naming Convention Nick FitzGerald (Aug 10)
- RE: AV Naming Convention Randal, Phil (Aug 10)
  - RE: AV Naming Convention Rui Pereira (Aug 10)
  - RE: AV Naming Convention Nick FitzGerald (Aug 10)
- RE: AV Naming Convention Clairmont, Jan M (Aug 10)
  - RE: AV Naming Convention Nick FitzGerald (Aug 10)
- RE: AV Naming Convention tcleary2 (Aug 10)
- RE: AV Naming Convention Brad Griffin (Aug 10)
  - Re: AV Naming Convention ASB (Aug 11)
  - RE: AV Naming Convention Nick FitzGerald (Aug 12)
- RE: AV Naming Convention John . Airey (Aug 11)