RE: AV Naming Convention

["Todd Towles" <toddtowles () brookshires com>]

I wouldn't be in my position, if I ran everything that was sent me. Home
users need to be educated, but that is a whole different issue.

The Trojan on my desktop was broken down by me and a friend that is a
security researcher. It is a Trojan used by SPAM groups. It isn't a
mass-mailer. I am going to write any article about how I received it and the
partly code analysis. 

But the point, I want to make is that things need to change. We can throw
off all talks about it now (and some of you look like you want to) or we can
try to find ways to advance the field. We are the customers and we direct
where the time and money is spent indirectly.


-----Original Message-----
From: Jan Muenther [mailto:jan.muenther () nruns com] 
Sent: Tuesday, August 10, 2004 1:14 PM
To: Todd Towles
Cc: Glenn_Everhart () bankone com; todd () hostopia com; frank () knobbe us;
full-disclosure () netsys com
Subject: Re: [Full-disclosure] AV Naming Convention

Hey there,

> Oh, I am not unhappy with AV companies at all. They do their job and most
do
> it very well and very fast. But there are programs that aren't detectable
by
> any AV programs. I have one sitting on my desktop; I received it in the
> e-mail weeks ago. I send it in as a sample and heard nothing. Why? Because
> it isn't running thru the news and in everyone's e-mail. The largest
threats
> should be taken care of first, given. But should the public not be
informed
> about things like this. Where is the protection?

While I understand your point, you must also understand that AV vendors need
to focus whatever manpower they have at hand on the more immanent threats to
the biggest part of their userbase. 

If you just execute everything that you can get a hold of on your box, don't
cry for your AV vendor. It's your own fault, basta la pasta.
Besides, their reactivity really depends on the AV vendor, at least
according
to my experience. 

> Some people question sig-based scanning and I understand their point. We
> need to help the AV companies think outside the box and create new ways of
> detection and prevention. We are the community help them. 

Erm. AV detection goes a little bit beyond simple pattern matching nowadays.


If you ask me, it's far more important to tell people it's just not a good
idea
to run everything and the kitchen sink with Administrator/root rights, even
if you have AV software running with recent signatures. 

Like in a car, you can have excellent security measures, such as airbags and

seat belts, but in the end, it's you who's at the wheel. 

cheers, J.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html