Full Disclosure mailing list archives

RE: AV Naming Convention


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 11 Aug 2004 13:47:07 +1200

Glenn_Everhart () bankone com to Todd Towles:


> > Maybe a foundation should be created. This foundation could give a
> > seal of approval to all AV corporations that join in. We are
> > starting to make rules for patch management over at
> > patchmanagment.org. Why couldn't a group work with AV names and the
> > first company that finds and IDs it correctly gets to name it in the
> > foundation. Just a dream, I would guess.

> So isn't this the reason CVE was created some time ago now?

For security vulnerabilities, yes.

It almost certainly is too slow a process, as is, to be adopted 
usefully for virus naming.

Naming confusion is usually "worst" and most costly/disruptive in the 
first few hours after a new fast-spreading virus is isolated.  During 
this period corporate IT admins (and journalists) start getting reports 
of something new that sounds much like other reports, but often the 
variant ascriptions and occasionally the family names, are not in 
agreement.  The corporate IT admins then have to convince themselves 
that FooBar.AB, FooBar.AD, FooBar-AD and Foo.AC are actually all the 
same thing reported with slightly different names (note I'm assuming 
these folk are smart enough to know how to ignore, or normalize, all 
the other optional and/or non-standard stuff that can be in reported 
malware names -- things like platform precursors (such as "Win32/" or 
"W32/" and their common, but non-standard variations "Win32." and 
"W32."), vendor-specific non-standard "extension" precursors (such as 
"I-Worm."), optional modifiers (such as "@mm", ":Fr"), etc, etc).

> Give the AV companies a bit of mercy though: they are called upon to
> analyze virii with ever less lead time, and need to pick names sometimes
> before full behavior is even known (as it seems to me from watching
> them).

Quite right, and that is a part of the "problem", though not a terribly 
insoluble part once you can get a commitment to attempt better naming 
consistency from the AV developers.

> Given the time allowed to do this work, it seems a cross reference after
> the fact is probably the best one can hope for.

Well, if usefully better naming consistency is to be achieved, the 
structural changes needed in many AV companies' internal processes will 
mean that "after the fact" renaming to achieve better consistency will 
be easier than it is now and possibly more likely.  However, those same 
structural changes have the added benefit of allowing much better 
"before the fact" naming consistency too and I can imagine that 
happening...  (We'd never have perfect before the fact consistency, but 
I can see that rate easily surpassing the current after the fact rate.)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
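The message above describes admins having to ignore or normalize the optional platform precursors, vendor "extension" precursors and modifiers in reported names, and then still needing an after-the-fact cross reference for the residual family and variant disagreements. The Python below is an added illustration of that workflow, not code from the post or from any AV vendor: it strips the precursors and modifiers the post lists, groups reports by the (family, variant) that remains, and applies an optional cross-reference map; the sample names are the ones from the post, while the precursor and modifier lists and the cross-reference entries are assumptions.

```python
import re

# Added example (not from the post): normalize reported malware names so
# that vendor-specific decoration no longer hides whether two reports agree.

# Platform precursors in standard ("Win32/", "W32/") and common non-standard
# ("Win32.", "W32.") forms, plus a vendor-specific extension precursor
# ("I-Worm."); the list is an assumption drawn from the post's examples.
PRECURSOR = re.compile(r"^(?:(?:Win32|W32|I-Worm)[./])+", re.IGNORECASE)
# Optional trailing modifiers such as "@mm" or ":Fr" (again from the post).
MODIFIER = re.compile(r"(?:@\w+|:\w+)+$")
# Family and variant separated by "." or "-"; the variant is the trailing
# letter group (e.g. "AB", "AD").
FAMILY_VARIANT = re.compile(r"^(?P<family>[A-Za-z0-9_]+)[.\-](?P<variant>[A-Za-z]+)$")


def normalize(name: str):
    """Return (family, variant) with precursors and modifiers stripped.

    Family is lower-cased and variant upper-cased so that names that
    differ only in vendor convention compare equal. A name without a
    recognizable variant yields variant None rather than a guess."""
    core = MODIFIER.sub("", PRECURSOR.sub("", name.strip()))
    m = FAMILY_VARIANT.match(core)
    if not m:
        return (core.lower(), None)
    return (m.group("family").lower(), m.group("variant").upper())


def group_reports(reports, cross_reference=None):
    """Group raw reported names by their normalized (family, variant).

    cross_reference is an optional after-the-fact mapping from a
    normalized name to the canonical one (assumed format; the post says
    such a cross reference is the best one can hope for). Names missing
    from it stay as normalized, so residual disagreement remains visible."""
    cross_reference = cross_reference or {}
    groups = {}
    for raw in reports:
        key = normalize(raw)
        key = cross_reference.get(key, key)
        groups.setdefault(key, []).append(raw)
    return groups


# Constructed sample reports built from the names quoted in the post.
SAMPLE = ["Win32/FooBar.AB@mm", "W32.FooBar.AD", "I-Worm.FooBar-AD:Fr", "Foo.AC"]

if __name__ == "__main__":
    for key, raws in group_reports(SAMPLE).items():
        print(key, "<-", raws)
```

Without a cross reference the four reports still collapse to three groups, which is exactly the residual disagreement the post says admins must resolve by hand; with the (assumed) after-the-fact map they collapse to one.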

