Full Disclosure mailing list archives
RE: AV Naming Convention
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 11 Aug 2004 13:47:07 +1200
Glenn_Everhart () bankone com to Todd Towles:
> Maybe a foundation should be created. This foundation could give a seal of approval to all AV corporations that join in. We are starting to make rules for patch management over at patchmanagment.org. Why couldn't a group work with AV names and the first company that finds and IDs it correctly gets to name it in the foundation. Just a dream, I would guess.
>
> So isn't this the reason CVE was created some time ago now?
For security vulnerabilities, yes. It almost certainly is too slow a process, as is, to be adopted usefully for virus naming. Naming confusion is usually "worst" and most costly/disruptive in the first few hours after a new fast-spreading virus is isolated. During this period corporate IT admins (and journalists) start getting reports of something new that sounds much like other reports, but often the variant ascriptions and occasionally the family names, are not in agreement. The corporate IT admins then have to convince themselves that FooBar.AB, FooBar.AD, FooBar-AD and Foo.AC are actually all the same thing reported with slightly different names (note I'm assuming these folk are smart enough to know how to ignore, or normalize, all the other optional and/or non-standard stuff that can be in reported malware names -- things like platform precursors (such as "Win32/" or "W32/" and their common, but non-standard variations "Win32." and "W32."), vendor-specific non-standard "extension" precursors (such as "I-Worm."), optional modifiers (such as "@mm", ":Fr"), etc, etc).
> Give the AV companies a bit of mercy though: they are called upon to analyze virii with ever less lead time, and need to pick names sometimes before full behavior is even known (as it seems to me from watching them).
Quite right, and that is a part of the "problem", though not a terribly insoluble part once you can get a commitment to attempt better naming consistency from the AV developers.
> Given the time allowed to do this work, it seems a cross reference after the fact is probably the best one can hope for.
Well, if usefully better naming consistency is to be achieved, the structural changes needed in many AV companies' internal processes will mean that "after the fact" renaming to achieve better consistency will be easier than it is now and possibly more likely. However, those same structural changes have the added benefit of allowing much better "before the fact" naming consistency too and I can imagine that happening... (We'd never have perfect before the fact consistency, but I can see that rate easily surpassing the current after the fact rate.)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
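As an added example (not part of the original message or any vendor's tooling), a small normalizer for the optional and non-standard name parts Nick lists: platform precursors, vendor-specific "extension" precursors and trailing modifiers. The prefix and suffix patterns cover only the forms named in the message, and the sample names are constructed. It shows which disagreements stripping can resolve (separator and case) and which it cannot (family or variant letters that genuinely differ).

```python
import re

# Constructed sample of the name shapes the message describes; not real
# detections from any vendor's database.
SAMPLE_NAMES = [
    "Win32/FooBar.AB@mm",
    "W32.FooBar.AD",
    "I-Worm.FooBar-AD",
    "W32/FooBar.ab:Fr",
    "Win32.Foo.AC",
]

# Platform precursors ("Win32/", "W32/" and the "Win32.", "W32." variations).
PLATFORM_PREFIX = re.compile(r"^(?:win32|w32)[./]", re.IGNORECASE)
# Vendor-specific "extension" precursor named in the message ("I-Worm.").
VENDOR_PREFIX = re.compile(r"^(?:i-worm)\.", re.IGNORECASE)
# Optional trailing modifiers such as "@mm" or ":Fr", possibly chained.
MODIFIER_SUFFIX = re.compile(r"(?:@[a-z]+|:[a-z]+)+$", re.IGNORECASE)
# Family name, then a variant suffix separated by "." or "-" (FooBar.AD, FooBar-AD).
FAMILY_VARIANT = re.compile(r"^([a-z][a-z0-9_]*)[.-]([a-z]{1,3})$", re.IGNORECASE)


def normalize(name):
    """Return (family, variant) in canonical case, or None if the shape is unknown."""
    s = name.strip()
    s = PLATFORM_PREFIX.sub("", s)
    s = VENDOR_PREFIX.sub("", s)
    s = MODIFIER_SUFFIX.sub("", s)
    m = FAMILY_VARIANT.match(s)
    if not m:
        return None
    return (m.group(1).lower(), m.group(2).upper())


def group_reports(names):
    """Bucket raw names by family so differing variant letters show up side by side."""
    groups = {}
    for raw in names:
        key = normalize(raw)
        family = key[0] if key else "unparsed"
        groups.setdefault(family, []).append((raw, key))
    return groups


def distinct_identities(names):
    """Identities that survive normalization; more than one means a human must reconcile."""
    return sorted({k for k in map(normalize, names) if k})
```

Here four of the five constructed names collapse to two FooBar identities (AB and AD) and one Foo identity; whether those three are the same sample is exactly the judgement the message says admins are left to make by hand.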