funsec mailing list archives

Re: CME: A Total Failure -- Throw in the Towel


From: Drsolly <drsollyp () drsolly com>
Date: Mon, 13 Mar 2006 14:26:08 +0000 (GMT)

On Sun, 12 Mar 2006, Blue Boar wrote:

> Drsolly wrote:
>> OK. My favourite antivirus scanner says that "This specimen resembles
>> Yellow Wheelbarrow". Now what? I still don't know if it's CME-24 or not.
>
> Your scanner spits out the string "CME-24" somewhere next to "Yellow
> Wheelbarrow",

But it doesn't ...

> and/or you go to the CME site and type in
> "Win95.YellowWheelbarror@mm-wtfbbq", and it gives you back CME-24.

How do the CME people determine that what Wonder Antivirus calls Yellow
Wheelbarrow is identical to what they call CME-24?

> Or were you instead asking about something more complicated, related to
> partial matches, and the fact that one AV may identify two files as two
> things, probably in the same family, while a second scanner says they
> are the same thing?

That's part of it. Are there any products today that do exact 
identification by checksumming the static bytes of the malware?

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
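The "exact identification by checksumming the static bytes" that the post asks about, sketched as an added Python example (not code from the list, the CME project or any scanner): a per-family map of invariant byte ranges is hashed instead of the whole file, so two infections that differ only in their variable block get the same identifier. The toy family layout, the range offsets and the use of "CME-24" as the registry label are assumptions made for the example.

```python
import hashlib

# Constructed toy family layout: a fixed 16-byte stub, an 8-byte block that
# changes per infection (counter/timestamp), and a fixed 16-byte trailer.
STUB = bytes(range(16))
TRAILER = b"WHEELBARROW\x00\x00\x00\x00\x00"
# Offsets (half-open) of the bytes that stay constant across infections.
YW_STATIC_RANGES = [(0, 16), (24, 40)]


def specimen(variable_block: bytes) -> bytes:
    """Build a constructed 40-byte specimen of the toy family."""
    if len(variable_block) != 8:
        raise ValueError("variable block must be exactly 8 bytes")
    return STUB + variable_block + TRAILER


def whole_file_digest(sample: bytes) -> str:
    """Plain file hash: differs for every infection, so it cannot name a family."""
    return hashlib.sha256(sample).hexdigest()


def static_digest(sample: bytes, static_ranges) -> str:
    """Hash only the byte ranges declared invariant for one family."""
    h = hashlib.sha256()
    for start, end in static_ranges:
        h.update(sample[start:end])
    return h.hexdigest()


def build_registry(references):
    """references: list of (identifier, static_ranges, reference_sample).
    Returns (identifier, static_ranges, expected_digest) tuples."""
    return [(ident, ranges, static_digest(sample, ranges))
            for ident, ranges, sample in references]


def identify(sample: bytes, registry):
    """Return the identifier whose static-byte digest the sample reproduces, else None."""
    for ident, ranges, digest in registry:
        if static_digest(sample, ranges) == digest:
            return ident
    return None


# Constructed reference, a second infection with a different variable block,
# and an unrelated all-zero file of the same length.
REFERENCE = specimen(b"\x00" * 8)
VARIANT = specimen(b"\x01\x02\x03\x04\x05\x06\x07\x08")
UNRELATED = bytes(40)
REGISTRY = build_registry([("CME-24", YW_STATIC_RANGES, REFERENCE)])
```

The whole difficulty the thread circles around sits in the range map: every vendor has to derive the same invariant regions from its own samples before their identifiers can be shown to mean the same thing.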
