Full Disclosure mailing list archives

RE: AV Naming Convention Reporting Plan.


From: "Clairmont, Jan M" <jan.m.clairmont () citigroup com>
Date: Tue, 10 Aug 2004 16:46:19 -0400


Geesh, that's why you need a centralized database, an
independent, non-vendor-specific database. It would be for
reporting and sharing for the benefit of the community of AV, firewall
and other vendors and the internet community.  It implies no force du
jour or coercion on anyone; you could opt out or not use the free
service, duh!

The service could be funded by donations, like PBS. Like any standards
committee, it is staffed by vendors, interested parties and
students, just like freeware or shareware.  The goal is to help
end endless spam, AV and trojans etc., not to spy or require anyone to
do anything.  Just like this list is opt in or
opt out.  I frankly think full-disclosure should jump on this
idea and do it, or someone of that ilk.

Is this really that hard to understand?

Essentially this is the function flow:

Person finds spam, trojan, exploit etc.
Vendor finds spam, trojan, exploit
Vendor finds new virus --
                         reports virus forensics, description
                                 (format set by database committee;
                                 sample reporting tool on Web: fill
                                 in the blanks and
                                 report)
                                |
                                |
                                V
                IVST Database.com
                        |
                        |
                        | creates record: time stamp, name & aliases
                        V
                Updated database sees no equal, sends out report
                with fix information to all interested parties based on
                user profile or need.
                        |
                        | investigation continues
                        V
                Database updates duplicates and reports to users;
                keeps track of spam, virus variants, trojans etc.
Back to step 1.

And it could start from day one without a history, just start with
what's new.  A retrofit database would be useful but not necessary.  It
just needs to react to new threats.

What's the big deal? It could be used by independent
researchers, students, Dead Heads, hacker wannabes,
and best of all standardize the whole mess.

Right now it's every person for
themselves. What do we have to lose but spam, and maybe we get a faster
reaction time to incidents, with a rational plan.

It's like finding comets, you find 'em you name 'em.

                                
Jan Clairmont
Firewall Administrator/Consultant


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of
Valdis.Kletnieks () vt edu
Sent: Tuesday, August 10, 2004 2:54 PM
To: Frank Knobbe
Cc: Glenn_Everhart () bankone com; full-disclosure () netsys com
Subject: Re: [Full-disclosure] AV Naming Convention 


On Tue, 10 Aug 2004 10:44:56 CDT, Frank Knobbe said:

> standardized. First representative of an AV shop that raises the hand
> says "We got a new one! Can't give details of course since you are a
> competitor. But if you find the same thing in your research, let's call
> it Humptydumpty-2."
> Whoever finds the virus first has first choice on the name. No sharing
> of information required, just agreement on a name.

Of course, I *didn't* find the same thing, so I called it Jabberwocky-3.
Only later did we find out it was the same thing.

Only way to do that sanely is the way tropical storms are done - make up
a *long* list beforehand, and as each AV vendor raises their hand, they
get the next name in the list.

Remember guys - I may need a name for the variant I'm about to push
a signature out the door for *before* I have any way of finding out that
you've got a different variant.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
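As an added example (not code from Jan's post, Valdis's reply, or any real service), a toy registry in Python that walks the function flow sketched in the post: a report creates a time-stamped record and draws the next name from a pre-agreed list (Valdis's tropical-storm scheme), a repeat submission is recognised as a duplicate, each vendor's own name is kept as an alias rather than forcing a rename, and once investigation shows two records were the same thing they are folded into one. The name list and the use of a SHA-256 of the submitted sample as the identity key are assumptions; in practice deciding that two samples are the same variant is the analysis work, not a hash comparison.

```python
"""Toy naming registry for the flow in the post above: reports come in,
the registry timestamps and names a new sample, flags repeats, records
each vendor's alias, and can fold two records together once investigation
shows they were the same thing. Constructed example; the name list and
the SHA-256 identity key are assumptions standing in for real analysis.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib

# Pre-agreed list handed out in order, as with tropical storms. Assumed.
NAME_LIST = ["Alpha", "Bravo", "Charlie", "Delta", "Echo"]


@dataclass
class Record:
    name: str                 # name issued by the registry
    sample_id: str            # identity key (here: sha256 of the sample)
    first_seen: datetime
    reporters: list = field(default_factory=list)
    aliases: set = field(default_factory=set)  # vendor names, merged names


class Registry:
    def __init__(self, names=NAME_LIST):
        self._names = iter(names)     # StopIteration once the list runs dry
        self.records = {}             # sample_id -> Record
        self.index = {}               # registry name or alias -> sample_id

    def report(self, reporter, sample, vendor_name=None, now=None):
        """Submit a sample; returns ('new' | 'duplicate', record)."""
        now = now or datetime.now(timezone.utc)
        sample_id = hashlib.sha256(sample).hexdigest()
        rec = self.records.get(sample_id)
        if rec is None:
            # "sees no equal": create a time-stamped record with a fresh name
            rec = Record(name=next(self._names), sample_id=sample_id, first_seen=now)
            self.records[sample_id] = rec
            self.index[rec.name] = sample_id
            status = "new"
        else:
            status = "duplicate"
        rec.reporters.append(reporter)
        if vendor_name:
            # the vendor's own name is kept as an alias; nobody is told to rename
            rec.aliases.add(vendor_name)
            self.index[vendor_name] = sample_id
        return status, rec

    def lookup(self, name):
        """Resolve a registry name or any vendor alias to its current record."""
        return self.records[self.index[name]]

    def merge(self, id_a, id_b):
        """"Investigation continues": two records turn out to be one thing.
        The earlier record keeps its name; the later one's names become aliases."""
        a, b = self.records[id_a], self.records[id_b]
        keep, drop = (a, b) if a.first_seen <= b.first_seen else (b, a)
        folded = drop.aliases | {drop.name}
        keep.aliases |= folded
        keep.reporters += drop.reporters
        for alias in folded:
            self.index[alias] = keep.sample_id
        self.records[drop.sample_id] = keep   # both identity keys now resolve to keep
        return keep


if __name__ == "__main__":
    reg = Registry()
    # constructed sample bytes standing in for two submitted files
    print(reg.report("AV shop A", b"sample one", vendor_name="Humptydumpty-2"))
    print(reg.report("AV shop B", b"sample one"))              # duplicate
    print(reg.report("AV shop B", b"sample two", vendor_name="Jabberwocky-3"))
    merged = reg.merge(reg.lookup("Humptydumpty-2").sample_id,
                       reg.lookup("Jabberwocky-3").sample_id)
    print(merged.name, sorted(merged.aliases))
```

The registry never has to wait on the vendors agreeing: a name is issued the moment a report lands, and the Humptydumpty-2 / Jabberwocky-3 situation from the quoted exchange is handled afterwards by `merge`, which leaves every previously published name resolvable through `lookup`.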