Full Disclosure mailing list archives
RE: AV Naming Convention
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 11 Aug 2004 14:00:27 +1200
"Randal, Phil" to "Todd Towles":
I have thought about it, every time this issue is raised. To do what is proposed at first glance seems eminently sensible, but even a post-hoc renaming exercise requires additional "vendor" resources, and leads to customer confusion.
Indeed. Also, as I just explained in another post, the "worst" confusion tends to come in the first few hours after something new and fast-spreading is first isolated. Thus, post-hoc renaming does little to help the _worst_ of the "problem" from the user's perspective. If we settle on a solution that is heavily dependent on post-hoc renaming, it means that most of the early confusion will still be experienced -- the media will report four different names for the same new thing and productivity will be lost while IT admins work out if the reports of FooBar.AB, FooBar.AD, FooBar-AD and Foo.AC are actually all different names for precisely the same thing or not, and if not, whether the scanners they use from different vendors at different layers in their protective strategy detect all of the however many variants that naming bundle actually represents (and don't think that is unlikely -- several times just this year we have had two or more new variants of large families of successful mass-mailers released within hours of each other, and in the bot arena, some families are seeing several new variants released (or at least isolated by AV researchers/analysts) _nearly every day_). To remove the bulk of the inconvenience naming inconsistency causes we really need to address naming consistency up front, during the initial analysis period and leading up to the vendors putting up web pages naming and describing the variant and/or shipping updated DAT/DEF/etc files to detect it. A "solution" to the naming inconsistency problem that is, say, 90% effective at this point in the process should have a huge impact on the overall problem... -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: AV Naming Convention, (continued)
- Re: AV Naming Convention Jan Muenther (Aug 10)
- RE: AV Naming Convention Todd Towles (Aug 10)
- RE: AV Naming Convention Nick FitzGerald (Aug 11)
- RE: AV Naming Convention Todd Towles (Aug 11)
- Re: AV Naming Convention Valdis . Kletnieks (Aug 10)
- RE: AV Naming Convention Nick FitzGerald (Aug 11)
- RE: AV Naming Convention Rui Pereira (Aug 10)
- RE: AV Naming Convention Nick FitzGerald (Aug 10)
- RE: AV Naming Convention Nick FitzGerald (Aug 10)
- Re: AV Naming Convention ASB (Aug 11)
- RE: AV Naming Convention Nick FitzGerald (Aug 12)