funsec mailing list archives
Re: CME: A Total Failure -- Throw in the Towel
From: Alexander Sotirov <asotirov () determina com>
Date: Sun, 12 Mar 2006 13:43:57 -0800
Nick FitzGerald wrote:
>> Even if the AV vendors refuse to include the CME ids in their databases, CME would still provide a very valuable service. If you have a vendor specific malware name, you can go to http://cme.mitre.org/data/list.html and search for that name. You will find the CME entry, which will list all other names of this malware, essentially providing a translation service.
>
> Hahahahahahahaha...
>
> Seriously -- that comment alone shows so little idea of what the malware naming problem is, I am not going to waste my time trying to begin to explain to you the multiple, massive errors in multiple, flawed assumptions hidden in it.

Please do. I admit that I don't know much about the AV industry, but I am curious to know what this naming problem is, and how to correct my assumptions if they are flawed.

My only experience with CME comes from the following incident: A friend was infected by a virus, and after running multiple AV scanners was confused whether they detected the same thing or there were multiple viruses on the system. I used the CME list in exactly the way I described above, and found out that both products have detected CME-24. My assumption was that this _is_ the naming problem, and that the way I used the CME list is how it's supposed to be used.

Is the naming problem that you talk about something entirely different? Is the purpose of CME something else? What am I missing here?

> I'll make it easy for you -- CME =/= "CVE for malware". Never was intended for that, never will be that no matter how much a few misguided souls at MITRE might think that it could be a possible goal for them to achieve.

from http://cme.mitre.org/

"CME provides single, common identifiers to new virus threats to reduce public confusions during malware outbreaks. CME is not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing capability for malware."

Is this description wrong, or am I just reading it with the wrong assumptions? To me it sounds just like CVE for malware. If this is not what CME is intended for, then what is it?

Alex