funsec mailing list archives

Re: What ever happened to the Code Red worm?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 17 May 2007 12:06:07 +1200

Florian Weimer to Sonny Discini:

>> A virus that can be cured? Whatever will the AV companies do if we start
>> eradicating virii?
>
> They remove it from the signature file.

I know this is funsec, so that was a joke, right?


Despite the contributions from others suggesting that it is pure greed 
motivating AV developers to retain detections of ancient and long-
eradicated-ItW malware in their products, it is actually the end-user 
(and particularly the _corporate_ end-user) that ensures these old 
detections never die.

How?

Many of you have your little (and some not-so-little) malware 
collections -- at a minimum, the stuff you've personally received 
and/or diagnosed, and usually all that plus samples of most things ever 
stopped at your content-scanning gateways, etc.  Often there's also 
the contents of one or more of the (once) easily found VX collections 
from around the web.

Some small-ish proportion of you quasi-regularly scan those 
collections with the AV products your employers license "just to make 
sure".  Some of you (a smaller proportion still) even systematically do 
so as part of your ongoing QA processes, etc.

The AV developers brave enough to remove detection of anything likely 
to be in the cumulative set of all these informal test-sets increase 
the level of "nonsense" support calls they will have to handle, and 
(often silently) find their products quickly moving to a "not to be 
considered" list.


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
