| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: AV Naming Convention Thomas Loch wrote: > > This completely misses the point. > I do not completely agree ... You're welcome to your opinion, but it's clearly based on a grossly simplistic and inadequate notion of what virus scanners do and how viruses work. > > When a new virus is discovered, it is > > essential that there is a RAPID response to the threat. ... > I agree... Good... > > ...The idead of > > handing the critter over to a committee to decide it's name is, quite > > frankly, plain bonkers. > Why? Because of the time it must take to do that... Also, the level of expertise you need to have on that committee to get a high level of correct decisions, especially if you want to get those decisions very quickly to reduce the naming agreement latency as much as possible will necessarily reduce the talent pool available to the AV companies _AND_ be very expensive to employ and maintain because such talented and experienced AV researchers are among the most highly paid "technicians" in the IT industry. > Why can't we handle not yet named viruses as 'unnamed' ... This is actually the most sensible (so therefore probably the least likely to be used) of solutions. It has been suggested innumerable times in the past and, at least until there is some compelling (financial!) reason for AV developers to change their current practices, seems very unlikely to be implemented by any developers. > ... or we use a > standardized (by ISO?) method to generate a numeric code that consists of a > classification in categories and a sequential number and probably some kind > of checksum or hash until the virus gets an official name? This is suggested almost every day by some or other newbie with no clue how viruses work. Sadly, in (today's) real world, it quite simply will not work and, worse, cannot be made to work. Do you have any idea what polymorphism is? Don't see any problems with that? OK, try adding metamorphism (aka "body polymorphism") -- still no problems with the above suggestion? In an ideal world it should be able to work _combined with access to a library of reference samples that would be the basis of the generated identifiers_ (i.e. an identifier would point to a specific sample, deemed to be the definitive exemplar of the named variant). _HOWEVER_, that ideal world requires all kinds of complex trust issues that simply cannot be made to work in today's real world (and seem unlikely to be workable at least in the medium term). ... I'm pleased to note that so far in this, and the parent, thread no-one has wheeled out the hoary old chestnut of "Why not use something like the hurricane/tropical storm naming scheme that has worked so well in meteorology?" as it is replete with problems that are obviously insoluble to anyone who understands anything about computer virus, and related malware, incident handling. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
Powered by blists - more mailing lists