From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: AV Naming Convention

Todd Towles wrote:

> ...  AV companies are always trying to beat the other company
> and this leads to very little information sharing between the companies on
> new viruses, etc.

Actually, that is quite misleading.

The _marketing_ droids may well want you to believe that view of 
things, but "in the trenches" there is much more inter-researcher, 
cross-vendor communication than that view suggests.  It is not perfect 
and there is not enough commitment from the developers to allow things 
to be much better than we currently have, but there is a fair degree of 
communication and, for "emergency" cases, real-time sample sharing.

The real trouble is that the non-emergency cases _VASTLY_ outweigh the 
emergency cases and (at least for now) there is no practical way to 
share all samples between all developers in (near) real-time (and 
little desire or perceived need to do so).  Thus, even in families that 
have many emergency cases (such as Bagle and MyDoom) there have been 
many non-emergency cases.  In turn, this allows for several points of 
disagreement between developers as to which variant is which "between 
emergencies", and this is then further complicated by some developers 
that do not like making "gaps" in their naming sequences to accommodate 
the "wrong" use of variant ascriptions by other developers and so on 
and so forth...

> Maybe a foundation should be created. This foundation could give a seal of
> approval to all AV corporations that join in. We are starting to make rules
> for patch management over at patchmanagment.org. Why couldn't a group work
> with AV names and the first company that finds and IDs it correctly gets to
> name it in the foundation. Just a dream, I would guess.

I won't go into the details here but I've looked into proposals like 
this and, at least for now, it won't work for many technical, cultural 
and financial reasons.  If the latter can be overcome _AND_ something 
done to swing the culture in many AV development teams that "much 
better naming consistency really does matter" it can be made to work 
with a few technical limitations and there are some moves afoot to 
investigate the practicalities of this.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

