Message-ID: <3FFD8005.1673.2AB7D8C0@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Show me the Virrii!
Nicob <nicob@...ob.net> replied to S G Masood:
> > 5. They *might* have an arrangement with each other to
> > share samples.
>
> Individuals at antivirus companies share samples every day, without any
> previous arrangement.
In fact, that would be relatively rare.
It may happen that a "junior" (new, less experienced, not well known
within the industry) analyst may be told by a more senior research
analyst to send someone at another company a sample. In such a case,
although the junior analyst may well not know the recipient, s/he would
be following the trust decision of the senior analyst and that would be
based on a great deal of prior arrangement and experience.
> At a corporate level, there's the "Rapid Exchange of Virus Sample"
> (REVS) hosted by The Wild List website.
First, REVS was not hosted by the WildList Organization (although some
once prominent in the WLO folk were involved in setting up REVS).
Second, REVS is no more. It "died out" because too many of the "more
influential" members of the AV research community would not accept the
removal of inter-personal trust relationships from the sample
distribution equation that participation in REVS necessitated.
(Whether that was entirely a good thing or not given REVS was intended
purely for use with "emergency" samples and not all or even "many"
samples is something that could be debated ad nauseam, but this is not
the appropriate venue for that...)
REVS was replaced by another inter-researcher sample distribution
mechanism that outwardly looks quite similar but which crucially (for
those to whom this was an issue) allows the _sender_ of a sample to
know both who it is going to _and_ to limit the distribution should one
or more folks on the sample distribution list not meet the sender's
required level of trustworthiness. That is, REVS was replaced by a
mechanism that allows for sender-determined control over recipient -- a
glorified way of saying "dependent on previous arrangement".
I think anyone who thinks they'll break into contemporary mainstream
antivirus research (which is very heavily dependent on access to huge
repositories of malware samples) by side-stepping such issues is
severely deluding themselves...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854