Message-ID: <4119FB19.15554.A43C960A@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: AV Naming Convention
Thomas Loch wrote:
> > This completely misses the point.
> I do not completely agree ...
You're welcome to your opinion, but it's clearly based on a grossly
simplistic and inadequate notion of what virus scanners do and how
viruses work.
> > When a new virus is discovered, it is
> > essential that there is a RAPID response to the threat. ...
> I agree...
Good...
> > ...The idea of
> > handing the critter over to a committee to decide its name is, quite
> > frankly, plain bonkers.
> Why?
Because of the time it must take to do that...
Also, the level of expertise you need to have on that committee to get
a high level of correct decisions, especially if you want to get those
decisions very quickly to reduce the naming agreement latency as much
as possible, will necessarily reduce the talent pool available to the AV
companies _AND_ be very expensive to employ and maintain, because such
talented and experienced AV researchers are among the most highly paid
"technicians" in the IT industry.
> Why can't we handle not yet named viruses as 'unnamed' ...
This is actually the most sensible (so therefore probably the least
likely to be used) of solutions. It has been suggested innumerable
times in the past and, at least until there is some compelling
(financial!) reason for AV developers to change their current
practices, seems very unlikely to be implemented by any developers.
> ... or we use a
> standardized (by ISO?) method to generate a numeric code that consists of a
> classification in categories and a sequential number and probably some kind
> of checksum or hash until the virus gets an official name?
This is suggested almost every day by some or other newbie with no clue
how viruses work. Sadly, in (today's) real world, it quite simply will
not work and, worse, cannot be made to work.
Do you have any idea what polymorphism is?
Don't see any problems with that? OK, try adding metamorphism (aka
"body polymorphism") -- still no problems with the above suggestion?
In an ideal world it should be able to work _combined with access to a
library of reference samples that would be the basis of the generated
identifiers_ (i.e. an identifier would point to a specific sample,
deemed to be the definitive exemplar of the named variant). _HOWEVER_,
that ideal world requires all kinds of complex trust issues that simply
cannot be made to work in today's real world (and seem unlikely to be
workable at least in the medium term).
...
I'm pleased to note that so far in this, and the parent, thread no-one
has wheeled out the hoary old chestnut of "Why not use something like
the hurricane/tropical storm naming scheme that has worked so well in
meteorology?" as it is replete with problems that are obviously
insoluble to anyone who understands anything about computer virus, and
related malware, incident handling.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
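As an added illustration of the polymorphism point made above (this is example code written for this archive page, not part of Nick's post or of any AV product): a constructed toy "family" whose instances differ byte-for-byte, so an identifier derived from hashing each sample never repeats, while an identifier tied to a reference exemplar (recovered here by trying every single-byte key, standing in for the decryptor emulation a real scanner performs) stays stable across instances. The body bytes, key scheme and identifier prefixes are all constructed assumptions.

```python
import hashlib
from typing import Optional

# Constructed stand-in for the invariant part of a polymorphic family.
# Every instance carries this body, but stored XOR-encoded under a
# per-instance key so that no two instances share the same bytes.
# Toy model for illustration only; it does nothing and is not malware.
FAMILY_BODY = b"REFERENCE-SAMPLE-BODY-FOR-NAMING-DEMO"
REFERENCE_ID = "REF-" + hashlib.sha256(FAMILY_BODY).hexdigest()[:16]


def make_instance(key: int) -> bytes:
    """Return one constructed instance: the body XOR-encoded with `key`."""
    return bytes(b ^ key for b in FAMILY_BODY)


def sample_hash_id(sample: bytes) -> str:
    """The proposed scheme: an identifier built from a hash of the raw
    sample bytes. Each polymorphic instance gets a different one."""
    return "HASH-" + hashlib.sha256(sample).hexdigest()[:16]


def reference_id(sample: bytes) -> Optional[str]:
    """What a scanner has to do instead: normalise the instance back to
    the invariant body and map that to a reference exemplar. Here the
    single-byte key is recovered by brute force; a real scanner would
    emulate the decryptor to reach the same decoded body."""
    if len(sample) != len(FAMILY_BODY):
        return None
    for key in range(256):
        if bytes(b ^ key for b in sample) == FAMILY_BODY:
            return REFERENCE_ID
    return None


def compare(keys) -> dict:
    """Count how many distinct identifiers each scheme assigns to
    instances of the same family generated with the given keys."""
    samples = [make_instance(k) for k in keys]
    return {
        "hash_ids": {sample_hash_id(s) for s in samples},
        "ref_ids": {reference_id(s) for s in samples},
    }


if __name__ == "__main__":
    result = compare([0x11, 0x22, 0x33, 0x44])
    print("hash-based identifiers:", len(result["hash_ids"]))  # 4
    print("reference identifiers:", len(result["ref_ids"]))  # 1
```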