[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <411A267B.11121.A4E60C6C@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: AV Naming Convention
"Randal, Phil" to "Todd Towles":
> I have thought about it, every time this issue is raised. To do what is
> proposed at first glance seems eminently sensible, but even a post-hoc
> renaming exercise requires additional "vendor" resources, and leads to
> customer confusion.
Indeed.
Also, as I just explained in another post, the "worst" confusion tends
to come in the first few hours after something new and fast-spreading
is first isolated. Thus, post-hoc renaming does little to help the
_worst_ of the "problem" from the user's perspective. If we settle on
a solution that is heavily dependent on post-hoc renaming, it means
that most of the early confusion will still be experienced -- the media
will report four different names for the same new thing and
productivity will be lost while IT admins work out if the reports of
FooBar.AB, FooBar.AD, FooBar-AD and Foo.AC are actually all different
names for precisely the same thing or not, and if not, whether the
scanners they use from different vendors at different layers in their
protective strategy detect all of the however many variants that naming
bundle actually represents (and don't think that is unlikely -- several
times just this year we have had two or more new variants of large
families of successful mass-mailers released within hours of each
other, and in the bot arena, some families are seeing several new
variants released (or at least isolated by AV researchers/analysts)
_nearly every day_).
To remove the bulk of the inconvenience naming inconsistency causes we
really need to address naming consistency up front, during the initial
analysis period and leading up to the vendors putting up web pages
naming and describing the variant and/or shipping updated DAT/DEF/etc
files to detect it. A "solution" to the naming inconsistency problem
that is, say, 90% effective at this point in the process should have a
huge impact on the overall problem...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Powered by blists - more mailing lists