Message-ID: <003701c47faa$5bf5a690$fc11010a@msad.brookshires.net>
From: toddtowles at brookshires.com (Todd Towles)
Subject: AV Naming Convention
I understand your point but I have to disagree with you when you say that a
person on this list can't make a difference.
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Nick FitzGerald
Sent: Wednesday, August 11, 2004 5:29 AM
To: 'Mailing List - Full-Disclosure'
Subject: RE: [Full-Disclosure] AV Naming Convention
Todd Towles wrote:
> Nowhere did I state that AV researchers were doing a crappy job and
> everything needs to change. I stated a shift is needed. A shift toward more
> sharing of information between AV companies is needed.
Information sharing is not the main part of the problem. We do lots of
information sharing all the time. One large part of the problem is
simply that too many developers do not have (and never did) a
sufficiently customer-centred focus. If they did, these developers
would realize that most corporate customers use multiple products from
multiple vendors, and even the smallest of customers -- the one PC home
or small business user -- gets their information about viruses from
multiple _other_ resources than just their "favourite" AV developer.
Sadly, way too many AV developers have worked for far too long with an
internal culture that did not see that reality and the obvious problems
that arise from that failure to recognize such a problem. Several of
these developers evolved complex internal procedures that eased the
processing of samples of suspect new malware flowing to their labs, but
as naming was not seen as an issue, much less an important issue to
prioritize, naming issues were not designed for or around. As a
result, some of these procedures are so crucially dependent on the
choice of a name _AND_ require that to happen so early in the process
that it is all but inconceivable for some of these developers to change
a virus' name.
Thus, for example, no matter how often and how quickly it is realized
that some new mass mailer is a Bagle variant and the analysts from two
dozen or more AV companies discuss it in the hope that they can finally
agree on a breaking point in the Bagle variant chain allowing all
vendors to align future Bagle variants, at least one AV company will
call it "Beagle.<something>" (they could actually call this latest one
"Bagle.<whatever is agreed>" but that would be to admit all those
others were wrong and all but unchangeable...).
<<snip>>
> I can tell you that the way viruses are named right now is meaningless to
> the public. ...
So is the way their cars run but they seem to get along just fine...
> ... Look at the newspaper; they just throw headlines with "MyDoom"
> and "Beagle" in them. They can't keep up with what version is what and who
> called this what.
Don't get me started on this...
As much as most of the industry may agree to not aggrandize some spotty
faced, bad-breathed teenager's fantasies by not using the name the
virus writer chose, the media will latch onto the one tiny, weird-arse,
industry convention defying, publicity starved, former Eastern-bloc
hopped up AV company that does use the "cute" or "catchy" or whatever
name, and thereby greatly exacerbates the problem. Worse, many
journalists (or perhaps their editors) feel that they are better
qualified to make up virus names than antivirus researchers are and
they will simply coin what they consider a catchy, snazzy, sexy,
attention grabbing, etc name to make a good headline or some dodgy joke
later in their copy.
If you depend on the media for your antivirus information, more fool
you...
> Do you really believe that trying to improve the AV information process is
> meaningless? Just because we can't see the answer at this very second
> doesn't mean that one doesn't exist.
Absolutely, but I _seriously_ doubt that anything J. Random Full-Disclosure
Reader is going to suggest will come close to being useful
given the intellect, experience and AV smarts that have already gone
into trying to resolve this problem (or at least into considering what
could be made to work given how AV and viruses really work).
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html