Message-ID: <20040813105840.82719.qmail@web51507.mail.yahoo.com>
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: (no subject)

> > As I explained in other of my posts in this and the related
> > "AV Naming Convention" thread, in general by far the largest
> > "cost" of naming disagreement is borne by the users in the
> > early hours of large-scale outbreaks.

Forget the whole naming thing...it's been bandied
about before, ad nauseam, and things haven't changed.
What *I* would like to see is some real analysis of
what they find.  Too many times, weeks after
something's come out, some A/V company still has
"modifies/updates some Registry keys" on their web
site.  Even Symantec lacks consistency with
this...specifying Registry keys or file entries that
affect Win9x vs NT+ in some writeups, but not in
others.

Some companies do a good job of specifying the
footprints that malware leaves behind.  However, none
of the A/V vendors are really consistent with this.

On a side note, it really would be nice for MS to
publish specific information on when certain keys are
loaded by the system...the bad guys seem to know this
sort of thing, but educating sysadmins is difficult
when MS doesn't provide any documentation.

> You know what, I don't work in the "anti-virus"
> field, but what you are
> saying is BS.  There is no good reason that I can
> think of that the AV
> companies cannot rename these things after the fact.

Why should they?  One A/V company calls it one thing,
and then puts the names used by other A/V companies in
the "aka" section of their writeup.

>  When an outbreak
> happens, they provide a fix and name it whatever
> they want.  After the
> fact, they could rename things and their updates
> reflect the "proper"
> name.  They can keep a reference to their name in
> the description, what's
> a few more characters in the signature files for
> every piece of malware
> going to matter? another 100k in a download at most?
>  I agree that there
> is probably a lot of marketing pressure that may
> make this difficult,
> but there is no technical reason for it.

Technical reasons, perhaps...but I think you hit the
nail on the head...it's driven by $$, in some way.

> The AV companies cannot be that lame that they
> cannot handle a simple
> name change.  I mean we use databases and other
> things and using these
> "computers" that should make this easy.  If they are
> that lame, maybe they shouldn't be in business.

Don't you think that's kind of harsh?  After all, one
could simply come back to you and say, "well, if you
can do better, why aren't you doing it?"
