[Full-Disclosure] AV Naming Convention It is who fixes it first.
Clairmont, Jan M
jan.m.clairmont at citigroup.com
Wed Aug 11 15:20:43 BST 2004
It's about detection and fixing the problem first. Who has a
fix and has a methodology for fixing it reports it and puts the
link/methodology/information in the database so all who are still
trying to respond can benefit from that information.
Everyone fixes it eventually, but then the company/person/contributor
gains the benefit of first finder's name and the rest of us get to
respond and defeat the offending malware/virus/spam etc.
Naming could have many aliases in the database too, just in case there
is some dispute. It would also make it searchable by alias, time, day etc.
This reporting system would be free for information only,
free downloads .dll fixes or links to the vendor's site for
fixes. You would subscribe or unsubscribe at your leisure.
Again non-vendor specific, it might just be the name
of the offending type, security level threat and a link to
the fix for each vendor's updates. Then a standard update and
methodology by the vendor.
It could contain spam filters for mailers, virus scan
identifiers, etc. No virus or actual malware, just fixes for
cleaning and debugging. Also a daily spam list would be great for
people who would like to automatically eliminate spam from
their favorite mail utility (Outlook, mail, pine ad nauseam).
This discussion is great, good discussion all.
From: full-disclosure-admin at lists.netsys.com
[mailto:full-disclosure-admin at lists.netsys.com]On Behalf Of Nick
Sent: Wednesday, August 11, 2004 5:11 AM
To: full-disclosure at netsys.com
Subject: RE: [Full-Disclosure] AV Naming Convention
Frank Knobbe to Glenn Everhart:
> > Given the time allowed to do this work, it seems a cross reference after
> > the fact is probably the best one can hope for.
> Perhaps they could elect one person (of each AV shop) to be a naming
> mediator between the organizations. ...
Pick me, please -- I just love being woken up at 3:42am because folk in
Russia are working a new virus I already saw hours ago and we now have
to agree on a name...
That's right -- we don't all work for companies based in the same
continent, let alone all work in the same place as all the other folk doing
analysis for our own companies.
> ... Competition is still ensured...
> after all, everyone wants to get it out first. Here's another incentive.
Do you work in marketing? If not, please get that stupid idea out of
your head (if you do work in marketing then I assume you are
genetically unable to think sensibly about the following).
Most antivirus researchers do _NOT_ work that way, regardless of who
their employers are (and formerly, when a few such employers were dumb
enough to try to use gag-clauses in their employment contracts these
were often ignored anyway).
> First one out to propose a new virus/strain can give it a name. All
> prominent AV shops could, to help industry and consumers (marketing
> opportunity here), come to an agreement that governs how names are
> standardized. First representative of an AV shop that raises the hand
> says "We got a new one! Can't give details of course since you are a
> competitor. But if you find the same thing in your research, let's call
> it Humptydumpty-2."
Pray tell, how are "name proposers" to convey to their peers which
virus they have just found? You say that they should not give details
of the virus, yet as (part of) the naming problem is that there is no
natural and unique naming method, simply knowing that another
researcher called some virus "FooBar" gives one _NO_ insight into
whether the new virus they are now looking at is a sample of FooBar.
Oh, and the competition thing -- that's not how things work. The AV
industry is a great deal better for having driven the John McAfees out
all those years ago, along with the divisive and damaging (both to the
customer and the industry) "sample competition" folk like him had been
encouraging. If you really are an AV user, you'd be about the only one
who is apparently keen to return to those "bad old days".
> Whoever finds the virus first has first choice on the name. No sharing
> of information required, just agreement on a name.
That is what we have now, which I thought was seen as a problem...
Also, how does some other researcher know that FooBar and the new virus
they've just been handed to analyse and add to their employer's product
is, or is not, one and the same thing?
You seem to be forgetting that a name is just a label and, alone,
imparts no identity information.
> Is that so hard?
Well, it would be if anyone was daft enough to try to do it as you
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Full-Disclosure - We believe in it.
Full-Disclosure is hosted and sponsored by Secunia.