RE: [Full-Disclosure] AV Naming Convention

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 08/11/04

    To: full-disclosure@netsys.com
    Date: Wed, 11 Aug 2004 13:47:08 +1200
    
    

    Clairmont, Jan M wrote:

    > IT would be an automated naming based on first time of discovery and
    > reporting, there could be aliases added for the bugger.
    > This could be for searching for Mydoom.b Mydoom.c etc. variant rather
    > than trying to search for a name like Virus20040908.19:24:31.8843 time stamped
    > variants.

    Ummmm, how would this system deal with parasitic infectors?

    What about polymorphics?

    Worse, metamorphics?

    _Any_ kind of fully automated name generation mechanism has to solve
    the Halting Problem to begin to be useful, and were that possible the
    naming system would entirely supplant any kind of antivirus system
    based on one or more of the far less accurate and far less reliable
    known virus scanning, generic and heuristic scanning, behaviour
    monitoring/blocking, etc, etc, etc, etc approaches.

    And, if we had perfect, fully automatic virus detection we would not
    really need names for them as the "it infected me before my AV was
    updated" issue disappears...

    > Similar or equal viruses would later be eliminated or archived for
    > information.

    Ahhh, so you are aware of that problem, but clearly did not think about
    what you were proposing as what you propose is simply the system we
    have now but with an ignorant automaton doling out names rather than
    loosely interconnected groups of subject matter specialists trying to
    reduce naming conflicts as part of their naming decisions.

    On balance, the automaton is likely to produce a _lot_ more different
    names for the same thing, making matters worse rather than better, at
    least once you realize that the humans who write viruses will be easily
    able to target the braindeadedness of the automaton to deliberately
    wreak naming havoc via it.

    > ... Standard record stamping for a database like Oracle. Maybe
    > Oracle could be persuaded to provide an
    > international database, great public service, providing needed
    > information to reduce spam, and virus spreading etc.

    Oh yes, just what we need as a "public service" -- a publicly
    accessible database of virus and other malware code. That will reduce
    availability and damage from malware no end...

    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
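The naming automaton the thread argues over, as an added illustration that is not from the thread or from any AV vendor: a constructed one-byte XOR wrapper stands in for a polymorphic engine, the timestamp-plus-hash namer issues a fresh name for every byte-different copy, and the analyst-side grouping step (which relies on a decoder the automaton does not have) collapses them into one family with aliases.

```python
import hashlib
from datetime import datetime, timedelta

def automaton_name(sample: bytes, first_seen: datetime) -> str:
    """Name a sample the way the proposed automaton would: from the time it was
    first reported plus a hash-derived suffix, knowing nothing about what it does.
    Format is modelled on the thread's 'Virus20040908.19:24:31.8843' example."""
    digest = hashlib.sha256(sample).hexdigest()[:4]
    return f"Virus{first_seen:%Y%m%d.%H:%M:%S}.{digest}"

def polymorphic_variants(payload: bytes, keys) -> list:
    """Constructed stand-in for a polymorphic engine: the same body wrapped with a
    different one-byte XOR key each time, so every copy differs byte-for-byte
    while decoding to identical content. Not a real engine; a toy for the demo."""
    return [bytes([k]) + bytes(b ^ k for b in payload) for k in keys]

def decode(sample: bytes) -> bytes:
    """The analyst's knowledge: how to unwrap the toy polymorphic layer."""
    k = sample[0]
    return bytes(b ^ k for b in sample[1:])

def name_samples(samples, start: datetime) -> dict:
    """Let the automaton name each sample as it arrives, one per second."""
    return {s: automaton_name(s, start + timedelta(seconds=i))
            for i, s in enumerate(samples)}

def family_aliases(names: dict) -> dict:
    """What human naming groups do instead: group samples whose decoded body is
    identical into one family and keep the automaton's names as aliases."""
    families = {}
    for sample, auto_name in names.items():
        families.setdefault(decode(sample), []).append(auto_name)
    return families

# Constructed inputs: a stand-in payload (plain text, not code) and three keys.
PAYLOAD = b"constructed sample body, not real code"
SAMPLES = polymorphic_variants(PAYLOAD, [0x11, 0x22, 0x33])
FIRST_SEEN = datetime(2004, 9, 8, 19, 24, 31)

if __name__ == "__main__":
    names = name_samples(SAMPLES, FIRST_SEEN)
    print("automaton issued", len(set(names.values())), "names")
    for body, aliases in family_aliases(names).items():
        print("one family, aliases:", aliases)
```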
    
