Dennis,
        Thanks for the reply. I understand all of what you are saying, having 
worked as a sysadmin for many years now. My issue is that even with most 
vendors using different naming conventions, they are "usually" cross-referenced 
in any technical info that is out there. I can't find any data on these 
messages and would like to know what other malware names they match up to so I 
can present it to management. At this point I can't even give a risk assessment.


Rich

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Peterson
Sent: Thursday, October 25, 2007 12:54 PM
To: ClamAV users ML
Subject: Re: [Clamav-users] Recent viruses

Gomes, Rich wrote:
> I received some emails yesterday matching the following:
> 
> Infected messages:
>     Email.Ecard-28: 2 Message(s)
>     Email.Phishing.RB-1804: 2 Message(s)
>     Email.Phishing.RB-1806: 2 Message(s)
> 
> 
> I think these are ClamAV-specific names, how can I find out more detailed 
> info on each one? I do not see them anywhere on the web.
> 
> 
> Any help would be greatly appreciated.

There are no naming standards and it doesn't look like any initiative to create 
one is going anywhere. The problem is each AV vendor has to call it something 
(I actually don't agree with this, but sexy names sell product). So what do you 
call a virus you've not seen before? I suppose you could submit it to all the 
other vendors' systems to see if they have a name for it and adopt that, but 
then that's a lot 
of work and there are no returns. And what if you are the first to discover it? 
You can't wait around for a committee to come up with a name so you call it 
something and release the update. As you know, within a day all the vendors 
will have discovered that same virus and will also go through this same drill.

If you think about it, vendor A using vendor B's names is an admission that 
vendor A was not the first to discover it, and that means vendor B is going to 
look better in reviews.

My bottom line is, I really don't care what they're called. A simple serial 
number would be fine with me. The names mean more to the popular press than 
anyone else on the planet because they make great headlines. A name that is 
also the date discovered would be even better as I could voluntarily remove any 
old virus patterns I think are obsolete. This addresses another issue - AV 
vendors get a big plus for showing they have a bazillion patterns in their 
database. I don't care - if that represents something that was an issue in 1987 
it is not a problem for me today. Get rid of it.

How to get more detail? You can translate (they're hex encoded) the record for 
the virus name and read what the pattern is. This is especially true for 
the phishing and text based "viruses". Less useful for viruses found in 
executable files.

One final point: phishing and scam mails will not necessarily have a 
corresponding identity with other vendors. They may not provide phishing and 
scam protection, for one thing, and for another the manner of detecting them is 
entirely arbitrary. Vendor A might look for embedded URLs in the message where 
vendor B might look for repeating misspelled words or unusual phrasing in the 
same message. In other words there is no guarantee of a match with any other 
vendor.

dp
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net 
http://lurker.clamav.net/list/clamav-users.html
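To make Dennis's "translate the hex-encoded record" suggestion concrete, here is an added example (not code from the original thread or from the ClamAV project) that parses a signature in the .ndb layout `MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]`, renders the hex body as readable text with the wildcards marked, and tests it against a sample message. The record and the two message bodies are constructed for illustration; they are not the real Email.Ecard-28 or Email.Phishing.RB-* signatures, whose bodies you would pull out of daily.cvd/main.cvd yourself (current sigtool does this with `sigtool --find-sigs=NAME | sigtool --decode-sigs`). The regex translation is an approximation of ClamAV's matcher, good enough to read a text signature and see why a mail tripped it, not a reimplementation of the engine.

```python
"""Decode a ClamAV .ndb body signature into readable form and test it against data.

Added illustration, not ClamAV's own code. Assumed record layout (.ndb format):
    MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
Wildcards handled in the hex body: ?? (any byte), * (any run), {n} {n-m} {-m} {n-}
(bounded gaps), (aa|bb) (alternatives), a? / ?a (nibble wildcards).
The regex translation approximates ClamAV's matcher; it is not the real engine.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example record (not a real ClamAV signature). Target 4 = mail file,
# offset * = anywhere. Body reads: "please verify" {1-40} ("http://"|"https://") * "login"
SAMPLE_RECORD = (
    "Email.Phishing.Example-1:4:*:"
    "706c6561736520766572696679{1-40}(687474703a2f2f|68747470733a2f2f)*6c6f67696e"
)
# Constructed sample message bodies (not real mail).
SAMPLE_PHISH = b"Dear customer, please verify your details at http://203.0.113.5/secure/login now."
SAMPLE_CLEAN = b"Hi, the login page is at https://intranet.example/ as usual."

TOKEN_RE = re.compile(
    r"\{(\d*)(-?)(\d*)\}"            # {n}, {n-m}, {-m}, {n-}
    r"|\*"                            # any run of bytes
    r"|\([0-9a-fA-F?|]+\)"            # (aa|bb) alternatives
    r"|\?\?"                          # any single byte
    r"|[0-9a-fA-F]\?|\?[0-9a-fA-F]"   # nibble wildcards
    r"|[0-9a-fA-F]{2}"                # literal byte
)


@dataclass
class Signature:
    name: str
    target: int
    offset: str
    hexsig: str
    min_fl: Optional[str] = None
    max_fl: Optional[str] = None


def parse_ndb(record: str) -> Signature:
    """Split one .ndb line into its fields; the hex body never contains ':'."""
    parts = record.strip().split(":")
    if len(parts) < 4:
        raise ValueError("expected Name:Target:Offset:HexSig[:MinFL[:MaxFL]]")
    name, target, offset, hexsig = parts[:4]
    extra = parts[4:6]
    return Signature(name, int(target), offset, hexsig,
                     extra[0] if len(extra) > 0 else None,
                     extra[1] if len(extra) > 1 else None)


def tokenize(hexsig: str) -> list:
    """Return the regex matches covering the whole body; reject anything unparsed."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unparseable hex at offset {pos}: {hexsig[pos:pos + 8]!r}")
        tokens.append(m)
        pos = m.end()
    if pos != len(hexsig):
        raise ValueError(f"trailing junk at offset {pos}: {hexsig[pos:]!r}")
    return tokens


def _byte_repr(b: int) -> str:
    # Printable ASCII shown as-is, except the marker characters used below.
    return chr(b) if 0x20 <= b < 0x7F and chr(b) not in "<>()|\\" else f"\\x{b:02x}"


def readable(hexsig: str) -> str:
    """Render the hex body as text with wildcards marked, e.g. 'please verify<{1-40}>...'."""
    out = []
    for m in tokenize(hexsig):
        t = m.group(0)
        if t == "*":
            out.append("<*>")
        elif t == "??":
            out.append("<?>")
        elif t.startswith("{"):
            out.append("<" + t + ">")
        elif t.startswith("("):
            out.append("(" + "|".join(readable(a) for a in t[1:-1].split("|")) + ")")
        elif "?" in t:                      # nibble wildcard, e.g. 4? or ?1
            out.append("<" + t + ">")
        else:
            out.append(_byte_repr(int(t, 16)))
    return "".join(out)


def _regex_body(hexsig: str) -> bytes:
    parts = []
    for m in tokenize(hexsig):
        t = m.group(0)
        if t == "*":
            parts.append(b".*?")
        elif t == "??":
            parts.append(b".")
        elif t.startswith("{"):
            lo, dash, hi = m.group(1), m.group(2), m.group(3)
            parts.append(b".{%d}" % int(lo) if not dash
                         else b".{%s,%s}" % (lo.encode() or b"0", hi.encode()))
        elif t.startswith("("):
            parts.append(b"(?:" + b"|".join(_regex_body(a) for a in t[1:-1].split("|")) + b")")
        elif t[1] == "?":                   # a? : high nibble fixed, a0..af
            hi = int(t[0], 16) << 4
            parts.append(b"[" + re.escape(bytes([hi])) + b"-" + re.escape(bytes([hi | 0xF])) + b"]")
        elif t[0] == "?":                   # ?a : low nibble fixed, 0a,1a,...,fa
            lo = int(t[1], 16)
            parts.append(b"[" + b"".join(re.escape(bytes([(h << 4) | lo])) for h in range(16)) + b"]")
        else:
            parts.append(re.escape(bytes([int(t, 16)])))
    return b"".join(parts)


def to_regex(hexsig: str):
    """Compile the hex body to a bytes regex (approximation of ClamAV's matcher)."""
    return re.compile(_regex_body(hexsig), re.DOTALL)


def matches(sig: Signature, data: bytes) -> bool:
    """True if the signature body occurs in data at the offset the record demands.
    Only '*' and absolute numeric offsets are handled here; ClamAV has more forms."""
    pattern = to_regex(sig.hexsig)
    if sig.offset == "*":
        return pattern.search(data) is not None
    if sig.offset.isdigit():
        return pattern.match(data, int(sig.offset)) is not None
    raise NotImplementedError(f"offset form {sig.offset!r} not handled in this example")


if __name__ == "__main__":
    sig = parse_ndb(SAMPLE_RECORD)
    print(f"{sig.name} (target {sig.target}, offset {sig.offset}):")
    print("  pattern:", readable(sig.hexsig))
    for label, body in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(f"  {label}: {'MATCH' if matches(sig, body) else 'no match'}")
```

Run against your own daily.cvd extract, the `readable()` output is what you can actually hand to management: for a text-based phishing signature it shows the literal phrases and URL fragments the pattern keys on, which is far more useful for a risk assessment than a cross-vendor name that, as Dennis notes, may not exist at all. As he also says, this decoding tells you little for signatures over executable code.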