Hi,

At http://www.clamav.net/lang/en/faq/faq-misc/ I found this:
----------------------------------------------------
Why is ClamAV calling the XXX virus with another name?

This usually happens when we add a signature before other AV vendors. No well-known name is available at that moment so we have to invent one. Renaming the virus after a few days would just confuse people more, so we usually keep on using our name for that virus. The only exception is when a new name is established soon after the signature addition.
----------------------------------------------------

While I understand the comment, I believe it makes it risky from a security perspective to tell users anything more than "file contains virus". I say this because if we find a virus and provide the message "file contains virus with name <ClamAV proprietary virus name XYZ>", then malicious users can effectively deduce our virus engine simply by using the custom name. See the site http://virusscan.jotti.org/en for a very easy illustration of how to do this. Once the malicious user knows this, it is again a fairly straightforward thing for them to test exploits against a site like jotti until they find one not detected by ClamAV, then submit that exploit to our site knowing that it will successfully bypass our anti-virus.

As mentioned above, I do understand why this is necessary, as in some cases ClamAV may indeed get things first. However, I submit that it would be possible to create a simple "name mapping database" that contains 2 columns, "clam name" and "generic name", taken from say http://nvd.nist.gov/. ClamAV can then continue to create its "clam name" for viruses found first, simply leaving "generic name" empty until the "generic name" has been created, at which time this could be inserted next to "clam name", completing the mapping.

The benefit of this approach to the ClamAV community?

1. ClamAV system owners could report to users using the generic name as normal, and where one is empty for a new virus, developers could make a call as to whether to report the clam name or no name as they like.
2. ClamAV protected systems would not be exposed to the risk I explain above, or alternatively be unable to provide users any virus detail.
3. Users of the ClamAV protected system would have the benefit of being able to see the virus that is affecting them.
4. Users of the ClamAV protected system would be able to use that standard name to read up much more about the virus on say http://nvd.nist.gov/.

All in all, for me there is a fairly compelling argument for going this route, so I thought I would put it out there to see what others think.

Kind regards
Ricki

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
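One way to implement the "name mapping database" and the reporting choices the post describes, as an added example that is not part of the original post and is not ClamAV's own code. It parses the per-file lines that clamscan prints ("<path>: <signature> FOUND" or "<path>: OK"), looks each detection up in a two-column mapping of clam name to generic name, and builds the user-facing message under one of three policies: report the generic name and stay silent when none exists yet, fall back to the clam name when none exists, or never name the detection at all. The mapping entries, the clamscan output, and the policy names are constructed for this example; only the "<path>: <name> FOUND" line format is clamscan's.

```python
"""Sanitize ClamAV detections before showing them to users (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed "name mapping database": clam name -> generic name.
# None means ClamAV added the signature before any generic name existed.
NAME_MAP: Dict[str, Optional[str]] = {
    "Win.Test.EICAR_HDB-1": "EICAR-Test-File",
    "Win.Trojan.Example-1": "Trojan.Generic.Example",  # constructed entry
    "Clamav.Newcomer-1": None,                          # found first by ClamAV
}

# Policy names are this example's own, matching the options in the post.
POLICIES = ("generic", "clam-if-unmapped", "none")

# clamscan prints one verdict line per file; signature names contain no spaces.
_CLAMSCAN = re.compile(r"^(?P<path>.+?): (?:(?P<name>\S+) FOUND|OK)$")


def parse_clamscan_line(line: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (path, clam_name) for a detection, (path, None) for a clean file,
    or None for summary/error lines that carry no per-file verdict."""
    m = _CLAMSCAN.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("path"), m.group("name")


def public_name(clam_name: str, policy: str) -> Optional[str]:
    """Pick the name a user may see. A clam name missing from the mapping is
    treated exactly like one whose generic column is still empty."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if policy == "none":
        return None
    generic = NAME_MAP.get(clam_name)
    if generic is not None:
        return generic
    # No generic name yet: reveal the ClamAV name only if the owner opted in.
    return clam_name if policy == "clam-if-unmapped" else None


def user_message(path: str, clam_name: str, policy: str = "generic") -> str:
    name = public_name(clam_name, policy)
    if name is None:
        return f"{path}: file contains virus"
    return f"{path}: file contains virus {name}"


def sanitize_report(clamscan_output: str, policy: str = "generic") -> List[str]:
    """Turn raw clamscan output into one user-facing line per detection."""
    messages = []
    for line in clamscan_output.splitlines():
        parsed = parse_clamscan_line(line)
        if parsed is None or parsed[1] is None:
            continue  # summary line, error line, or clean file
        messages.append(user_message(parsed[0], parsed[1], policy))
    return messages


# Constructed clamscan output: two detections, one clean file, a summary block.
SAMPLE_OUTPUT = """\
/srv/upload/a.exe: Win.Trojan.Example-1 FOUND
/srv/upload/b.txt: OK
/srv/upload/c.bin: Clamav.Newcomer-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8600000
Scanned files: 3
Infected files: 2
"""

if __name__ == "__main__":
    for policy in POLICIES:
        print(f"[{policy}]")
        for msg in sanitize_report(SAMPLE_OUTPUT, policy):
            print(" ", msg)
```

Under the "generic" policy the second detection is reported without a name, so a user seeing the output cannot tell which engine produced it; under "clam-if-unmapped" the owner accepts that a ClamAV-specific name will leak for signatures ClamAV added first.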
