> > As I explained in other of my posts in this and the related "AV Naming
> > Convention" thread, in general by far the largest "cost" of naming
> > disagreement is borne by the users in the early hours of large-scale
> > outbreaks.

Forget the whole naming thing...it's been bandied about before, ad nauseam, and things haven't changed. What *I* would like to see is some real analysis of what they find. Too many times, weeks after something's come out, some A/V company still has "modifies/updates some Registry keys" on their web site. Even Symantec lacks consistency with this...specifying Registry keys or file entries that affect Win9x vs NT+ in some writeups, but not in others. Some companies do a good job of specifying the footprints that malware leaves behind. However, none of the A/V vendors are really consistent with this.

On a side note, it really would be nice for MS to publish specific information on when certain keys are loaded by the system...the bad guys seem to know this sort of thing, but educating sysadmins is difficult when MS doesn't provide any documentation.

> You know what, I don't work in the "anti-virus" field, but what you are
> saying is BS. There is no good reason that I can think of that the AV
> companies cannot rename these things after the fact.

Why should they? One A/V company calls it one thing, and then puts the names used by other A/V companies in the "aka" section of their writeup.

> When an outbreak happens, they provide a fix and name it whatever they
> want. After the fact, they could rename things and their updates reflect
> the "proper" name. They can keep a reference to their name in the
> description; what's a few more characters in the signature files for
> every piece of malware going to matter? Another 100k in a download at most?
> I agree that there is probably a lot of marketing pressure that may make
> this difficult, but there is no technical reason for it.

Technical reasons, perhaps...but I think you hit the nail on the head...it's driven by $$, in some way.

> The AV companies cannot be that lame that they cannot handle a simple
> name change. I mean we use databases and other things and using these
> "computers" that should make this easy. If they are that lame, maybe
> they shouldn't be in business.

Don't you think that's kind of harsh? After all, one could simply come back to you and say, "well, if you can do better, why aren't you doing it?"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html