Re: [clamav-users] Virus names - a rose by any name?
"Pancho" wrote: >Hi - thanks to everyone for the replies. I have seen 2 replies now and it >may well be that I have not been clear enough because both are at cross >purposes. Then it might help if you alaborated on what you meant. >Unfortunately I don't have further time to invest in this topic but I do >hope that someone at ClamAV sees value in the suggestions. They might if they could understand what the suggestions were. It;s clear from your response that what people took away from your post is not what you meant. Hence it's unlikely that anyone will see value in something they haven't seen. ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [clamav-users] Virus names - a rose by any name?
At 02:02 PM 1/12/2013, Pancho wrote:

> Again I believe you are talking at cross purposes but regardless I am
> entirely comfortable if you disagree with the suggestion I made. As I
> mentioned to Joel, please feel free to throw it away.

Wow, you don't like any criticism, don't you? Seriously, whatever a malware is called, it just doesn't matter. Certainly any virus author couldn't care less. AV software doesn't detect malware by its name, but by code signatures. And with at least a couple hundred AV products out there, there are at least a hundred different names. Do you really think that the name matters in any way, to anyone?

Ralf
Re: [clamav-users] Virus names - a rose by any name?
Again I believe you are talking at cross purposes but regardless I am entirely comfortable if you disagree with the suggestion I made. As I mentioned to Joel, please feel free to throw it away.

Thanks

-----Original Message-----
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Shawn Webb
Sent: 12 January 2013 11:37 PM
To: ClamAV users ML
Subject: Re: [clamav-users] Virus names - a rose by any name?

In addition to having the same sentiments Joel has, I'd like to explain why not displaying the name of the virus does not add any extra security for a number of reasons:

1. Attackers can already "deduce" ClamAV's engine because it's opensource. They have the blueprints. They already know how it works.
2. Security through obscurity is not security.
3. If an attacker is trying to practice evasion techniques, all the attacker cares about is whether his malware evades AVs. The attacker doesn't care what name the AV engine gives (or doesn't give) his malware.
4. It's already common practice for malware authors to do point #3 using services like VirusTotal.

Thanks,
Shawn

On Sat, Jan 12, 2013 at 4:01 PM, Joel Esler wrote:

> So what you want is for us to change the millions of Names we have for
> Trojans to match one of our competitors? So when people look up the
> open source detection that we provide in our open signature format,
> they instead get pointed to a competitor with closed proprietary detection?
>
> Even leaving our competitors out of this, how does this make sense to
> go and change millions of signatures for no functionally viable reason?
>
> --
> Joel Esler
> Sent from my iPhone
>
> On Jan 12, 2013, at 3:42 PM, "Pancho" wrote:
>
> > Hi - thanks to everyone for the replies. I have seen 2 replies now
> > and it may well be that I have not been clear enough because both
> > are at cross purposes.
Re: [clamav-users] Virus names - a rose by any name?
In addition to having the same sentiments Joel has, I'd like to explain why not displaying the name of the virus does not add any extra security for a number of reasons:

1. Attackers can already "deduce" ClamAV's engine because it's opensource. They have the blueprints. They already know how it works.
2. Security through obscurity is not security.
3. If an attacker is trying to practice evasion techniques, all the attacker cares about is whether his malware evades AVs. The attacker doesn't care what name the AV engine gives (or doesn't give) his malware.
4. It's already common practice for malware authors to do point #3 using services like VirusTotal.

Thanks,
Shawn

On Sat, Jan 12, 2013 at 4:01 PM, Joel Esler wrote:

> So what you want is for us to change the millions of Names we have for
> Trojans to match one of our competitors? So when people look up the open
> source detection that we provide in our open signature format, they instead
> get pointed to a competitor with closed proprietary detection?
>
> Even leaving our competitors out of this, how does this make sense to go
> and change millions of signatures for no functionally viable reason?
>
> --
> Joel Esler
> Sent from my iPhone
>
> On Jan 12, 2013, at 3:42 PM, "Pancho" wrote:
>
> > Hi - thanks to everyone for the replies. I have seen 2 replies now and it
> > may well be that I have not been clear enough because both are at cross
> > purposes.
> >
> > Unfortunately I don't have further time to invest in this topic but I do
> > hope that someone at ClamAV sees value in the suggestions.
> >
> > If not, well such is life.
> >
> > -----Original Message-----
> > From: clamav-users-boun...@lists.clamav.net
> > [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Simon Hobson
> > Sent: 12 January 2013 06:32 PM
> > To: clamav-users@lists.clamav.net
> > Subject: Re: [clamav-users] Virus names - a rose by any name?
Re: [clamav-users] Virus names - a rose by any name?
It is not an attack on ClamAV Joel - but I tell you what, delete the post if it makes you happier. Truly I'm sorry I wasted the effort trying to contribute, and you can relax because I certainly won't again.

-----Original Message-----
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Joel Esler
Sent: 12 January 2013 11:02 PM
To: ClamAV users ML
Cc: ClamAV users ML
Subject: Re: [clamav-users] Virus names - a rose by any name?

So what you want is for us to change the millions of Names we have for Trojans to match one of our competitors? So when people look up the open source detection that we provide in our open signature format, they instead get pointed to a competitor with closed proprietary detection?

Even leaving our competitors out of this, how does this make sense to go and change millions of signatures for no functionally viable reason?

--
Joel Esler
Sent from my iPhone

On Jan 12, 2013, at 3:42 PM, "Pancho" wrote:

> Hi - thanks to everyone for the replies. I have seen 2 replies now and
> it may well be that I have not been clear enough because both are at
> cross purposes.
>
> Unfortunately I don't have further time to invest in this topic but I
> do hope that someone at ClamAV sees value in the suggestions.
>
> If not, well such is life.
>
> -----Original Message-----
> From: clamav-users-boun...@lists.clamav.net
> [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Simon Hobson
> Sent: 12 January 2013 06:32 PM
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] Virus names - a rose by any name?
>
> "Pancho" wrote:
>
>> While I understand the comment, it makes it risky I believe from a
>> security perspective to tell users anything more than " file contains virus".
>>
>> I say this because if we find a virus and provide the message "file
>> contains virus with name " then
>> malicious users can effectively deduce our virus engine simply by
>> using the custom name.
Re: [clamav-users] Virus names - a rose by any name?
So what you want is for us to change the millions of Names we have for Trojans to match one of our competitors? So when people look up the open source detection that we provide in our open signature format, they instead get pointed to a competitor with closed proprietary detection?

Even leaving our competitors out of this, how does this make sense to go and change millions of signatures for no functionally viable reason?

--
Joel Esler
Sent from my iPhone

On Jan 12, 2013, at 3:42 PM, "Pancho" wrote:

> Hi - thanks to everyone for the replies. I have seen 2 replies now and it
> may well be that I have not been clear enough because both are at cross
> purposes.
>
> Unfortunately I don't have further time to invest in this topic but I do
> hope that someone at ClamAV sees value in the suggestions.
>
> If not, well such is life.
>
> -----Original Message-----
> From: clamav-users-boun...@lists.clamav.net
> [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Simon Hobson
> Sent: 12 January 2013 06:32 PM
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] Virus names - a rose by any name?
>
> "Pancho" wrote:
>
>> While I understand the comment, it makes it risky I believe from a
>> security perspective to tell users anything more than " file contains virus".
>>
>> I say this because if we find a virus and provide the message "file
>> contains virus with name " then
>> malicious users can effectively deduce our virus engine simply by using the
>> custom name.
>> See the site http://virusscan.jotti.org/en for a very easy illustration
>> of how to do this.
>>
>> Once the malicious user knows this again, it is a fairly
>> straightforward thing for them to test exploits against a site like
>> jotti until they find one not detected by ClamAV - then submit that
>> exploit to our site knowing that it will successfully bypass our anti virus.
Re: [clamav-users] Virus names - a rose by any name?
Hi - thanks to everyone for the replies. I have seen 2 replies now and it may well be that I have not been clear enough because both are at cross purposes.

Unfortunately I don't have further time to invest in this topic but I do hope that someone at ClamAV sees value in the suggestions.

If not, well such is life.

-----Original Message-----
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Simon Hobson
Sent: 12 January 2013 06:32 PM
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Virus names - a rose by any name?

"Pancho" wrote:

>While I understand the comment, it makes it risky I believe from a
>security perspective to tell users anything more than " file contains virus".
>
>I say this because if we find a virus and provide the message "file
>contains virus with name " then
>malicious users can effectively deduce our virus engine simply by using the custom name.
>See the site http://virusscan.jotti.org/en for a very easy illustration
>of how to do this.
>
>Once the malicious user knows this again, it is a fairly
>straightforward thing for them to test exploits against a site like
>jotti until they find one not detected by ClamAV - then submit that
>exploit to our site knowing that it will successfully bypass our anti virus.

AFAIK ClamAV doesn't tell outside users anything - that is up to the software that calls it and the administrator that set it up.

For example, suppose we are using ClamAV to scan inbound mail - using Amavis as integration software as that's a fairly common setup. So when the email is submitted by the outside MTA, our MTA hands off the message to Amavis, and Amavis (amongst other things) hands it off to ClamAV.

The response sent to the outside MTA can be anything from "message blocked" at one extreme to "ClamAV found XXX" at the other - and where in that spectrum is down to not just ClamAV (which should correctly identify what it found IMO), but also the config of Amavis and the config of our MTA.

Of course, what is reported to the outside MTA can be different to what is logged in our mail log. We may just report "blocked" to outside while logging full details (as is usually the case) in the mail log so that the administrator has more information if the reason is queried.

Much the same applies if you scan inbound files on a web site that allows uploads - what ClamAV reports to your software, and what your software reports to the end user may be different things.
Re: [clamav-users] Virus names - a rose by any name?
"Pancho" wrote: >While I understand the comment, it makes it risky I believe from a security >perspective to tell users anything more than " file contains virus". > >I say this because if we find a virus and provide the message "file contains >virus with name " then malicious users >can effectively deduce our virus engine simply by using the custom name. >See the site http://virusscan.jotti.org/en for a very easy illustration of >how to do this. > >Once the malicious user knows this again, it is a fairly straightforward >thing for them to test exploits against a site like jotti until they find >one not detected by ClamAV - then submit that exploit to our site knowing >that it will successfully bypass our anti virus. AFAIK ClamAV doesn't tell outside users anything - that is up to the software that calls it and the administrator that set it up. For example, suppose we are using ClamAV to scan inbound mail - using Amavis as integration software as that's a fairly common setup. So when the email is submitted by the outside MTA, our MTA hands off the message the Amavis, and Amavis (amongst other things) halds it off to ClamAV. The response sent to the outside MTA can be anything from "message blocked" at one extreme to "ClamAV found XXX" at the other - and where in that spectrum is down to not just ClamAV (which should correctly identify what it found IMO), but also the config of Amavis and the config of our MTA. Of course, what is reported to the outside MTA can be different to what is logged in our mail log. We may just report "blocked" to outside while logging full details (as is usually the case) in the mail log so that the administrator has more information if the reason is queried. Much the same applies if you scan innbound file on a web site that allows uploads - what ClamAV reports to your software, and what your software reports to the end user may be different things. 
___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
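The split described in the message above, between what the scanner reports to the calling software and what that software tells the outside party, shown as an added example (not code from the thread, ClamAV or Amavis). The function names, the outside reply texts, the reference-id scheme and the sample reply lines are assumptions constructed for illustration.

```python
import json
import secrets
from dataclasses import dataclass

# Constructed sample replies in the "<target>: <detail> <STATUS>" shape that
# clamd uses for scan results; paths and signature names are made up.
SAMPLE_REPLIES = [
    "stream: OK",
    "stream: Example.Trojan.Agent-1 FOUND",
    "/var/spool/upload/a: b.bin: Example.Worm.Test-2 FOUND",
    "/var/spool/upload/x.zip: Access denied. ERROR",
    "garbage from a broken socket",
]


@dataclass(frozen=True)
class Verdict:
    status: str  # "clean", "infected" or "error"
    target: str  # what was scanned, as named by the scanner
    detail: str  # signature name or error text; internal use only


def parse_reply(line: str) -> Verdict:
    """Parse one scanner reply line; anything unrecognised becomes an error."""
    line = line.strip()
    if line.endswith(" FOUND"):
        # Split from the right: a file name may itself contain ": ".
        target, sep, signature = line[: -len(" FOUND")].rpartition(": ")
        if sep and signature:
            return Verdict("infected", target, signature)
    elif line.endswith(" ERROR"):
        target, sep, message = line[: -len(" ERROR")].rpartition(": ")
        return Verdict("error", target if sep else "", message)
    elif line.endswith(": OK"):
        return Verdict("clean", line[: -len(": OK")], "")
    # Fail closed: an unreadable verdict is never treated as clean.
    return Verdict("error", "", "unparseable scanner reply: " + line)


# Outside replies carry no scanner name and no signature name (assumed texts).
OUTSIDE_REPLY = {
    "clean": (250, "2.0.0 Accepted"),
    "infected": (550, "5.7.1 Message blocked"),
    "error": (451, "4.3.0 Temporary failure, please retry"),
}


def decide(line: str, peer: str, new_ref=None):
    """Return (reply for the outside party, JSON line for the local mail log)."""
    verdict = parse_reply(line)
    # The reference id is the only link between the two views, so an
    # administrator can find the full entry if the sender queries the reason.
    ref = new_ref() if new_ref else secrets.token_hex(4)
    code, text = OUTSIDE_REPLY[verdict.status]
    outside = f"{code} {text} (ref {ref})"
    # json.dumps escapes control characters, so a hostile file name cannot
    # forge extra log lines.
    log_entry = json.dumps(
        {"ref": ref, "peer": peer, "status": verdict.status,
         "target": verdict.target, "detail": verdict.detail},
        sort_keys=True,
    )
    return outside, log_entry


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        outside, log_entry = decide(reply, "192.0.2.10")
        print(outside)
        print("  log:", log_entry)
```
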
Re: [clamav-users] Virus names - a rose by any name?
On 1/12/13 5:22 AM, Pancho wrote:

> All in all for me there is a fairly compelling argument for going this
> route so I thought I would put it out there to see what others think.
>
> Kind regards
> Ricki

Is there something about real-time day one virus outbreaks and US government involvement that you see as productive? There are certain bragging rights that go along with being first to detect a new virus, and the flag you wave is the name you assign to it. Keep the government out of it.

dp
Re: [Clamav-users] virus names (any reference?)
Quoting jef moskot <[EMAIL PROTECTED]>:

> I think a concern with image is legitimate. Calling a well-known worm
> something else for no immediately obvious purpose (yes, it makes sense

How many times must we endure this incorrect statement?

> when you explain it to someone, but most users wouldn't get that on their
> own) makes the product seem a little dicey. It might make admins ask,
> "Should I put nonconformist software on my production server?"

That isn't the right question. The real question is: "Should I put this non-release pre-version-one still-under-development software on my *production server*?" And you think they are going to worry about the name of one virus, rather than the fact that the software hasn't even reached version 1.0 yet? If so, don't hire them. If you're going to decide on running pre-1.0 software you are going to have to put some time into investigating it, and if you put any time into investigating or testing ClamAV you will find out about the netsky issue and how to solve it. Come on, let's be real here.

> > A central repository of cross-references would probably be the best and
> > most resilient solution.
>
> I definitely agree, but that's a lot of work.

Not really. But there are other issues (machine/hardware to run it on, bandwidth to support it, etc). But if you are going to complain about some missing feature in an open source project, you better be willing to step up and help provide the feature!

> I know I keep saying the same thing here (and I'll stop now, if nothing
> new is brought up), but this seems like a real no-brainer to me. It might
> be different if we weren't constantly getting questions on this list the
> whole SomeFool/Netsky issue.
>
> I just don't understand why we're insisting on going against the grain on
> this one...

Are you sure he's going against the grain, and not you?

> Sorry to go on about this so much, because it really is a minor point, but
> it seems like we're being a little silly with this one.
>
> Jeffrey Moskot
> System Administrator
> [EMAIL PROTECTED]

--
Eric Rostetter

---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.
http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] virus names (any reference?)
B. van Ouwerkerk wrote:

> I partially disagree. It would be possible to fill a database with the
> announcements on the virusdb list without user intervention.. procmail and
> PHP is a nice combination but Perl or python would be fine too.

If you look at old and new updates and submitted by different people you will see that they differ in format which makes it hard to parse. That problem is being addressed now.

> All it would take are a few users who keep an eye on the database and
> enter additional information if they have it.

That's the plan.

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.29.7, SpamAssassin 2.63 + DCC 1.2.39, ClamAV 0.70RC + GMP 4.1.2, MailStats 0.25
Re: [Clamav-users] virus names (any reference?)
> > A central repository of cross-references would probably be the best and
> > most resilient solution.
>
> I definitely agree, but that's a lot of work.

I partially disagree. It would be possible to fill a database with the announcements on the virusdb list without user intervention.. procmail and PHP is a nice combination but Perl or python would be fine too. All it would take are a few users who keep an eye on the database and enter additional information if they have it. I have a few thoughts about this but since someone else is already building a solution I'd rather wait and see what comes out. No fun in doubling someone else's work.

> I know I keep saying the same thing here (and I'll stop now, if nothing
> new is brought up), but this seems like a real no-brainer to me. It might
> be different if we weren't constantly getting questions on this list the
> whole SomeFool/Netsky issue.

This will probably happen with each new and famous virus too.

> I just don't understand why we're insisting on going against the grain on
> this one...

As long as there is no agreement in the AV industry it's an illusion that all AV software will give a virus the same name.

B.
Re: [Clamav-users] virus names (any reference?)
On Wed, 14 Apr 2004, Bart Silverstrim wrote:
> On Apr 13, 2004, at 7:16 PM, jef moskot wrote:
> > Personally, I don't understand why this particular name has not been
> > changed, given the prevalence of this worm.
> Statistics being broken, it would create "transient" viruses that in
> reality were just renamed, adds to the cruft of multiple names floating
> around in lists and search engines,

I'm only talking about the seriously ridiculous differently-named worms here. Let's say, for example, one we're all probably receiving (at least) a couple hundred of each day. (I don't even think there's another example in the ClamAV database.)

The "broken statistics" argument is the only one I think carries any weight. I personally don't care about this one, and even if I did, it doesn't sound like anything that can't be fixed with a simple search and replace, but I understand how this could be a big deal for some of us.

If you want to get rid of "cruft", eliminating "SomeFool" would be a good way to do it. Actually, I think it should have been done a long time ago, once it became obvious that this one's going to be with us for a long time.

To me, the only question is: is the continuing confusion worse than the work necessary to change those databases? I don't suppose we actually have the data to answer that question.

But, as I said before, if a new user who is considering using ClamAV checks to see if the worm that's currently slamming his server is detected by ClamAV and he does the most reasonable search possible, it's going to look like ClamAV doesn't do the job.

If another crappy magazine reviews ClamAV, a hack writer could check the database and write "Ha, it doesn't even catch Netsky!".

I think a concern with image is legitimate. Calling a well-known worm something else for no immediately obvious purpose (yes, it makes sense when you explain it to someone, but most users wouldn't get that on their own) makes the product seem a little dicey. It might make admins ask, "Should I put nonconformist software on my production server?"

> A central repository of cross-references would probably be the best and
> most resilient solution.

I definitely agree, but that's a lot of work.

I know I keep saying the same thing here (and I'll stop now, if nothing new is brought up), but this seems like a real no-brainer to me. It might be different if we weren't constantly getting questions on this list the whole SomeFool/Netsky issue.

I just don't understand why we're insisting on going against the grain on this one...

Sorry to go on about this so much, because it really is a minor point, but it seems like we're being a little silly with this one.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] virus names (any reference?)
On Apr 13, 2004, at 7:16 PM, jef moskot wrote:

On Wed, 14 Apr 2004, Jesper Juhl wrote:

I've been working on a website to allow users to do exactly that, but due to being overworked and various other issues it has not progressed as fast as I had hoped - still working on it when I have a chance though, so expect something like that in the future.

I think if the website just said "What we call 'SomeFool' others call 'Netsky'," 95% of all questions would be covered.

Personally, I don't understand why this particular name has not been changed, given the prevalence of this worm.

A comprehensive web site would certainly be a nice feature, but I think it's really overkill while resources are limited.

Statistics being broken, it would create "transient" viruses that in reality were just renamed, adds to the cruft of multiple names floating around in lists and search engines,

A central repository of cross-references would probably be the best and most resilient solution. I think this is what the "big boys" do in the corporate AV world...you look up the virus in their knowledge bases and it can list the aliases (although I see the quality of their knowledge bases/encyclopedias seem to be rapidly going downhill in the past couple years...)
Re: [Clamav-users] virus names (any reference?)
On Wednesday 14 April 2004 1:09 am, jef moskot wrote:

> On Wed, 14 Apr 2004, Antony Stone wrote:
> > The problem here is that it's only possible to measure "prevalence" once
> > there's been quite a lot of it under the old name...
>
> Other viruses/worms have been renamed in the past, and while I recognize
> that there'd be issues with renaming this one at this time, NOT renaming
> it continues to create nuisances.

I think your suggestion to place a notice on the ClamAV web page is a good one, and the right solution for anyone who regards the name discrepancy as a problem. I don't agree with the proposal to change the name in ClamAV after so much time has passed, and after so many variants have been identified. If people whose email is being protected by ClamAV can't figure out what Worm.SomeFool means by now, then they need to reassess their information resources, I think.

Regards,

Antony.

--
Microsoft may sell more software than any other company, but McDonald's sell more burgers than any other company, and I think the other similarities are obvious...

Please reply to the list; please don't CC me.
Re: [Clamav-users] virus names (any reference?)
On Wed, 14 Apr 2004, Antony Stone wrote:

> The problem here is that it's only possible to measure "prevalence" once
> there's been quite a lot of it under the old name...

I agree with this in principle, but I think this is a special case. There's no denying that this is one of the most "popular" differently-named worms ClamAV has ever dealt with. I think it deserves re-examination at this point, as it continues to be an issue. Other viruses/worms have been renamed in the past, and while I recognize that there'd be issues with renaming this one at this time, NOT renaming it continues to create nuisances. My personal take on the situation is that renaming would eliminate more issues than it would create, although I could be completely wrong.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] virus names (any reference?)
On Wednesday 14 April 2004 12:16 am, jef moskot wrote:

> I think if the website just said "What we call 'SomeFool' others call
> 'Netsky'," 95% of all questions would be covered.

That seems like a good idea to me.

> Personally, I don't understand why this particular name has not been
> changed, given the prevalence of this worm.

The problem here is that it's only possible to measure "prevalence" once there's been quite a lot of it under the old name, and that in itself becomes the very reason why the name cannot easily be changed - people have seen lots of examples of the original name, logfiles and analysers have started recording the original name, and end users have got used to the fact that they're seeing messages saying it's blocked. Change any of those and you tend to end up causing more problems than you solve. If the rest of the industry were 100% consistent about their names for viruses and worms then there would be an argument for ClamAV to fall in line, even after creating an original signature first, however that is very much not the case, so until there's any form of consensus, ClamAV's names remain as valid as any others. I'm happy for my mail server to be blocking all the instances of Worm.SomeFool.x - I couldn't care less about NetSky, because I never see it.

Just my 2 units of currency,

Regards,

Antony.

--
In Heaven, the police are British, the chefs are Italian, the beer is Belgian, the mechanics are German, the lovers are French, the entertainment is American, and everything is organised by the Swiss. In Hell, the police are German, the chefs are British, the beer is American, the mechanics are French, the lovers are Swiss, the entertainment is Belgian, and everything is organised by the Italians.

Please reply to the list; please don't CC me.
Re: [Clamav-users] virus names (any reference?)
On Wed, 14 Apr 2004, Jesper Juhl wrote:

> I've been working on a website to allow users to do exactly that, but
> due to being overworked and various other issues it has not progressed
> as fast as I had hoped - still working on it when I have a chance
> though, so expect something like that in the future.

I think if the website just said "What we call 'SomeFool' others call 'Netsky'," 95% of all questions would be covered. Personally, I don't understand why this particular name has not been changed, given the prevalence of this worm. A comprehensive web site would certainly be a nice feature, but I think it's really overkill while resources are limited.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] virus names (any reference?)
On Tue, 13 Apr 2004, Henry Harvey wrote:

> I hope this is not a redundant question here.
> I joined this list just recently so I hope
> somebody can point me in the right direction.
>
> Is there anywhere I can check the corresponding
> virus names for ClamAV?

Not currently, no. I've been working on a website to allow users to do exactly that, but due to being overworked and various other issues it has not progressed as fast as I had hoped - still working on it when I have a chance though, so expect something like that in the future.

--
Jesper Juhl <[EMAIL PROTECTED]>
Sysadmin, Danmarks Idræts-Forbund / Sports Confederation of Denmark
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please http://www.expita.com/nomime.html
Re: [Clamav-users] virus names (any reference?)
Henry Harvey wrote: I'm looking at the ClamAV website and can't find info. Where do I check how ClamAV calls these viruses? The best place right now is the archive for the virus db update list. You can search there for the Clam name, often names of commercial products are mentioned there. http://news.gmane.org/gmane.comp.security.virus.clamav.virusdb There's also work being done on a web site with just the info you're requesting.

--
/Peter Bonivart
--Unix lovers do it in the Sun
Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.29.7, SpamAssassin 2.63 + DCC 1.2.39, ClamAV 0.70RC + GMP 4.1.2, MailStats 0.25
Re: [Clamav-users] virus names (any reference?)
On Tuesday 13 April 2004 9:51 pm, Henry Harvey wrote:

> Is there anywhere I can check the corresponding
> virus names for ClamAV? I understand that
> the names from some other AVs are not the
> same as how ClamAV calls it. Like Netsky.P
> is actually in SomeFool.P in ClamAV.
>
> I'm looking at the ClamAV website and can't
> find info. Where do I check how ClamAV
> calls these viruses?

http://sourceforge.net/mailarchive/forum.php?forum=clamav-virusdb
http://news.gmane.org/gmane.comp.security.virus.clamav.virusdb

Regards,

Antony

--
You can spend the whole of your life trying to be popular, but at the end of the day the size of the crowd at your funeral will be largely dictated by the weather. - Frank Skinner

Please reply to the list; please don't CC me.
RE: [Clamav-users] Virus Names
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of B. van
> Ouwerkerk
> Sent: Wednesday, April 07, 2004 2:00 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Virus Names
>
>
> I don't fancy the idea of doing the same job someone else does
> but I could
> do it if no one else does or has dropped the idea.
> This would be a good way for me to do something in return for
> using Clamav.

me either. I'd certainly be willing to help with something along those lines as well - even if it's only hosting a mirror! I think the idea makes sense to me, but I keep hearing that the clamav format will support some sort of alias system - just not sure what, or how, or if it is enough information. I'd IDEALLY like a system that allows us (collaboratively) to map viruses to all commercial products - PARTICULARLY those maintaining virus information databases, and then allow us to create a diff-based distribution of this database - like the clamav datafile, and also a simple lookup page which could use a template, and the database to return cross references / links to information on the virii as documented by other systems.

m/
RE: [Clamav-users] Virus Names
Stuart Mycock
Sent: Wednesday, April 07, 2004 4:24 AM

> I'd prefer to adopt the approach of letting the Clam team get a def out
> with any name they want and have a non-developer publish basic virus
> info on an area of the Clam site, and on that page you'd just have the
> blurb on "SomeFool.Q" for example, along with a short description (only
> brief, tho, there's plenty of viral analysis on other sites) of the
> virus with an "Also known as: NetSky.Q, SmellyVirus.1, Whatever.Q", etc.

How about a Wiki?

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
Re: [Clamav-users] Virus Names
Eric Rostetter at 2004-04-06 15:37 from [EMAIL PROTECTED] wrote:

>But changing the name after the fact would just confuse people
>more. We can't go merrily along for a week or so until the AV people or
>the media -- and often it is the media who decide -- come up with the most
>popular name, and then rename it. What would that do to any kind of
>tracking people do? What would that do to users (last week I got somefool,
>but now I'm getting a new virus netsky?) It would cause chaos. And much
>more chaos than having multiple names for a single virus.

I agree with this completely. I'd rather do some additional research on the 'Net than have my logs all messed up.
Re: [Clamav-users] Virus Names
On Apr 6, 2004, at 4:31 PM, Eric Rostetter wrote: Quoting jef moskot <[EMAIL PROTECTED]>: On Tue, 6 Apr 2004, Eric Rostetter wrote: But changing the name after the fact would just confuse people more. I completely disagree. Hardcore Clam users are more likely to understand the reality of the situation and realize that the ClamAV team has to call the viruses SOMETHING. Usually, that's the same name everyone else uses, but sometimes it isn't. Great for netsky since almost everyone uses it. But what about viruses that have multiple names from the other vendors and the media? For the first week, SCO (clamd) was called novarg by most, until the media took off with mydoom and that became the new name. Should clamav have migrated along from SCO to NOVARG to MYDOOM just because the others came along later and in that order? That is the name that is popularized by the media after the fact...I think many "larger" AV vendors put the aliases in their virus encyclopedias online, don't they? There's maybe a small amount of confusion for a couple days, and that's that. Most viruses don't last for more than a few days anyway, so this only applies to the rare cases (like lately with the virus wars over netsky et al). Tell that to my web server...I still see hits from blaster... But we are constantly being asked by casual (or new) users why ClamAV doesn't pick up Netsky Yes, but the user is just being stupid. They are not getting infected with netsky, so obviously it is picking it up. Hardly. Sometimes when justifying to the PHBs that ClamAV is just as good, if not better than, other solutions you need to answer the questions the PHBs get when they watch the evening news. It would be helpful if you could point them to a knowledge base article or encyclopedia from Clam saying "it's an alias for virus FooBarsays so right here, added on ya ya ya in database version X...and we're protected because our signature version is Y." what the heck "SomeFool" is, etc. 
Many of those You don't think you'll get that question even if you use the more common name for viruses? It's not the question, it's enabling users to easily find the answer. The question will still get asked, but seeing that most of the admins running ClamAV are hopefully a little more skilled than the average user, most of the questions should be answered at the local administrator level rather than the Clam team level. If the answer were a simple site lookup of an entry for a virus name that was cross-referenced (or put on a separate server that could be CVS'd or Rsynced for a local copy...) On top of that, we have our database being freshclammed several times a day. Since most of the Windows viruses are now fully automated, what happens in the hours between a virus getting released and then discovered then added to the database then our server getting refreshed? Not everyone is running freshclam on the mail server...we're using it to scan incoming mail then forward the mail to our internal mail server. That means that if the WindowsDeath virus comes in before our database holds it, it will get to our internal servers...where a "backup scanner" has to catch it. Then we get into the aliases of viruses problem...we get a report of virus WindowFool being in the message. Are we protected now, it was just something that slipped in between updates? Or is it something we need to worry about? Or...? The process becomes more time-consuming to verify than it needs to be. That's just the price to pay for a solution as flexible as ClamAV... Other than some kind of issue with logging things by virus name, are there any sensible reasons to not use the same name everyone else in the computer community is using? It adds overhead to a volunteer project. Let the other vendors have their fun renaming things with the proprietary name games. It would probably be easiest if the Clam group responded by just making an alias encyclopedia, in my opinion... 
Also, as I've pointed out, not all the AV vendors agree on the names. It usually isn't clamav against the world (as it appears with netsky). It is more normal that there are 2, 3, or 4 other names for the virus. And you never know which will become the most popular until days or weeks after you name it. worse are the games where a minor minor variant comes out, they slap a new name on it, and then promote their product as catching x,000 viruses while neglecting to mention that 200 of them are the same virus, only instead of having "screw you" embedded in it it has "screw you!", "No, screw YoU!",...etc. etc. etc. Oh well. That's my view, anyway... -Bart
Re: [Clamav-users] Virus Names
On Apr 6, 2004, at 3:23 PM, Diego d'Ambra wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of jef moskot Sent: 6. april 2004 19:08 To: [EMAIL PROTECTED] Subject: Re: [Clamav-users] Virus Names On Tue, 6 Apr 2004, Eric Rostetter wrote: If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool? But when something is this much of a phenomenon, why not just change the name? I know it's been done for other worms in the past. And that is what we'll (try to) do in the future (if a common name has been established). With all due respect, this may be a bad idea, if I understand you correctly...you're saying that when a virus is found by the clamav team and it's called foo, then other companies get ahold of it and call it bar, the clam team should call it bar also, correct? This would mean that floating around out there in googleland (and for awhile unupdated databases) would be the name foo. People researching will find extremely short-lived virus names floating around because it is one that was renamed... I'm sure there's a simple solution and I'm probably just worrying too much over it, but I would still think it would be better to have a wiki or some kind of knowledge base set up where people could put in information on the virus. The ClamAV name, and a list of aliases from other companies, and maybe a breakdown of the behavior/payload/etc. of the virus, when it was added to the clamav database, etc. and just reference it that way. It would mean minimal changes to clamav, a volunteer group (or the whole user community) could contribute separately from the programming team...would that work? -Bart
Re: [Clamav-users] Virus Names
At 22:12 06-04-2004 +0200, you wrote: Diego d'Ambra wrote: And that is what we'll (try to) do in the future (if a common name has been established). But that would break statistics. I don't mind if the name is different as long as it can be cross-referenced. Someone was working on a web site with just that but I haven't heard of any news for some time. I'm curious about the status.. I have been looking at the latest announcements and it should be possible to parse them into a MySQL or PG database. A simple lookup page and a link in the warning to the user should fix it. And a page for a few trusted persons to add any information to viri, or allow any user to do so.. I don't fancy the idea of doing the same job someone else does but I could do it if no one else does or has dropped the idea. This would be a good way for me to do something in return for using Clamav. B.
Re: [Clamav-users] Virus Names
I'm behind the Clam team in that they focus on getting sigs out before worrying about the name. I don't know if this is a technical limitation of the virus db's (and not sure if this has been mentioned previously, sorry) but what's to stop the name of the virus being changed in the virus db once a 'common' name has been determined? My problem with doing that is that it requires a developer to update the DB when he could be busy beating the pants off Sophos analysing new wild viruses, and frankly I'd rather live with an AKA and have up-to-the-minute protection than wait a couple of hours until the other AV's have had their little waffle about cool names. ;) I'd prefer to adopt the approach of letting the Clam team get a def out with any name they want and have a non-developer publish basic virus info on an area of the Clam site, and on that page you'd just have the blurb on "SomeFool.Q" for example, along with a short description (only brief, tho, there's plenty of viral analysis on other sites) of the virus with an "Also known as: NetSky.Q, SmellyVirus.1, Whatever.Q", etc. I forget now, but someone had posted a brief list of AKA's, perhaps it can be integrated into the Clam website, or a new section created on clamav.net? It would free-up the developers from having to think about common names, it would only take a couple of Clam admins to update it after doing some queries with other AV's, and all you'd need to do is direct your end-users to the virus info page so they can find out for themselves what SomeFool is according to the other AV's. Stuart.
Re: [Clamav-users] Virus Names
On Tue, 6 Apr 2004, Antony Stone wrote:

> There are many examples of the commercial A-V vendors having different
> names for the same virus...

That's true, but when that's the case for an extremely prevalent virus, it's usually noted in the media. Using the well-known naming convention is a much simpler and more logical response to the real world. At such time as everyone else in the world becomes wise to ClamAV's superior ways, then it would make sense to just use our own word for whatever threat comes along. But in THIS world, it's easier for just about everyone involved (including all the admins who keep dropping in here asking about Netsky and their users) to take the path of least resistance.

> I do not agree with criticising the product because it is better than
> its competitors.

I'm not criticizing it, I'm just trying to be practical. If some admin who has never heard of this mailing list or our political crusade to educate the world about worms is looking into ClamAV (some free product he might be suspicious of on principle, but is checking out because the price is right), checks the database to see if it handles one of his biggest problems and it turns out it's not in the database...then we've lost one potential ClamAV user and done a disservice to the open source community.

> It cannot be too hard to explain to a clueless user how viruses get
> named...

It's not too hard to explain to one user, but this situation is repeated over and over, probably many times a day. It's not hard, but it's unnecessary and we don't gain much by making a pointless stand. Users aren't incapable of understanding the process, but being different for no purpose doesn't make any sense.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] Virus Names
On Tuesday 06 April 2004 9:44 pm, jef moskot wrote:

> > The focus of the product is to stop viruses, not to name them with a
> > popular name.
>
> Yes, but this is not best accomplished by calling users "stupid" (even
> when they are).

That may be true, however it's no excuse for allowing stupid users to continue with their misguided notions, without some attempt at education and correction. ClamAV is focused on detecting viruses, sure, and you're right that this is not best accomplished by telling stupid users that they're stupid, however it doesn't condone pandering to their preconceived misconceptions about viruses and worms (such as "they should each have only one name") either. There are many examples of the commercial A-V vendors having different names for the same virus, and ClamAV happens to be showing this characteristic recently simply because the signature development team is doing such a good job (and, it should be noted, without the cooperation of commercial vendors providing the ClamAV team with newly discovered virus samples through their exclusive partnerships). I do not agree with criticising the product because it is better than its competitors. It cannot be too hard to explain to a clueless user how viruses get named, and hope that at least some proportion of those people might understand that this inevitably leads to different names for the same thing found in different places at about the same time. And, if that doesn't work, give them a courgette and ask them whether it's a zucchini, give them a football and see if they kick it or carry it, ask them how to pronounce tomato, ask them which side of the road it is correct to drive on, put them on the pavement and see if they want to walk or drive on it, check whether they stop at traffic light or robots, or even ask them to do something momentarily.

Regards,

Antony.

--
There's no such thing as bad weather - only the wrong clothes. - Billy Connolly

Please reply to the list; please don't CC me.
RE: [Clamav-users] Virus Names
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:clamav-users-
> [EMAIL PROTECTED] On Behalf Of Peter Bonivart
> Sent: 6. april 2004 22:12
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Virus Names
>
> Diego d'Ambra wrote:
> > And that is what we'll (try to) do in the future (if a common name has
> > been established).
>
> But that would break statistics. I don't mind if the name is different
> as long as it can be cross-referenced. Someone was working on a web site
> with just that but I haven't heard of any news for some time.
>

Yes, sorry. People calculating statistics will have to create some sort of mapping between old and new name. Currently e-mail with update announcement will contain the needed information.

---snip, sample from daily version 239---
Submission: n/a
Notes: Change of virus name to reflect most common used name.
Old virus name: Worm.VB.C
New virus name: Worm.Sober.F
---snip--

Best regards,
Diego d'Ambra
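One way to build the old-to-new name mapping described in the message above and apply it to detection statistics (an added example, not code from this thread or from the ClamAV project). It assumes announcements carry the "Old virus name:" / "New virus name:" lines shown in the quoted sample and that scan logs use "path: Name FOUND" lines; the second announcement, the log lines and all function names are constructed for the example.

```python
import re
from collections import Counter

# Constructed announcements. The first block follows the sample quoted in the
# message; the second is invented so that the renames form a chain.
ANNOUNCEMENTS = """\
Submission: n/a
Notes: Change of virus name to reflect most common used name.
Old virus name: Worm.VB.C
New virus name: Worm.Sober.F

Submission: n/a
Notes: Constructed entry for this example.
Old virus name: Worm.Example.A
New virus name: Worm.VB.C
"""

# Constructed scan log; the "path: SignatureName FOUND" layout is an assumption.
LOG = """\
/var/spool/scan/msg1: Worm.VB.C FOUND
/var/spool/scan/msg2: Worm.Sober.F FOUND
/var/spool/scan/msg3: Worm.SomeFool.P FOUND
/var/spool/scan/msg4: OK
/var/spool/scan/msg5: Worm.Example.A FOUND
"""

FIELD = re.compile(r"^\s*(Old|New) virus name:\s*(\S+)\s*$")
FOUND = re.compile(r"^.*: (\S+) FOUND$")


def parse_renames(text):
    """Return {old_name: new_name} from announcement text.

    An "Old" line is paired with the next "New" line; an unpaired line or a
    rename to the same name is ignored. Later announcements win.
    """
    renames = {}
    pending_old = None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        kind, name = m.group(1), m.group(2)
        if kind == "Old":
            pending_old = name
        elif pending_old is not None:
            if name != pending_old:
                renames[pending_old] = name
            pending_old = None
    return renames


def resolve(name, renames):
    """Follow a chain of renames to the current name, stopping on a cycle."""
    seen = {name}
    while name in renames:
        nxt = renames[name]
        if nxt in seen:  # e.g. a name that was renamed and later renamed back
            break
        seen.add(nxt)
        name = nxt
    return name


def tally(log_lines, renames):
    """Count detections per signature, folding old names into current ones."""
    counts = Counter()
    for line in log_lines:
        m = FOUND.match(line.strip())
        if m:
            counts[resolve(m.group(1), renames)] += 1
    return counts


if __name__ == "__main__":
    renames = parse_renames(ANNOUNCEMENTS)
    lines = LOG.splitlines()
    print("raw:       ", dict(tally(lines, {})))
    print("normalized:", dict(tally(lines, renames)))
```

Without the mapping the same worm is counted under three names; with it, the three detections collapse onto the current name while the log files themselves stay untouched.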
Re: [Clamav-users] Virus Names
On Tue, 6 Apr 2004, Eric Rostetter wrote:

> Great for netsky since almost everyone uses it.

Exactly.

> Should clamav have migrated along from SCO to NOVARG to MYDOOM just
> because the others came along later and in that order?

It could easily be taken on a case-by-case basis. But, as even you admit, Netsky/SomeFool is a slam dunk.

> Most viruses don't last for more than a few days anyway, so this only
> applies to the rare cases (like lately with the virus wars over netsky
> et al).

I agree.

> The focus of the product is to stop viruses, not to name them with a
> popular name.

Yes, but this is not best accomplished by calling users "stupid" (even when they are). We don't want to make something available to people and then insult them when they use it in good faith. The larger issue is that the more people who use anti-virus methods and the more well-informed users we have, the better it is for everyone.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] Virus Names
Quoting jef moskot <[EMAIL PROTECTED]>: On Tue, 6 Apr 2004, Eric Rostetter wrote: But changing the name after the fact would just confuse people more. I completely disagree. Hardcore Clam users are more likely to understand the reality of the situation and realize that the ClamAV team has to call the viruses SOMETHING. Usually, that's the same name everyone else uses, but sometimes it isn't. Great for netsky since almost everyone uses it. But what about viruses that have multiple names from the other vendors and the media? For the first week, SCO (clamd) was called novarg by most, until the media took off with mydoom and that became the new name. Should clamav have migrated along from SCO to NOVARG to MYDOOM just because the others came along later and in that order? There's maybe a small amount of confusion for a couple days, and that's that. Most viruses don't last for more than a few days anyway, so this only applies to the rare cases (like lately with the virus wars over netsky et al). But we are constantly being asked by casual (or new) users why ClamAV doesn't pick up Netsky Yes, but the user is just being stupid. They are not getting infected with netsky, so obviously it is picking it up. what the heck "SomeFool" is, etc. Many of those You don't think you'll get that question even if you use the more common name for viruses? Google hits are "WTF is SomeFool?". A lot of work could be saved by being more user-friendly. Try looking at them again. Seriously, what have we to gain from using an obscure name? OK, so, we have the moral high ground, but that's not really the focus of the product. The focus of the product is to stop viruses, not to name them with a popular name. Other than some kind of issue with logging things by virus name, are there any sensible reasons to not use the same name everyone else in the computer community is using? Only when clamav names it before anyone else. 
Even then, clamav is willing to rename it if it can be done quickly, before the current name becomes established, in my experience. It is only when there is a large gap between the clamav name and the popular name that they don't rename it. Also, as I've pointed out, not all the AV vendors agree on the names. It usually isn't clamav against the world (as it appears with netsky). It is more normal that there are 2, 3, or 4 other names for the virus. And you never know which will become the most popular until days or weeks after you name it. Jeffrey Moskot System Administrator [EMAIL PROTECTED] -- Eric Rostetter
Re: [Clamav-users] Virus Names
On Tue, 6 Apr 2004, Eric Rostetter wrote: > But changing the name after the fact would just confuse people more. I completely disagree. Hardcore Clam users are more likely to understand the reality of the situation and realize that the ClamAV team has to call the viruses SOMETHING. Usually, that's the same name everyone else uses, but sometimes it isn't. There's maybe a small amount of confusion for a couple days, and that's that. But we are constantly being asked by casual (or new) users why ClamAV doesn't pick up Netsky, what the heck "SomeFool" is, etc. Many of those Google hits are "WTF is SomeFool?". A lot of work could be saved by being more user-friendly. Seriously, what have we to gain from using an obscure name? OK, so, we have the moral high ground, but that's not really the focus of the product. Other than some kind of issue with logging things by virus name, are there any sensible reasons to not use the same name everyone else in the computer community is using? Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] Virus Names
Diego d'Ambra wrote: And that is what we'll (try to) do in the future (if a common name has been established). But that would break statistics. I don't mind if the name is different as long as it can be cross-referenced. Someone was working on a web site with just that but I haven't heard of any news for some time. -- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2, MailStats 0.25
Re: [Clamav-users] Virus Names
Quoting Antony Stone <[EMAIL PROTECTED]>: On Tuesday 06 April 2004 3:58 pm, Eric Rostetter wrote: Quoting Erick Perez - Vision Media <[EMAIL PROTECTED]>: > Question: > If Worm.SomeFool is Netsky, then why is not labeled as netsky? Answer: If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool? Do you call people Eskimos or Inuits? Irrelevant. > Basically that's because the users keep complaining about the virus names > that cannot be found anywhere else (like the virus database from > TrendMicro). If they want to use the name TrendMicro uses, then they should use the TrendMicro software. No, many people are interested to know more about the viruses which are being detected. So? If you do a Google search for "NetSky virus" you get 308,000 results. If you do a Google search for "SomeFool virus" you get 2,080. And 2,080 isn't enough? The first of those 2080 suggests netsky == somefool. The second confirms it. So then you can read more about somefool, or redo the search for netsky. Where's the problem? Therefore knowing the more common name for a virus is useful to people who use ClamAV. Yes, it is. But changing the name after the fact would just confuse people more. We can't go merrily along for a week or so until the AV people or the media -- and often it is the media who decide -- come up with the most popular name, and then rename it. What would that do to any kind of tracking people do? What would that do to users (last week I got somefool, but now I'm getting a new virus netsky?) It would cause chaos. And much more chaos than having multiple names for a single virus. Regards, Antony. -- Eric Rostetter
RE: [Clamav-users] Virus Names
> -Original Message- > From: [EMAIL PROTECTED] [mailto:clamav-users- > [EMAIL PROTECTED] On Behalf Of jef moskot > Sent: 6. april 2004 19:08 > To: [EMAIL PROTECTED] > Subject: Re: [Clamav-users] Virus Names > > On Tue, 6 Apr 2004, Eric Rostetter wrote: > > If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool? > > But when something is this much of a phenomenon, why not just change the > name? I know it's been done for other worms in the past. > And that is what we'll (try to) do in the future (if a common name has been established). Best regards, Diego d'Ambra
Re: [Clamav-users] Virus Names
On Tue, 06 Apr 2004 at 12:17:05 -0400, Hanford, Seth wrote: > > If we had as part of the submission process an additional field noting > what name the detecting AV called it There is such a field! And if it's too short, you can add more names/details/URLs in the description field (that big area below). > (For example, worm.notagoodguy passes through clam, but is picked up by > trend as WORM.BADGUY). Any aliases that we come up with could get submitted > right alongside such a sample. We include aliases in our announcements. Unfortunately, while submitting, many people fail to write the name (according to other scanner), though they select that the sample is detected by other scanner and sometimes they even write which scanner (but no virus name). -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only [EMAIL PROTECTED] | ones and zeros. [EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] Virus Names
While I can and do understand what Eric was saying, I have to agree with Erick. http://www.bitdefender.com/index.php - Bitdefender http://www.grisoft.com/us/us_index.php - AVG http://www.pandasoftware.com/home/ - Panda http://www.symantec.com/ - Norton http://us.mcafee.com/default.asp - Mcafee http://www.trendmicro.com - Trendmicro http://viruslist.com/eng/ -- Virus List While different, all have 1 thing in common with each other. CVID's (Common Virus Identifiers), granted some list "netsky" as worm-i/netsky, or w32/netsky, but in the end you (the user/administrator) know what was stopped, and thus have the ability to see what's being identified and or do research on what the virus/worm did (the function) Not complaining.. just expressing my 2 cents ;) - Original Message - From: "Eric Rostetter" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, April 06, 2004 10:58 AM Subject: Re: [Clamav-users] Virus Names > Quoting Erick Perez - Vision Media <[EMAIL PROTECTED]>: > > > Question: > > If Worm.SomeFool is Netsky, then why is not labeled as netsky? > > Answer: > If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool? > > > Basically that's because the users keep complaining about the virus names > > that cannot be found anywhere else (like the virus database from TrendMicro). > > If they want to use the name TrendMicro uses, then they should use the > TrendMicro software. > > > Thanks, > > Erick > > -- > Eric Rostetter
Re: [Clamav-users] Virus Names
On Tue, 6 Apr 2004, Eric Rostetter wrote: > If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool? While I agree with this in principle, I think for instances where a question like this pops up at least once a week just on this list, it might be worth it to just bite the bullet and go along with the herd. I understand that when the ClamAV (as it often does) discovers a worm before there's a common name for it, that it's not just inconvenient, it's impossible to choose the name that everyone else will eventually use. But when something is this much of a phenomenon, why not just change the name? I know it's been done for other worms in the past. Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] Virus Names
> > If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool? Rhetoric aside, this is obviously an itch that needs scratched. Clam does a wonderful job and (as was the case with SomeFool) does it faster than most. Perhaps we might be able to scratch up support for an alias correlation database, planting the seed with Clam. > No, many people are interested to know more about the viruses which are being > detected. > > If you do a Google search for "NetSky virus" you get 308,000 results. If you > do a Google search for "SomeFool virus" you get 2,080. > > Therefore knowing the more common name for a virus is useful to people who use > ClamAV. I think that, for our purposes, we need only search on the Clam name for a virus. All other names are potentially worthless work--AFAIK, the clam DB contains only (or mostly) viruses in the wild. If we had as part of the submission process an additional field noting what name the detecting AV called it (For example, worm.notagoodguy passes through clam, but is picked up by trend as WORM.BADGUY). Any aliases that we come up with could get submitted right alongside such a sample. Our search really only needs to be one-way, to keep it in scope. There's no need to support searching everyone else's names, only Clam's. Everyone's talking about NetSky? If you're not receiving SomeFool, then why do you care? If you are, look up SomeFool. If you're getting files and Clam doesn't detect them, then submit them. They'll be named, and you'll be able to search. --Seth
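The one-way alias cross-reference suggested in the message above, combined with the concern raised elsewhere in the thread that renaming a signature breaks statistics, as an added example (not part of the original thread and not ClamAV's own code). The alias strings are the ones quoted in the thread; the scanner labels, the post-rename name `Worm.RenamedExample`, the `.B` variant suffix and the log lines are constructed assumptions.

```python
import re
from collections import Counter

# One-way cross-reference, keyed by the ClamAV signature name only.
# Alias strings come from the thread; scanner labels are constructed.
ALIASES = {
    "Worm.SomeFool": [("common name", "NetSky"),
                      ("scanner A", "w32/netsky"),
                      ("scanner B", "worm-i/netsky")],
    "worm.notagoodguy": [("Trend", "WORM.BADGUY")],
}

# Old ClamAV name -> current ClamAV name (hypothetical rename).
RENAMES = {"Worm.SomeFool": "Worm.RenamedExample"}

# clamscan-style result line: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def family(sig, table):
    """Longest dotted prefix of sig that is in table, else None."""
    parts = sig.split(".")
    for end in range(len(parts), 0, -1):
        candidate = ".".join(parts[:end])
        if candidate in table:
            return candidate
    return None


def canonical(sig):
    """Follow renames to the current name, keeping any variant suffix."""
    seen = set()
    while True:
        old = family(sig, RENAMES)
        if old is None or old in seen:  # no rename left, or a rename loop
            return sig
        seen.add(old)
        sig = RENAMES[old] + sig[len(old):]


def aliases_for(sig):
    """Aliases recorded under any past or present name of sig's family."""
    current = canonical(sig)
    found = []
    for clam_name, entries in ALIASES.items():
        if family(current, {canonical(clam_name)}) is not None:
            found.extend(entries)
    return found


def annotate(line):
    """Append known aliases to a FOUND line; other lines pass through."""
    line = line.strip()
    m = FOUND_RE.match(line)
    names = ", ".join(f"{who}: {name}"
                      for who, name in aliases_for(m.group("sig"))) if m else ""
    return f"{line} [also known as {names}]" if names else line


def tally(lines):
    """Count detections per family under the current name, across renames."""
    known = {canonical(name) for name in ALIASES}
    counts = Counter()
    for line in lines:
        m = FOUND_RE.match(line.strip())
        if m:
            sig = canonical(m.group("sig"))
            counts[family(sig, known) or sig] += 1
    return counts


# Constructed sample log: detections before and after the rename.
SAMPLE_LOG = [
    "/var/spool/q/msg1: Worm.SomeFool FOUND",
    "/var/spool/q/msg2: Worm.SomeFool.B FOUND",
    "/var/spool/q/msg3: Worm.RenamedExample FOUND",
    "/var/spool/q/msg4: OK",
    "/var/spool/q/msg5: worm.notagoodguy FOUND",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(annotate(entry))
    print(dict(tally(SAMPLE_LOG)))
```

Because lookups start from the ClamAV name only, nothing here has to resolve other vendors' names back to a signature, which is the scope limit the message argues for.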
Re: [Clamav-users] Virus Names
On Tuesday 06 April 2004 3:58 pm, Eric Rostetter wrote: > Quoting Erick Perez - Vision Media <[EMAIL PROTECTED]>: > > Question: > > If Worm.SomeFool is Netsky, then why is not labeled as netsky? > > Answer: > If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool? Do you call people Eskimos or Inuits? They're still the same people, but looking up one or other in some information resource may provide different results. > > Basically that's because the users keep complaining about the virus names > > that cannot be found anywhere else (like the virus database from > > TrendMicro). > > If they want to use the name TrendMicro uses, then they should use the > TrendMicro software. No, many people are interested to know more about the viruses which are being detected. If you do a Google search for "NetSky virus" you get 308,000 results. If you do a Google search for "SomeFool virus" you get 2,080. Therefore knowing the more common name for a virus is useful to people who use ClamAV. Regards, Antony. -- 90% of networking problems are routing problems. 9 of the remaining 10% are routing problems in the other direction. The remaining 1% might be something else, but check the routing anyway. Please reply to the list; please don't CC me.
Re: [Clamav-users] Virus Names
Quoting Graham Murray <[EMAIL PROTECTED]>: So maybe, as with celestial objects, there should be agreement that the first AV 'vendor' to publish a detection for a virus should be given the honour of naming it and the other vendors adopt the same name rather than inventing their own (and potentially causing confusion). So if Clamav is first, other vendors should adopt its name and if some other vendor is first then Clamav should use the name that vendor gives it. This is exactly what ClamAV does. Now you just need to get the rest of the AV vendors to follow that rule. Good luck with that! -- Eric Rostetter
Re: [Clamav-users] Virus Names
Quoting Erick Perez - Vision Media <[EMAIL PROTECTED]>: Question: If Worm.SomeFool is Netsky, then why is not labeled as netsky? Answer: If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool? Basically that's because the users keep complaining about the virus names that cannot be found anywhere else (like the virus database from TrendMicro). If they want to use the name TrendMicro uses, then they should use the TrendMicro software. Thanks, Erick -- Eric Rostetter
Re: [Clamav-users] Virus Names
On Mon, 5 Apr 2004 23:38:08 -0500 "Erick Perez - Vision Media" <[EMAIL PROTECTED]> wrote: > Question: > If Worm.SomeFool is Netsky, then why is not labeled as netsky? > Also, is there a way to make an alias in the virus database so my users can > see netsky instead of Worm.Somefool? It's time to place an answer for this question into the FAQ. -- Korchmenuk Nickolay 06 Apr 2004 14:25:24
RE: [Clamav-users] Virus Names
Graham Murray wrote: > So maybe, as with celestial objects, there should be > agreement that the first AV 'vendor' to publish a detection > for a virus should be given the honour of naming it and the > other vendors adopt the same name rather than inventing their > own (and potentially causing confusion). So if Clamav is > first, other vendors should adopt its name and if some other > vendor is first then Clamav should use the name that vendor gives it. Viruses are discovered a darned sight more rapidly than celestial objects. Let's not waste the antivirus folks' time by making them jump through hoops over naming protocols. I'd rather priorities were given to protecting us from the darned things instead of worrying about what the vendors call them. Phil Phil Randal Network Engineer Herefordshire Council Hereford, UK
Re: [Clamav-users] Virus Names
On Tuesday 06 April 2004 9:48 am, Graham Murray wrote: > Fisher <[EMAIL PROTECTED]> writes: > > Actually, it usually happens that Clamav recognises the virii before > > the other AV vendors, so no well-known name was available. See the > > archive for the more detailed answers; this question was already answered > > here. > > So maybe, as with celestial objects, there should be agreement that > the first AV 'vendor' to publish a detection for a virus should be > given the honour of naming it and the other vendors adopt the same > name rather than inventing their own (and potentially causing > confusion). Celestial objects do not commonly appear and need an agreed name within the urgent timescale of computer viruses :) Whilst your proposal makes excellent sense, it assumes: a) cooperation between the commercial A-V vendors and Open Source developers (there is often a blockage in one direction here) b) that it's easy to tell if the virus one person's given a name to is the same as the virus someone else has just named c) that the time taken to cooperate over the name is very short compared to the time to get a signature out under the corresponding name Basically, it comes down to the fact that the commercial A-V vendors don't want to share their new virus samples with the Open Source community, so we have no way of knowing whether the virus we've just named is the same one that they have. I think the best we'll ever achieve is a cross-reference database. Regards, Antony. -- These clients are often infected by viruses or other malware and need to be fixed. If not, the user at that client needs to be fixed... - Henrik Nordstrom, on Squid users' mailing list Please reply to the list; please don't CC me.
Re: [Clamav-users] Virus Names
Fisher <[EMAIL PROTECTED]> writes: > Actually, it usually happens that Clamav recognises the virii before > the other AV vendors, so no well-known name was available. See the > archive for the more detailed answers; this question was already answered > here. So maybe, as with celestial objects, there should be agreement that the first AV 'vendor' to publish a detection for a virus should be given the honour of naming it and the other vendors adopt the same name rather than inventing their own (and potentially causing confusion). So if Clamav is first, other vendors should adopt its name and if some other vendor is first then Clamav should use the name that vendor gives it.
Re: [Clamav-users] Virus Names
B. van Ouwerkerk wrote: At 23:38 05-04-2004 -0500, you wrote: Question: If Worm.SomeFool is Netsky, then why is not labeled as netsky? It would be good if all AV software would use the same names. Still, most commercial AV vendors are using their own naming conventions and so does Clamav. Actually, it usually happens that Clamav recognises the virii before the other AV vendors, so no well-known name was available. See the archive for the more detailed answers; this question was already answered here.
Re: [Clamav-users] Virus Names
At 23:38 05-04-2004 -0500, you wrote: Question: If Worm.SomeFool is Netsky, then why is not labeled as netsky? Also, is there a way to make an alias in the virus database so my users can see netsky instead of Worm.Somefool? Basically that's because the users keep complaining about the virus names that cannot be found anywhere else (like the virus database from TrendMicro). It would be good if all AV software would use the same names. Still, most commercial AV vendors are using their own naming conventions and so does Clamav. Somefool at least describes the sender of the virus :) B.