Re: [Clamav-users] Virus aliases

2004-03-11 Thread jef moskot
On Thu, 11 Mar 2004, Dave Ewart wrote:
> ClamAV is a fabulous project - wish I could find some way to contribute.

Well, there's always: http://clamav.net/donate.php#pagestart

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Virus aliases

2004-03-11 Thread Tomasz Kojm
On Thu, 11 Mar 2004 07:52:44 -0800
"Mitch (WebCob)" <[EMAIL PROTECTED]> wrote:


> Maybe I spoke too soon... if you guys are already working on this great
> - how will aliases be identified and submissions be processed?
> 
> I've heard that the bigger manufacturers often copy the first known
> name - is there a way to get in that peer group?
> 
> Will the system handle multiple aliases in the event it occurs?

The idea is to include aliases in a signature and allow clamscan/clamd
to print them optionally, eg.

clamscan foo
foo: Worm.SomeFool FOUND

clamscan --aliases foo
foo: Worm.SomeFool W32.Netsky FOUND

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 11 19:41:13 CET 2004




RE: [Clamav-users] Virus aliases

2004-03-11 Thread Mitch \(WebCob\)


> -----Original Message-----
> From: Tomasz Kojm
>
> On Thu, 11 Mar 2004 10:15:50 +
> Dave Ewart <[EMAIL PROTECTED]> wrote:
>
> > 2. Can the alias details be extracted from the .cvd files?  If not
> > currently, is there any way to add this detail?
>
> Virus aliases will be supported in signatures in the near future.
>

Maybe I spoke too soon... if you guys are already working on this great - how
will aliases be identified and submissions be processed?

I've heard that the bigger manufacturers often copy the first known name -
is there a way to get in that peer group?

Will the system handle multiple aliases in the event it occurs?

Will the system identify the "owner" of the alias (like norton / sophos /
etc.)?

Thanks!

m/





RE: [Clamav-users] Virus aliases

2004-03-11 Thread Mitch \(WebCob\)
> No idea how easy this would be to implement but here goes:
>
> As well as the virus signature databases, how about having an alias
> database which would contain a record for each virus, indicating its
> ClamAV name along with those used by the more mainstream AV software
> like Sophos, McAfee etc. Then have the scanning software (clamd etc.)
> accept a commandline switch to indicate your preferred naming. That way,
> if you also use Sophos/McAfee/whatever on internal servers you could get
> ClamAV to report an infection using the same naming as internally.  Of
> course, as the Clam sigs are usually ahead of the rest, the aliases for
> a particular virus would all be set to ClamAV's chosen name. Then, as
> the other vendors get their signatures out the aliases could be updated
> accordingly.
>
> Workable/unworkable/insane idea?
>
> Paul

I like it!

Should be quite simple to implement and very workable - depending on the
will of the powers that be to maintain...

A little more complex idea would be to create a collaborative maintenance
system allowing the users to update and complete the information - a simple
voting system could accept multiple submissions from confirmed contributors
as validation...

With such a database (downloadable like freshclam currently maintains
regular virus db) we could issue warnings that make more sense to users of
bigger name commercial products, and even generate links to their
educational content on the virii...

The feeling I get is that clam detects the virus - generates the sig and
done... Norton, etc. decode it and see what it does and then publish the
info - when the link between the clam virus and the norton name is made
(for example) a link to that content would let the clam user know what they
found and what potential damage it could or might have already caused.

The developers of clam already have probably got their plates full with clam
issues... I could (as I imagine many others) consider building and hosting
something like this if there was enough support for it - thoughts?

Thanks!

m/





Re: [Clamav-users] Virus aliases

2004-03-11 Thread Dave Ewart

On Thursday, 11.03.2004 at 13:52 +0100, Tomasz Kojm wrote:

> On Thu, 11 Mar 2004 10:15:50 + Dave Ewart
> <[EMAIL PROTECTED]> wrote:
> 
> > 2. Can the alias details be extracted from the .cvd files?  If not
> > currently, is there any way to add this detail?
> 
> Virus aliases will be supported in signatures in the near future.

Excellent news!  ClamAV is a fabulous project - wish I could find some
way to contribute.

At the moment, all I'm managing is word-of-mouth praise etc.

Cheers,

Dave.
-- 
Dave Ewart
[EMAIL PROTECTED]
Computing Manager, Epidemiology Unit, Oxford
Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370





Re: [Clamav-users] Virus aliases

2004-03-11 Thread Tomasz Kojm
On Thu, 11 Mar 2004 10:15:50 +
Dave Ewart <[EMAIL PROTECTED]> wrote:

> 2. Can the alias details be extracted from the .cvd files?  If not
> currently, is there any way to add this detail?

Virus aliases will be supported in signatures in the near future.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 11 13:51:55 CET 2004




RE: [Clamav-users] Virus aliases

2004-03-11 Thread Paul Walsh
No idea how easy this would be to implement but here goes:

As well as the virus signature databases, how about having an alias
database which would contain a record for each virus, indicating its
ClamAV name along with those used by the more mainstream AV software
like Sophos, McAfee etc. Then have the scanning software (clamd etc.)
accept a commandline switch to indicate your preferred naming. That way,
if you also use Sophos/McAfee/whatever on internal servers you could get
ClamAV to report an infection using the same naming as internally.  Of
course, as the Clam sigs are usually ahead of the rest, the aliases for
a particular virus would all be set to ClamAV's chosen name. Then, as
the other vendors get their signatures out the aliases could be updated
accordingly.

Workable/unworkable/insane idea?

Paul
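
Added example, not part of the original thread and not ClamAV code: a sketch of the alias database proposed in this message, combined with the confirmed-contributor voting suggested in Mitch's reply, applied to the report lines shown in Tomasz's message. The vendor keys, contributor names, the quorum of 2 and the functions build_alias_db/rename are assumptions made for illustration.

```python
import re
from collections import defaultdict

CONFIRMED = {"alice", "bob", "carol"}  # hypothetical confirmed contributors
QUORUM = 2                             # assumed threshold; the thread names none
FOUND = re.compile(r"^(?P<path>.*): (?P<name>\S+) FOUND$")

# Constructed submissions: (ClamAV name, vendor key, alias, submitter).
# Only the Worm.SomeFool / W32.Netsky pair comes from the thread.
SUBMISSIONS = [
    ("Worm.SomeFool", "vendor_a", "W32.Netsky", "alice"),
    ("Worm.SomeFool", "vendor_a", "W32.Netsky", "bob"),
    ("Worm.SomeFool", "vendor_b", "W32/Example-A", "carol"),  # single vote
    ("Worm.SomeFool", "vendor_a", "W32.Bogus", "mallory"),    # unconfirmed
]

def build_alias_db(submissions):
    """Keep an alias only after QUORUM distinct confirmed contributors agree."""
    votes = defaultdict(set)
    for clam, vendor, alias, who in submissions:
        if who in CONFIRMED:
            votes[(clam, vendor, alias)].add(who)
    db = {}
    for (clam, vendor, alias), voters in votes.items():
        if len(voters) < QUORUM:
            continue
        current = db.setdefault(clam, {}).get(vendor)
        # On conflicting aliases for one vendor, the better-supported one wins.
        if current is None or len(voters) > len(votes[(clam, vendor, current)]):
            db[clam][vendor] = alias
    return db

def rename(line, db, prefer=None, show_aliases=False):
    """Rewrite one 'path: Name FOUND' report line; other lines pass through."""
    m = FOUND.match(line)
    if not m:
        return line
    clam = m["name"]
    aliases = db.get(clam, {})
    name = aliases.get(prefer, clam)  # no alias yet: fall back to ClamAV's name
    names = [name]
    if show_aliases:
        for other in [clam] + sorted(aliases.values()):
            if other not in names:
                names.append(other)
    return f"{m['path']}: {' '.join(names)} FOUND"

if __name__ == "__main__":
    db = build_alias_db(SUBMISSIONS)
    for opts in ({}, {"show_aliases": True}, {"prefer": "vendor_a"}):
        print(rename("foo: Worm.SomeFool FOUND", db, **opts))
```

The quorum check is what keeps a single submitter, confirmed or not, from relabelling a detection in everyone's reports.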

