Monday, October 10, 2005

what the Common Malware Enumeration really is

i was not the least bit impressed by what i read in the comments to Schneier on Security: Computer Malware to Have Uniform Names... clearly people don't understand what the CME is or what it will be able to do...

first and foremost it is NOT a new naming scheme, it won't replace existing names or displace existing naming conventions... anti-virus companies will continue to name viruses in exactly the same way as they have been - the Common Malware Enumeration won't change that... at best the CME will provide a well coordinated alias for malware of significant interest...

the CME will not solve the naming problem... the naming problem is a byproduct of the commercial anti-virus environment - many competing organizations working in parallel on their own products necessitates that they come up with names themselves in order to get signatures to their customers as quickly as possible... waiting for some centralized body to give the malware a standard name means that they'd be leaving their customers exposed to the threat without protection for longer (because of the "deconfliction" process) which would ultimately hurt their bottom-line...

the CME isn't necessarily going to improve the situation for users... not only are average users not going to be aware of what the CME is or what the CME number for a particular piece of malware can be used for, but it will likely have a similar effect on the anti-virus community that project vgrep had - its presence will make naming consistency seem less important... it won't actually be less important, CMEs will be numbers and thus will be next to unusable by real people except as an index to use when looking something up - names will still be used when discussing things or calling up tech support, etc... names are what people actually remember, not numbers, and with less motivation to be consistent with other organizations when it comes to naming, the naming problem is likely to get worse instead of better...

this won't lead to better protection, it won't even guarantee less confusion... it'll be a big help to those of us who know what's what (and hopefully it won't go in the brain-dead direction project vgrep did by requiring registration in order to do lookups) but that's about it...