Comments on anti-virus rants: what's in a malware name
(comment feed for the blog post by kurt wismer; feed last updated 2023-08-26)

kurt wismer (2010-03-19, 10:04 -04:00):

@cdmand83:
without any other context i settled on the interpretation that mike was just expressing an opinion, but in light of the new context you've brought you appear to be right about mike being up to no good.

while i'm always slightly suspicious of comments that contain links, these comment links point to legitimate and well known vendors - and he points to 2 competing vendors, which seems an unlikely behaviour for someone getting paid by one of them.

it's possible this person is astroturfing or maybe even trying to smear the reputation of both companies.

at any rate, it certainly shouldn't do anything to improve either's pagerank since the rel="nofollow" attribute is set. i also doubt regular readers will be swayed by it since i think they're already quite familiar with both companies. i think i'll leave the comment as evidence.

Cd-MaN (2010-03-19, 09:19 -04:00):

@kurt: you seem to have been spammed :-) (see Mike's comment above). But fear not, you are in good company ;-) (see this blogpost: http://technicalinfodotnet.blogspot.com/2010/03/sophos-stop-spamming-me-and-end-your.html).

Anonymous (2010-03-17, 14:39 -04:00):

You make a good point, and it is one I often make about encryption. There are just too many standards out there for any smooth communication to occur. I think there are some companies who are getting it right with their approach to malware (http://www.sophos.com/products/malware-protection/), but many malware (http://www.kaspersky.com) just can't seem to get their fundamentals down.

kurt wismer (2010-01-11, 10:21 -05:00):

@cdman83:
i have no doubt there are many difficulties in the realm of "deconfliction" (which is what the CME called the process of deciding whether a particular instance was the same as an already enumerated piece of malware or not) but there was a process for it.

whatever those problems are, however, at the end of the day if a vendor can give something a name for use in a threat report, they can also agree with other vendors about what that name should be. they don't need to do that for all of them or even most of them - threat reports show what? the top 10 or 20 pieces of malware seen throughout the year? harmonizing those names should be doable.

- also, good point on the name interpretation. caro-compliant names never say what the malware doesn't do, they only imply some part of what it does do.

David Harley (2010-01-11, 08:25 -05:00):

Well, I agree with you more than I disagree. :) But I thought my response needed more time and space than I have here, so I blogged it at ESET.
(http://www.eset.com/threat-center/blog/2010/01/11/malware-classification-and-the-lovely-bones)

Cd-MaN (2010-01-11, 05:44 -05:00):

IMHO the single biggest problem in the "malware naming harmonization" is the one of detection methods.

For example, let's say that we have a malicious file F which is detected by two malware scanners S1 and S2. Furthermore, let's say that S1 detects the file as "Malware1" because it contains the string ".evil" in the headers and S2 detects it as "Malware2" because it contains the string ".bad". This means:

- both scanners correctly determine that the file is malware
- however, because of the different detection methods, you can't make the equation "S1/Malware1" == "S2/Malware2" - there very well might be files out there which will be detected by S1 as Malware1, but by S2 as something else and vice-versa

And I'm not even considering the problem of naming "families" (i.e. if you have a downloader which today downloads Malware1 but tomorrow downloads Malware2 because the second one pays better - how should it be classified? as Malware1? 2? something different?)

To say it another way: the set of "malicious files" detected by S1 is the union of smaller detections (which may be overlapping! - i.e. a file might be detected by multiple heuristics/signatures) and so is the set of files detected by S2. Because they are developed separately, it isn't reasonable to expect that there would be anything like a 1 to 1 correspondence between these subsets.

PS. IMHO one of the sources of this misunderstanding is that in "the good old days" virus-writers worked separately and there were few new viruses. So (a) it was easy to isolate "family X" from "family Y" and (b) the companies had time to check how others were detecting it and come up with a similar name. These days however there is a lot of cross-pollination and variants come out very rapidly, making this process unfeasible.

Also, I am all for giving nonsensical names to malware (such as GUIDs), because I've seen many times people imagining that the complete behavior of the malware is encoded in the name (i.e. the malware is named "INF/Autorun", which means that we don't have to worry that it spreads through IM, since it doesn't say so in the name).
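The following is an added example, not code from the blog or from any of the commenters. It models Cd-MaN's argument directly: two scanners built independently from overlapping string rules, run over a handful of constructed byte strings standing in for files (no real samples, and the rule strings ".evil", ".bad", ".dl" and the detection names are made up for illustration). Both scanners agree on which files are malicious, but cross-tabulating the names they report shows a many-to-many relation rather than the one-to-one mapping that "S1/Malware1 == S2/Malware2" would require.

```python
# Added example (not from the blog post or any commenter): a toy model of
# two independently developed scanners that both correctly flag the same
# files as malicious while their detection names admit no one-to-one map.
# Samples, rules and names are all constructed here for illustration.
from collections import defaultdict

# Constructed "files": byte strings standing in for sample contents.
SAMPLES = {
    "s1": b"MZ hdr .evil payload",
    "s2": b"MZ hdr .evil .bad payload",
    "s3": b"MZ hdr .bad dropper",
    "s4": b"MZ hdr .bad .dl stage2",
    "s5": b"MZ hdr hello world",
}

# A scanner is an ordered list of (detection name, predicate). The first
# matching rule supplies the reported name, the way a product reports one
# verdict even when several of its signatures overlap on a file.
SCANNER_S1 = [
    ("Malware1", lambda d: b".evil" in d),
    ("Downloader.A", lambda d: b".dl" in d),
    ("Malware1.gen", lambda d: b".bad" in d and b"dropper" in d),
]
SCANNER_S2 = [
    ("Malware2", lambda d: b".bad" in d),
    ("Trojan.X", lambda d: b".evil" in d),
]


def scan(scanner, data):
    """Return the detection name for `data`, or None if no rule matches."""
    for name, rule in scanner:
        if rule(data):
            return name
    return None


def detections(scanner, samples):
    """Map sample id -> detection name (or None) for one scanner."""
    return {sid: scan(scanner, data) for sid, data in samples.items()}


def agree_on_malicious(det_a, det_b):
    """True if both scanners flag exactly the same samples as malicious,
    ignoring what they call them."""
    return all((det_a[s] is None) == (det_b[s] is None) for s in det_a)


def name_crosstab(det_a, det_b):
    """For each name reported by scanner A, the set of names scanner B
    reported on the same samples. A harmonized naming scheme would need
    this relation to be one-to-one."""
    table = defaultdict(set)
    for sid, name_a in det_a.items():
        name_b = det_b[sid]
        if name_a is not None and name_b is not None:
            table[name_a].add(name_b)
    return dict(table)


def is_one_to_one(table):
    """True only if every A-name maps to exactly one B-name and no B-name
    is shared by two different A-names."""
    if any(len(names) != 1 for names in table.values()):
        return False
    targets = [next(iter(names)) for names in table.values()]
    return len(targets) == len(set(targets))


if __name__ == "__main__":
    d1 = detections(SCANNER_S1, SAMPLES)
    d2 = detections(SCANNER_S2, SAMPLES)
    print("agree on which files are malicious:", agree_on_malicious(d1, d2))
    for name_a, names_b in name_crosstab(d1, d2).items():
        print(f"S1/{name_a} -> S2/{sorted(names_b)}")
    print("names map one-to-one:", is_one_to_one(name_crosstab(d1, d2)))
```

On these constructed inputs S1/Malware1 lands on both S2/Trojan.X and S2/Malware2, and S2/Malware2 is reached from three different S1 names, so `is_one_to_one` is false even though `agree_on_malicious` is true. The same cross-tabulation is what one would compute over real multi-scanner results before trusting any vendor-to-vendor name alias.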