Again I believe you are talking at cross purposes but regardless I am entirely 
comfortable if you disagree with the suggestion I made. 

As I mentioned to Joel, please feel free to throw it away.

Thanks

-----Original Message-----
From: clamav-users-boun...@lists.clamav.net 
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Shawn Webb
Sent: 12 January 2013 11:37 PM
To: ClamAV users ML
Subject: Re: [clamav-users] Virus names - a rose by any name?

In addition to having the same sentiments Joel has, I'd like to explain why not 
displaying the name of the virus does not add any extra security for a number 
of reasons:

1. Attackers can already "deduce" ClamAV's engine because it's open source. 
They have the blueprints. They already know how it works.
2. Security through obscurity is not security.
3. If an attacker is trying to practice evasion techniques, all the attacker 
cares about is whether his malware evades AVs. The attacker doesn't care what 
name the AV engine gives (or doesn't give) his malware.
4. It's already common practice for malware authors to do point #3 using 
services like VirusTotal.

Thanks,

Shawn


On Sat, Jan 12, 2013 at 4:01 PM, Joel Esler <jes...@sourcefire.com> wrote:

> So what you want is for us to change the millions of Names we have for 
> Trojans to match one of our competitors? So when people look up the 
> open source detection that we provide in our open signature format, 
> they instead get pointed to a competitor with closed proprietary detection?
>
> Even leaving our competitors out of this, how does this make sense to 
> go and change millions of signatures for no functionally viable reason?
>
> --
> Joel Esler
> Sent from my iPhone 
>
> On Jan 12, 2013, at 3:42 PM, "Pancho" <p...@originsystems.co.za> wrote:
>
> > Hi - thanks to everyone for the replies. I have seen 2 replies now 
> > and it may well be that I have not been clear enough because both 
> > are at cross purposes.
> >
> > Unfortunately I don't have further time to invest in this topic but 
> > I do hope that someone at ClamAV sees value in the suggestions.
> >
> > If not, well such is life.
> >
> > -----Original Message-----
> > From: clamav-users-boun...@lists.clamav.net
> > [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Simon 
> > Hobson
> > Sent: 12 January 2013 06:32 PM
> > To: clamav-users@lists.clamav.net
> > Subject: Re: [clamav-users] Virus names - a rose by any name?
> >
> > "Pancho" wrote:
> >
> >> While I understand the comment, it makes it risky I believe from a 
> >> security perspective to tell users anything more than "file contains 
> >> virus".
> >>
> >> I say this because if we find a virus and provide the message "file 
> >> contains virus with name <ClamAV proprietary virus name XYZ>" then 
> >> malicious users can effectively deduce our virus engine simply by 
> >> using the custom name.
> >> See the site http://virusscan.jotti.org/en for a very easy 
> >> illustration of how to do this.
> >>
> >> Once the malicious user knows this again, it is a fairly 
> >> straightforward thing for them to test exploits against a site like 
> >> jotti until they find one not detected by ClamAV - then submit that 
> >> exploit to our site knowing that it will successfully bypass our 
> >> anti virus.
> >
> > AFAIK ClamAV doesn't tell outside users anything - that is up to the 
> > software that calls it and the administrator that set it up.
> >
> > For example, suppose we are using ClamAV to scan inbound mail - 
> > using Amavis as integration software as that's a fairly common setup. 
> > So when the email is submitted by the outside MTA, our MTA hands off 
> > the message to Amavis, and Amavis (amongst other things) hands it off 
> > to ClamAV.
> >
> > The response sent to the outside MTA can be anything from "message 
> > blocked" at one extreme to "ClamAV found XXX" at the other - and where 
> > in that spectrum is down to not just ClamAV (which should correctly 
> > identify what it found IMO), but also the config of Amavis and the 
> > config of our MTA.
> >
> > Of course, what is reported to the outside MTA can be different to 
> > what is logged in our mail log. We may just report "blocked" to 
> > outside while logging full details (as is usually the case) in the 
> > mail log so that the administrator has more information if the reason 
> > is queried.
> >
> > Much the same applies if you scan inbound files on a web site that 
> > allows uploads - what ClamAV reports to your software, and what your 
> > software reports to the end user may be different things.
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide: visit 
> > http://wiki.clamav.net http://www.clamav.net/support/ml
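Simon Hobson's point above (what ClamAV reports to the calling software and what that software tells the end user can be two different things) as an added example, not code from this thread or from the ClamAV project: a small Python upload handler that parses a clamd scan reply, logs the full signature name for the administrator, and hands the uploader only a generic message. The clamd replies are constructed samples, and `parse_clamd_response` / `triage_upload` are names chosen here.

```python
import re
import logging

# Constructed sample clamd replies (not captured from a real scanner); they
# follow the "stream: <signature> FOUND" / "stream: OK" / "stream: <reason> ERROR"
# shape clamd returns for an INSTREAM scan.
SAMPLE_RESPONSES = [
    "stream: Eicar-Test-Signature FOUND",
    "stream: OK",
    "stream: Can't allocate memory ERROR",
]

_RESP = re.compile(
    r"^(?P<target>[^:]+): (?:(?P<detail>.*) )?(?P<verdict>FOUND|OK|ERROR)$"
)

log = logging.getLogger("upload-scan")


def parse_clamd_response(line):
    """Split one clamd reply into (verdict, detail); raise on an unknown shape."""
    m = _RESP.match(line.rstrip("\0\r\n"))
    if not m:
        raise ValueError("unrecognised clamd response: %r" % line)
    return m.group("verdict"), m.group("detail") or ""


def triage_upload(filename, clamd_line):
    """Return (accept, user_message); the full scanner detail goes to the log.

    The uploader never sees the signature name or the engine's error text;
    the administrator can still find it in the log if the rejection is queried.
    """
    verdict, detail = parse_clamd_response(clamd_line)
    if verdict == "OK":
        log.info("upload %s: clean", filename)
        return True, "File accepted."
    if verdict == "FOUND":
        log.warning("upload %s rejected: ClamAV found %s", filename, detail)
        return False, "File rejected: it failed the content scan."
    # ERROR: fail closed, but keep the engine's reason out of the user message
    log.error("upload %s: scanner error: %s", filename, detail)
    return False, "File rejected: it could not be scanned."


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for resp in SAMPLE_RESPONSES:
        print(triage_upload("sample.bin", resp))
```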