Re: [clamav-users] Virus names - a rose by any name?

2013-01-13 Thread Simon Hobson
Pancho wrote:
> Hi - thanks to everyone for the replies. I have seen 2 replies now and it
> may well be that I have not been clear enough because both are at cross
> purposes.

Then it might help if you elaborated on what you meant.

> Unfortunately I don't have further time to invest in this topic but I do
> hope that someone at ClamAV sees value in the suggestions.

They might if they could understand what the suggestions were. It's clear from
your response that what people took away from your post is not what you meant.
Hence it's unlikely that anyone will see value in something they haven't seen.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Virus names - a rose by any name?

2013-01-12 Thread Dennis Peterson

On 1/12/13 5:22 AM, Pancho wrote:

> All in all for me there is a fairly compelling argument for going this route
> so I thought I would put it out there to see what others think.
>
> Kind regards
>
> Ricki

Is there something about real-time day one virus outbreaks and US 
government involvement that you see as productive?


There are certain bragging rights that go along with being first to 
detect a new virus, and the flag you wave is the name you assign to it. 
Keep the government out of it.


dp


Re: [clamav-users] Virus names - a rose by any name?

2013-01-12 Thread Simon Hobson
Pancho wrote:

> While I understand the comment, it makes it risky I believe from a security
> perspective to tell users anything more than "file contains virus".
>
> I say this because if we find a virus and provide the message "file contains
> virus with name ClamAV proprietary virus name XYZ" then malicious users
> can effectively deduce our virus engine simply by using the custom name.
> See the site http://virusscan.jotti.org/en for a very easy illustration of
> how to do this.
>
> Once the malicious user knows this again, it is a fairly straightforward
> thing for them to test exploits against a site like jotti until they find
> one not detected by ClamAV - then submit that exploit to our site knowing
> that it will successfully bypass our anti virus.

AFAIK ClamAV doesn't tell outside users anything - that is up to the software
that calls it and the administrator that set it up.

For example, suppose we are using ClamAV to scan inbound mail - using Amavis as
integration software as that's a fairly common setup. So when the email is
submitted by the outside MTA, our MTA hands off the message to Amavis, and
Amavis (amongst other things) hands it off to ClamAV.

The response sent to the outside MTA can be anything from "message blocked" at
one extreme to "ClamAV found XXX" at the other - and where in that spectrum is
down to not just ClamAV (which should correctly identify what it found IMO),
but also the config of Amavis and the config of our MTA.

Of course, what is reported to the outside MTA can be different to what is
logged in our mail log. We may just report "blocked" to outside while logging
full details (as is usually the case) in the mail log so that the administrator
has more information if the reason is queried.

Much the same applies if you scan inbound files on a web site that allows
uploads - what ClamAV reports to your software, and what your software reports
to the end user may be different things.
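
The separation described in the message above (full detail in the local log, a generic verdict to the outside), sketched for a web upload handler. This is an added example, not code from the thread or from ClamAV; it assumes clamd's INSTREAM command, and `respond`, `fake_clamd`, `scan_via_stub`, the status codes and the log fields are hypothetical names chosen for illustration, with constructed clamd replies.

```python
import logging
import socket
import struct
import threading
import uuid

log = logging.getLogger("upload-scan")  # internal log, read by administrators only
CHUNK = 8192


def clamd_instream(data: bytes, sock: socket.socket) -> bytes:
    """Scan data with clamd's INSTREAM command on a connected socket; return the raw reply."""
    sock.sendall(b"zINSTREAM\0")
    for off in range(0, len(data), CHUNK):
        chunk = data[off:off + CHUNK]
        sock.sendall(struct.pack("!I", len(chunk)) + chunk)  # 4-byte big-endian length prefix
    sock.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return reply.rstrip(b"\0")


def parse_reply(reply: bytes):
    """Map a clamd reply to ('clean', None), ('infected', signature) or ('error', text)."""
    text = reply.decode("utf-8", "replace").strip()
    verdict = text.partition(": ")[2]
    if verdict == "OK":
        return "clean", None
    if verdict.endswith(" FOUND"):
        return "infected", verdict[: -len(" FOUND")]
    return "error", text


def respond(data: bytes, scan, client: str):
    """Return the (status, body) shown to the uploader; scanner details go to the log only."""
    ref = uuid.uuid4().hex[:12]  # lets an admin find the log line if the block is queried
    try:
        status, detail = parse_reply(scan(data))
    except OSError as exc:  # clamd unreachable, timeout, broken pipe
        status, detail = "error", repr(exc)
    if status == "clean":
        return 200, "accepted"
    if status == "infected":
        log.warning("ref=%s client=%s bytes=%d engine=clamav signature=%s",
                    ref, client, len(data), detail)
        return 422, f"upload rejected (ref {ref})"
    log.error("ref=%s client=%s scan failed: %s", ref, client, detail)
    return 503, f"upload could not be checked (ref {ref})"  # fail closed: this example's choice


def fake_clamd(sock: socket.socket, marker: bytes = b"BAD") -> None:
    """Constructed stand-in for clamd so the example runs offline: just enough INSTREAM."""
    buf = b""

    def read(n: int) -> bytes:
        nonlocal buf
        while len(buf) < n:
            part = sock.recv(4096)
            if not part:
                raise ConnectionError("peer closed")
            buf += part
        out, buf = buf[:n], buf[n:]
        return out

    read(len(b"zINSTREAM\0"))
    body = b""
    while True:
        (size,) = struct.unpack("!I", read(4))
        if size == 0:
            break
        body += read(size)
    verdict = b"Eicar-Test-Signature FOUND" if marker in body else b"OK"  # constructed reply
    sock.sendall(b"stream: " + verdict + b"\0")


def scan_via_stub(data: bytes) -> bytes:
    """Run one INSTREAM exchange against the stub over a local socket pair."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_clamd, args=(server,), daemon=True)
    worker.start()
    try:
        return clamd_instream(data, client)
    finally:
        client.close()
        worker.join(timeout=5)
        server.close()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(respond(b"plain text", scan_via_stub, "203.0.113.7"))
    print(respond(b"xx BAD xx", scan_via_stub, "203.0.113.7"))
```

In production, `scan` would open the socket named by `LocalSocket` or `TCPSocket` in clamd.conf and call `clamd_instream` on it.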


Re: [clamav-users] Virus names - a rose by any name?

2013-01-12 Thread Pancho
Hi - thanks to everyone for the replies. I have seen 2 replies now and it
may well be that I have not been clear enough because both are at cross
purposes.

Unfortunately I don't have further time to invest in this topic but I do
hope that someone at ClamAV sees value in the suggestions.

If not, well such is life.



Re: [clamav-users] Virus names - a rose by any name?

2013-01-12 Thread Joel Esler
So what you want is for us to change the millions of Names we have for Trojans 
to match one of our competitors? So when people look up the open source 
detection that we provide in our open signature format, they instead get 
pointed to a competitor with closed proprietary detection?   

Even leaving our competitors out of this, how does this make sense to go and 
change millions of signatures for no functionally viable reason?

--
Joel Esler
Sent from my iPhone 


Re: [clamav-users] Virus names - a rose by any name?

2013-01-12 Thread Pancho
It is not an attack on ClamAV Joel - but I tell you what, delete the post if it 
makes you happier.

Truly I'm sorry I wasted the effort trying to contribute, and you can relax 
because I certainly won't again.



Re: [clamav-users] Virus names - a rose by any name?

2013-01-12 Thread Shawn Webb
In addition to having the same sentiments Joel has, I'd like to explain why
not displaying the name of the virus does not add any extra security for a
number of reasons:

1. Attackers can already deduce ClamAV's engine because it's open source.
They have the blueprints. They already know how it works.
2. Security through obscurity is not security.
3. If an attacker is trying to practice evasion techniques, all the
attacker cares about is whether his malware evades AVs. The attacker
doesn't care what name the AV engine gives (or doesn't give) his malware.
4. It's already common practice for malware authors to do point #3 using
services like VirusTotal.

Thanks,

Shawn



Re: [clamav-users] Virus names - a rose by any name?

2013-01-12 Thread Pancho
Again I believe you are talking at cross purposes but regardless I am entirely 
comfortable if you disagree with the suggestion I made. 

As I mentioned to Joel, please feel free to throw it away.

Thanks






Re: [clamav-users] Virus names - a rose by any name?

2013-01-12 Thread Ralf Quint

At 02:02 PM 1/12/2013, Pancho wrote:
> Again I believe you are talking at cross purposes but regardless I
> am entirely comfortable if you disagree with the suggestion I made.
> As I mentioned to Joel, please feel free to throw it away.

Wow, you don't like any criticism, do you?

Seriously, whatever a malware is called, it just doesn't matter.
Certainly any virus author couldn't care less.
AV software doesn't detect malware by its name, but by code
signatures. And with at least a couple hundred AV products out there, 
there are at least a hundred different names. Do you really think 
that the name matters in any way, to anyone?


Ralf



Re: [Clamav-users] virus names (any reference?)

2004-04-14 Thread jef moskot
On Wed, 14 Apr 2004, Bart Silverstrim wrote:
> On Apr 13, 2004, at 7:16 PM, jef moskot wrote:
>> Personally, I don't understand why this particular name has not been
>> changed, given the prevalence of this worm.
> Statistics being broken, it would create transient viruses that in
> reality were just renamed, adds to the cruft of multiple names floating
> around in lists and search engines,

I'm only talking about the seriously ridiculous differently-named worms
here.  Let's say, for example, one we're all probably receiving (at least)
a couple hundred of each day.  (I don't even think there's another example
in the ClamAV database.)

The broken statistics argument is the only one I think carries any
weight.  I personally don't care about this one, and even if I did, it
doesn't sound like anything that can't be fixed with a simple search and
replace, but I understand how this could be a big deal for some of us.

If you want to get rid of cruft, eliminating SomeFool would be a good
way to do it.  Actually, I think it should have been done a long time ago,
once it became obvious that this one's going to be with us for a long
time.

To me, the only question is:  is the continuing confusion worse than the
work necessary to change those databases?  I don't suppose we actually
have the data to answer that question.

But, as I said before, if a new user who is considering using ClamAV
checks to see if the worm that's currently slamming his server is detected
by ClamAV and he does the most reasonable search possible, it's going to
look like ClamAV doesn't do the job.  If another crappy magazine reviews
ClamAV, a hack writer could check the database and write "Ha, it doesn't
even catch Netsky!".

I think a concern with image is legitimate.  Calling a well-known worm
something else for no immediately obvious purpose (yes, it makes sense
when you explain it to someone, but most users wouldn't get that on their
own) makes the product seem a little dicey.  It might make admins ask,
"Should I put nonconformist software on my production server?"

> A central repository of cross-references would probably be the best and
> most resilient solution.

I definitely agree, but that's a lot of work.

I know I keep saying the same thing here (and I'll stop now, if nothing
new is brought up), but this seems like a real no-brainer to me.  It might
be different if we weren't constantly getting questions on this list about the
whole SomeFool/Netsky issue.

I just don't understand why we're insisting on going against the grain on
this one...

Sorry to go on about this so much, because it really is a minor point, but
it seems like we're being a little silly with this one.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]


___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] virus names (any reference?)

2004-04-14 Thread B. van Ouwerkerk

>> A central repository of cross-references would probably be the best and
>> most resilient solution.
> I definitely agree, but that's a lot of work.

I partially disagree. It would be possible to fill a database with the
announcements on the virusdb list without user intervention. procmail and
PHP is a nice combination but Perl or Python would be fine too.

All it would take are a few users who keep an eye on the database and enter
additional information if they have it.

I have a few thoughts about this but since someone else is already building
a solution I'd rather wait and see what comes out. No fun in doubling
someone else's work.

> I know I keep saying the same thing here (and I'll stop now, if nothing
> new is brought up), but this seems like a real no-brainer to me.  It might
> be different if we weren't constantly getting questions on this list about the
> whole SomeFool/Netsky issue.

This will probably happen with each new and famous virus too.

> I just don't understand why we're insisting on going against the grain on
> this one...

As long as there is no agreement in the AV industry it's an illusion that
all AV software will give a virus the same name.



B. 





Re: [Clamav-users] virus names (any reference?)

2004-04-14 Thread Eric Rostetter
Quoting jef moskot [EMAIL PROTECTED]:

> I think a concern with image is legitimate.  Calling a well-known worm
> something else for no immediately obvious purpose (yes, it makes sense

How many times must we endure this incorrect statement?

> when you explain it to someone, but most users wouldn't get that on their
> own) makes the product seem a little dicey.  It might make admins ask,
> "Should I put nonconformist software on my production server?"

That isn't the right question.  The real question is:

"Should I put this non-release pre-version-one still-under-development
software on my *production server*?"

And you think they are going to worry about the name of one virus, rather
than the fact that the software hasn't even reached version 1.0 yet?  If
so, don't hire them.  If you're going to decide on running pre-1.0 software
you are going to have to put some time into investigating it, and if you
put any time into investigating or testing ClamAV you will find out about
the netsky issue and how to solve it.

Come on, let's be real here.

>> A central repository of cross-references would probably be the best and
>> most resilient solution.
> I definitely agree, but that's a lot of work.

Not really.  But there are other issues (machine/hardware to run it on,
bandwidth to support it, etc).

But if you are going to complain about some missing feature in an open source
project, you better be willing to step up and help provide the feature!

> I know I keep saying the same thing here (and I'll stop now, if nothing
> new is brought up), but this seems like a real no-brainer to me.  It might
> be different if we weren't constantly getting questions on this list about the
> whole SomeFool/Netsky issue.
> I just don't understand why we're insisting on going against the grain on
> this one...

Are you sure he's going against the grain, and not you?

> Sorry to go on about this so much, because it really is a minor point, but
> it seems like we're being a little silly with this one.
>
> Jeffrey Moskot
> System Administrator
> [EMAIL PROTECTED]

--
Eric Rostetter


Re: [Clamav-users] virus names (any reference?)

2004-04-13 Thread Antony Stone
On Tuesday 13 April 2004 9:51 pm, Henry Harvey wrote:

> Is there anywhere I can check the corresponding
> virus names for ClamAV? I understand that
> the names from some other AVs are not the
> same as how ClamAV calls it. Like Netsky.P
> is actually in SomeFool.P in ClamAV.
>
> I'm looking at the ClamAV website and can't
> find info. Where do I check how ClamAV
> calls these viruses?

http://sourceforge.net/mailarchive/forum.php?forum=clamav-virusdb

http://news.gmane.org/gmane.comp.security.virus.clamav.virusdb

Regards,

Antony

-- 
You can spend the whole of your life trying to be popular,
but at the end of the day the size of the crowd at your funeral
will be largely dictated by the weather.

 - Frank Skinner

 Please reply to the list;
   please don't CC me.





Re: [Clamav-users] virus names (any reference?)

2004-04-13 Thread Peter Bonivart
Henry Harvey wrote:
I'm looking at the ClamAV website and can't
find info. Where do I check how ClamAV
calls these viruses?
The best place right now is the archive for the virus db update list. 
You can search there for the Clam name, often names of commercial 
products are mentioned there.

http://news.gmane.org/gmane.comp.security.virus.clamav.virusdb

There's also work being done on a web site with just the info you're 
requesting.

--
/Peter Bonivart
--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.29.7,
SpamAssassin 2.63 + DCC 1.2.39, ClamAV 0.70RC + GMP 4.1.2, MailStats 0.25


Re: [Clamav-users] virus names (any reference?)

2004-04-13 Thread Jesper Juhl
On Tue, 13 Apr 2004, Henry Harvey wrote:

 I hope this is not a redundant question here.
 I joined this list just recently so I hope
 somebody can point me in the right direction.

 Is there anywhere I can check the corresponding
 virus names for ClamAV?

Not currently, no.  I've been working on a website to allow users to do
exactly that, but due to being overworked and various other issues it has
not progressed as fast as I had hoped - still working on it when I have a
chance though, so expect something like that in the future.


--
Jesper Juhl [EMAIL PROTECTED]
Sysadmin,  Danmarks Idræts-Forbund / Sports Confederation of Denmark
Don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please  http://www.expita.com/nomime.html




Re: [Clamav-users] virus names (any reference?)

2004-04-13 Thread jef moskot
On Wed, 14 Apr 2004, Jesper Juhl wrote:
 I've been working on a website to allow users to do exactly that, but
 due to being overworked and various other issues it has not progressed
 as fast as I had hoped - still working on it when I have a chance
 though, so expect something like that in the future.

I think if the website just said What we call 'SomeFool' others call
'Netsky', 95% of all questions would be covered.

Personally, I don't understand why this particular name has not been
changed, given the prevalence of this worm.  A comprehensive web site
would certainly be a nice feature, but I think it's really overkill while
resources are limited.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]




Re: [Clamav-users] virus names (any reference?)

2004-04-13 Thread Antony Stone
On Wednesday 14 April 2004 12:16 am, jef moskot wrote:

 I think if the website just said What we call 'SomeFool' others call
 'Netsky', 95% of all questions would be covered.

That seems like a good idea to me.

 Personally, I don't understand why this particular name has not been
 changed, given the prevalence of this worm.

The problem here is that it's only possible to measure prevalence once 
there's been quite a lot of it under the old name, and that in itself becomes 
the very reason why the name cannot easily be changed - people have seen lots 
of examples of the original name, logfiles and analysers have started 
recording the original name, and end users have got used to the fact that 
they're seeing messages saying it's blocked.   Change any of those and you 
tend to end up causing more problems than you solve.

If the rest of the industry were 100% consistent about their names for viruses 
and worms then there would be an argument for ClamAV to fall in line, even 
after creating an original signature first, however that is very much not the 
case, so until there's any form of consensus, ClamAV's names remain as valid 
as any others.

I'm happy for my mail server to be blocking all the instances of 
Worm.SomeFool.x - I couldn't care less about NetSky, because I never see it.

Just my 2 units of currency,

Regards,

Antony.

-- 
In Heaven, the police are British, the chefs are Italian, the beer is Belgian, 
the mechanics are German, the lovers are French, the entertainment is 
American, and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American, 
the mechanics are French, the lovers are Swiss, the entertainment is Belgian, 
and everything is organised by the Italians.

 Please reply to the list;
   please don't CC me.





Re: [Clamav-users] virus names (any reference?)

2004-04-13 Thread jef moskot
On Wed, 14 Apr 2004, Antony Stone wrote:
 The problem here is that it's only possible to measure prevalence once
 there's been quite a lot of it under the old name...

I agree with this in principle, but I think this is a special case.
There's no denying that this is one of the most popular
differently-named worms ClamAV has ever dealt with.  I think it deserves
re-examination at this point, as it continues to be an issue.

Other viruses/worms have been renamed in the past, and while I recognize
that there'd be issues with renaming this one at this time, NOT renaming
it continues to create nuisances.

My personal take on the situation is that renaming would eliminate more
issues than it would create, although I could be completely wrong.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]




Re: [Clamav-users] virus names (any reference?)

2004-04-13 Thread Antony Stone
On Wednesday 14 April 2004 1:09 am, jef moskot wrote:

 On Wed, 14 Apr 2004, Antony Stone wrote:
  The problem here is that it's only possible to measure prevalence once
  there's been quite a lot of it under the old name...

 Other viruses/worms have been renamed in the past, and while I recognize
 that there'd be issues with renaming this one at this time, NOT renaming
 it continues to create nuisances.

I think your suggestion to place a notice on the ClamAV web page is a good 
one, and the right solution for anyone who regards the name discrepancy as a 
problem.

I don't agree with the proposal to change the name in ClamAV after so much 
time has passed, and after so many variants have been identified.

If people whose email is being protected by ClamAV can't figure out what 
Worm.SomeFool means by now, then they need to reassess their information 
resources, I think.

Regards,

Antony.

-- 
Microsoft may sell more software than any other company, but McDonald's sell 
more burgers than any other company, and I think the other similarities are 
obvious...

 Please reply to the list;
   please don't CC me.





Re: [Clamav-users] Virus Names

2004-04-07 Thread Stuart Mycock
I'm behind the Clam team in that they focus on getting sigs out before 
worrying about the name.

I don't know if this is a technical limitation of the virus db's (and 
not sure if this has been mentioned previously, sorry) but what's to 
stop the name of the virus being changed in the virus db once a 'common' 
name has been determined?

My problem with doing that is that it requires a developer to update the 
DB when he could be busy beating the pants off Sophos analysing new wild 
viruses, and frankly I'd rather live with an AKA and have 
up-to-the-minute protection than wait a couple of hours until the other 
AV's have had their little waffle about cool names. ;)

I'd prefer to adopt the approach of letting the Clam team get a def out 
with any name they want and have a non-developer publish basic virus 
info on an area of the Clam site, and on that page you'd just have the 
blurb on SomeFool.Q for example, along with a short description (only 
brief, tho, there's plenty of viral analysis on other sites) of the 
virus with an Also known as: NetSky.Q, SmellyVirus.1, Whatever.Q, etc.

I forget now, but someone had posted a brief list of AKA's, perhaps it 
can be integrated into the Clam website, or a new section created on 
clamav.net?

It would free-up the developers from having to think about common names, 
it would only take a couple of Clam admins to update it after doing some 
queries with other AV's, and all you'd need to do is direct your 
end-users to the virus info page so they can find out for themselves 
what SomeFool is according to the other AV's.

Stuart.





Re: [Clamav-users] Virus Names

2004-04-07 Thread B. van Ouwerkerk
At 22:12 06-04-2004 +0200, you wrote:
Diego d'Ambra wrote:
And that is what we'll (try to) do in the future (if a common name has
been established).
But that would break statistics. I don't mind if the name is different as 
long as it can be cross-referenced. Someone was working on a web site with 
just that but I haven't heard of any news for some time.
I'm curious about the status..

I have been looking at the latest announcements and it should be possible 
to parse them into a MySQL or PG database. A simple lookup page and a link 
in the warning to the user should fix it. And a page for a few trusted 
persons to add any information to viri, or allow any user to do so..

I don't fancy the idea of doing the same job someone else does but I could 
do it if no one else does or has dropped the idea.
This would be a good way for me to do something in return for using Clamav.



B. 





Re: [Clamav-users] Virus Names

2004-04-07 Thread Bart Silverstrim
On Apr 6, 2004, at 3:23 PM, Diego d'Ambra wrote:

-Original Message-
From: [EMAIL PROTECTED] [mailto:clamav-users-
[EMAIL PROTECTED] On Behalf Of jef moskot
Sent: 6. april 2004 19:08
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Virus Names
On Tue, 6 Apr 2004, Eric Rostetter wrote:
If netsky is Worm.SomeFool, then why is it not labeled as
Worm.SomeFool?
But when something is this much of a phenomenon, why not just change
the
name?  I know it's been done for other worms in the past.

And that is what we'll (try to) do in the future (if a common name has
been established).
With all due respect, this may be a bad idea, if I understand you 
correctly...you're saying that when a virus is found by the clamav team 
and it's called foo, then other companies get ahold of it and call it 
bar, the clam team should call it bar also, correct?

This would mean that floating around out there in googleland (and for 
awhile unupdated databases) would be the name foo.  People researching 
will find extremely short-lived virus names floating around because it 
is one that was renamed...

I'm sure there's  a simple solution and I'm probably just worrying too 
much over it, but I would still think it would be better to have a wiki 
or some kind of knowledge base set up where people could put in 
information on the virus.  The ClamAV name, and a list of aliases from 
other companies, and maybe a breakdown of the behavior/payload/etc. of 
the virus, when it was added to the clamav database, etc. and just 
reference it that way.  It would mean minimal changes to clamav, a 
volunteer group (or the whole user community) could contribute 
separately from the programming team...would that work?

-Bart





Re: [Clamav-users] Virus Names

2004-04-07 Thread Bart Silverstrim
On Apr 6, 2004, at 4:31 PM, Eric Rostetter wrote:

Quoting jef moskot [EMAIL PROTECTED]:

On Tue, 6 Apr 2004, Eric Rostetter wrote:
But changing the name after the fact would just confuse people more.
I completely disagree.  Hardcore Clam users are more likely to 
understand
the reality of the situation and realize that the ClamAV team has to 
call
the viruses SOMETHING.  Usually, that's the same name everyone else 
uses,
but sometimes it isn't.
Great for netsky since almost everyone uses it.  But what about viruses
that have multiple names from the other vendors and the media?  For the
first week, SCO (clamd) was called novarg by most, until the media took
off with mydoom and that became the new name.  Should clamav have 
migrated
along from SCO to NOVARG to MYDOOM just because the others came along
later and in that order?
That is the name that is popularized by the media after the fact...I 
think many larger AV vendors put the aliases in their virus 
encyclopedias online, don't they?


There's maybe a small amount of confusion for a couple days, and 
that's
that.
Most viruses don't last for more than a few days anyway, so this only
applies to the rare cases (like lately with the virus wars over netsky
et al).
Tell that to my web server...I still see hits from blaster...

But we are constantly being asked by casual (or new) users why ClamAV
doesn't pick up Netsky
Yes, but the user is just being stupid.  They are not getting infected
with netsky, so obviously it is picking it up.
Hardly.  Sometimes when justifying to the PHBs that ClamAV is just as 
good, if not better than, other solutions you need to answer the 
questions the PHBs get when they watch the evening news.  It would be 
helpful if you could point them to a knowledge base article or 
encyclopedia from Clam saying it's an alias for virus FooBar says 
so right here, added on ya ya ya in database version X...and we're 
protected because our signature version is Y.

what the heck SomeFool is, etc.  Many of those
You don't think you'll get that question even if you use the more 
common
name for viruses?

It's not the question, it's enabling users to easily find the answer.  
The question will still get asked, but seeing that most of the admins 
running ClamAV are hopefully a little more skilled than the average 
user, most of the questions should be answered at the local 
administrator level rather than the Clam team level.  If the answer 
were a simple site lookup of an entry for a virus name that was 
cross-referenced (or put on a separate server that could be CVS'd or 
Rsynced for a local copy...)

On top of that, we have our database being freshclammed several times a 
day.  Since most of the Windows viruses are now fully automated, what 
happens in the hours between a virus getting released and then 
discovered then added to the database then our server getting 
refreshed?  Not everyone is running freshclam on the mail 
server...we're using it to scan incoming mail then forward the mail to 
our internal mail server.  That means that if the WindowsDeath virus 
comes in before our database holds it, it will get to our internal 
servers...where a backup scanner has to catch it.  Then we get into 
the aliases of viruses problem...we get a report of virus WindowFool 
being in the message. Are we protected now, it was just something that 
slipped in between updates?  Or is it something we need to worry about? 
Or...?

The process becomes more time-consuming to verify than it needs to be.  
That's just the price to pay for a solution as flexible as ClamAV...

Other than some kind of issue with logging things by virus name, are 
there
any sensible reasons to not use the same name everyone else in the
computer community is using?

It adds overhead to a volunteer project.  Let the other vendors have 
their fun renaming things with the proprietary name games.  It would 
probably be easiest if the Clam group responded by just making an alias 
encyclopedia, in my opinion...

Also, as I've pointed out, not all the AV vendors agree on the names.  
It
usually isn't clamav against the world (as it appears with netsky).  
It is
more normal that there are 2, 3, or 4 other names for the virus.  And 
you
never know which will become the most popular until days or weeks after
you name it.

Worse are the games where a minor minor variant comes out, they slap a 
new name on it, and then promote their product as catching x,000 
viruses while neglecting to mention that 200 of them are the same 
virus, only instead of having screw you embedded in it it has screw 
you!, No, screw YoU!,...etc. etc. etc.

Oh well.  That's my view, anyway...

-Bart




Re: [Clamav-users] Virus Names

2004-04-07 Thread The Count of CipherSpace
Eric Rostetter at 2004-04-06 15:37 from [EMAIL PROTECTED] wrote:

But changing the name after the fact would just confuse people
more.   We can't go merrily along for a week or so until the AV people or
the media -- and often it is the media who decide -- come up with the most
popular name, and then rename it.  What would that do to any kind of
tracking people do?  What would that do to users (last week I got somefool,
but now I'm getting a new virus netsky?)  It would cause chaos.  And much
more chaos than having multiple names for a single virus.

I agree with this completely.  I'd rather do some additional research on 
the 'Net than have my logs all messed up.




RE: [Clamav-users] Virus Names

2004-04-07 Thread Colin A. Bartlett
Stuart Mycock Sent: Wednesday, April 07, 2004 4:24 AM

 I'd prefer to adopt the approach of letting the Clam team get a def out 
 with any name they want and have a non-developer publish basic virus 
 info on an area of the Clam site, and on that page you'd just have the 
 blurb on SomeFool.Q for example, along with a short description (only 
 brief, tho, there's plenty of viral analysis on other sites) of the 
 virus with an Also known as: NetSky.Q, SmellyVirus.1, Whatever.Q, etc.

How about a Wiki?

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz 





RE: [Clamav-users] Virus Names

2004-04-07 Thread Mitch (WebCob)
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of B. van
 Ouwerkerk
 Sent: Wednesday, April 07, 2004 2:00 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Virus Names


 I don't fancy the idea of doing the same job someone else does
 but I could
 do it if no one else does or has dropped the idea.
 This would be a good way for me to do something in return for
 using Clamav.

me either.

I'd certainly be willing to help with something along those lines as well -
even if it's only hosting a mirror!

I think the idea makes sense to me, but I keep hearing that the clamav
format will support some sort of alias system - just not sure what, or how,
or if it is enough information.

I'd IDEALLY like a system that allows us (collaboratively) to map viruses to
all commercial products - PARTICULARLY those maintaining virus information
databases, and then allow us to create a diff-based distribution of this
database - like the clamav datafile, and also a simple lookup page which
could use a template, and the database to return cross references / links to
information on the virii as documented by other systems.

m/





Re: [Clamav-users] Virus Names

2004-04-06 Thread Korchmenuk Nickolay
On Mon, 5 Apr 2004 23:38:08 -0500
Erick Perez - Vision Media [EMAIL PROTECTED] wrote:

 Question:
 If Worm.SomeFool is Netsky, then why is it not labeled as netsky?
 Also, is there a way to make an alias in the virus database so my users can
 see netsky instead of Worm.Somefool?

It's time to place an answer to this question into the FAQ.

-- 
 Korchmenuk Nickolay
06 Apr 2004 14:25:24




Re: [Clamav-users] Virus Names

2004-04-06 Thread Eric Rostetter
Quoting Erick Perez - Vision Media [EMAIL PROTECTED]:

 Question:
 If Worm.SomeFool is Netsky, then why is it not labeled as netsky?

Answer:
If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?

 Basically that's because the users keep complaining about the virus names
 that cannot be found anywhere else (like the virus database from TrendMicro).

If they want to use the name TrendMicro uses, then they should use the
TrendMicro software.

 Thanks,
 Erick

--
Eric Rostetter


Re: [Clamav-users] Virus Names

2004-04-06 Thread Eric Rostetter
Quoting Graham Murray [EMAIL PROTECTED]:

 So maybe, as with celestial objects, there should be agreement that
 the first AV 'vendor' to publish a detection for a virus should be
 given the honour of naming it and the other vendors adopt the same
 name rather than inventing their own (and potentially causing
 confusion). So if Clamav is first, other vendors should adopt its
 name and if some other vendor is first then Clamav should use the name
 that vendor gives it.

This is exactly what ClamAV does.  Now you just need to get the rest
of the AV vendors to follow that rule.  Good luck with that!

--
Eric Rostetter


Re: [Clamav-users] Virus Names

2004-04-06 Thread Antony Stone
On Tuesday 06 April 2004 3:58 pm, Eric Rostetter wrote:

 Quoting Erick Perez - Vision Media [EMAIL PROTECTED]:
  Question:
  If Worm.SomeFool is Netsky, then why is it not labeled as netsky?

 Answer:
 If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?

Do you call people Eskimos or Inuits?   They're still the same people, but 
looking up one or other in some information resource may provide different 
results.

  Basically that's because the users keep complaining about the virus names
  that cannot be found anywhere else (like the virus database from
  TrendMicro).

 If they want to use the name TrendMicro uses, then they should use the
 TrendMicro software.

No, many people are interested to know more about the viruses which are being 
detected.

If you do a Google search for NetSky virus you get 308,000 results.   If you 
do a Google search for SomeFool virus you get 2,080.

Therefore knowing the more common name for a virus is useful to people who use 
ClamAV.

Regards,

Antony.

-- 
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

 Please reply to the list;
   please don't CC me.





Re: [Clamav-users] Virus Names

2004-04-06 Thread Hanford, Seth
  If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?

Rhetoric aside, this is obviously an itch that needs scratched.  Clam does a
wonderful job and (as was the case with SomeFool) does it faster than most.
Perhaps we might be able to scratch up support for an alias correlation
database, planting the seed with Clam.

 No, many people are interested to know more about the viruses which are
 being detected.

 If you do a Google search for NetSky virus you get 308,000 results.   If
 you do a Google search for SomeFool virus you get 2,080.

 Therefore knowing the more common name for a virus is useful to people who
 use ClamAV.

I think that, for our purposes, we need only search on the Clam name for a
virus.  All other names are potentially worthless work--AFAIK, the clam DB
contains only (or mostly) viruses in the wild.  If we had as part of the
submission process an additional field noting what name the detecting AV
called it
(For example, worm.notagoodguy passes through clam, but is picked up by
trend as WORM.BADGUY).  Any aliases that we come up with could get submitted
right alongside such a sample.

Our search really only needs to be one-way, to keep it in scope.  There's no
need to support searching everyone else's names, only Clam's.  Everyone's
talking about NetSky?  If you're not receiving SomeFool, then why do you
care?  If you are, look up SomeFool.  If you're getting files and Clam
doesn't detect them, then submit them.  They'll be named, and you'll be able
to search.

--Seth
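
Added example (not part of any post in this thread and not ClamAV project code): a one-way lookup keyed on the ClamAV name, as suggested above, together with per-family detection counts that survive a rename, which is the log-statistics concern raised elsewhere in the thread. The log lines are constructed, the Worm.SomeFool to Worm.Netsky rename is hypothetical, and carrying the variant letter over to the alias is an assumption.

```python
import re
from collections import Counter

# One-way alias table: ClamAV family name (lower-cased) -> names used elsewhere.
# Only pairings mentioned in this thread; WORM.BADGUY is the thread's made-up example.
ALIASES = {
    "worm.somefool": ["Netsky"],
    "worm.notagoodguy": ["WORM.BADGUY"],
}

# clamscan prints "<path>: <signature> FOUND" for a detection and "<path>: OK" otherwise.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

# Trailing variant such as ".P" or ".Gen-1". The family must keep at least two
# dotted parts, so "Worm.SomeFool" is a family with no variant.
VARIANT_RE = re.compile(
    r"^(?P<family>[^.]+\..+?)\.(?P<variant>[A-Z]{1,3}|Gen(?:-\d+)?)$"
)


def parse_found(line):
    """Return (path, signature) for a detection line, or None for anything else."""
    m = FOUND_RE.match(line.strip())
    return (m.group("path"), m.group("sig")) if m else None


def split_variant(sig):
    """Split 'Worm.SomeFool.P' into ('Worm.SomeFool', 'P'); variant is '' if absent."""
    m = VARIANT_RE.match(sig)
    return (m.group("family"), m.group("variant")) if m else (sig, "")


def aka(sig):
    """Look up other names for a ClamAV signature (ClamAV name -> aliases only).

    Assumption: the variant letter matches across vendors, as with
    SomeFool.P / Netsky.P in the thread. That is not guaranteed in general.
    """
    family, variant = split_variant(sig)
    names = ALIASES.get(family.lower(), [])
    return [f"{name}.{variant}" if variant else name for name in names]


def annotate(line):
    """Rewrite a detection line so the end user also sees the common names."""
    hit = parse_found(line)
    if hit is None:
        return None
    path, sig = hit
    others = aka(sig)
    suffix = f" (also known as: {', '.join(others)})" if others else ""
    return f"{path}: {sig}{suffix}"


def family_counts(lines, renames=None):
    """Count detections per family, folding renamed families into the new name.

    `renames` maps an old ClamAV family name to its replacement, so counts
    logged before and after a rename end up in one bucket.
    """
    renames = renames or {}
    counts = Counter()
    for line in lines:
        hit = parse_found(line)
        if hit is None:
            continue
        family, _variant = split_variant(hit[1])
        counts[renames.get(family, family)] += 1
    return counts


# Constructed sample: three lines logged before a hypothetical rename, one after.
SAMPLE_LOG = [
    "/var/spool/mail/msg1: Worm.SomeFool.P FOUND",
    "/var/spool/mail/msg2: OK",
    "/var/spool/mail/msg3: Worm.SomeFool.Q FOUND",
    "/var/spool/mail/msg4: Worm.Netsky.Q FOUND",
    "/var/spool/mail/msg5: Worm.NotAGoodGuy FOUND",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(annotate(entry) or entry)
    # Without the rename map the same worm is split across two buckets.
    print(dict(family_counts(SAMPLE_LOG)))
    print(dict(family_counts(SAMPLE_LOG, {"Worm.SomeFool": "Worm.Netsky"})))
```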





Re: [Clamav-users] Virus Names

2004-04-06 Thread jef moskot
On Tue, 6 Apr 2004, Eric Rostetter wrote:
 If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?

While I agree with this in principle, I think for instances where a
question like this pops up at least once a week just on this list, it
might be worth it to just bite the bullet and go along with the herd.

I understand that when the ClamAV (as it often does) discovers a worm
before there's a common name for it, that it's not just inconvenient, it's
impossible to choose the name that everyone else will eventually use.

But when something is this much of a phenomenon, why not just change the
name?  I know it's been done for other worms in the past.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]




Re: [Clamav-users] Virus Names

2004-04-06 Thread Bit Fuzzy
While I can and do understand what Eric was saying, I have to agree with
Erick.

http://www.bitdefender.com/index.php - Bitdefender
http://www.grisoft.com/us/us_index.php - AVG
http://www.pandasoftware.com/home/ - Panda
http://www.symantec.com/ - Norton
http://us.mcafee.com/default.asp - Mcafee
http://www.trendmicro.com - Trendmicro
http://viruslist.com/eng/ -- Virus List

While different, all have 1 thing in common with each other.
CVID's (Common Virus Identifiers), granted some list netsky as
worm-i/netsky, or w32/netsky, but in the end you (the user/administrator)
know what was stopped, and thus have the ability to see what's being
identified and/or do research on what the virus/worm did (the function).

Not complaining.. just expressing my 2 cents ;)

- Original Message - 
From: Eric Rostetter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 10:58 AM
Subject: Re: [Clamav-users] Virus Names


 Quoting Erick Perez - Vision Media [EMAIL PROTECTED]:

  Question:
  If Worm.SomeFool is Netsky, then why is it not labeled as netsky?

 Answer:
 If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?

  Basically that's because the users keep complaining about the virus names
  that cannot be found anywhere else (like the virus database from
  TrendMicro).

 If they want to use the name TrendMicro uses, then they should use the
 TrendMicro software.

  Thanks,
  Erick

 --
 Eric Rostetter




Re: [Clamav-users] Virus Names

2004-04-06 Thread Tomasz Papszun
On Tue, 06 Apr 2004 at 12:17:05 -0400, Hanford, Seth wrote:
 
 If we had as part of the submission process an additional field noting
 what name the detecting AV called it

There is such a field! And if it's too short, you can add more
names/details/URLs in the description field (that big area below).

 (For example, worm.notagoodguy passes through clam, but is picked up by
 trend as WORM.BADGUY).  Any aliases that we come up with could get submitted
 right alongside such a sample.

We include aliases in our announcements. Unfortunately, while
submitting, many people fail to write the name (according to other
scanner), though they select that the sample is detected by other
scanner and sometimes they even write which scanner (but no virus name).

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]  | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




RE: [Clamav-users] Virus Names

2004-04-06 Thread Diego d'Ambra
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:clamav-users-
 [EMAIL PROTECTED] On Behalf Of jef moskot
 Sent: 6. april 2004 19:08
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Virus Names
 
 On Tue, 6 Apr 2004, Eric Rostetter wrote:
  If netsky is Worm.SomeFool, then why is it not labeled as
  Worm.SomeFool?
 
 But when something is this much of a phenomenon, why not just change
 the name?  I know it's been done for other worms in the past.
 

And that is what we'll (try to) do in the future (if a common name has
been established). 

Best regards,
Diego d'Ambra




Re: [Clamav-users] Virus Names

2004-04-06 Thread Peter Bonivart
Diego d'Ambra wrote:
 And that is what we'll (try to) do in the future (if a common name has
 been established).

But that would break statistics. I don't mind if the name is different 
as long as it can be cross-referenced. Someone was working on a web site 
with just that but I haven't heard of any news for some time.

--
/Peter Bonivart
--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2, MailStats 0.25


Re: [Clamav-users] Virus Names

2004-04-06 Thread jef moskot
On Tue, 6 Apr 2004, Eric Rostetter wrote:
 But changing the name after the fact would just confuse people more.

I completely disagree.  Hardcore Clam users are more likely to understand
the reality of the situation and realize that the ClamAV team has to call
the viruses SOMETHING.  Usually, that's the same name everyone else uses,
but sometimes it isn't.

There's maybe a small amount of confusion for a couple days, and that's
that.

But we are constantly being asked by casual (or new) users why ClamAV
doesn't pick up Netsky, what the heck SomeFool is, etc.  Many of those
Google hits are WTF is SomeFool?.  A lot of work could be saved by being
more user-friendly.

Seriously, what have we to gain from using an obscure name?  OK, so, we
have the moral high ground, but that's not really the focus of the
product.

Other than some kind of issue with logging things by virus name, are there
any sensible reasons to not use the same name everyone else in the
computer community is using?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]




Re: [Clamav-users] Virus Names

2004-04-06 Thread Eric Rostetter
Quoting jef moskot [EMAIL PROTECTED]:

 On Tue, 6 Apr 2004, Eric Rostetter wrote:
  But changing the name after the fact would just confuse people more.

 I completely disagree.  Hardcore Clam users are more likely to understand
 the reality of the situation and realize that the ClamAV team has to call
 the viruses SOMETHING.  Usually, that's the same name everyone else uses,
 but sometimes it isn't.

Great for netsky since almost everyone uses it.  But what about viruses
that have multiple names from the other vendors and the media?  For the
first week, SCO (clamd) was called novarg by most, until the media took
off with mydoom and that became the new name.  Should clamav have migrated
along from SCO to NOVARG to MYDOOM just because the others came along
later and in that order?

 There's maybe a small amount of confusion for a couple days, and that's
 that.

Most viruses don't last for more than a few days anyway, so this only
applies to the rare cases (like lately with the virus wars over netsky
et al).

 But we are constantly being asked by casual (or new) users why ClamAV
 doesn't pick up Netsky

Yes, but the user is just being stupid.  They are not getting infected
with netsky, so obviously it is picking it up.

 what the heck SomeFool is, etc.  Many of those

You don't think you'll get that question even if you use the more common
name for viruses?

 Google hits are WTF is SomeFool?.  A lot of work could be saved by being
 more user-friendly.

Try looking at them again.

 Seriously, what have we to gain from using an obscure name?  OK, so, we
 have the moral high ground, but that's not really the focus of the
 product.

The focus of the product is to stop viruses, not to name them with a
popular name.

 Other than some kind of issue with logging things by virus name, are there
 any sensible reasons to not use the same name everyone else in the
 computer community is using?

Only when clamav names it before anyone else.  Even then, clamav is willing
to rename it if it can be done quickly, before the current name becomes
established, in my experience.  It is only when there is a large gap between
the clamav name and the popular name that they don't rename it.
Also, as I've pointed out, not all the AV vendors agree on the names.  It
usually isn't clamav against the world (as it appears with netsky).  It is
more normal that there are 2, 3, or 4 other names for the virus.  And you
never know which will become the most popular until days or weeks after
you name it.

 Jeffrey Moskot
 System Administrator
 [EMAIL PROTECTED]

--
Eric Rostetter


Re: [Clamav-users] Virus Names

2004-04-06 Thread jef moskot
On Tue, 6 Apr 2004, Eric Rostetter wrote:
 Great for netsky since almost everyone uses it.

Exactly.

 Should clamav have migrated along from SCO to NOVARG to MYDOOM just
 because the others came along later and in that order?

It could easily be taken on a case-by-case basis.  But, as even you admit,
Netsky/SomeFool is a slam dunk.

 Most viruses don't last for more than a few days anyway, so this only
 applies to the rare cases (like lately with the virus wars over netsky
 et al).

I agree.

 The focus of the product is to stop viruses, not to name them with a
 popular name.

Yes, but this is not best accomplished by calling users stupid (even
when they are).  We don't want to make something available to people and
then insult them when they use it in good faith.  The larger issue is that
the more people who use anti-virus methods and the more well-informed
users we have, the better it is for everyone.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]




Re: [Clamav-users] Virus Names

2004-04-06 Thread Antony Stone
On Tuesday 06 April 2004 9:44 pm, jef moskot wrote:

  The focus of the product is to stop viruses, not to name them with a
  popular name.

 Yes, but this is not best accomplished by calling users stupid (even
 when they are).

That may be true, however it's no excuse for allowing stupid users to continue 
with their misguided notions, without some attempt at education and 
correction.

ClamAV is focused on detecting viruses, sure, and you're right that this is 
not best accomplished by telling stupid users that they're stupid, however it 
doesn't condone pandering to their preconceived misconceptions about viruses 
and worms (such as they should each have only one name) either.

There are many examples of the commercial A-V vendors having different names 
for the same virus, and ClamAV happens to be showing this characteristic 
recently simply because the signature development team is doing such a good 
job (and, it should be noted, without the cooperation of commercial vendors 
providing the ClamAV team with newly discovered virus samples through their 
exclusive partnerships).   I do not agree with criticising the product 
because it is better than its competitors.

It cannot be too hard to explain to a clueless user how viruses get named, and 
hope that at least some proportion of those people might understand that this 
inevitably leads to different names for the same thing found in different 
places at about the same time.

And, if that doesn't work, give them a courgette and ask them whether it's a 
zucchini, give them a football and see if they kick it or carry it, ask them 
how to pronounce tomato, ask them which side of the road it is correct to 
drive on, put them on the pavement and see if they want to walk or drive on 
it, check whether they stop at traffic lights or robots, or even ask them to 
do something momentarily.

Regards,

Antony.

-- 
There's no such thing as bad weather - only the wrong clothes.

 - Billy Connolly

 Please reply to the list;
   please don't CC me.





Re: [Clamav-users] Virus Names

2004-04-06 Thread jef moskot
On Tue, 6 Apr 2004, Antony Stone wrote:
 There are many examples of the commercial A-V vendors having different
 names for the same virus...

That's true, but when that's the case for an extremely prevalent virus,
it's usually noted in the media.

Using the well-known naming convention is a much simpler and more logical
response to the real world.  At such time as everyone else in the world
becomes wise to ClamAV's superior ways, then it would make sense to just
use our own word for whatever threat comes along.  But in THIS world, it's
easier for just about everyone involved (including all the admins who keep
dropping in here asking about Netsky and their users) to take the path of
least resistance.

 I do not agree with criticising the product because it is better than
 its competitors.

I'm not criticizing it, I'm just trying to be practical.  If some admin
who has never heard of this mailing list or our political crusade to
educate the world about worms is looking into ClamAV (some free product he
might be suspicious of on principle, but is checking out because the price
is right), checks the database to see if it handles one of his biggest
problems and it turns out it's not in the database...then we've lost one
potential ClamAV user and done a disservice to the open source community.

 It cannot be too hard to explain to a clueless user how viruses get
 named...

It's not too hard to explain to one user, but this situation is repeated
over and over, probably many times a day.  It's not hard, but it's
unnecessary and we don't gain much by making a pointless stand.

Users aren't incapable of understanding the process, but being different
for no purpose doesn't make any sense.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]




Re: [Clamav-users] Virus Names

2004-04-06 Thread B. van Ouwerkerk
At 23:38 05-04-2004 -0500, you wrote:
 Question:
 If Worm.SomeFool is Netsky, then why is it not labeled as netsky?
 Also, is there a way to make an alias in the virus database so my users can
 see netsky instead of Worm.Somefool?
 Basically that's because the users keep complaining about the virus names
 that cannot be found anywhere else (like the virus database from TrendMicro).

It would be good if all AV software would use the same names. Still, most 
commercial AV vendors are using their own naming conventions and so does 
Clamav.

Somefool at least describes the sender of the virus :)



B. 





Re: [Clamav-users] Virus Names

2004-04-06 Thread Fisher


B. van Ouwerkerk wrote:

 At 23:38 05-04-2004 -0500, you wrote:

  Question:
  If Worm.SomeFool is Netsky, then why is it not labeled as netsky?

 It would be good if all AV software would use the same names. Still,
 most commercial AV vendors are using their own naming conventions and
 so does Clamav.

Actually, it usually happens that Clamav recognises the viruses before
the other AV vendors, so no well-known name was available. See the
archive for more detailed answers; this question has already been answered here.



Re: [Clamav-users] Virus Names

2004-04-06 Thread Graham Murray
Fisher [EMAIL PROTECTED] writes:

 Actually, it usually happens that Clamav recognises the viruses before
 the other AV vendors, so no well-known name was available. See the
 archive for more detailed answers; this question has already been
 answered here.

So maybe, as with celestial objects, there should be agreement that
the first AV 'vendor' to publish a detection for a virus should be
given the honour of naming it and the other vendors adopt the same
name rather than inventing their own (and potentially causing
confusion). So if Clamav is first, other vendors should adopt its
name and if some other vendor is first then Clamav should use the name
that vendor gives it.




Re: [Clamav-users] Virus Names

2004-04-06 Thread Antony Stone
On Tuesday 06 April 2004 9:48 am, Graham Murray wrote:

 Fisher [EMAIL PROTECTED] writes:
  Actually, it usually happens that Clamav recognises the viruses before
  the other AV vendors, so no well-known name was available. See the
  archive for more detailed answers; this question has already been
  answered here.

 So maybe, as with celestial objects, there should be agreement that
 the first AV 'vendor' to publish a detection for a virus should be
 given the honour of naming it and the other vendors adopt the same
 name rather than inventing their own (and potentially causing
 confusion).

Celestial objects do not commonly appear and need an agreed name within the 
urgent timescale of computer viruses :)

Whilst your proposal makes excellent sense, it assumes:
a) cooperation between the commercial A-V vendors and Open Source developers 
(there is often a blockage in one direction here)
b) that it's easy to tell if the virus one person's given a name to is the 
same as the virus someone else has just named
c) that the time taken to cooperate over the name is very short compared to 
the time to get a signature out under the corresponding name

Basically, it comes down to the fact that the commercial A-V vendors don't 
want to share their new virus samples with the Open Source community, so we 
have no way of knowing whether the virus we've just named is the same one 
that they have.

I think the best we'll ever achieve is a cross-reference database.

Regards,

Antony.

-- 
These clients are often infected by viruses or other malware and need to be 
fixed.  If not, the user at that client needs to be fixed...

 - Henrik Nordstrom, on Squid users' mailing list

 Please reply to the list;
   please don't CC me.
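
The cross-reference approach that Peter Bonivart and Antony Stone mention in this thread, sketched as an added example (not part of the original messages and not ClamAV code): statistics stay keyed on the signature name the scanner reported, and common names are attached only at report time. It assumes the `<path>: <signature> FOUND` line format printed by clamscan; the alias table uses only names mentioned in the thread, and the log lines, paths and variant letters are constructed.

```python
import re
from collections import Counter

# Cross-reference table keyed by ClamAV family name. The entries are built
# only from names mentioned in this thread (assumption: a real table would
# be maintained from the aliases published in signature announcements).
ALIASES = {
    "Worm.SomeFool": ["Netsky", "W32/Netsky"],
    "Worm.SCO": ["Novarg", "Mydoom"],
}

# A detection is reported as "<path>: <signature> FOUND". The greedy path
# group keeps paths that themselves contain ": " intact.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def parse_detection(line):
    """Return (path, signature) for a FOUND line, or None for anything else."""
    m = FOUND_RE.match(line.strip())
    return (m.group("path"), m.group("sig")) if m else None


def aliases_for(sig):
    """Find the longest dotted prefix of sig that has an alias entry.

    "Worm.SomeFool.P" is tried as-is, then as "Worm.SomeFool", then "Worm",
    so variant suffixes need no entries of their own.
    """
    parts = sig.split(".")
    while parts:
        family = ".".join(parts)
        if family in ALIASES:
            return family, ALIASES[family]
        parts.pop()
    return sig, []  # unknown signature: report it without aliases


def clamav_names_for(common_name):
    """Reverse lookup: which ClamAV families correspond to a common name?"""
    needle = common_name.lower()
    return sorted(
        family
        for family, names in ALIASES.items()
        if any(needle in name.lower() for name in names)
    )


def report(lines):
    """Count detections per reported signature and attach aliases for display.

    Counts are keyed on the scanner's own name, so adding or changing an
    alias later never splits or renames an existing statistics bucket.
    """
    counts = Counter()
    for line in lines:
        hit = parse_detection(line)
        if hit:
            counts[hit[1]] += 1
    rows = [(sig, n, aliases_for(sig)[1]) for sig, n in counts.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


# Constructed sample scanner output (not taken from a real system).
SAMPLE_LOG = """\
/var/spool/mail/in/msg1.eml: Worm.SomeFool.P FOUND
/var/spool/mail/in/msg2.eml: OK
/var/spool/mail/in/re: invoice.eml: Worm.SomeFool.P FOUND
/var/spool/mail/in/msg4.eml: Worm.SCO.A FOUND
/var/spool/mail/in/msg5.eml: Trojan.Unlisted FOUND
"""

if __name__ == "__main__":
    for sig, n, names in report(SAMPLE_LOG.splitlines()):
        also = " (also known as: " + ", ".join(names) + ")" if names else ""
        print(f"{n:3d}  {sig}{also}")
    print("netsky is detected as:", clamav_names_for("netsky"))
```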





RE: [Clamav-users] Virus Names

2004-04-06 Thread Randal, Phil
Graham Murray wrote:

 So maybe, as with celestial objects, there should be 
 agreement that the first AV 'vendor' to publish a detection 
 for a virus should be given the honour of naming it and the 
 other vendors adopt the same name rather than inventing their 
 own (and potentially causing confusion). So if Clamav is 
 first, other vendors should adopt its name and if some other 
 vendor is first then Clamav should use the name that vendor gives it.

Viruses are discovered a darned sight more rapidly than celestial objects.

Let's not waste the antivirus folks' time by making them jump through hoops
over naming protocols.  I'd rather priorities were given to protecting us
from the darned things instead of worrying about what the vendors call them.

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

