Excellent Open Letter
Results 1 to 3 of 3

Thread: Excellent Open Letter

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Excellent Open Letter

    This is _exactly_ why I don't trust the AV "solutions" any more..... It's reactive... and if you can't react quickly enough then you have a problem.....

    source: http://isc.sans.org

    Open Letter to Anti-Virus Software Companies

    The following letter was provided to us by Chris Mosby, SMS Administrator and MyITforum Security Message Board Moderator. I think many of us can relate to the grief caused by the virus name game described in his letter. Note these the thoughts and opinions in this letter are those of the author and not necessarily those of the Internet Storm Center or the SANS Insitute. Thanks Chris.


    -----BEGIN LETTER-----
    As we are all aware, it was exactly one week ago today that there was an unusual outbreak of not just one; but three globally spreading variants of the Bagle virus.
    Now that the smoke has cleared, and security professionals around the world have all had time to reflect on the events of the last seven days; I wanted to write to you on behalf of your customers to let you in on a little secret that we already know.
    The “Virus Name Game” has gotten out of hand. If you are unaware of what I refer to, I will attempt to explain.

    Sometime during the Bagle\Netsky war of earlier this year, your virus variant names got out of synch with other anti-virus software companies. We can understand how that could have happened. There were multiple versions of those viruses coming out everyday, with virus writers trying to out do each other in some childish game of hacker supremacy; and you were dealing with the waves of malware as fast as you could. When the “virus war” slowed down with the arrest of the author of Netsky, your virus variant names stayed out of synch. Your customers were able to “deal with it” as the new viruses trickled in at their normal pace by working together as a community with resources like the Internet Storm Center (http://isc.sans.org/index.php), Secunia’s Virus Information page (http://secunia.com/virus_information/), VGrep Online (http://www.virusbtn.com/resources/vgrep/index.xml), MyITforum’s Security message boards (http://myitforum.techtarget.com/foru...t.asp?catApp=2), ! and AntiVirus e-mail list (http://myitforum.techtarget.com/arti...ew.asp?id=1301).

    This last Bagle virus outbreak reminded us all what a mess we are in. Since your respective companies have adopted an isolationist attitude and don’t usually share information with other anti-virus software companies, your customers were left with a lot of confusion as to exactly what they were dealing with.

    While the new Bagle variants were spreading like wildfire, some companies acknowledged the variants existed; but had no details of what these variants did or what to look for. This did not change even after they raised the threat level of these viruses.

    Others provided more detail, but did not match the threat level of other companies since the number of submissions they received from their customers were lower. Their virus variant names were different than other companies, so your customers were left in the dark.

    Still other companies had only one or two of these variants listed, with various degrees of detail; and again completely different variant names than other companies, since that was all their customers had submitted to them. This left your customers were left in the dark again. For those of your customers that use more than one companies anti-virus product, and I know there are plenty out there; that left them with an even bigger mess than just the virus outbreak. With all of this going on your customers “dealt with it” as they usually do, working together as community. We sorted through all the information that trickled down to us, or when you felt like letting us know. As usual, we got through it, with some of us showing a few more gray hairs.

    I think I can speak for everyone in the security community when I say; "dealing with it" is not acceptable anymore. As the customers that spend money for your products, we should not have to work so hard to figure out if your products are keeping us protected. We know you can do better, and we challenge you to do so. With the increasing problem of spyware, spam, and patch management, we have enough to deal with.

    Along those lines, I have a suggestion. Since your business thrives on competition with the other companies out there, then maybe picking a name for a virus should be played as a competition by anti-virus software companies. First we would need a neutral third party you can send virus information to, like the Internet Storm Center or the United States Computer Emergency Readiness Team (US-CERT,http://www.us-cert.gov/). The competition would be that the first company to send the neutral party detailed and accurate information on a virus before any other would be the one to name the virus. This would be what all other companies would have use in their descriptions from that point on.

    However things are fixed might not matter, as long as something is done before things get worse. Work together as a community of security professionals and help out your customers at the same time. With Microsoft soon to be entering the anti-virus software business, we believe it is in your best interest to figure out how to do accomplish this and keep your customers better informed about how they are protected.

    Thank you for your time and attention,
    Chris Mosby
    SMS Administrator
    MyITforum Security Message Board Moderator.
    -----END LETTER-----
    Sourceexactly
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  2. #2


    I have a problem with the current naming conventions... and the way AV is handled as well. I posted a thread regarding my other beef here:
    http://www.antionline.com/showthread...ght=signatures

    This would require all AV vendors to create signatures that follow a standard, so scanners can be developed to load any file. This way, a customer can subscribe to multiple vendor def's for better protection if they like. They could also subscribe to "specialized" signature groups that may provide solutions for adware, or trojans or whatever.

    I think the only things that stand in front of this are heuristics and realtime protection.

    Now, my suggestion would be tough. Naming conventions, on the other hand, sounds easy. I agree with this:
    Along those lines, I have a suggestion. Since your business thrives on competition with the other companies out there, then maybe picking a name for a virus should be played as a competition by anti-virus software companies. First we would need a neutral third party you can send virus information to, like the Internet Storm Center or the United States Computer Emergency Readiness Team (US-CERT,http://www.us-cert.gov/). The competition would be that the first company to send the neutral party detailed and accurate information on a virus before any other would be the one to name the virus. This would be what all other companies would have use in their descriptions from that point on.
    This could also include the vendor name that spotted it first (probably will), and will give an awesome view of AV vendor activity. You would be able to see who is pumping out those def's the fastest. (ClamAV is quick as hell, btw )

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Well Tiger~ that is what I have been saying for years, and several times on this forum..........AV products are largely reactive rather than proactive. I think that is why we all emphasise how important it is to keep the definitions/patterns up to date. These days the first thing I do is check for security software updates when I go on the net. OK it takes 15 minutes out of my life, but that is how things are today?

    I liken the situation to a fruit machine (one-armed bandit)........the house get 30% and the punters are just playing for eachother's losings......a virus gets out, people get infected, the AV company release a solution..........if you don't get that update you could be another Luser. Same goes for software patches. You are winning from someone else's misfortune are you not?

    My main gripe about AV companies is they don't have the balls to ship their product with the security settings on maximum (I am talking home, SOHOproducts here). You have to go in and activate heuristic scanning, scan all files, scan compressed files etc. I would guess that 80% of users have no idea what all that means or the implications?

    I think the author of that article was rather shallow and trite............they call them different names? so what? does a guy who has just been shot in the head care if it was a .308 Winchester or a 30-06 Springfield?............do you care about the name of the hurricane that just trashed your house?.............I think not

    I am surprised he missed the fact that some AV companies give each and every virus variant its own name, whereas others just say "generic". Actually it takes courage to describe them as "generic" because that implies that your product should have detected the threat and dealt with it. Calling it a new name does not, and hides the fact that a rival product did a better job three days earlier (ME...........cynical?)

    Yes it is competitive. And whilst he appears unaware that the major AV companies do share threat information, he is naive in thinking that they would share solution information. Would Ford help out GM?...........but if the government came out with some new road safety regulations they would probably work together because that is just like sharing a tax bill?

    I personally think that the article does more harm than good, because it over emphasises the naming convention issue at the expense of what I would consider to be far more important shortcomings in the AV industry today.

    Well that's my £0.02...........nah, £0.03..Saturday: time and a half

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •