Gomes, Rich wrote:
> I received some emails yesterday matching the following:
> 
> Infected messages:
>     Email.Ecard-28: 2 Message(s)
>     Email.Phishing.RB-1804: 2 Message(s)
>     Email.Phishing.RB-1806: 2 Message(s)
> 
> 
> I think these are ClamAV-specific names, how can I find out more detailed 
> info on each one? I do not see them anywhere on the web.
> 
> 
> Any help would be greatly appreciated.

There are no naming standards and it doesn't look like any initiative to
create one is going anywhere. The problem is each AV vendor has to call it
something (I actually don't agree with this, but sexy names sell product).
So what do you call a virus you've not seen before? I suppose you could
submit it to all the other vendors' systems to see if they have a name for
it and adopt that, but then that's a lot of work and there are no returns.
And what if you are the first to discover it? You can't wait around for a
committee to come up with a name so you call it something and release the
update. As you know, within a day all the vendors will have discovered that
same virus and will also go through this same drill.

If you think about it, vendor A using vendor B's names is an admission that
vendor A was not the first to discover it, and that means vendor B is going
to look better in reviews.

My bottom line is, I really don't care what they're called. A simple serial
number would be fine with me. The names mean more to the popular press than
anyone else on the planet because they make great headlines. A name that is
also the date discovered would be even better as I could voluntarily remove
any old virus patterns I think are obsolete. This addresses another issue -
AV vendors get a big plus for showing they have a bizzillion patterns in
their database. I don't care - if that represents something that was an
issue in 1987 it is not a problem for me today. Get rid of it.

How to get more detail? You can translate (they're hex encoded) the record
for the virus name and read what the pattern is. This is especially true for
the phishing and text based "viruses". Less useful for viruses found in
executable files.

One final point: phishing and scam mails will not necessarily have a
corresponding identity with other vendors. They may not provide phishing and
scam protection, for one thing, and for another the manner of detecting them
is entirely arbitrary. Vendor A might look for embedded URLs in the message
where vendor B might look for repeating misspelled words or unusual phrasing
in the same message. In other words there is no guarantee of a match with
any other vendor.

dp
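
The hex translation described in the reply above, as an added example that is not part of the original message or ClamAV's own code. It assumes you already have the text record for the signature name in the extended Name:TargetType:Offset:HexSignature layout; the record, its name and the helper names `parse_record` and `decode_body` are constructed for illustration.

```python
import re

# Constructed sample in the extended-signature layout
# Name:TargetType:Offset:HexSignature (target 4 = mail). Not a real record.
SAMPLE = ("Email.Phishing.Example-1:4:*:"
          "76657269667920796f7572206163636f756e74*687474703a2f2f"
          "{1-40}2f6c6f67696e??")

# One token per match: '*', '{n-m}', '(aa|bb)', or a byte / nibble wildcard.
TOKEN = re.compile(r"\*|\{[^}]*\}|!?\([^)]*\)|[0-9a-fA-F?]{2}")
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")


def parse_record(line):
    """Return (name, hex_signature) from one extended-signature line."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected Name:TargetType:Offset:HexSignature")
    return fields[0], fields[3]


def decode_body(hexsig):
    """Return (readable, literals); wildcards are kept as <...> markers."""
    out, literals, run = [], [], bytearray()

    def flush():
        # Turn the pending run of literal bytes into printable text.
        if run:
            text = "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in run)
            literals.append(text)
            out.append(text)
            run.clear()

    pos = 0
    for m in TOKEN.finditer(hexsig):
        if m.start() != pos:  # finditer skips junk silently, so check gaps
            raise ValueError(f"unparseable signature at offset {pos}")
        pos = m.end()
        if HEX_BYTE.fullmatch(m.group()):
            run.append(int(m.group(), 16))
        else:
            flush()
            out.append(f"<{m.group()}>")
    if pos != len(hexsig):
        raise ValueError(f"unparseable signature at offset {pos}")
    flush()
    return "".join(out), literals


if __name__ == "__main__":
    name, sig = parse_record(SAMPLE)
    print(name, "->", decode_body(sig)[0])
```

The literal fragments show what text the pattern matches on; the `<...>` markers are the gaps and wildcards between them.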