Do you give risk assessments of each and every "virus" caught, then?

That would be a complete waste of time.

But, just to let you know the risks we're talking about here:

eCard stuff:  emails containing either a link to a website pushing
Trojans onto the PCs of those stupid enough to visit; or a .zip
attachment containing a Trojan.  The risk?  Malware on your PC, data
harvesting, turning PC into a spambot, etc.

The phishing ones usually contain links to fake bank sites in an attempt
to harvest people's usernames and passwords, and thence their money.
The risk is of your staff being fleeced, quickly followed by legal
action by them against management for failure in their duty of care for
their employees (by not blocking these phishing emails they are aiding
and abetting the criminals).

And if you really have to argue the case individually for each and every
virus pattern in your antivirus products' databases, you should start
seeking a new job right now.

Cheers,

Phil


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gomes, Rich
Sent: 25 October 2007 18:20
To: ClamAV users ML
Subject: Re: [Clamav-users] Recent viruses

Dennis,
        Thanks for the reply. I understand all of what you are saying,
having worked as a sysadmin for many years now. My issue is that even
with most vendors using different naming conventions, they are "usually"
cross-referenced in any technical info that is out there. I can't find
any data on these messages and would like to know what other malware
names they match up to so I can present it to management. At this point
I can't even give a risk assessment.


Rich

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dennis
Peterson
Sent: Thursday, October 25, 2007 12:54 PM
To: ClamAV users ML
Subject: Re: [Clamav-users] Recent viruses

Gomes, Rich wrote:
> I received some emails yesterday matching the following:
> 
> Infected messages:
>     Email.Ecard-28: 2 Message(s)
>     Email.Phishing.RB-1804: 2 Message(s)
>     Email.Phishing.RB-1806: 2 Message(s)
> 
> 
> I think these are ClamAV-specific names, how can I find out more
> detailed info on each one? I do not see them anywhere on the web.
> 
> 
> Any help would be greatly appreciated.

There are no naming standards and it doesn't look like any initiative to
create one is going anywhere. The problem is each AV vendor has to call
it something (I actually don't agree with this, but sexy names sell
product). So what do you call a virus you've not seen before? I suppose
you could submit it to all the other vendors' systems to see if they
have a name for it and adopt that, but then
that's a lot of work and there are no returns. And what if you are the
first to discover it? You can't wait around for a committee to come up
with a name so you call it something and release the update. As you
know, within a day all the vendors will have discovered that same virus
and will also go through this same drill.

If you think about it, vendor A using vendor B's names is an admission
that vendor A was not the first to discover it, and that means vendor B
is going to look better in reviews.

My bottom line is, I really don't care what they're called. A simple
serial number would be fine with me. The names mean more to the popular
press than anyone else on the planet because they make great headlines.
A name that is also the date discovered would be even better as I could
voluntarily remove any old virus patterns I think are obsolete. This
addresses another issue - AV vendors get a big plus for showing they
have a bizzillion patterns in their database. I don't care - if that
represents something that was an issue in 1987 it is not a problem for
me today. Get rid of it.

How to get more detail? You can translate (they're hex encoded) the
record for the virus name and read what the pattern is. This is
especially true for the phishing and text based "viruses". Less useful
for viruses found in executable files.

One final point: phishing and scam mails will not necessarily have a
corresponding identity with other vendors. They may not provide phishing
and scam protection, for one thing, and for another the manner of
detecting them is entirely arbitrary. Vendor A might look for embedded
URLs in the message where vendor B might look for repeating misspelled
words or unusual phrasing in the same message. In other words there is
no guarantee of a match with any other vendor.

dp
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
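Dennis's suggestion of decoding the hex pattern stored behind a signature name, as an added example that is not from the thread or from the ClamAV project: a small Python decoder for the legacy plain-text record formats, `.db` (Name=HEX) and `.ndb` (Name:Target:Offset:HEX). The sample records and their names are constructed placeholders, not real ClamAV signatures; ClamAV wildcards (`*`, `{n-m}`, `??`, `(aa|bb)`) are kept visible in brackets rather than expanded.

```python
"""Decode legacy ClamAV text signatures (.db / .ndb records) into readable form.
Added example, not code from the list thread or the ClamAV project."""
import re

# Tokens: '*' any-length gap, '{n-m}' bounded gap, '(aa|bb)' alternatives,
# '??' or half-nibble wildcards, or one plain hex byte.
_TOKEN = re.compile(r'\*|\{[0-9-]*\}|\([0-9a-fA-F?|]+\)|[0-9a-fA-F?]{2}')


def parse_record(line):
    """(name, target, offset, hexsig) from 'Name=HEX' (.db) or
    'Name:Target:Offset:HEX[:MinFL:MaxFL]' (.ndb) records."""
    line = line.strip()
    if ':' not in line and '=' in line:          # .db style, no target/offset
        name, hexsig = line.split('=', 1)
        return name, None, '*', hexsig
    fields = line.split(':')
    if len(fields) < 4:
        raise ValueError('unrecognised signature record: %r' % line)
    return fields[0], int(fields[1]), fields[2], fields[3]


def decode_hexsig(hexsig):
    """Render a hex signature as text; gap/wildcard tokens stay in brackets."""
    out, pos = [], 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError('bad hex at offset %d in %r' % (pos, hexsig))
        pos, tok = m.end(), m.group(0)
        if tok == '*' or tok.startswith('{'):
            out.append('[' + tok + ']')          # e.g. [*], [{1-20}]
        elif tok.startswith('('):               # (zip|rar) style alternatives
            out.append('(' + '|'.join(decode_hexsig(a)
                                      for a in tok[1:-1].split('|')) + ')')
        elif '?' in tok:                        # '??' or e.g. '4?' wildcard byte
            out.append('?')
        else:
            b = int(tok, 16)
            out.append(chr(b) if 0x20 <= b < 0x7f else '\\x%02x' % b)
    if pos != len(hexsig):
        raise ValueError('bad hex at offset %d in %r' % (pos, hexsig))
    return ''.join(out)


# Constructed sample records (placeholder names, not real ClamAV signatures).
SAMPLE_RECORDS = [
    'Email.Phishing.Example-1=436c69636b206865726520746f20766572696679',
    'Email.Ecard.Example-1:4:*:596f752068617665207265636569766564{1-20}'
    '65636172642e(7a6970|726172)',
]

for _name, _t, _off, _hex in map(parse_record, SAMPLE_RECORDS):
    print('%-28s %s' % (_name, decode_hexsig(_hex)))
```

The plain-text records come from unpacking the database with `sigtool --unpack`; binary-file signatures decode to mostly unprintable bytes, which is why this reads well for phishing and text patterns and poorly for executables, as the message says.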