Clueless anti-virus products/vendors (was Re: Sober)
Larry Smith
lesmith at ecsis.net
Mon Dec 5 03:44:08 UTC 2005
On Sunday 04 December 2005 21:27, Church, Chuck wrote:
> What about all the viruses out there that don't forge addresses?
> Sending a warning message makes sense for these. Unless someone has
> done the research to determine the majority of viruses forge addresses,
> you really can't complain about the fact that the default is to warn.
> Calling vendors 'clueless' because a default doesn't match your needs is
> a little extreme, don't you think? The ideal solution would be for the
> scanning software to send a warning only if the virus detected is known
> to use real addresses, otherwise it won't warn.
True, but the "capability" has been in most AV software for quite a long time
now to know which ones "forge" and which do not. ClamAV has a "list" of
which viruses are "forging" and which are not - I am reasonably certain that
most other AV products have the same information at hand (a quick search of
Symantec confirms that they know [ref Sober worm, para 23, From:
(spoofed)]). So while I agree with your basic concept of notifying someone
that they are infected - when you can notify the "right" person - blanket
notifications are more trouble than the virus itself in many cases. And yes,
as of yesterday I have more "blowback" from Sober than from the worm
itself....
--
Larry Smith
SysAd ECSIS.NET
sysad at ecsis.net
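The policy both posters describe (warn the apparent sender only when the detected family is known not to forge addresses, otherwise notify the local side only) as an added example in Python; this is not code from the thread or from any AV product, and the spoofing table, family names and helper are constructed for illustration:

```python
from dataclasses import dataclass

# Constructed table of which malware families forge the sender address.
# Vendors keep similar data (the thread cites Symantec's Sober write-up);
# the entries here are illustrative, not a vendor list.
FORGES_SENDER = {
    "Worm.Sober": True,             # From: is spoofed, per the thread
    "Worm.Example-Honest": False,   # hypothetical family keeping the real sender
}


@dataclass
class ScanResult:
    virus_name: str
    envelope_sender: str   # SMTP MAIL FROM; "" is the null sender


def notification_actions(result: ScanResult, warn_unknown: bool = False) -> set:
    """Decide who gets a warning for an infected message.

    Returns a set drawn from {"notify_recipient", "notify_sender", "quarantine"}.
    The local recipient or postmaster is always told; the sender only when
    the family is known to use real addresses. warn_unknown reproduces the
    vendor default the thread complains about (warn for unknown families).
    """
    actions = {"quarantine", "notify_recipient"}
    sender = result.envelope_sender.strip().lower()

    # Never reply to the null sender or a mailer-daemon: a warning sent there
    # is pure blowback, whatever the virus does with addresses.
    if sender in ("", "<>") or sender.startswith("mailer-daemon@"):
        return actions

    forges = FORGES_SENDER.get(result.virus_name)
    if forges is None:
        if warn_unknown:
            actions.add("notify_sender")
    elif not forges:
        actions.add("notify_sender")
    return actions
```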