From: Brian Keefer
To: rforno [at] infowarrior [dot] org
Subject: Re: Anti-virus industry: white knight or black hat?
Date: 16 Feb 2004 12:38:20 -0800

Mr. Forno,

I read your opinion piece posted on The Register (http://www.theregister.com/content/55/35579.html) and found it to be long on the ranting and raving, but precious short on relevance. One of [In retrospect, the opening statement is overly harsh and I wish to retract it so as not to taint the rest of my comments. Brian] your main complaints seems to be that Anti-Virus software creates a backlash of notification messages, often to innocent third parties. What you fail to realize is that this is largely a failing of site administrators, or the result of short-sighted corporate policy, and not the fault of the software creators.

Most current A-V software that I'm aware of (for e-mail servers and gateways) has a setting to either turn off notifications completely, or only direct them to users that are internal to the organization. If e-mail and security admins would only just make use of this feature, it would nearly wipe out the effective DoS attacks that are the result of having one's e-mail address spoofed by a virus or worm.

In other cases it's not administrator laziness/ignorance, but company policy that causes these notifications to be sent. Sometimes corporate policy dictates that notifications must be sent "in case an important business communication is blocked". The theory goes that if an important business contact from outside the organization accidentally sends a document that is infected with a virus, and said message is dropped, then they want to notify the sender of this fact so they can take the appropriate action.
That being said, you do have a point in the case of the outsourced/hosted scanning providers, since they very certainly do want to bombard people with notifications that carry their branding; often every single message sent through these services has a large footer at the bottom proclaiming that the message has been scanned by such and such a service and received their stamp of approval. This is of course because hosting providers generally operate on a per-user subscription basis and they would love to sign up more users. On the other hand, perhaps some of the fault still lies with the company that agreed to act as a billboard for these companies and have all their corporate communications wear the logo or slogan of another company. Due care should be taken in selecting a solution to corporate e-mail maladies, methinks.

Last, as to the naming convention for virii and worms, you alluded to it yourself. The reason for all the different names is that each vendor has their own internal naming convention that they use. The different vendors are in a very real race to dissect the latest threat and put out an update, so they aren't exactly going to take the time to stop and have a conference call with all their competitors over what exactly they should call it. Besides that, it's a competitive business. Vendors wouldn't want to tip each other off if they have the scoop on the latest evil tidbits making their rounds. They have to call the code something in the meantime, so they use their own names. If you would like to write an RFC to standardize malware naming conventions, I'm all for it. Just don't expect A-V vendors to jump for joy, since they have no incentive to do things any differently than they do now.

You may be interested in glancing over my own e-mail security site, which has practical advice for e-mail and security administrators.
It's temporarily located at: http://www.amaunetsgothique.com/chort/email-sec/

Of course a casual look at my .sig will reveal that I work for one of those eeeeevil e-mail security companies. Draw whatever conclusions you like.

--
Brian Keefer, CISSP
Systems Engineer
CipherTrust Inc, www.CipherTrust.com