Mark Dymond has been troubleshooting computers on and off for the last ten years. He manages a network comprising 27 computers and is responsible for testing new software, helping to determine what new software/hardware should be bought and generating IT policies. In addition to providing technical support to end users, Mark ensures that all patches, service packs, drivers, etc. are installed and kept up-to-date.
In the article
If a standard for naming viruses cannot be implemented because it is 'too hard', then predefined names should be available from a central source (a naming body), which a company can use. Perhaps the process could be as follows:
- The virus is identified.
- Once a definition is made, information defining the characteristics of the virus is forwarded online to a central naming body.
- The naming body supplies a unique name from a predefined list to the lab that identified the virus. This allows for immediate naming and dissemination of the virus definition. These characteristics and the name are then automatically forwarded to every other antivirus provider.
- The naming body then examines the characteristics and provides a professional name.
- Should another lab identify a variation of the same virus and forward the characteristics, then the naming body's online database compares the data against its dataset and immediately provides the second lab with the same name, plus a variation letter, e.g. A, B, C, etc.
This means that each virus would have two names: a user name (e.g. Easter bomb) and a professional name (e.g. W32.update.worm.). The user name is the one that would appear in the press and virus definition list. If IT professionals then require more information about the virus, they are able to access the central database maintained by the naming body, which provides the professional name and other data about the virus in question. All professional names are constructed using a standard set of criteria.
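The process proposed above can be sketched as a small registry. This is an added example, not code from the article or from any vendor: the `NamingBody` class, the Jaccard-similarity matching rule with its 0.6 threshold, the choice to label the first sample variant "A", and the sample trait sets are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from string import ascii_uppercase
from typing import Optional

# Constructed sample submissions (not real malware traits).
FIRST = {"win32", "mass-mailer", "drops:update.exe", "port:25", "subject:easter"}
VARIANT = (FIRST - {"subject:easter"}) | {"subject:spring"}

@dataclass
class Family:
    user_name: str                            # press-facing name from the predefined list
    professional_name: Optional[str] = None   # filled in later by the naming body
    variants: list = field(default_factory=list)  # trait sets; index 0 is "A" (assumption)

class NamingBody:
    """Hypothetical registry. The Jaccard threshold is an assumed matching rule."""

    def __init__(self, predefined_names, threshold=0.6):
        self._free = list(predefined_names)
        self._families = {}                   # user_name -> Family
        self._threshold = threshold

    def submit(self, characteristics):
        """Name a lab's submission; returns (user_name, variant_letter)."""
        traits = frozenset(characteristics)
        if not traits:
            raise ValueError("a submission needs at least one characteristic")
        best, best_score = None, 0.0
        for fam in self._families.values():
            score = max(len(traits & v) / len(traits | v) for v in fam.variants)
            if score > best_score:
                best, best_score = fam, score
        if best is None or best_score < self._threshold:
            if not self._free:
                raise RuntimeError("predefined name list exhausted")
            best = Family(self._free.pop(0))  # immediate name, no analyst needed
            self._families[best.user_name] = best
        if traits not in best.variants:       # an identical resubmission keeps its letter
            if len(best.variants) == len(ascii_uppercase):
                raise RuntimeError("variant letters exhausted")
            best.variants.append(traits)
        return best.user_name, ascii_uppercase[best.variants.index(traits)]

    def assign_professional_name(self, user_name, professional_name):
        """Later step: analysts attach the standard-criteria name."""
        self._families[user_name].professional_name = professional_name

    def lookup(self, user_name):
        """What an IT professional would query from the central database."""
        fam = self._families[user_name]
        letters = ascii_uppercase[:len(fam.variants)]
        return {"professional_name": fam.professional_name, "variants": list(letters)}
```

Two labs that submit the same characteristics receive the same name and letter, which is the property the proposal is after; the exhausted-list error marks the point where the predefined list would need replenishing.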
This seems to be an area that needs tighter control. I noted that the article also mentions that samples of viruses are exchanged all the time. Are they exchanged between all companies or only a few? The exchanging of data should ideally be done through a central body. This would introduce a more disciplined approach and ensure that every vendor is immediately aware of a new virus/variant and can then get on with the job of tailoring a definition for their product. If politics really are playing a role in this extremely important aspect of IT security, then it is the vendors themselves who are causing the confusion without regard for their clients, thereby effectively shooting themselves in the foot.
The hyperbole surrounding virus protection has elevated it to such importance in the normal users' eyes, that the end user has come to expect a professional streamlined approach to this problem, and obviously this is not the case. The whole point of virus protection is to enable a user to work without worry, knowing that their data is protected. How can a user have peace of mind if they cannot be 100% sure they are protected?
I must admit I do not have the experience to enable a more professional approach to this problem. I have no idea how difficult it is to identify and understand a virus, but expect that it must be pretty hard. Therefore, it would seem I have no choice but to believe the statement that naming a virus is 'too difficult' to adopt a standard approach. Sure, if I was born yesterday!
Antivirus companies have been working with this for years. I think they must bite the bullet and agree to the formation of a central naming body. Obviously, there will be many kinks to iron out, and the online identification of a new or existing virus will presumably take a lot of effort before it is foolproof. However, with all the experience these companies have, much of the hard work will surely already have been done.
The role of the body should only extend to the naming of viruses -- it should have nothing to do with creating the definitions nor should it interfere with the antivirus vendor at all. In other words, the naming body should not be considered the king of the antivirus castle. Are the antivirus companies concerned that they may be viewed as less than worthy if they are no longer allowed to name viruses? Is the naming game really a points game?
Come on you guys, your clients pay for your products and expect said products to provide protection from viruses. That expectation should also provide peace of mind. We should not have to contact our respective antivirus providers to enquire whether we are protected, simply because a provider has decided to give a publicized virus an alternate unpublicized name.
For more information, visit these resources:
- Virus Prevention Tip: Time to stop inventing virus wheels
- News & Analysis: The virus name game
- Security Decisions 2003: Learn more about fighting malware in the enterprise
This was first published in May 2003