It is relatively tempting to want to name malicious code based on its date of activation; this can create confusing duplication of names. For instance, if we were to name every new virus with some word derived from its payload, like “March6”, “January Friday 13th” or “CrashWindows”, the fictional exchange illustrated below could become commonplace:
(A1 - Analyst1, works for the respectable AV company C1)
(A2 - Analyst2, works for the most respectable AV company C2)
(A3 - Analyst3, works for the (even more) respectable AV company C3)
A1: “Hey A2, have you seen that new beast, the ‘Newyork’ virus?”
A2: “You mean the one which fills all the files on disk with ‘New York’?”
A1: “No, that’s the ‘NYFiller’ virus, I mean the one which shows a message box with the text ‘New York New York’”
A2: “Could be, I remember having seen two of them, one was a macro virus and the other one infecting Linux ELF files”
A1: “Hm, the ‘Newyork’ I was thinking of actually infects Windows PE files”
A2: “Ah, but I think I know what you mean, however, the one I’ve seen shows a message box stating ‘New Orleans New Orleans’. We are calling it ‘NewOrleans’, of course.”
A1: “Hm, that must be a new version of our ‘NewYork’ virus with a modified message. I think you should rename your ‘NewOrleans’ virus to something like ‘NewYork(version:Orleans)’.”
A2: “Hey, wait a minute, why not rename your virus to ‘NewOrleans(York)’?”
A3: “Hey guys, have you seen the new virus which fills all the files on disk with ‘New Delhi’? We’re calling it ‘NewDelhi’, of course.”
A1: “Arghhh…”
A2: “Who designed this stupid payload-based naming scheme anyway…?”
Another question: does Avast's automated system identify the malware type for those samples that don’t require a human to check? (Such as trojan or ransomware, and what if it is a trojan and ransomware at the same time?)
And does Avast's automated system auto-unzip the zip file?
Isn’t this a bit of a joke? Doesn’t GData use two other companies’ virus engine/database?
Even then there really is no way there is ever going to be standardisation in malware naming when the methods of detection are in many cases different.
When you are talking of heuristic, generic, artificial, machine learning methods of detection when one signature detects multiple variants of the same/similar malware.
As Asyn’s link shows.
So I rather doubt that Avast is alone in this development; it would make it near impossible for any standardisation on malware naming.
So, can anyone tell the Avast team to add an option to disable the local sandbox analysis? Since it is pretty useless, and will allow the malware to run on the user's computer. https://forum.avast.com/index.php?topic=273698.0
Or they can make the analysis longer (such as 1 minute or 30 seconds, so it can actually detect malicious software).
The reason I say they should add the option is because a sample needs to be sent to Avast when the sandbox can’t identify whether a sample is malicious or clean; however, because the analysis time is too short, the sandbox will be easily bypassed by malware.