Antivirus firms rebut naming accusations

Viruses being given different names causes confusion, says MessageLabs, but antivirus vendors have defended their policies

Antivirus companies have defended themselves against accusations that the fragmented naming system for viruses causes confusion among computer users, and may leave them exposed to danger.

The charges were made in a report published by email services company MessageLabs, which claims that the recent release of three different strains of the Yaha virus in the space of 11 days, causing havoc with the naming conventions used by the antivirus industry. Although the three versions had names ranging from Yaha.J to Yaha.M, antivirus companies could not agree on which name went with which version of the virus.

"When the antivirus vendors brought their initial virus signatures out for Yaha.J, not all products were able to detect all three variants. Some could detect one, others two; and a few, all three," read the report. "This causes problems for end users, who check their vendor Web site to make sure they are protected against Yaha.J, but find it sailing through their defences."

All antivirus companies contacted by ZDNet Australia disagreed that this was a problem for the industry.

"Broadly [virus names] are the same but over a period of time they align," said David Banes, regional manager for Symantec Security Response, Asia Pacific. "Often there is plain disagreement over what something will be called, and one vendor will stick to a different thing. Or we'll think that it's not a variant, then learn that it is, or think something is new and then later realise it's a variant."

However, the confusion over names was not seen by any antivirus company to hinder protection. "If the user is up-to-date and protected, would it really matter if one vendor calls it variant X and another labels it variant Z?" said Central Command product manager Steven Sundermeier. "The only important issue is if it got stopped."

Sundermeier admitted that, like all antivirus companies, the Central Command support department often had to respond to queries over viruses that had been named differently by a competitor, but was unconcerned. "In my opinion, its the users that are not subscribed to various newsletters, that do not have multiple [antivirus] sites bookmarked and are not staying on top of things, asking about differences in virus naming, etc., that are usually not up-to-date and who cause our support teams the biggest headaches."

This sentiment is echoed by Steinar Wigtil, R&D manager for Norman ASA, who claimed that users did not need to know the name of a virus. "When you buy antivirus software, you also buy the expertise of the antivirus company, which has a sizeable staff of experts to do this job for you," he said.

"Any virus defence that presupposes defensive action by the user from case to case, is totally inadequate and irresponsible in today's virus scene," said Wigtil. "Any modern antivirus software must update itself automatically, with no user intervention what-so-ever."

Most antivirus vendors support the Computer Antivirus Research Organisation (CARO) naming convention. Despite this, it can sometimes take weeks to standardise on a name, according to Banes.

"In the early days you'd get one sample and it would spread so slowly that everyone would have a copy before it was an issue," said Banes. "Now it spreads so quickly the vendors are not going to wait until there is a name, they want to get it out as soon as possible."

Banes said a lot of people in the industry are discussing the naming of viruses at the moment, such as the Association of antivirus Asia Researchers (AVAR), which will hold its annual meeting in Australia early next year.

"What we're trying to do is come up with a naming convention to do two things which contradict each other," said Banes. "We want the names to be descriptive and easy to understand."

Although most antivirus companies support a system to standardise virus names in principle, none of them expect to see any advancement in this area anytime soon.

"Naming criteria has been improved and that evolution can be seen today," said Luis Corrons, lab director for Panda Software. "We believe (and hope) that it will come close to standard, but it is too difficult to find "the standard" nowadays. In one hand viruses reach different countries at the same time and the solutions need to be out at once, so there is not much time to spend to name the virus."

"On the other hand, the IT industry has opened certain communication channels that allow them to gather information rather quickly and agree on a name in certain cases," he added.

Sundermeier said the difference in detection abilities and corporate policies of various companies meant that it would take a considerable time to agree on the surrounding issues, and would not be likely to happen in the near future.

Others pointed out a standardised naming system still wouldn't avoid the problems created when several variants of a virus are released close together.

"Even if an independent body to name viruses is formed, we will not avoid the naming chaos we got for Yaha in the last two weeks of December 2002, when at least ten new variants were released simultaneously or within a very short time span," said Wigtil. "For the antivirus industry, detection will always come before naming issues."

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Let the editors know what you think in the Mailroom.