
Threat Analyses

As continuation of Fake Antivirus malware from the SBS board.

There's still the notion that there should be concise lists of threats (ideally using their household names or the ones they give themselves) as well as detailed descriptions (where from, how they spread, what they do in detail and so on). With the rate of new detections this is not feasible for any vendor. IDEs and their corresponding analyses are OTOH very "engineering-centric". Nowadays many threats exist only for a short time and writing a correctly detailed description is - if feasible at all - not worth the effort.

What is - IMO - "wrong" as it is now:

  1. For some identity names no analysis page exists at all (I don't have an example at hand so you have to take my word for it)
  2. A wildcard search by threat name (like */FakeAV-B*) is not possible or doesn't give meaningful results. Searching for a part of the name might or might not turn up something useful (like "Fake AV" turning up thousands of matches)
  3. The More information tab often gives rather meaningless information - take a recent example: Troj/PDFJs-TA - what do I do with this information? And the Summary just has "for Windows" and a pointer to How to remove trojans, worms, viruses, and other malware with Sophos Anti-Virus. Admitted - this is what you should do, but it is very, very general. But this is not what users expect when you have a specific page for each threat (or none at all - see 1.).

What should be changed?

The primary audience for the analyses are Sophos Administrators (I don't know if some part of Sophos has a different view) trying to deal with an infection. Starting with the last point - IMO the (not-so-)new design and the analysis contents don't go together too well. After all, in many cases there is not much information to give (other than a link to the general but detailed instructions). To be blunt, the layout sucks. The "advertising" and related links might be useful for the occasional visitor, but if you are looking for technical information it's distracting. And More Information should only be there when warranted.

Now what might be added could be (links to) a very few articles which explain why it is unfeasible (and most of the time unnecessary) to give information about the malware ("doing this", "changing that" - especially if it is contracted and doesn't spread), how to deal with it (the above-mentioned article is very useful but perhaps hard to read) and how to go about obtaining additional samples if necessary.

Everything else probably requires changes in the underlying database(s).

That's not many ideas for now, I fear. But perhaps there are only a few who aren't happy with the analyses as they are now.

Christian
