Network Security Focus-Virus

RE: generic detection

Subject: RE: generic detection
Date: Thu, 7 Jul 2005 16:44:28 +0530
Hi Salim,

I'll try to explain one of the many reasons which are behind this:

xyz1_Worm       pattern 111111a:
xyz2_Worm       pattern 111111b:
xyz3_Worm       pattern 111111c:
xyz4_Worm       pattern 111111d:
xyz5_Worm       pattern 111111e:

Given the above scenario, I can choose to write 5 different (specific) 
signatures to detect these worms or can write one generic signature which can 
detect all of them (this can be done by just looking for the pattern 111111, 
which is common for all).

Now, this approach may not fit all possible scenarios (false positive issues) 
and moreover it has its own pros and cons.

To give you an example:

Advantage:
It will stop any new xyz variant which has a similar pattern (so I get 
zero-day attack protection without doing anything extra).

Disadvantage:
Less info: the concern that you are facing.


Vipul Kumra
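An added example, not part of Vipul's reply or any vendor's engine, that runs the trade-off described above in Python: five specific signatures next to one generic family signature, scanned over constructed samples that include an unseen variant and a benign file which happens to contain the shared pattern. All sample bytes, signature names and the layered fallback are assumptions for illustration.

```python
"""Specific vs. generic signature matching, as sketched in the reply above."""
from __future__ import annotations

# Constructed signatures mirroring the xyz1..xyz5 example in the reply.
SPECIFIC_SIGS = {
    b"111111a": "xyz1_Worm",
    b"111111b": "xyz2_Worm",
    b"111111c": "xyz3_Worm",
    b"111111d": "xyz4_Worm",
    b"111111e": "xyz5_Worm",
}
# One generic signature for the whole family: only the shared prefix.
GENERIC_SIGS = {b"111111": "Generic.xyz_Worm"}


def scan(data: bytes, sigs: dict[bytes, str]) -> str | None:
    """Return the name of the first signature found in data, else None.
    Longer patterns are tried first so a specific match beats a generic one."""
    for pattern in sorted(sigs, key=len, reverse=True):
        if pattern in data:
            return sigs[pattern]
    return None


def layered_scan(data: bytes) -> str | None:
    """Specific name when one exists, generic family name as the fallback.
    This keeps the zero-day coverage while reporting detail where available."""
    return scan(data, SPECIFIC_SIGS) or scan(data, GENERIC_SIGS)


# Constructed samples: a known variant, an unseen variant, and a clean file.
SAMPLES = {
    "xyz1": b"MZ\x90\x00...111111a...payload",
    "xyz6_unseen": b"MZ\x90\x00...111111f...payload",   # no specific signature yet
    "clean_invoice": b"Invoice #111111 due 2005-07-07",  # benign, shares the prefix
}


def compare(samples: dict[str, bytes] = SAMPLES) -> dict[str, tuple]:
    """Verdict of each approach (specific, generic, layered) for every sample."""
    return {name: (scan(d, SPECIFIC_SIGS), scan(d, GENERIC_SIGS), layered_scan(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (specific, generic, layered) in compare().items():
        print(f"{name:14} specific={specific!s:10} generic={generic!s:18} layered={layered}")
```

The unseen variant is caught only by the generic signature, which is the advantage in the reply; the clean invoice is also flagged by it, which is the false-positive cost, and the generic verdict carries no variant-specific detail.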


-----Original Message-----
From: Hussain Salim [mailto:bo_ali90@hotmail.com]
Sent: Thursday, July 07, 2005 10:38 AM
To: focus-virus@securityfocus.com
Subject: generic detection


Hi,
I want to know something about generic detection. For example, Symantec detects 
some viruses and trojans as trojan.horse or backdoor.trojan. Why? Why don't 
they detect them under a special name, so we can know more information about them to 
fix what they do? Thanks.

I'm asking this question because I got many trojan.horse and backdoor.trojan, 
and there are no technical details for them to know more information to fix 
what they do on my computer :( .


