<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Why does Threat Database not include any details in the description of viruses ? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47083#M34609</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt; Any further insight into this?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Where does Palo Alto Networks pull the threat information from? Or do they have their own nomenclature? It is very difficult to correlate threats identified on the Palo Alto devices to our endpoint solution.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 20 Jan 2011 16:59:58 GMT</pubDate>
    <dc:creator>ss</dc:creator>
    <dc:date>2011-01-20T16:59:58Z</dc:date>
    <item>
      <title>Why does Threat Database not include any details in the description of viruses ?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47077#M34603</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Both vulnerabilities and spyware have descriptions that are useful in understanding what those signatures correspond to. But the Viruses do not contain a description. Is there any reason for that? It would be useful to associate them with at least the well-known names of the viruses these signatures correspond to.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Sep 2010 12:13:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47077#M34603</guid>
      <dc:creator>sunilsadanandan</dc:creator>
      <dc:date>2010-09-13T12:13:58Z</dc:date>
    </item>
    <item>
      <title>Re: Why does Threat Database not include any details in the description of viruses ?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47078#M34604</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Sunil,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We are looking into this. The challenge, however, is that there is no consistency in the nomenclature of viruses amongst A/V vendors, which makes correlating virus info amongst vendors quite tricky. Can you let us know how you are correlating this info, let's say amongst your host-based A/V solutions (assuming you are using more than 1 host-based A/V solution in your network)?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for your feedback,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Sandeep&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Sep 2010 16:48:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47078#M34604</guid>
      <dc:creator>migration</dc:creator>
      <dc:date>2010-09-13T16:48:58Z</dc:date>
    </item>
    <item>
      <title>Re: Why does Threat Database not include any details in the description of viruses ?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47079#M34605</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Sandeep,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Thanks for that.&amp;nbsp; I assumed there was a standard; the closest I can get to it is &lt;/SPAN&gt;&lt;A class="jive-link-external-small" href="http://maec.mitre.org/about/index.html"&gt;http://maec.mitre.org/about/index.html&lt;/A&gt;&lt;SPAN&gt;. But I don't know if this can be used here. If anyone else has any suggestions, please provide them.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Sunil&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 21 Oct 2010 21:22:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47079#M34605</guid>
      <dc:creator>sunilsadanandan</dc:creator>
      <dc:date>2010-10-21T21:22:58Z</dc:date>
    </item>
    <item>
      <title>Re: Why does Threat Database not include any details in the description of viruses ?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47080#M34606</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Sunil,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;MAEC is a relatively new standard that is still being discussed and is intended more to "describe" malware than to define a nomenclature. E.g., let's say malware A (a virus sample file) has the following attributes: changes registry keys, creates files in a certain location on the computer, etc. It would be described in MAEC language something like the following:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&amp;lt;registry behavior/&amp;gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp; modifies key a, b, and c&lt;/P&gt;&lt;P&gt;&amp;lt;file behavior&amp;gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;lt;file1&amp;gt; created file file1 at location location1&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;lt;file 2&amp;gt; created file file2 at location location 2&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;... the idea behind MAEC is that a standard way of describing malware will help quicker exchange of information amongst security researchers.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It does not, however, address the problem of "nomenclature", which I think was your question... e.g., the above malware may still be referred to using different names by each vendor. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, can you describe your use case scenario so that I can see if there is any other better way to address it?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;BR /&gt;Sandeep &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 21 Oct 2010 23:14:57 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47080#M34606</guid>
      <dc:creator>migration</dc:creator>
      <dc:date>2010-10-21T23:14:57Z</dc:date>
    </item>
    <item>
      <title>Re: Why does Threat Database not include any details in the description of viruses ?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47081#M34607</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Sandeep,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Yes, my query does relate to nomenclature. Here is the problem I am trying to solve.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Palo Alto sits at the perimeter and provides me information on viruses that are being detected/blocked by the AV component. What I am trying to see is if I can map this back to the actual host-based AV solutions that might be in use on the endpoints within my network, e.g. Sophos/McAfee etc. Based on your comments I do realise this would be a difficult scenario for any solution that uses different AV engines, but there are vendors that do something similar, e.g. Ironport publishes this information at &lt;/SPAN&gt;&lt;A class="jive-link-external-small" href="http://www.ironport.com/toc/"&gt;http://www.ironport.com/toc/&lt;/A&gt;&lt;SPAN&gt;. They used to provide the corresponding signature IDs from the other AV vendors, but I don't see that info now. I know they have tie-ups with Sophos and McAfee for their signatures, but for Trend Micro and Symantec I am not sure.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I referred to MAEC because that is the closest I could get to a standard that could bring some interoperability between the vendors. If the description field in Palo Alto AV could include at least the information that would be used in the MAEC standard, then that would give us some more visibility into the actual virus that is being blocked, and maybe we could use that to find the corresponding entry in other AV solutions.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But the best would be if I could actually map the AV signatures provided by Palo Alto to other host-based AV solutions like Ironport does (or at least used to do; I know this is difficult until there is a proper standard).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Sunil&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 22 Oct 2010 08:50:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47081#M34607</guid>
      <dc:creator>sunilsadanandan</dc:creator>
      <dc:date>2010-10-22T08:50:20Z</dc:date>
    </item>
    <item>
      <title>Re: Why does Threat Database not include any details in the description of viruses ?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47082#M34608</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Sunil,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for explaining your requirement in detail. I understand it better now. We don't have the correlation information as of now, but let me see how best to provide it.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;BR /&gt;Sandeep &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 22 Oct 2010 21:01:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47082#M34608</guid>
      <dc:creator>migration</dc:creator>
      <dc:date>2010-10-22T21:01:05Z</dc:date>
    </item>
    <item>
      <title>Re: Why does Threat Database not include any details in the description of viruses ?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47083#M34609</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt; Any further insight into this?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Where does Palo Alto Networks pull the threat information from? Or do they have their own nomenclature? It is very difficult to correlate threats identified on the Palo Alto devices to our endpoint solution.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 20 Jan 2011 16:59:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47083#M34609</guid>
      <dc:creator>ss</dc:creator>
      <dc:date>2011-01-20T16:59:58Z</dc:date>
    </item>
    <item>
      <title>Re: Why does Threat Database not include any details in the description of viruses ?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47084#M34610</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Bump..&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I agree this is one weakness with the product.&amp;nbsp; &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 11 Mar 2011 15:26:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47084#M34610</guid>
      <dc:creator>jickfoo</dc:creator>
      <dc:date>2011-03-11T15:26:11Z</dc:date>
    </item>
    <item>
      <title>Re: Why does Threat Database not include any details in the description of viruses ?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47085#M34611</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Nomenclature provided here&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-external-small" href="https://live.paloaltonetworks.com/docs/DOC-1469"&gt;https://live.paloaltonetworks.com/docs/DOC-1469&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 28 Jul 2011 13:01:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/why-does-threat-database-not-include-any-details-in-the/m-p/47085#M34611</guid>
      <dc:creator>sunilsadanandan</dc:creator>
      <dc:date>2011-07-28T13:01:50Z</dc:date>
    </item>
  </channel>
</rss>

