Why does Threat Database not include any details in the description of viruses ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Why does Threat Database not include any details in the description of viruses ?

L3 Networker

Both vulnerabilities and spyware have descriptions are useful in understanding what those signatures correspond to. But the Viruses do not contain a description. Is there any reason for that ? It would be usefull to associate them with atleast the well known names of the viruses these signatures correspond to.

8 REPLIES 8

L0 Member

Hi Sunil,

We are looking into this. The challenge, however, is that there is no consistency in nomenclature of viruses amongst A/V vendors which makes correlating viruses info amongst vendors quite tricky. Can you let us know how you are correlating this info lets say amongst your host-based A/V solutions (assuming you are using more than 1 host-based A/V solution in your network).

Thanks for your feedback,

Sandeep

Hi Sandeep,

Thanks for that.  I assumed there was a standard, the closest I can get to it is http://maec.mitre.org/about/index.html. But I dont know if this can be used here. If anyone else has any sujjestions , please provide them.

Regards,

Sunil

Hi Sunil,

MAEC is a relatively new standard that is still being discussed and is intended more to "describe" malware than define a nomenclature. e.g., lets say malware A (a virus sample file) has following attributes: changes registry keys, create files in a certain location on the computer etc., it would be described in MAEC language something like following:

<registry behavior/>

  modifies key a,b, and c

<file behavior>

  <file1> created file file1 at location location1

  <file 2> created file file2 at location location 2

... the idea behind MAEC is that a standard way of describing a malware will help quicker exchange of information amongst security researchers.

It does not however address the problem of "nomenclature" which I think was your question... e.g., above malware may still be referred using different names by each vendor.

Also, can you describe your use case scenario so that I can see if there is any other better way to address it.

Thanks,
Sandeep

Hi Sandeep,

Yes , my query does relate to nomenclature. Here is the problem I am trying to solve.

Palo Alto sits at the perimeter and provides me information of viruses that are being detected/blocked by the AV component. What I am trying to see is if I can map this back to the actual host based AV solutions that might be using on the endpoints within my network. E.g. Sophos/ Macfee etc. Based on your comments I do realise this would be a difficult scenario for any solution that uses different AV engines, but there are vendors that do something similar , e.g. Ironport publishes this infomation at http://www.ironport.com/toc/. They used to provide the corresponding singnature ID's from the other AV vendors, but I dont see that info now.I know they have tieups with Sophos and Macfee for their signatures but Trend Micro and Symantec , i am not sure.

I reffered to MAEC becuase that is the closest I could get to a standard that could bring some interoprability between the vendors. If the description field in Palo Alto AV could include at least the information related to what would be used in MAEC standard , then that would give us some more visibility into the actual virus that is being blocked , and maybe use that to find the corresponding in other AV solutions.

But the best would be if I could actually map the AV signatures provided by Palo Alto to other host based AV solution like Ironport does (or at least used to do, i know this is difficult untill there is a proper standard).

Regards,

Sunil

Hi Sunil,

Thanks for the explaining your requirement in detail. I understand it better now. We don't have the correlation information as of now but let me see how best to provide it.

Thanks,
Sandeep

Any further insight into this?

Where does Palo Alto Networks pull the threat information from? Or do they have their own nomenclature? It is very difficult to correlate threats identified on the Palo Alto devices to our endpoint solution.

Not applicable

Bump..

I agree this is one weakness with the product. 

  • 3532 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!