09-13-2010 05:13 AM
Both vulnerabilities and spyware have descriptions that are useful in understanding what those signatures correspond to. But the viruses do not contain a description. Is there any reason for that? It would be useful to associate them with at least the well-known names of the viruses these signatures correspond to.
09-13-2010 09:48 AM
Hi Sunil,
We are looking into this. The challenge, however, is that there is no consistency in the nomenclature of viruses amongst A/V vendors, which makes correlating virus info amongst vendors quite tricky. Can you let us know how you are correlating this info, let's say amongst your host-based A/V solutions (assuming you are using more than one host-based A/V solution in your network)?
Thanks for your feedback,
Sandeep
10-21-2010 02:22 PM
Hi Sandeep,
Thanks for that. I assumed there was a standard; the closest I can get to it is http://maec.mitre.org/about/index.html. But I don't know if this can be used here. If anyone else has any suggestions, please provide them.
Regards,
Sunil
10-21-2010 04:14 PM
Hi Sunil,
MAEC is a relatively new standard that is still being discussed and is intended more to "describe" malware than to define a nomenclature. E.g., let's say malware A (a virus sample file) has the following attributes: changes registry keys, creates files in a certain location on the computer, etc. It would be described in MAEC language something like the following:
<registry behavior>
modifies key a, b, and c
<file behavior>
<file1> created file file1 at location location1
<file2> created file file2 at location location2
... The idea behind MAEC is that a standard way of describing malware will enable quicker exchange of information amongst security researchers.
It does not, however, address the problem of "nomenclature", which I think was your question; e.g., the above malware may still be referred to using different names by each vendor.
Also, can you describe your use case scenario so that I can see if there is any better way to address it?
Thanks,
Sandeep
10-22-2010 01:50 AM
Hi Sandeep,
Yes, my query does relate to nomenclature. Here is the problem I am trying to solve.
Palo Alto sits at the perimeter and provides me with information on viruses that are being detected/blocked by the AV component. What I am trying to see is if I can map this back to the actual host-based AV solutions that might be in use on the endpoints within my network, e.g. Sophos/McAfee etc. Based on your comments I do realise this would be a difficult scenario for any solution that uses different AV engines, but there are vendors that do something similar, e.g. IronPort publishes this information at http://www.ironport.com/toc/. They used to provide the corresponding signature IDs from the other AV vendors, but I don't see that info now. I know they have tie-ups with Sophos and McAfee for their signatures, but Trend Micro and Symantec, I am not sure.
I referred to MAEC because that is the closest I could get to a standard that could bring some interoperability between the vendors. If the description field in Palo Alto AV could include at least the information related to what would be used in the MAEC standard, then that would give us some more visibility into the actual virus that is being blocked, and maybe we could use that to find the corresponding one in other AV solutions.
But the best would be if I could actually map the AV signatures provided by Palo Alto to other host-based AV solutions like IronPort does (or at least used to do; I know this is difficult until there is a proper standard).
Regards,
Sunil
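The two approaches discussed in the thread, Sandeep's behaviour-style MAEC sketch and Sunil's wish to map a perimeter detection name to whatever the endpoint A/V calls the same sample, can be put side by side in code. The following is an added example, not code from the thread, from Palo Alto Networks or from the MAEC project: the `BehaviourRecord` layout is a deliberately simplified stand-in for a MAEC description (it is not the real schema), and the vendor names, detection names, registry keys and file paths are all constructed for illustration. It shows why name normalisation alone breaks down (the third vendor uses a different family name entirely) and how grouping by observed behaviour still correlates the reports.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


# Hypothetical, simplified behaviour record in the spirit of the MAEC sketch
# in the thread (registry keys modified, files created). Illustration only;
# this is NOT the real MAEC schema.
@dataclass(frozen=True)
class BehaviourRecord:
    vendor: str                      # which A/V engine produced the detection
    name: str                        # that vendor's detection name
    registry_keys_modified: frozenset
    files_created: frozenset         # set of (file name, location) pairs


def behaviour_fingerprint(rec: BehaviourRecord) -> tuple:
    """Vendor-neutral key built only from what the sample does, not what it is called."""
    keys = tuple(sorted(k.lower() for k in rec.registry_keys_modified))
    files = tuple(sorted((f.lower(), loc.lower()) for f, loc in rec.files_created))
    return (keys, files)


# Common vendor-specific type prefixes ("W32/", "Trojan.", "Worm:") that carry no
# family information. The list is a heuristic assumption, not any standard.
_TYPE_PREFIX = re.compile(
    r"^(w32|win32|w64|win64|trojan|virus|worm|net-worm|backdoor|generic|malware)[./:\-]",
    re.I,
)
_SEPARATOR = re.compile(r"[./:\-!@]")


def normalize_name(name: str) -> str:
    """Best-effort family name: strip type prefixes, keep the first remaining token."""
    s = name.strip().lower()
    while True:
        m = _TYPE_PREFIX.match(s)
        if not m:
            break
        s = s[m.end():]          # each loop removes at least two characters, so it terminates
    return _SEPARATOR.split(s, maxsplit=1)[0]


def correlate(records) -> dict:
    """Group detections from all vendors by behaviour fingerprint."""
    groups = defaultdict(list)
    for rec in records:
        groups[behaviour_fingerprint(rec)].append((rec.vendor, rec.name))
    return {fp: sorted(members) for fp, members in groups.items()}


def find_aliases(records, vendor: str, name: str) -> list:
    """Other vendors' names for the sample that `vendor` calls `name`."""
    for members in correlate(records).values():
        if (vendor, name) in members:
            return [m for m in members if m != (vendor, name)]
    return []


# Constructed reports: three vendors describing the same hypothetical sample
# under different names, plus one unrelated sample. Every value is made up.
_SHARED_KEYS = frozenset({r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\netsvc"})
_SHARED_FILES = frozenset({("netsvc.dll", r"C:\Windows\System32")})
SAMPLE_REPORTS = [
    BehaviourRecord("VendorA", "W32/Samplefam.worm.gen", _SHARED_KEYS, _SHARED_FILES),
    BehaviourRecord("VendorB", "Worm:Win32/Samplefam.B", _SHARED_KEYS, _SHARED_FILES),
    BehaviourRecord("VendorC", "Net-Worm.Win32.Altfam.ih", _SHARED_KEYS, _SHARED_FILES),
    BehaviourRecord("VendorB", "Trojan:Win32/Unrelated.A",
                    frozenset({r"HKCU\Software\Example"}),
                    frozenset({("example.exe", r"C:\Temp")})),
]

if __name__ == "__main__":
    for rec in SAMPLE_REPORTS:
        print(f"{rec.vendor:8} {rec.name:28} family guess: {normalize_name(rec.name)}")
    print("aliases of VendorA's W32/Samplefam.worm.gen:",
          find_aliases(SAMPLE_REPORTS, "VendorA", "W32/Samplefam.worm.gen"))
```

The name heuristic recovers "samplefam" for the first two vendors but "altfam" for the third, which is exactly the nomenclature gap Sandeep describes; the behaviour fingerprint groups all three together regardless. In practice the behaviour data would have to come from the signature descriptions themselves (which is what Sunil asks for), so the record format here stands in for whatever structured description the vendor publishes.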
10-22-2010 02:01 PM
Hi Sunil,
Thanks for explaining your requirement in detail. I understand it better now. We don't have the correlation information as of now, but let me see how best to provide it.
Thanks,
Sandeep
01-20-2011 08:59 AM
Any further insight into this?
Where does Palo Alto Networks pull the threat information from? Or do they have their own nomenclature? It is very difficult to correlate threats identified on the Palo Alto devices to our endpoint solution.
03-11-2011 07:26 AM
Bump...
I agree this is one weakness with the product.
07-28-2011 06:01 AM
Nomenclature provided here