On Sunday 04 December 2005 21:27, Church, Chuck wrote:
What about all the viruses out there that don't forge addresses? Sending a warning message makes sense for these. Unless someone has done the research to determine the majority of viruses forge addresses, you really can't complain about the fact that the default is to warn. Calling vendors 'clueless' because a default doesn't match your needs is a little extreme, don't you think? The ideal solution would be for the scanning software to send a warning only if the virus detected is known to use real addresses, otherwise it won't warn.
True, but the "capability" has been in most AV software for quite a long time now to know which ones "forge" and which do not. ClamAV has a "list" of which viruses are "forging" and which are not - I am reasonably certain that most other AV products have the same information at hand (a quick search of Symantec confirms that they know [ref Sober worm, para 23, From: (spoofed)]).

So while I agree with your basic concept of notifying someone that they are infected - when you can notify the "right" person - blanket notifications are more trouble than the virus itself in many cases. And yes, as of yesterday I have more "blowback" from Sober than from the worm itself...

--
Larry Smith
SysAd ECSIS.NET
sysad@ecsis.net