[funsec] CME: A Total Failure -- Throw in the Towel
Drsolly
drsollyp at drsolly.com
Mon Mar 13 08:26:08 CST 2006
On Sun, 12 Mar 2006, Blue Boar wrote:
> Drsolly wrote:
> > OK. My favourite antivirus scanner says that "This specimen resembles
> > Yellow Wheelbarrow". Now what? I still don't know if it's CME-24 or not.
>
> Your scanner spits out the string "CME-24" somewhere next to "Yellow
> Wheelbarrow",
But it doesn't ...
> and/or you go to the CME site and type in
> "Win95.YellowWheelbarror at mm-wtfbbq", and it gives you back CME-24.
How do the CME people determine that what Wonder Antivirus calls Yelly
Wheelbarrow, is identical to what they call CME-24?
> Or were you instead asking about something more complicated, related to
> partial matches, and the fact that one AV may identify two files as two
> things, probably in the same family, while a second scanner says they
> are the same thing?
That's part of it. Are there any products today that do exact
identification by checksumming the static bytes of the malware?
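The kind of "exact identification" the question above asks about can be sketched in a few lines. The following is an added illustration, not code from anyone on the thread or from the CME project: it hashes only the byte ranges assumed to be invariant for a family, so two variants that differ in a variable region (an embedded configuration, say) get the same static-bytes digest and map to one identifier, while a whole-file hash tells them apart. The byte strings, the offsets in STATIC_REGIONS and the identifier-to-hash table are all constructed for the example.

```python
import hashlib

# Byte ranges treated as the invariant ("static") part of the family. For a real
# signature these offsets would come from analysis of the sample; here they are
# an assumption chosen to fit the constructed data below.
STATIC_REGIONS = [(0, 16)]

# Constructed stand-ins for two variants of one family and one unrelated file.
# They are harmless byte strings, not real malware.
SAMPLE_A = b"MZ\x90\x00STATICCODE!!" + b"config=A;" + b"\x00" * 7
SAMPLE_B = b"MZ\x90\x00STATICCODE!!" + b"config=B;" + b"\x00" * 7
UNRELATED = b"MZ\x90\x00OTHERPROGRAM" + b"config=A;" + b"\x00" * 7


def whole_file_hash(data: bytes) -> str:
    """SHA-256 over every byte: differs as soon as any byte differs."""
    return hashlib.sha256(data).hexdigest()


def static_bytes_hash(data: bytes, regions) -> str:
    """SHA-256 over only the listed byte ranges, skipping variable data."""
    h = hashlib.sha256()
    for start, end in regions:
        h.update(data[start:end])
    return h.hexdigest()


class ExactIdentifier:
    """Maps a static-bytes digest to a common identifier.

    "CME-24" is the identifier used in the thread; the mapping itself is
    constructed for this example.
    """

    def __init__(self):
        # digest -> (identifier, regions the digest was computed over)
        self._db = {}

    def register(self, identifier: str, sample: bytes, regions) -> str:
        """Record the static-bytes digest of a reference sample."""
        digest = static_bytes_hash(sample, regions)
        self._db[digest] = (identifier, tuple(regions))
        return digest

    def identify(self, data: bytes):
        """Return the identifier whose static bytes match exactly, or None.

        Each stored signature carries its own region list, so the candidate
        file is hashed over that signature's regions before comparing.
        """
        for digest, (identifier, regions) in self._db.items():
            if static_bytes_hash(data, regions) == digest:
                return identifier
        return None


def compare_variants():
    """Show the two hashing strategies side by side on the constructed samples."""
    ident = ExactIdentifier()
    ident.register("CME-24", SAMPLE_A, STATIC_REGIONS)
    return {
        "whole_file_same": whole_file_hash(SAMPLE_A) == whole_file_hash(SAMPLE_B),
        "static_bytes_same": static_bytes_hash(SAMPLE_A, STATIC_REGIONS)
        == static_bytes_hash(SAMPLE_B, STATIC_REGIONS),
        "variant_b_identified_as": ident.identify(SAMPLE_B),
        "unrelated_identified_as": ident.identify(UNRELATED),
    }


if __name__ == "__main__":
    for key, value in compare_variants().items():
        print(f"{key}: {value}")
```

The whole point is the choice of regions: any byte inside them that changes produces a different digest and therefore no match, which is exactly what "exact identification" means, and it is also why two scanners drawing the region boundaries differently can disagree about whether two files are one thing or two.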