Path: utzoo!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Re: Standarized virus signatures
Message-ID: <0010.9103131701.AA15339@ubu.cert.sei.cmu.edu>
Date: 13 Mar 91 08:41:53 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Lines: 16
Approved: krvw@sei.cmu.edu

Should virus identification strings be published in hex form ?

My personal opinion is that they should be kept secret or published in
an encrypted form.

The reason is quite simple - anybody who obtains a copy of the virus
can easily patch the section containing the published signature
string, in order to make it non-detectable by any scanner using that
string.

Another danger of publishing the strings is that several scanners
might use the same strings - so no extra security would be gained by
using multiple scanners - if a new variant of an old virus appears,
they would all fail or all succeed in finding it.

- -frisk