aD said:
It was by email - couldn't say I've seen it on their web site.
I got the Email too. See my reply to "Jo" for more on this...
I am comparing the relative magnitude of viral infections "detected".
I'm aware that MessageLabs has access to many more vectors I suppose you
could call it, but I was surprised to see the gap quite so large.
You are still missing the obvious.
ML reports how many "infected" Emails it sees.
SARC uses a much more conservative count because one infected machine
can very quickly produce tens of thousands of "infected" Emails.
SARC states that it does not have good evidence of more than two
different _sites_.
They state that they have evidence of no more than 49 infections (AV
variant, for example).
Please see
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
OK -- to start to make sense of those stats, you have to first read the
SARC glossary. Specifically the entries:
http://securityresponse.symantec.com/avcenter/refa.html#infect
http://securityresponse.symantec.com/avcenter/refa.html#sites
How they get their "number of infections" count is a mystery to me,
_BUT_ it's a fair bet for a mass-mailer that they _may_ use data
collected from header analysis of incoming "infected" messages at
their own Email gateways (or possibly even analysis of such data
from many customer's gateway scanners if those customers share such
data with SARC).
The "number of sites" measure is _likely_ to be corporate customer
sites that actually admit they got infected. Note also that SARC's
'Threat Assessment' scales do not have unique "zero" points for
either of the numerical ratings, so a virus they have not seen
reported from the field _AT ALL_ will also get the same rating as
Bagle.AV -- 0-49 "infections" and "0-2" sites.
I'm aware that one infection causes many emails, but you would assume
they'd only be two or three magnitudes difference.
That depends on very many things.
First, by "two or three magnitudes difference" do you mean "two or
three times" or "two or three _orders of_ magnitude" difference?
That alone is a huge difference in the scales of differences we may
be talking about...
Second, the distribution of many recently successful mass-mailers
has clearly involved some form of initial "spam-like" seeding run.
Many believe that Bagle's writers are in league with spammers, if in
fact they are not spammers themselves. If such was the case with the
initial burst of these new Bagles, I would expect a much higher
"multiplier" effect based on the observation that spammers are
generally believed to have address lists that count in the tens to
hundreds of millions -- that is, probably easily tens to hundreds of
thousands of times larger than the typical address lists that could be
"scrounged" off a typical user PC using the tricks and search
techniques of typical mass-mailers.
If one AV firm says "We've had shedloads of virus x detected" and
another doesn't, wouldn't you wonder if the other just wasn't keeping
its site up-to-date? I could be talking tripe though; I'm well aware of
this.
I have a feeling that the "Threat Assessments" at SARC are "fixed"
in the sense that one is posted with each description but the data
these are based on is only occasionally -- if ever in many cases --
altered...
However, to address your first point above, the data SARC reports,
and that of ML are not directly comparable. What would _really_
help would be for ML to post a breakdown of initial sending IP. I
know there are some problems in trying to automate this reliably and
so on, but such data would be truly helpful in working out how fast
(or even _IF_) something was actually spreading...
Ah - this is what I was asking in a way, though I can see how I worded
my post asking if SARC was wrong. I've not compared previous "outbreaks"
between vendors' reports before and was wondering if such a difference was
normal.
As I said, it helps to be very clear on both what the stats are
reporting, and any of their idiosyncrasies (e.g. the "zero to many"
nature of some of SARC's scales).
If an AV firm can say "Ooh, ooh! We stopped x million emails with this
in it!" it's purely co-incidental it makes them look "good", eh? ;-)
Sadly, the "media law of big numbers" does tend to apply...
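The point made above about the two counts not being comparable, and the
"breakdown of initial sending IP" that the thread asks for, can be
illustrated with a short script. The following is an added example and not
code from anyone in this thread, from SARC or from MessageLabs. It assumes
a gateway operator whose own relays are 192.0.2.10 and 192.0.2.11 (made-up
addresses) and works over a constructed batch of ten "infected" messages;
nothing in it is a real capture. It counts distinct originating hosts the
way a gateway could, trusting only the Received: lines its own relays
added, and contrasts that with the naive "take the oldest Received: line"
approach that a mass-mailer can defeat by writing a forged hop of its own.

```python
"""Distinct infected hosts vs. number of infected e-mails seen at a gateway.

Added example (not from the thread, SARC or MessageLabs).  Assumptions:
our relays are 192.0.2.10 / 192.0.2.11; the sample batch is constructed.
"""
import re
from collections import Counter
from email import message_from_string

# Relays we operate (assumption).  Only Received: lines they add are trusted.
TRUSTED_RELAYS = {"192.0.2.10", "192.0.2.11"}
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(line):
    """Return (peer_ip, relay_ip) from 'from X ([peer]) by Y ([relay]) ...',
    or None when the line does not carry both bracketed addresses."""
    head, sep, tail = line.partition(" by ")
    if not sep:
        return None
    peer, relay = BRACKET_IP.search(head), BRACKET_IP.search(tail)
    if not (peer and relay):
        return None
    return peer.group(1), relay.group(1)


def trusted_origin_ip(raw_message):
    """IP that handed the message to our gateway, or None if unattributable.

    Received: headers stack newest-first.  Walk down through the hops our
    own relays added and keep the peer of the lowest trusted hop; stop at
    the first hop we did not add, since the sender wrote everything below
    it and a mass-mailer can forge those lines freely.
    """
    msg = message_from_string(raw_message)
    origin = None
    for line in msg.get_all("Received", []):
        parsed = parse_received(" ".join(line.split()))
        if parsed is None:
            break                      # unparseable hop: treat as untrusted
        peer, relay = parsed
        if relay not in TRUSTED_RELAYS:
            break
        origin = peer
    if origin is None or origin in TRUSTED_RELAYS:
        return None                    # never reached us via a trusted hop
    return origin


def naive_bottom_received_ip(raw_message):
    """What a script that trusts the oldest Received: line would report.
    Shown for contrast: the oldest line is the one the sender controls."""
    lines = message_from_string(raw_message).get_all("Received", [])
    if not lines:
        return None
    parsed = parse_received(" ".join(lines[-1].split()))
    return parsed[0] if parsed else None


def infection_breakdown(raw_messages, origin_fn=trusted_origin_ip):
    """Return (messages_seen, Counter of origin IP -> messages, unattributable)."""
    origins, unattributable = Counter(), 0
    for raw in raw_messages:
        ip = origin_fn(raw)
        if ip is None:
            unattributable += 1
        else:
            origins[ip] += 1
    return len(raw_messages), origins, unattributable


def _message(received_lines, n):
    """Build a minimal constructed message with the given Received: chain."""
    headers = "".join("Received: %s\n" % r for r in received_lines)
    return headers + "From: user%d@example.com\nSubject: price\n\nbody\n" % n


# Constructed batch: host A sends six mails, each with a forged bottom hop
# claiming a different origin; host B sends three through two of our relays;
# one mail never passed a trusted relay at all (e.g. a copied sample).
SAMPLE_BATCH = [
    _message([
        "from pc-a.example.org ([203.0.113.5]) by mx1.example.net ([192.0.2.10]) with SMTP",
        "from spoofed%d.example ([10.0.0.%d]) by pc-a.example.org ([203.0.113.5])" % (i, i),
    ], i) for i in range(1, 7)
] + [
    _message([
        "from mx2.example.net ([192.0.2.11]) by mx1.example.net ([192.0.2.10]) with ESMTP",
        "from pc-b.example.org ([198.51.100.20]) by mx2.example.net ([192.0.2.11]) with SMTP",
    ], i) for i in range(7, 10)
] + [
    _message(["from pc-c.example.org ([203.0.113.77]) by mail.other.net ([203.0.113.1])"], 10)
]

if __name__ == "__main__":
    for name, fn in (("trusted-hop", trusted_origin_ip), ("naive", naive_bottom_received_ip)):
        total, origins, unattrib = infection_breakdown(SAMPLE_BATCH, fn)
        print("%s: %d mails, %d distinct hosts, %d unattributable: %s"
              % (name, total, len(origins), unattrib, dict(origins)))
```

On the constructed batch the trusted-hop count gives ten messages from two
hosts (plus one message that cannot be attributed), which is the kind of
gap between "infected e-mails seen" and "infected machines" the thread is
about; the naive count reports eight "hosts" because it believes the forged
hops. Real traffic adds IPv6, NAT and dynamic addresses, so even the
trusted-hop number is an upper bound on machines, not an exact count.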