An encouraging level of initial support was expressed by researchers from several of the largest antivirus developers when the idea of this modifier was first floated, and it quickly gained sufficient acceptance, at least in theory, that its adoption into the standard has been agreed.
The point of this modifier is that technically it is not part of an FSMN. So, why would a standard specifying how to devise FSMNs bother with specifying a non-standard component? Simple — history shows that no matter how much some developers have wanted to conform to the earlier naming standard, they (or their customers) always managed to find situations in which they needed to step outside the standard. If the standard specifies an accepted way to indicate such an ‘extension’ to a reported name it explicitly gives the developers an element of necessary flexibility. It also means that if some new and unexpected malware technique is devised that the naming standard may not adequately handle without revision, antivirus developers can deal with the situation. The vendor-specific comment modifier gives developers the ability to add whatever they feel is appropriate to the name their products will report, while the researchers collaboratively decide the ‘correct’ way to officially extend the naming scheme should there be agreement that this new development ‘deserves’ special naming consideration.
Vendor-specific comments also act as a catch-all for the many non-standard modifier strings that many developers currently seem insistent on reporting as part of a name. This is the place to put those things like ‘.dam’ (meaning ‘it’s a damaged/non-replicable sample’), ‘.hcr’ (‘half-cocked repair’), ‘.ow’ (‘overwriter’), ‘.cmp’ (‘companion virus’), ‘.enc’ (‘it’s encoded/encrypted in some way’), ‘.worm’, etc, etc, etc.
The vendor-specific comment, if accepted into the standard, will always, regardless of future extensions to the naming scheme, be required to be the last (rightmost) component of a name, if present. The first ‘!’ separator while parsing a name left to right delimits the beginning of the vendor-specific comment. Everything to the right of that first ‘!’ can be ‘dropped’ from the actual name string for various parsing purposes (searches of online ‘virus encyclopedias’, automated log processing and so on). There are no restrictions on the vendor-specific comment except that it must only be composed of characters valid in identifiers, delimiters or the set notation described in ‘Specifying multiple values in a single name component’. Vendor-specific comments can be ‘recursive’ or ‘stacked’, so ‘!ow!worm’, ‘!{ow,worm}’ or ‘!ow,worm’ are all valid.
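The parsing rule above, applied to log normalisation, as an added example that is not part of the original article or the standard. The function names and the sample detection names are constructed for illustration. Treating the three stacked forms as the same list of tags is an assumption, and no character validation is done because the valid character set is not given here.

```python
from collections import Counter


def split_vendor_comment(reported):
    """Split a reported name at the first '!' into (name, comment_tags).

    Everything left of the first '!' is the name proper; everything to
    the right is the vendor-specific comment and may be dropped.
    """
    base, sep, comment = reported.strip().partition("!")
    if not sep:
        return base, []          # no vendor-specific comment present
    tags = []
    # Assumption: '!ow!worm', '!{ow,worm}' and '!ow,worm' carry the same tags.
    for part in comment.split("!"):
        part = part.strip()
        if part.startswith("{") and part.endswith("}"):
            part = part[1:-1]    # unwrap set notation
        tags.extend(t.strip() for t in part.split(",") if t.strip())
    return base, tags


def count_by_name(reported_names):
    """Count detections per name with the vendor comment dropped."""
    return Counter(split_vendor_comment(n)[0] for n in reported_names)


# Constructed sample of names as different products might log them.
SAMPLE = [
    "W32/Sample.A!ow!worm",
    "W32/Sample.A!{ow,worm}",
    "W32/Sample.A!ow,worm",
    "W32/Sample.A",
    "W97M/Other.B!dam",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, "->", split_vendor_comment(entry))
    print(dict(count_by_name(SAMPLE)))
```
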