On Wed, 10 Nov 2004 at 11:47:59 +0300, George Chelidze wrote:
> Tomasz Kojm wrote:
> >
> >The way libclamav works in the case of executable files is:
> >
> >1. check the file against the signature database and stop scanning if
> >virus is found
> >
> >2. run PE parser (report broken executables; try to guess and unpack
> >compressed files)
>
> One additional question here:
>
> I get several messages a day which are marked as broken executables by
> clamav but as I-Worm.NetSky.o by kav. AFAIK it's an alias to
> Worm.SomeFool.N. Why doesn't clam detect the known signature and fall to
> step 2? (Maybe a part of the signature is missing because the file is
> broken?)

I believe so. To be sure, the samples would have to be examined.

> I don't think clamav and kav use signatures which differ a
> lot, do they?

They surely differ.

--
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner
