Tomasz Papszun wrote:
On Wed, 10 Nov 2004 at 11:47:59 +0300, George Chelidze wrote:
Tomasz Kojm wrote:
The way libclamav works in the case of executable files is:
1. check the file against the signature database and stop scanning if a virus is found
2. run PE parser (report broken executables; try to guess and unpack compressed files)
One additional question here:
I get several messages a day which are marked as broken executables by clamav but as I-Worm.NetSky.o by kav. AFAIK it's an alias for Worm.SomeFool.N. Why doesn't clam detect the known signature, falling to step 2 instead? (Maybe a part of the signature is missing because the file is broken?)
I believe so. To be sure, the samples would have to be examined.
I know your team is very busy, but anyway if you are interested in samples I can provide them.
I don't think clamav and kav use signatures which differ a lot, do they?
They surely differ.
Thanks for your time and your great product.
Best Regards,
--
George Chelidze
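The two-step flow described in the thread, as an added example that is not part of the original messages and is not libclamav code: a toy scanner showing how a truncated file can lose part of a multi-part signature at step 1 and then be reported as a broken executable at step 2. The signature name, its byte strings, the verdict labels and the PE-like sample are all constructed for illustration.

```python
import struct

# Constructed two-part signature (hypothetical name; not from any ClamAV database).
SIGNATURES = {"Example.Worm.A": [b"EXAMPLE-PART-ONE", b"EXAMPLE-PART-TWO"]}

def match_signature(data):
    """Step 1: every part must occur, in order, for the signature to match."""
    for name, parts in SIGNATURES.items():
        pos = 0
        for part in parts:
            pos = data.find(part, pos)
            if pos < 0:
                break
            pos += len(part)
        else:
            return name
    return None

def pe_is_broken(data):
    """Step 2 (toy PE check): section raw data must lie inside the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return True
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return True
    nsections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            return True
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        if raw_ptr + raw_size > len(data):
            return True
    return False

def scan(data):
    name = match_signature(data)
    if name:                       # step 1 hit: stop scanning
        return name
    return "Broken.Executable" if pe_is_broken(data) else "OK"

def build_sample():
    """Constructed PE-like file: headers plus one section holding both parts."""
    body = b"EXAMPLE-PART-ONE" + b"\x90" * 200 + b"EXAMPLE-PART-TWO"
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", len(body), 0x1000, len(body), 0x80) + b"\0" * 16
    return (dos + coff + sect).ljust(0x80, b"\0") + body
```

Scanning `build_sample()` returns the signature name, while scanning the same bytes cut off at offset 300 returns the broken-executable verdict, because the second signature part and the end of the section are both missing.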
