Re: [Clamav-devel] Why MD5 signatures prevail?

2009-07-06 Thread aCaB
Ibraheem Khan wrote:
> Hello Edwin,
> 
> Thank you for the useful information. I have a question as well:
> 
> 1) Is a PE section MD5 signature created from a particular section like code
> or data, or can it be any section?

Can be any section.

-acab
___
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net


Re: [Clamav-devel] Why MD5 signatures prevail?

2009-07-03 Thread Ibraheem Khan
Hello Edwin,

Thank you for the useful information. I have a question as well:

1) Is a PE section MD5 signature created from a particular section like code
or data, or can it be any section?

Thanks.

Regards,
Ibraheem

2009/7/3 Török Edwin 

> On 2009-07-02 23:10, Sang Kil Cha wrote:
> > Hello,
> >
> > When I look at ClamAV's signatures, most of them are md5 signatures.
> > Also, when I download an older version of ClamAV like 0.90 to compare the
> > signature database, the number of md5 signatures has grown dramatically.
>
> 0.90 did not support PE section MD5 signatures (.mdb files), it was
> introduced in 0.92 IIRC.
> PE section MD5 signatures are more useful than md5 signatures of the
> entire file (because it allows the other section of the PE to vary, thus
> catching more samples with a single signature).
>
> > Is there any special reason for this? I guess one of the reasons will be
> > that it is the quickest way to update signatures. Am I thinking
> > correctly? Any other reasons for the expanding md5 signatures?
> >
>
> Signatures can be updated just as quickly if they are .ndb. MD5
> signatures are quicker to create though than .ndb.
>
> Best regards,
> --Edwin


Re: [Clamav-devel] Why MD5 signatures prevail?

2009-07-03 Thread Török Edwin
On 2009-07-02 23:10, Sang Kil Cha wrote:
> Hello,
>
> When I look at ClamAV's signatures, most of them are md5 signatures. Also,
> when I download an older version of ClamAV like 0.90 to compare the signature
> database, the number of md5 signatures has grown dramatically.

0.90 did not support PE section MD5 signatures (.mdb files), it was
introduced in 0.92 IIRC.
PE section MD5 signatures are more useful than md5 signatures of the
entire file (because it allows the other section of the PE to vary, thus
catching more samples with a single signature).

> Is there any special reason for this? I guess one of the reasons will be
> that it is the quickest way to update signatures. Am I thinking
> correctly? Any other reasons for the expanding md5 signatures?

Signatures can be updated just as quickly if they are .ndb. MD5
signatures are quicker to create though than .ndb.

Best regards,
--Edwin
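
Edwin's comparison of section hashes with whole-file hashes, as an added example that is not part of the original thread and is not ClamAV code: it hashes each PE section and shows one section signature matching two files whose whole-file MD5s differ. The helper names, the constructed sample files and the signature name Example.Constructed are assumptions; the line layout is the .mdb form PESectionSize:MD5:MalwareName.

```python
import hashlib
import struct

def build_pe(sections):
    """Build a minimal, non-loadable PE image (constructed sample) from (name, data) pairs."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew lives at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    offset = 64 + 4 + 20 + 40 * len(sections)                # raw data follows the headers
    table = body = b""
    for name, data in sections:
        table += struct.pack("<8sIIII16x", name, len(data), 0x1000, len(data), offset)
        offset += len(data)
        body += data
    return dos + b"PE\0\0" + coff + table + body

def section_md5s(pe):
    """Return [(name, raw_size, md5_hex)] for every entry in the PE section table."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size                         # section table follows the optional header
    out = []
    for i in range(nsect):
        name, size, ptr = struct.unpack_from("<8s8xII", pe, table + 40 * i)
        raw = pe[ptr:ptr + size]
        if len(raw) != size:
            raise ValueError("section data runs past end of file")
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), size, hashlib.md5(raw).hexdigest()))
    return out

def mdb_line(pe, section, sig_name):
    """Format one named section as PESectionSize:MD5:MalwareName."""
    for name, size, digest in section_md5s(pe):
        if name == section:
            return f"{size}:{digest}:{sig_name}"
    raise KeyError(section)

def mdb_matches(pe, line):
    """True if any section of pe has the size and MD5 named in the .mdb-style line."""
    size, digest, _ = line.split(":", 2)
    return any((s, d) == (int(size), digest) for _, s, d in section_md5s(pe))

CODE = b"\x90" * 512   # constructed samples: same code section, different data section
variant_a = build_pe([(b".text", CODE), (b".data", b"A" * 256)])
variant_b = build_pe([(b".text", CODE), (b".data", b"B" * 256)])
signature = mdb_line(variant_a, ".text", "Example.Constructed")  # hypothetical signature name
```

The signature taken from variant_a also matches variant_b, while an MD5 of the entire file would need one entry per variant.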