Re: [clamav-users] Does Filesize(HDB) or PESectionSize(MDB) of executables play any role in virus pattern matching?
On Wed, Feb 13, 2013 at 9:32 PM, Kaushik Vaidyanathan kvaid...@andrew.cmu.edu wrote:

> Hi,
>
> Does the FileSize field in an HDB signature serve any purpose during pattern matching, or does pattern matching rely only on the MD5 checksum?

File size serves the purpose of making sure we are looking at the right file.

> Similarly, for the MDB signature, what's the role of PESectionSize in pattern matching? Does PESectionSize get used while filtering and/or preprocessing during the pattern matching?

Same as above.

> I have read through the signatures document and could not figure this out. Do you have to step through the code to understand this?

Unfortunately, there is no such documentation at this time. The code is your friend :-)

> Are there notes or a document which specify the different types of filtering (AC, Wu-Manber, Bloom Filters) and preprocessing ClamAV does on the input file before proceeding to the exact match? If not, any suggestions on how I could figure this out quickly from the source code?
>
> If this question is not suitable for this list, where should I post this question?
>
> Thank you!

- Alain

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
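The record layout behind the answer above, as an added example that is not part of the thread and not ClamAV's own code: it parses `.hdb` (`MD5:FileSize:MalwareName`) and `.mdb` (`PESectionSize:MD5:MalwareName`) records and reports a match only when both the size and the MD5 agree. The names `HashSig`, `parse_sig` and `match`, the sample bytes and the signature names are constructed for illustration, and the order of the two checks is this example's assumption, not a statement about ClamAV's internals.

```python
import hashlib
import string
from typing import Iterable, NamedTuple, Optional

class HashSig(NamedTuple):
    size: int   # FileSize (.hdb) or PESectionSize (.mdb)
    md5: str
    name: str

def parse_sig(line: str, kind: str) -> HashSig:
    """Parse one hash-signature record.

    .hdb records are MD5:FileSize:MalwareName
    .mdb records are PESectionSize:MD5:MalwareName
    """
    parts = line.strip().split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed record: {line!r}")
    if kind == "hdb":
        md5, size, name = parts[:3]
    elif kind == "mdb":
        size, md5, name = parts[:3]
    else:
        raise ValueError(f"unknown signature kind: {kind!r}")
    if len(md5) != 32 or not set(md5) <= set(string.hexdigits):
        raise ValueError(f"bad MD5 field: {md5!r}")
    return HashSig(int(size), md5.lower(), name)

def match(data: bytes, sigs: Iterable[HashSig]) -> Optional[str]:
    """Return the name of the first signature whose size AND MD5 both match.

    `data` is a whole file for .hdb records or one PE section's raw bytes
    for .mdb records. Hashing only after the size agrees is this example's
    own ordering, not a description of ClamAV's matcher.
    """
    digest = None
    for sig in sigs:
        if sig.size != len(data):
            continue  # size differs, so this is not the file the record describes
        if digest is None:
            digest = hashlib.md5(data).hexdigest()
        if digest == sig.md5:
            return sig.name
    return None

# Constructed sample input and records (not real malware signatures).
SAMPLE = b"constructed sample payload\n"
SAMPLE_MD5 = hashlib.md5(SAMPLE).hexdigest()
HDB_LINE = f"{SAMPLE_MD5}:{len(SAMPLE)}:Example.Constructed.A"
MDB_LINE = f"{len(SAMPLE)}:{SAMPLE_MD5}:Example.Constructed.B"
```
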
Re: [clamav-users] Does Filesize(HDB) or PESectionSize(MDB) of executables play any role in virus pattern matching?
Hi Alain,

Thanks Alain. Is the FileSize or PESectionSize used as a pre-processing (or filtering) step while scanning files? What I mean is, does ClamAV use the size of the file to filter out all virus patterns that don't have the same file size as that of the file under inspection? After finding a subset of virus patterns (using the FileSize field in HDB) that do match the size of the file, does it then proceed to actual signature matching using WM or AC string matching algorithms?

Is the same true with PESectionSize for an MDB file? Just that it would probably get PESectionSize information in the Header/SectionTable fields of the PE file under inspection?

Thanks a lot!
[clamav-users] Does Filesize(HDB) or PESectionSize(MDB) of executables play any role in virus pattern matching?
Hi,

Does the FileSize field in an HDB signature serve any purpose during pattern matching, or does pattern matching rely only on the MD5 checksum?

Similarly, for the MDB signature, what's the role of PESectionSize in pattern matching? Does PESectionSize get used while filtering and/or preprocessing during the pattern matching?

I have read through the signatures document and could not figure this out. Do you have to step through the code to understand this?

Are there notes or a document which specify the different types of filtering (AC, Wu-Manber, Bloom Filters) and preprocessing ClamAV does on the input file before proceeding to the exact match? If not, any suggestions on how I could figure this out quickly from the source code?

If this question is not suitable for this list, where should I post this question?

Thank you!