Mailing List Archive

Why MD5 signatures prevail?
Hello,

When I look at ClamAV's signatures, most of them are md5 signatures. Also, when I download an older version of ClamAV like 0.90 to compare the signature database, the number of md5 signatures has grown dramatically. Is there any special reason for this? I guess one of the reasons will be that it is the quickest way to update signatures. Am I thinking about it correctly? Any other reasons for the expanding md5 signatures?

Thank you in advance!
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: Why MD5 signatures prevail?
On 2009-07-02 23:10, Sang Kil Cha wrote:
> Hello,
>
> When I look at ClamAV's signatures, most of them are md5 signatures. Also, when I download an older version of ClamAV like 0.90 to compare the signature database, the number of md5 signatures has grown dramatically.

0.90 did not support PE section MD5 signatures (.mdb files); they were
introduced in 0.92 IIRC.
PE section MD5 signatures are more useful than md5 signatures of the
entire file (because they allow the other sections of the PE to vary, thus
catching more samples with a single signature).

> Is there any special reason for this? I guess one of the reasons will be that it is the quickest way to update signatures. Am I thinking about it correctly? Any other reasons for the expanding md5 signatures?
>

Signatures can be updated just as quickly if they are .ndb. MD5
signatures are quicker to create than .ndb, though.

Best regards,
--Edwin
Re: Why MD5 signatures prevail?
Hello Edwin,

Thank you for the useful information. I have a question as well:

1) Is a PE section MD5 signature created from a particular section, like code
or data, or can it be any section?

Thanks.

Regards,
Ibraheem

2009/7/3 Török Edwin <edwintorok@gmail.com>

> On 2009-07-02 23:10, Sang Kil Cha wrote:
> > Hello,
> >
> > When I look at ClamAV's signatures, most of them are md5 signatures.
> > Also, when I download an older version of ClamAV like 0.90 to compare the
> > signature database, the number of md5 signatures has grown dramatically.
>
> 0.90 did not support PE section MD5 signatures (.mdb files); they were
> introduced in 0.92 IIRC.
> PE section MD5 signatures are more useful than md5 signatures of the
> entire file (because they allow the other sections of the PE to vary, thus
> catching more samples with a single signature).
>
> > Is there any special reason for this? I guess one of the reasons will be
> > that it is the quickest way to update signatures. Am I thinking about it
> > correctly? Any other reasons for the expanding md5 signatures?
>
> Signatures can be updated just as quickly if they are .ndb. MD5
> signatures are quicker to create than .ndb, though.
>
> Best regards,
> --Edwin
Re: Why MD5 signatures prevail?
Ibraheem Khan wrote:
> Hello Edwin,
>
> Thank you for the useful information. I have a question as well:
>
> 1) Is a PE section MD5 signature created from a particular section, like code
> or data, or can it be any section?

Can be any section.

-acab
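
Added example, not part of the thread and not ClamAV code: it illustrates the two replies above (a section hash survives changes elsewhere in the file, and any section can be hashed) by hashing every section of two PE images. The images, the malware name `Example.Constructed` and all function names are constructed for this sketch; the line layouts assumed are ClamAV's `MD5:FileSize:MalwareName` for .hdb and `PESectionSize:MD5:MalwareName` for .mdb.

```python
import hashlib
import struct

def pe_sections(data):
    """Yield (name, raw_bytes) for every section listed in a PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: only NumberOfSections and SizeOfOptionalHeader are needed here.
    _, nsect, _, _, _, opt_len, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_len
    for i in range(nsect):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        if raw_ptr + raw_size > len(data):
            raise ValueError(f"section {name} runs past end of file")
        yield name, data[raw_ptr:raw_ptr + raw_size]

def hdb_line(data, malware_name):
    """Whole-file signature, assumed .hdb layout: MD5:FileSize:MalwareName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{malware_name}"

def mdb_lines(data, malware_name):
    """One line per non-empty section, assumed .mdb layout: SectionSize:MD5:MalwareName."""
    return [f"{len(r)}:{hashlib.md5(r).hexdigest()}:{malware_name}" for _, r in pe_sections(data) if r]

def build_pe(sections):
    """Constructed minimal PE image: parsable headers, no optional header, not loadable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body, ptr = b"", b"", 64 + 24 + 40 * len(sections)
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0)
        body, ptr = body + raw, ptr + len(raw)
    return dos + coff + table + body

# Constructed samples: identical .text, different .data (stand-ins for two variants).
SHARED_TEXT = bytes(range(256)) * 2
VARIANT_A = build_pe([(b".text", SHARED_TEXT), (b".data", b"config-A" * 8)])
VARIANT_B = build_pe([(b".text", SHARED_TEXT), (b".data", b"config-B" * 8)])

def shared_section_sigs(a, b, malware_name):
    """.mdb lines that match both files, i.e. one signature covering both variants."""
    return sorted(set(mdb_lines(a, malware_name)) & set(mdb_lines(b, malware_name)))

if __name__ == "__main__":
    print(*shared_section_sigs(VARIANT_A, VARIANT_B, "Example.Constructed"), sep="\n")
```

The two variants produce different whole-file lines, while the single 512-byte `.text` line matches both.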