clamav-users May 2010 archive
Main Archive Page > Month Archives  > clamav-users archives
clamav-users: Re: [Clamav-users] Reload process

Re: [Clamav-users] Reload process

From: Nathan Gibbs <nathan_at_nospam>
Date: Tue May 25 2010 - 01:39:00 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>

* Sarocet wrote:
> Tomasz Kojm wrote:
>> These are poor examples, which are almost identical (only 6 bytes
>> differ). Now, take a notepad.exe and create a malicious file with the
>> same file size and MD5.
>>
>> Thanks,
>>
>
> Read again the scenario.

Scan the scenario. Neither file has a virus.
:-)

Seriously, I'll agree with you that using MD5 for this isn't the best idea.
It may not get them today, but it will get them. The ClamAV Team should
consider using a better algorithm. However, until someone does this right and
pulls one over on the Engine, I don't think that will happen.

So, minds smarter than me, what we need is as follows.

A non-lethally loaded ( EICAR or ClamAV Test ) and a clean file.

That each have the same size, and have the same MD5 checksum.

Lets see how many feature reqs we can wring out of this thread.
I think the count is at 2 already.
:-)
LOL

-- Sincerely, Nathan Gibbs Systems Administrator Christ Media http://www.cmpublishers.com

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml