On 2009-07-02 23:10, Sang Kil Cha wrote: > Hello, > > When I look at ClamAV's signatures, most of them are md5 signatures. Also, > when I download older version of ClamAV like 0.90, to compare the signature > database, number of md5 signatures have been grown dramatically.
0.90 did not support PE section MD5 signatures (.mdb files), it was introduced in 0.92 IIRC. PE section MD5 signatures are more useful than md5 signatures of the entire file (because it allows the other section of the PE to vary, thus catching more samples with a single signature). > Is there any special reason for this? I guess one of the reasons will be > that it is the most quickest way to update signatures. Am I thinking it > correct? Any other reasons for the expanding md5 signatures? > Signatures can be updated just as quickly if they are .ndb. MD5 signatures are quicker to create though than .ndb. Best regards, --Edwin _______________________________________________ http://lurker.clamav.net/list/clamav-devel.html Please submit your patches to our Bugzilla: http://bugs.clamav.net
