Hello Edwin,

Thank you for the useful information. I have a question as well:

1) Is a PE section MD5 signature created from a particular section, like code or data, or can it be any section?

Thanks.

Regards,
Ibraheem

2009/7/3 Török Edwin <[email protected]>

> On 2009-07-02 23:10, Sang Kil Cha wrote:
> > Hello,
> >
> > When I look at ClamAV's signatures, most of them are md5 signatures. Also, when I download an older version of ClamAV like 0.90 to compare the signature database, the number of md5 signatures has grown dramatically.
>
> 0.90 did not support PE section MD5 signatures (.mdb files), it was introduced in 0.92 IIRC.
> PE section MD5 signatures are more useful than md5 signatures of the entire file (because it allows the other sections of the PE to vary, thus catching more samples with a single signature).
>
> > Is there any special reason for this? I guess one of the reasons will be that it is the quickest way to update signatures. Am I thinking correctly? Any other reasons for the expanding md5 signatures?
> >
>
> Signatures can be updated just as quickly if they are .ndb. MD5 signatures are quicker to create though than .ndb.
>
> Best regards,
> --Edwin
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
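The point made in the quoted reply, that a PE section hash still matches when other sections of the file vary, shown as an added example that is not part of the original thread or of ClamAV's code. The two PE images are constructed, minimal and not loadable, the signature name is a placeholder, and the output lines follow ClamAV's documented `.mdb` layout `PESectionSize:PESectionHash:MalwareName`.

```python
import hashlib
import struct

def section_md5s(pe: bytes):
    """Yield (name, raw_size, md5_hex) for each section of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (nsect,) = struct.unpack_from("<H", pe, e_lfanew + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                           # first section header
    for i in range(nsect):
        name, _vsz, _va, rsz, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsz]
        if rsz == 0 or len(raw) != rsz:
            continue  # skip empty sections and ones truncated on disk
        yield name.rstrip(b"\0").decode("latin-1"), rsz, hashlib.md5(raw).hexdigest()

def mdb_lines(pe: bytes, sig_name: str):
    """Format every section hash as PESectionSize:PESectionHash:MalwareName."""
    return [f"{size}:{digest}:{sig_name}" for _n, size, digest in section_md5s(pe)]

def build_pe(sections):
    """Constructed sample: minimal PE-shaped image from [(name, data)], no optional header."""
    e_lfanew = 0x40
    ptr = e_lfanew + 24 + 40 * len(sections)  # raw data starts right after the section table
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000,
                             len(data), ptr, 0, 0, 0, 0, 0)
        body += data
        ptr += len(data)
    return dos + coff + table + body

CODE = b"\x90" * 512  # constructed stand-in for a code section shared by two samples
VARIANT_A = build_pe([(b".text", CODE), (b".data", b"A" * 512)])
VARIANT_B = build_pe([(b".text", CODE), (b".data", b"B" * 512)])

def shared_section_hashes(a: bytes, b: bytes):
    """Return the (size, md5) pairs that occur as a section in both images."""
    pairs = lambda pe: {(s, d) for _n, s, d in section_md5s(pe)}
    return pairs(a) & pairs(b)

if __name__ == "__main__":
    print("whole-file MD5 equal:", hashlib.md5(VARIANT_A).digest() == hashlib.md5(VARIANT_B).digest())
    for size, digest in shared_section_hashes(VARIANT_A, VARIANT_B):
        print(f"{size}:{digest}:Example.Placeholder.Name")
```
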
