On Mon, 24 May 2010 22:22:46 +0200 Sarocet <saro...@gmail.com> wrote:
> Török Edwin wrote:
>> A simpler form of this is already implemented in 0.96 :)
>>
>> If a file is determined to be clean, its MD5 is added to an in-memory cache.
>> When scanning a new file, its MD5 is computed and looked up in the
>> cache. If found, it is considered clean.
>> On DB reload the entire cache is cleared.
>>
>> Best regards,
>> --Edwin
>>   
> 
> Create two files with a colliding md5. One is innocuous, the other is
> infected.
> Send the clean one first. clamav will note it is clean and cache the md5.

The cache also checks file sizes.

> Send the malicious one after a while. The hash is on the cache so it
> bypasses the AV.
> Profit.

Good luck,

-- 
   oo    .....         Tomasz Kojm <tk...@clamav.net>
  (\/)\.........         http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._         0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\              Mon May 24 22:30:56 CEST 2010
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
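
The cache behaviour described in this thread (key on MD5 plus file size, cache only clean verdicts, clear everything on DB reload), as an added Python sketch that is not ClamAV's code and not part of the original messages. `CleanCache`, `scan`, `toy_engine` and the marker string are hypothetical names and constructed values.

```python
import hashlib
import io


class CleanCache:
    """Hypothetical in-memory cache of files already judged clean."""

    def __init__(self):
        self._entries = set()  # holds (md5_hex, size_in_bytes) pairs

    @staticmethod
    def fingerprint(stream, chunk=65536):
        """Return (md5_hex, size) for a stream, read in chunks."""
        md5, size = hashlib.md5(), 0
        for block in iter(lambda: stream.read(chunk), b""):
            md5.update(block)
            size += len(block)
        return md5.hexdigest(), size

    def is_clean(self, key):
        # A hit requires both the digest and the size to match.
        return key in self._entries

    def mark_clean(self, key):
        self._entries.add(key)

    def on_db_reload(self):
        # New signatures may flag files that were clean before.
        self._entries.clear()


def toy_engine(data):
    """Constructed stand-in for the real scan engine."""
    return "infected" if b"CONSTRUCTED-TEST-MARKER" in data else "clean"


def scan(stream, cache, engine=toy_engine):
    key = CleanCache.fingerprint(stream)
    if cache.is_clean(key):
        return "clean (cached)"  # full scan skipped
    stream.seek(0)
    verdict = engine(stream.read())
    if verdict == "clean":
        cache.mark_clean(key)  # infected results are never cached
    return verdict
```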
