* Tomasz Kojm wrote:
> On Mon, 24 May 2010 22:22:46 +0200 Sarocet <saro...@gmail.com> wrote:
>> Török Edwin wrote:
>>> A simpler form of this is already implemented in 0.96 :)
>>>
>>> If a file is determined to be clean, its MD5 is added to an in-memory cache.
>>> When scanning a new file, its MD5 is computed and looked up in the
>>> cache. If found, it is considered clean.
>>> On DB reload the entire cache is cleared.
>> Create two files with a colliding md5. One is innocuous, the other is
>> infected.

I wondered about that scenario.

>> Send the clean one first. clamav will note it is clean and cache the md5.
>
> The cache also checks file sizes
>
>> Send the malicious one after a while. The hash is on the cache so it
>> bypasses the AV.
>> Profit.
>
> Good luck,
>

Doh; Pwned by the ClamAV Team. :-)
I thought about it, but figured there'd be a card up a sleeve somewhere.
That was great, esp since I would have tried the same thing a few months back.

--
Sincerely,
Nathan Gibbs
Systems Administrator
Christ Media
http://www.cmpublishers.com
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
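
The clean-file cache behaviour described in the thread above (MD5 plus file size as the lookup key, only clean verdicts cached, everything dropped on DB reload), as an added sketch that is not ClamAV's code and not part of the original messages. The class names, the substring "signature" matching and the sample data are all constructed for illustration.

```python
import hashlib

class CleanCache:
    """(MD5, size) pairs of files already judged clean; hypothetical names."""
    def __init__(self):
        self._clean = set()

    @staticmethod
    def _key(data):
        # Size is part of the key, so a digest match alone is not a hit.
        return (hashlib.md5(data).hexdigest(), len(data))

    def is_known_clean(self, data):
        return self._key(data) in self._clean

    def remember_clean(self, data):
        self._clean.add(self._key(data))

    def clear(self):
        self._clean.clear()

class Scanner:
    def __init__(self, signatures):
        self.signatures = list(signatures)   # constructed byte patterns
        self.cache = CleanCache()
        self.full_scans = 0                  # counts scans that missed the cache

    def reload_db(self, signatures):
        # New signatures may flag files that used to pass, so drop every verdict.
        self.signatures = list(signatures)
        self.cache.clear()

    def scan(self, data):
        if self.cache.is_known_clean(data):
            return "clean"                   # cache hit: full scan skipped
        self.full_scans += 1
        if any(sig in data for sig in self.signatures):
            return "infected"                # infected verdicts are never cached
        self.cache.remember_clean(data)
        return "clean"

def demo():
    s = Scanner([b"CONSTRUCTED-TEST-SIGNATURE"])
    doc = b"hello world"                     # constructed sample file
    results = [s.scan(doc), s.scan(doc)]     # second call is a cache hit
    scans_after_hit = s.full_scans
    s.reload_db([b"CONSTRUCTED-TEST-SIGNATURE", b"hello"])
    results.append(s.scan(doc))              # rescanned against the new DB
    return results, scans_after_hit, s.full_scans
```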