On 5/25/10 7:51 AM, Tomasz Kojm wrote:
On Tue, 25 May 2010 16:27:48 +0200 Sarocet<saro...@gmail.com>  wrote:
Tomasz Kojm wrote:
This scenario doesn't make much sense to me. First of all, as I wrote in the
previous email, the files you provided as examples are almost identical
(they only differ in the high nibbles of six bytes) and they share the same
"payload"; this means that both of them should be detected by the AV as
malicious (in this case even using a single MD5 signature!). Due to the
nature of MD5's weaknesses it's pretty much impossible to create a working
malicious file that would have the same MD5 as, let's say, notepad.exe.

What if it's an autoextracted file? ClamAV detects the inner compressed
virus but not the executable heading.

I don't get it... if ClamAV detects a virus in any extracted file, it
marks the whole container infected.


I think the suggested scenario is a file is placed on a system by some means. ClamAV sees it, makes a note of the MD5 hash, and the file size. It finds no payload inside. Time marches on and a second file with the same hash and size arrives. ClamAV doesn't bother scanning it as it believes it already has determined it is clean. A miracle occurs and the second file is executed and takes over the system.

dp
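dp's scenario above, as an added example that is not code from this thread or from ClamAV: a hypothetical, simplified clean-verdict cache keyed on (MD5, size), with a constructed weakened key standing in for an MD5 collision so the stale-verdict failure can be shown offline, and a SHA-256 key as the collision-resistant alternative.

```python
import hashlib
from typing import Callable, Dict, Hashable, Optional, Tuple
# Hypothetical model of a clean-verdict cache written for this thread, not
# ClamAV's own cache code: verdicts are remembered by a content-derived key and
# any later file mapping to a known key is not rescanned.
def md5_size_key(data: bytes) -> Hashable:
    """The key the thread discusses: MD5 digest plus file size."""
    return (hashlib.md5(data).hexdigest(), len(data))

def sha256_size_key(data: bytes) -> Hashable:
    """Collision-resistant alternative key: SHA-256 plus file size."""
    return (hashlib.sha256(data).hexdigest(), len(data))

def weak_key(data: bytes) -> Hashable:
    """Constructed stand-in for a broken hash (12 bits of MD5 kept), so colliding inputs are findable."""
    return (hashlib.md5(data).hexdigest()[:3], len(data))

class CleanCache:
    def __init__(self, key_fn: Callable[[bytes], Hashable]) -> None:
        self.key_fn = key_fn
        self._clean: Dict[Hashable, bool] = {}

    def scan(self, data: bytes, detector: Callable[[bytes], bool]) -> Tuple[bool, bool]:
        """Return (malicious, served_from_cache) for one file's content."""
        key = self.key_fn(data)
        if key in self._clean:
            return False, True   # dp's scenario: not rescanned, trusted as clean
        malicious = detector(data)
        if not malicious:
            self._clean[key] = True
        return malicious, False

def find_key_collision(key_fn, limit: int = 100000) -> Optional[Tuple[bytes, bytes]]:
    """Brute-force two distinct inputs with the same key (feasible only for weak_key)."""
    seen: Dict[Hashable, bytes] = {}
    for i in range(limit):
        data = b"constructed-sample-%d" % i   # constructed file contents
        key = key_fn(data)
        if key in seen:
            return seen[key], data
        seen[key] = data
    return None

def demo_stale_verdict(key_fn=weak_key) -> Tuple[bool, bool]:
    """Cache clean file a, then scan b (collides with a): b gets a's verdict unscanned."""
    a, b = find_key_collision(key_fn)
    cache = CleanCache(key_fn)
    cache.scan(a, detector=lambda d: False)        # a is genuinely clean
    return cache.scan(b, detector=lambda d: True)  # b never reaches the detector
```

With a full-strength key the same brute force finds no colliding pair, which is why the cache design stands or falls on the collision resistance of its hash.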
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml