On Tue, 25 May 2010 07:56:17 -0700 Dennis Peterson <denni...@inetnw.com> wrote:

> On 5/25/10 7:51 AM, Tomasz Kojm wrote:
>> On Tue, 25 May 2010 16:27:48 +0200 Sarocet <saro...@gmail.com> wrote:
>>> Tomasz Kojm wrote:
>>>> This scenario doesn't make much sense to me. First of all, as I wrote in
>>>> the previous email, the files you provided as an example are almost
>>>> identical (they only differ in the high nibbles of six bytes) and they
>>>> share the same "payload"; this means that both of them should be detected
>>>> by the AV as malicious (in this case even using a single MD5 signature!).
>>>> Due to the nature of the MD5 weaknesses it's pretty much impossible to
>>>> create a working malicious file that would have the same MD5 as, let's
>>>> say, notepad.exe.
>>>>
>>> What if it's an autoextracted file? ClamAV detects the inner compressed
>>> virus but not the executable heading.
>>
>> I don't get it... if ClamAV detects a virus in any extracted file it
>> marks the whole container infected.
>>
>
> I think the suggested scenario is: a file is placed on a system by some
> means. ClamAV sees it, makes a note of the MD5 hash and the file size.
> It finds no payload inside. Time marches on and a second file with the
> same hash and size arrives. ClamAV doesn't bother scanning it as it
> believes it has already determined it is clean. A miracle occurs and the
> second file is executed and takes over the system.
What you described is the "original scenario", which doesn't make sense anyway (see my explanation above).

-- 
   oo    .....         Tomasz Kojm <tk...@clamav.net>
  (\/)\.........       http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._     0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\        Tue May 25 17:03:27 CEST 2010
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
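To make the cache scenario from this thread concrete, here is an added Python example; it is not ClamAV code and not from any of the posters. It models a scan-result cache keyed on (file size, digest) and a content scanner that matches a single byte-string signature. The two sample files, the `PAYLOAD_SIG` marker and the `toy_digest` function are constructed for the example. The toy digest is deliberately weak (a 16-bit byte sum) so that two same-size files collide; that is how the "second file is never scanned" outcome is shown offline, since no real MD5 collision is reproduced here. With MD5 or SHA-256 as the key the second file has a different digest, misses the cache and is scanned. A last helper builds the "almost identical" variant from the discussion (high nibbles of six header bytes flipped, payload untouched) to show that both copies are caught by the content scan regardless of the cache.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed signature for the example: any file containing it is "malicious".
PAYLOAD_SIG = b"<<CONSTRUCTED-MALICIOUS-PAYLOAD>>"

# Constructed sample files. CLEAN holds the same bytes as MALICIOUS in a
# different order, so it is the same size and has the same byte sum but does
# not contain the signature.
PREFIX = b"MZ\x90\x00CONSTRUCTED-SAMPLE-HEADER"
MALICIOUS = PREFIX + PAYLOAD_SIG
CLEAN = PREFIX + PAYLOAD_SIG[::-1]


def scan_content(data: bytes) -> bool:
    """Uncached content scan standing in for the real engine. True = infected."""
    return PAYLOAD_SIG in data


class ResultCache:
    """Scan-result cache keyed on (size, digest), as in the scenario above."""

    def __init__(self, digest: Callable[[bytes], bytes]) -> None:
        self.digest = digest
        self.results: Dict[Tuple[int, bytes], bool] = {}
        self.scans = 0  # number of times the content scanner actually ran

    def scan(self, data: bytes) -> bool:
        key = (len(data), self.digest(data))
        if key in self.results:          # hit: trust the earlier verdict
            return self.results[key]
        self.scans += 1
        verdict = scan_content(data)
        self.results[key] = verdict
        return verdict


def toy_digest(data: bytes) -> bytes:
    """Deliberately broken hash: a 16-bit byte sum. Reordering bytes collides."""
    return (sum(data) & 0xFFFF).to_bytes(2, "big")


def md5_digest(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def sha256_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def cache_poisoning(digest: Callable[[bytes], bytes]) -> Tuple[bool, bool, int]:
    """Scan CLEAN, then the same-size MALICIOUS file, through one cache.

    Returns (verdict for CLEAN, verdict for MALICIOUS, content scans run).
    A result of (False, False, 1) means the malicious file was served from
    the cache and never scanned.
    """
    cache = ResultCache(digest)
    first = cache.scan(CLEAN)
    second = cache.scan(MALICIOUS)
    return first, second, cache.scans


def high_nibble_variant(data: bytes, positions=range(4, 10)) -> bytes:
    """Flip the high nibble of six header bytes, leaving the payload intact."""
    out = bytearray(data)
    for i in positions:
        out[i] ^= 0x10
    return bytes(out)


def both_detected() -> Tuple[bool, bool]:
    """Two near-identical files sharing the payload: both caught by content scan."""
    cache = ResultCache(md5_digest)
    return cache.scan(MALICIOUS), cache.scan(high_nibble_variant(MALICIOUS))


if __name__ == "__main__":
    for name, fn in (("toy", toy_digest), ("md5", md5_digest), ("sha256", sha256_digest)):
        print(name, cache_poisoning(fn))
    print("near-identical pair detected:", both_detected())
```

The interesting line is the key lookup in `ResultCache.scan`: the cache never re-reads content on a hit, so its safety rests entirely on nobody being able to produce a second file with the same size and digest as an already-cached clean one, which is a second-preimage question, not a collision question.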