On 05/25/2010 08:21 PM, Nathan Gibbs wrote:
> * Török Edwin wrote:
>>
>> Shouldn't Good_file be considered malicious in this case?
>> It was created for the purpose of hash collision with Bad_file ...
>>
> What if however, good_file was never created for that purpose.
> More fodder for the FP DB.
> :-)
>
> The question isn't, why was this created?

For hash collisions it matters how it was created. A lot.
If you create two files A and B with the same hash, that is a hash collision.
If you have a file A, and want to create another file B that is called a preimage attack, and that is *significantly* harder to do than a mere hash collision.
And I don't just mean orders of magnitude harder, but usually N^2 harder.
Google for 'birthday paradox' and cryptography to see why a collision is easier than a preimage attack.

> The question is, is this file a virus?
>
>
> Until we have a loaded & clean file that are the same size and have the same
> MD5 checksum, this discussion is just theoretical.
>
> We need the test case outlined above to "blow up" the current Engine. Until
> someone builds it, this won't get fixed. I sincerely hope the "good guys"
> build it first.

Well I guess we could have a switch so you can turn off caching if you want to be paranoid.

Best regards,
--Edwin
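An added illustration of the distinction drawn in the reply above, between choosing both files and matching a fixed file A; it is not code from the thread or from ClamAV. It truncates MD5 to a 16-bit toy digest (an assumption, so both searches finish in seconds) and counts hash evaluations for each search; all function names are hypothetical.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest width (assumption); real MD5 is 128 bits


def toy_hash(data: bytes, bits: int = BITS) -> int:
    """First `bits` bits of MD5(data), as an integer."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - bits)


def find_collision(seed: bytes, bits: int = BITS):
    """Searcher picks BOTH inputs: stop at the first repeated digest."""
    seen = {}
    for tries in count(1):
        msg = seed + b"|A|" + str(tries).encode()  # constructed input
        h = toy_hash(msg, bits)
        if h in seen:
            return seen[h], msg, tries
        seen[h] = msg


def find_second_file(target: bytes, seed: bytes, bits: int = BITS):
    """File A (`target`) is fixed: search for a different B, same digest."""
    want = toy_hash(target, bits)
    for tries in count(1):
        msg = seed + b"|B|" + str(tries).encode()  # constructed input
        if msg != target and toy_hash(msg, bits) == want:
            return msg, tries


def average_work(trials: int = 5, bits: int = BITS):
    """Mean hash evaluations per search, averaged over several seeds."""
    coll = fixed = 0
    for t in range(trials):
        seed = b"trial-%d" % t
        coll += find_collision(seed, bits)[2]
        fixed += find_second_file(b"fixed file " + seed, seed, bits)[1]
    return coll / trials, fixed / trials


if __name__ == "__main__":
    c, p = average_work()
    print(f"{BITS}-bit digest: collision ~{c:.0f} hashes, "
          f"match for a fixed file ~{p:.0f} hashes")
```

For an n-bit digest the first search needs on the order of 2^(n/2) evaluations (the birthday bound) and the second on the order of 2^n, which is the gap the reply describes.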