Thanks Dave and Al for spending time answering my questions. I did go through the two documents before but did not understand how the different databases get deployed. I was under the (wrong) impression that all the databases would contain signatures for all malware. I saw the different formats as one evolving from another in response to the sophistication malware was undergoing; guess that was wrong.

Apologies for my misunderstanding; guess that's coming from me having no background in computer security. Given that a malware's signature gets captured in one and only one of the different formats, my questions now are:

1) Can ldb (more effectively) represent a malware's signature than ndb or mdb or hdb? Also, is it true that databases which contain (allow) regular expressions, like ndb or ldb, would lead to a decrease in the size of the database, as variants of the malware can be easily captured by fewer signatures? If yes, why do we need mdb, hdb or ndb? Is it for legacy reasons, or for code performance, or something else?

2) What are the factors that an expert signature author would consider before deciding on the format of the signature?

3) How do the different formats get handled by the antivirus coder at design and compilation? I mean, if we were mapping a string matching algorithm which is targeted for fixed length strings (mdb signatures, for instance), that could be designed/optimized differently compared to an algorithm that handles variable length regular expressions (ldb, ndb).

thanks a lot!
-Kaushik

On Wed, Jan 23, 2013 at 7:03 PM, David Raynor <dray...@sourcefire.com> wrote:
> On Wed, Jan 23, 2013 at 9:56 PM, Al Varnell <alvarn...@mac.com> wrote:
>
> > On 1/23/13 5:52 PM, "Kaushik Vaidyanathan" wrote:
> >
> > > I had a couple of basic questions:
> > > a) Of the different signature formats in the cvd file (like mdb, ldb, ndb)
> > > which format does clamav use? Does it pick a format (ldb, mdb, ndb
> > > etc.) depending on the nature of the file under inspection?
> >
> > It uses all of them, but some are format dependent.
> >
> > > b) I guess ldb files are tough to create automatically. If that's true,
> > > then is the ldb file as complete as the mdb file?
> >
> > My impression is that there is little, if any, automation involved in the
> > creation of a signature. I believe they are all done manually and then
> > checked through an automated process.
> >
> > > c) Which signature database (ldb or ndb or mdb etc.) is the best tradeoff
> > > between size of database vs false positives?
> >
> > They serve different purposes, so I don't understand what sort of tradeoff
> > you would be interested in, if there are even statistics available to
> > determine the answer.
> >
> > Have you read through the documentation at
> > <http://www.clamav.net/doc/webinars/Webinar-Alain-2009-03-04.pdf>
> > and
> > <http://www.clamav.net/doc/latest/signatures.pdf>?
> >
> > -Al-
> >
> > --
> > Al Varnell
> > Mountain View, CA
> >
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> > http://www.clamav.net/support/ml
>
> ClamAV loads the entire CVD, with the possible exception of signatures
> which are only loaded if you turn on certain features (e.g. PUA scanning,
> phishing checks, etc.). The 3 filetypes you list are always loaded. What
> kind of signature is written to detect a malware is a choice the signature
> author makes.
>
> Knowing those things may change the way you think about your questions. So
> I agree with Al. The 2 references he is suggesting would probably be a
> helpful read.
>
> Dave R.
>
> --
> ---
> Dave Raynor
> Sourcefire Vulnerability Research Team
> dray...@sourcefire.com
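As an added illustration of the fixed-length versus variable-length distinction raised in question 3, and of the variant-coverage point in question 1, here is a small Python model that is neither ClamAV's code nor from anyone in this thread: hdb entries resolve with one dictionary lookup on (MD5, size), while ndb hex signatures are compiled into byte regexes and scanned across the buffer. The hdb/ndb layouts and the wildcard set follow my reading of the signatures.pdf linked above; the sample buffer and signature names are constructed for the demo.

```python
import hashlib
import re
# Assumed layouts (my reading of the signatures.pdf linked in the thread, not quoted from it):
#   hdb: MD5:FileSize:MalwareName              whole-file hash, fixed-size key
#   ndb: MalwareName:TargetType:Offset:HexSig   body pattern; wildcards ?? * {n} {n-m} {n-} {-n} (aa|bb)
_TOKEN = re.compile(r"\?\?|\*|\{(\d*)(-?)(\d*)\}|\(([0-9a-fA-F|]+)\)|[0-9a-fA-F]{2}")

def hexsig_to_regex(hexsig: str) -> re.Pattern:
    # Translate one ClamAV-style hex signature into a compiled bytes regex.
    out = []
    for m in _TOKEN.finditer(hexsig):
        t = m.group(0)
        if t in ("??", "*"):
            out.append(b"." if t == "??" else b".*?")
        elif t.startswith("{"):
            lo, dash, hi = (g.encode() for g in m.groups()[:3])
            out.append(b".{%s}" % lo if not dash else b".{%s,%s}" % (lo or b"0", hi))
        elif t.startswith("("):
            alts = [re.escape(bytes.fromhex(a)) for a in m.group(4).split("|")]
            out.append(b"(?:" + b"|".join(alts) + b")")
        else:
            out.append(re.escape(bytes.fromhex(t)))
    return re.compile(b"".join(out), re.DOTALL)
def load_signatures(hdb_lines, ndb_lines):
    # hdb entries become a dict keyed on (md5, size); ndb entries become compiled regexes.
    hashes, patterns = {}, []
    for line in hdb_lines:
        md5, size, name = line.strip().split(":")
        hashes[(md5.lower(), int(size))] = name
    for line in ndb_lines:
        name, _target, offset, hexsig = line.strip().split(":", 3)
        patterns.append((name, offset, hexsig_to_regex(hexsig)))
    return hashes, patterns
def scan(data: bytes, hashes, patterns) -> list:
    # Names of every signature that fires: one dict lookup, then one regex pass per body pattern.
    hits = []
    name = hashes.get((hashlib.md5(data).hexdigest(), len(data)))
    if name:
        hits.append(name)
    for name, offset, rx in patterns:
        if (rx.search(data) if offset == "*" else rx.match(data, int(offset))):
            hits.append(name)
    return hits
# Constructed sample buffer and signatures for the demo (not real malware, not real ClamAV entries).
SAMPLE = b"MZ\x90\x00" + b"\x00" * 12 + b"PAYLOAD-v2:" + bytes(range(6)) + b"\xde\xad\xbe\xef"
VARIANT = SAMPLE.replace(b"v2", b"v1") + b"\x00"  # tweaked variant: hash changes, body pattern survives
HDB = ["%s:%d:Demo.Hash.Exact" % (hashlib.md5(SAMPLE).hexdigest(), len(SAMPLE))]
NDB = ["Demo.Body.Fixed:0:0:4d5a90",                                   # 'MZ\x90' anchored at offset 0
       "Demo.Body.Wild:0:*:5041594c4f41442d76(31|32)3a{4-8}deadbeef"]  # 'PAYLOAD-v' 1|2 ':' 4..8 bytes de ad be ef
```

Scanning SAMPLE fires all three signatures, while the byte-tweaked VARIANT misses the hash entry but is still caught by both body patterns, which is the size-versus-coverage tradeoff the questions above are circling.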