My test: virus samples: 1147 viruses.

test1. virus database: main.cld + daily.cld
       the virus count found: 338
test2. virus database: main.cld + daily.cld, but exclude main.mdb, exclude daily.mdb
       the virus count found: 193
test3. virus database: main.mdb + daily.mdb
       the virus count found: 235
test4. virus database: main.mdb + daily.mdb + bytecode
       the virus count found: 235
test5. virus database: bytecode + main.cld + daily.cld, but exclude main.mdb, exclude daily.mdb
       the virus count found: 230
test6. virus database: bytecode + main.cld + daily.cld
       the virus count found: 351
test7. virus database: bytecode
       the virus count found: 1

My questions:

1. Observe test1, test2 and test3.
   Do overlapping signatures exist between db1 and db2?
   db1: main.cld exclude main.mdb + daily.cld exclude daily.mdb
   db2: main.mdb + daily.mdb
   (193 + 235 != 338)

2. Observe test2, test5 and test7, or observe test1, test6 and test7.
   Why is only one virus found when only bytecode is loaded?
   (230 - 193 != 1) or (351 - 338 != 1)

3. Observe test3 and test5.
   Why is the hit rate of mdb so low but its size rate so high? In the cvd, the size rate of mdb (main.mdb + daily.mdb) is close to 98%. Is that normal?
   Why can the combination vdb (bytecode + main.cld + daily.cld, exclude main.mdb, exclude daily.mdb) find so many viruses when its size is so small?

Thanks,
tom