From clamav-devel-bounces@lists.clamav.net  Fri Jul  3 11:10:46 2009
Return-Path: <clamav-devel-bounces@lists.clamav.net>
X-Original-To: list@tad.clamav.net
Delivered-To: list@tad.clamav.net
X-Virus-Scanned: Debian amavisd-new at tad.clamav.net
Received: from tad.clamav.net ([127.0.0.1])
	by localhost (tad.clamav.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id Jo0u6Cv1MvwO; Fri,  3 Jul 2009 11:10:45 +0200 (CEST)
Received: from tad.clamav.net (localhost.localdomain [127.0.0.1])
	by tad.clamav.net (Postfix) with ESMTP id CCF7931C67B;
	Fri,  3 Jul 2009 11:10:44 +0200 (CEST)
X-Original-To: clamav-devel@tad.clamav.net
Delivered-To: clamav-devel@tad.clamav.net
X-Virus-Scanned: Debian amavisd-new at tad.clamav.net
Received: from tad.clamav.net ([127.0.0.1])
	by localhost (tad.clamav.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id OKIGZAkQ5xWB for <clamav-devel@tad.clamav.net>;
	Fri,  3 Jul 2009 11:10:43 +0200 (CEST)
X-Greylist: delayed 1739 seconds by postgrey-1.31 at tad;
	Fri, 03 Jul 2009 11:10:42 CEST
Received: from mail-pz0-f178.google.com (mail-pz0-f178.google.com
	[209.85.222.178])
	by tad.clamav.net (Postfix) with ESMTP id A13CE31C1B5
	for <clamav-devel@lists.clamav.net>;
	Fri,  3 Jul 2009 11:10:42 +0200 (CEST)
Received: by pzk8 with SMTP id 8so2274103pzk.28
	for <clamav-devel@lists.clamav.net>;
	Fri, 03 Jul 2009 02:10:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.143.14.6 with SMTP id r6mr417042wfi.24.1246610500644; Fri, 03 
	Jul 2009 01:41:40 -0700 (PDT)
In-Reply-To: <4A4DC2AB.9050500@gmail.com>
References: <d6cceece9058aebfff1b5f127154803e@i61797>
	<4A4DC2AB.9050500@gmail.com>
Date: Fri, 3 Jul 2009 13:41:40 +0500
Message-ID: <ed0250680907030141u5c029c3ah63a7b5219b2297b2@mail.gmail.com>
From: Ibraheem Khan <ibraheemkhan@gmail.com>
To: ClamAV Development <clamav-devel@lists.clamav.net>
X-Content-Filtered-By: Mailman/MimeDel 2.1.11
Subject: Re: [Clamav-devel] Why MD5 signatures prevail?
X-BeenThere: clamav-devel@lists.clamav.net
X-Mailman-Version: 2.1.11
Precedence: list
Reply-To: ClamAV Development <clamav-devel@lists.clamav.net>
List-Id: ClamAV Development <clamav-devel.lists.clamav.net>
List-Unsubscribe: <http://lists.clamav.net/cgi-bin/mailman/options/clamav-devel>, 
	<mailto:clamav-devel-request@lists.clamav.net?subject=unsubscribe>
List-Post: <mailto:clamav-devel@lists.clamav.net>
List-Help: <mailto:clamav-devel-request@lists.clamav.net?subject=help>
List-Subscribe: <http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-devel>,
	<mailto:clamav-devel-request@lists.clamav.net?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: clamav-devel-bounces@lists.clamav.net
Errors-To: clamav-devel-bounces@lists.clamav.net

Hello Edwin,

Thank you for the useful information. I have a question as well:

1) Is a PE section MD5 signature created from a particular section, like code
or data, or can it be any section?

Thanks.

Regards,
Ibraheem

2009/7/3 Török Edwin <edwintorok@gmail.com>

> On 2009-07-02 23:10, Sang Kil Cha wrote:
> > Hello,
> >
> > When I look at ClamAV's signatures, most of them are md5 signatures.
> > Also, when I download an older version of ClamAV like 0.90 to compare the
> > signature database, the number of md5 signatures has grown dramatically.
>
> 0.90 did not support PE section MD5 signatures (.mdb files), it was
> introduced in 0.92 IIRC.
> PE section MD5 signatures are more useful than md5 signatures of the
> entire file (because it allows the other section of the PE to vary, thus
> catching more samples with a single signature).
>
> > Is there any special reason for this? I guess one of the reasons will be
> > that it is the quickest way to update signatures. Am I thinking about it
> > correctly? Any other reasons for the expanding md5 signatures?
> >
>
> Signatures can be updated just as quickly if they are .ndb. MD5
> signatures are quicker to create though than .ndb.
>
> Best regards,
> --Edwin
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
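
Added example (not part of the original messages and not ClamAV's own code): a sketch of why a per-section MD5 keeps matching when another section of the PE changes, while the whole-file MD5 does not. It assumes the .mdb line layout PESectionSize:MD5:MalwareName with the section's raw size on disk; the two sample images are constructed here and "Demo.Shared" is a hypothetical signature name.

```python
import hashlib
import struct

def build_pe(sections):
    """Build a minimal, constructed PE image: headers plus raw section data."""
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew at 0x3C
    table, body = b"", b""
    data_start = 64 + 4 + len(coff) + 40 * len(sections)
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000,
                             len(data), data_start + len(body), 0, 0, 0, 0, 0)
        body += data
    return dos + b"PE\0\0" + coff + table + body

def section_md5s(image):
    """Return [(name, raw_size, md5_hex)] for every section in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size        # section table follows optional header
    out = []
    for i in range(nsec):
        name, _vsz, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            raise ValueError("section data runs past end of file")
        out.append((name.rstrip(b"\0").decode("ascii", "replace"),
                    raw_size, hashlib.md5(raw).hexdigest()))
    return out

def shared_mdb_lines(a, b, malware_name):
    """Emit PESectionSize:MD5:MalwareName for sections identical in both files."""
    common = {s[1:] for s in section_md5s(a)} & {s[1:] for s in section_md5s(b)}
    return sorted(f"{size}:{digest}:{malware_name}" for size, digest in common)

# Constructed samples: same code section, different data section.
CODE = b"\x90" * 512
VARIANT_A = build_pe([(b".text", CODE), (b".data", b"A" * 512)])
VARIANT_B = build_pe([(b".text", CODE), (b".data", b"B" * 512)])

if __name__ == "__main__":
    print("whole-file MD5 A:", hashlib.md5(VARIANT_A).hexdigest())
    print("whole-file MD5 B:", hashlib.md5(VARIANT_B).hexdigest())
    print("\n".join(shared_mdb_lines(VARIANT_A, VARIANT_B, "Demo.Shared")))
```

The two whole-file hashes differ, but the one section line printed last is common to both variants.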

