Hello Tom,
> I like having a central DB. In fact I think the central DB should be
> queryable (e.g. submit signatures and get feedback if they are already
> superseded by other detections)
I don't think this is technically feasible: there is no easy way to say
whether a particular signature is superseded by another.
> On a similar line I suggested to Luca a while ago that it would be good if
> you maintained a DB of MD5 signatures of files that you have processed.
[snip]
> As far as an MD5 DB, I would like it to include the following status: in
> queue, verified benign, and in work. This would allow me to know that you
> have it and know when something is benign. I know you must have something
> like this internally if for any reason to cull dups and to checkout or
As I explained to you via private email, we do NOT have such
information.
Our sigmakers only do two things when reviewing malware samples: either
they generate a signature that detects the sample, or they discard the
sample.
In the past, they used to set the status of the sample to "in work",
"verified malware"/"verified benign" (to use your naming conventions),
but now they don't do it any longer, due to the amount of samples we
receive every day (between 2 and 3 GBs).
> signature creation so adding some exposure of the DB shouldn't be an
> issue.
It would be possible to expose it - although not easy due to security
policies - if we had it. But we don't.
Regards,
--
Luca Gibelli (luca _at_ clamav.net) ClamAV, a GPL anti-virus toolkit
[Tel] +39 0187 1851862 [Fax] +39 0187 1852252 [IM] nervous/jabber.linux.it
PGP key id 5EFC5582 @ any key-server || http://www.clamav.net/gpg/luca.gpg