alvarnell at mac
Dec 5, 2011, 3:16 AM
Post #2 of 2
On 12/4/11 2:46 PM, "pritha srivastava" <pritha_srivastava [at] yahoo> wrote:
> 1. What do you mean by static malware? Why is MD5 based signature matching
> suitable for static malware?
Static malware is not likely to change over time, so hash signatures don't
have to be constantly updated. More and more, we are seeing malware that is
being periodically changed, either to provide new features, fix bugs or
simply to defeat AV software. With such dynamic malware, new hash signatures
would have to be published with each change. In some cases malware authors
have found ways to change the hash signature with each and every download,
making identification using MD5 impossible.
> 3. In the scan summary, the data scanned is less than the data read. Does the
> data read include the database also?
My understanding is that there are maximum limits on the file size, archive
size, number of files within an archive, etc. Files that exceed these
maximums are included as read but not scanned. I do not believe the database
is included in these numbers.
Mountain View, CA
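An added illustration of the first answer above (not part of the original post and not ClamAV's own code): a hash signature in the MD5:Size:Name layout used by ClamAV .hdb files stops matching after a one-byte change, while a content pattern still matches. The sample bytes, the signature names and the simple body matcher are constructed assumptions, and the body matcher goes slightly beyond the post to show the contrast.

```python
import hashlib

# Constructed, harmless bytes standing in for a file; not real malware.
ORIGINAL = b"HEADER" + b"\x90" * 16 + b"EXAMPLE-MARKER-1234" + b"\x00" * 8
# The same file after a one-byte change (for example a rebuilt copy).
VARIANT = ORIGINAL + b"\x01"

def make_hdb_line(data, name):
    """Build a hash signature line in the .hdb layout: MD5:Size:Name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def parse_hdb(lines):
    """Parse MD5:Size:Name lines into (md5, size, name) tuples."""
    sigs = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        md5, size, name = line.split(":", 2)
        sigs.append((md5.lower(), int(size), name))
    return sigs

def match_hash(data, sigs):
    """Whole-file match: both the size and the MD5 digest must be identical."""
    digest = hashlib.md5(data).hexdigest()
    for md5, size, name in sigs:
        if size == len(data) and md5 == digest:
            return name
    return None

def match_body(data, body_sigs):
    """Content match (hypothetical helper): hex pattern anywhere in the file."""
    for name, hex_pattern in body_sigs:
        if bytes.fromhex(hex_pattern) in data:
            return name
    return None

# Constructed signature sets; the names are placeholders.
HDB = parse_hdb([make_hdb_line(ORIGINAL, "Example.Static.Sample")])
BODY = [("Example.Body.Sample", b"EXAMPLE-MARKER-1234".hex())]

def scan(data):
    """Report which kind of signature, if any, identifies the data."""
    return {"hash": match_hash(data, HDB), "body": match_body(data, BODY)}

if __name__ == "__main__":
    print("original:", scan(ORIGINAL))
    print("variant :", scan(VARIANT))
```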