ngseclists at gmail
Jun 7, 2012, 8:10 AM
Post #3 of 3
Thank you for the information. I'll proceed with an alternative mechanism
to accomplish this (basically run the scan twice, one with md5 db and one
with the hex db).
On Thu, Jun 7, 2012 at 7:36 AM, David Raynor <draynor [at] sourcefire> wrote:
> The scanning functions inside libclamav run in a certain order, and once it
> detects an infection inside a file it short-circuits further scanning. For
> example, smaller offsets are checked before larger offsets. There is no way
> to change the order by changing configuration.
> Dave R.
> Dave Raynor
> Senior Research Engineer, VRT
> On Wed, Jun 6, 2012 at 7:37 PM, ng seclists <ngseclists [at] gmail> wrote:
> > Folks,
> > I'm using clamscan 0.97.4 on CentOS 5.8.
> > Hello, I'm trying to accomplish something specific using my custom
> > databases. I have two custom databases, one matching on MD5 sums and
> > another matching on hex strings. When I run a scan using these databases,
> > it always matches the hex strings first and doesn't match the md5
> > I know the md5 strings match and also the hex strings match as I've
> > to ensure it's not a stupid mistake on my part.
> > I've tested differing filenames, and passing one first to the CLI vs
> > another and there's no change.
> > My question is, is there a way to force database priority, i.e. if
> > a match in the md5 database, skip checking that file in the hex database.
> > It really doesn't even have to exclusively match on the md5, if it
> > both that would be fine too. The debug output for running the scan with
> > only the md5 then only with the hex databases doesn't appear any
> > when it gets to the file matching section.
> > Is this even possible or will I have to run the scan twice, first
> > md5 and next matching hex?
> > Why do I want to do this? Because I'm working on a project with
> > requirements to do it this way. Other suggestions would be helpful,
> > I need to match on md5 first, then match on hex.
> > If this isn't clear or if any additional information is required, please
> > let me know.
> > Thanks in advance,
> > Nathan
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> > http://www.clamav.net/support/ml
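The two-run workaround from the top post (one scan with the MD5 database, one with the hex database), as an added example that is not part of the thread. The function names, the `[md5]`/`[hex]` output tags and the database and file paths are assumptions supplied by the caller; the second pass skips files already flagged by the MD5 pass.

```shell
#!/bin/sh
# Added example, not from the thread: MD5 database first, hex database second,
# and the hex pass only sees files that had no MD5 hit.
# Assumptions: database paths are supplied by the caller; targets are explicit
# file paths, written the same way clamscan prints them (e.g. absolute).

# Extract paths from clamscan result lines of the form "<path>: <sig> FOUND".
found_paths() {
    sed -n 's/^\(.*\): [^ ]* FOUND$/\1/p'
}

# usage: two_pass_scan MD5_DB HEX_DB FILE...
# Prints "[md5] <line>" / "[hex] <line>" for each detection.
# Returns 0 = clean, 1 = detection, 2 = scanner error.
two_pass_scan() {
    md5_db=$1; hex_db=$2; shift 2
    work=$(mktemp -d) || return 2
    md5_rc=0; hex_rc=0

    # Pass 1: MD5 signatures only (clamscan exits 1 on detection, >1 on error).
    clamscan --no-summary --infected -d "$md5_db" "$@" >"$work/md5.out" || md5_rc=$?
    if [ "$md5_rc" -gt 1 ]; then rm -rf "$work"; return 2; fi
    found_paths <"$work/md5.out" >"$work/md5.hits"

    # Pass 2 input: every target that pass 1 did not flag.
    : >"$work/rest"
    for f in "$@"; do
        grep -Fxq -- "$f" "$work/md5.hits" || printf '%s\n' "$f" >>"$work/rest"
    done

    : >"$work/hex.out"
    if [ -s "$work/rest" ]; then
        clamscan --no-summary --infected -d "$hex_db" \
            --file-list="$work/rest" >"$work/hex.out" || hex_rc=$?
    fi
    if [ "$hex_rc" -gt 1 ]; then rm -rf "$work"; return 2; fi

    sed -n 's/^.* FOUND$/[md5] &/p' "$work/md5.out"
    sed -n 's/^.* FOUND$/[hex] &/p' "$work/hex.out"
    rm -rf "$work"
    if [ "$md5_rc" -eq 1 ] || [ "$hex_rc" -eq 1 ]; then return 1; fi
    return 0
}

# Run directly: sh two_pass.sh MD5_DB HEX_DB FILE...
if [ "$#" -ge 3 ]; then two_pass_scan "$@"; fi
```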