Joined: 09 Jul 2006
Posts: 4292
Location: USA
There are several types of signatures, and all of them are subject to false positives. Some types have a specific length/size. The most specific signature is a hash of the entire file, which provides a unique sig (there is a very small chance an MD5 hash can have an evil twin, however), but this will catch only a specific version of a virus file. If the file is changed just a little bit (and virus writers can change them often), the sig will not be any good. So the sigmakers try to get a signature that will be used again--entry point, packer, main executable, program code. The specific file hash is used only as a last resort.

Did you know that virus writers have services similar to VirusTotal and Jotti where they can see which AVs detect their viruses? The services will also make subsequent periodic checks and inform the virus writers when AVs start detecting their virus, so they can change it. They then repack/compress the original file, and it comes out unique again--it's quite automated. Some viruses are changed hourly!

I am hopeful that the new Clam signatures available with version .96 will be both more specific and longer lasting.

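The trade-off the post describes, a whole-file hash signature that is exact but brittle versus a code-pattern signature that survives small edits but risks false positives, in a small added example. This is illustrative code written for this thread, not ClamWin or ClamAV code, and it does not reproduce ClamAV's real signature file formats; the sample "files", the signature names and the byte patterns are all constructed here.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample files (not real malware): a fake "MZ" header, a short
# code-like byte sequence at offset 32, then a version string.
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 28 + b"\xe8\x00\x00\x00\x00\x5b\x81\xeb" + b"payload-v1"
# The "repacked" variant: identical except for a few changed bytes at the end.
VARIANT = ORIGINAL.replace(b"payload-v1", b"payload-v2")
# A constructed benign file that shares only the generic header bytes.
BENIGN = b"MZ\x90\x00" + b"\x00" * 28 + b"\x55\x8b\xec" + b"hello"


def hash_signature(data: bytes) -> Tuple[str, int]:
    """Whole-file signature: MD5 digest plus file size (the most specific kind)."""
    return hashlib.md5(data).hexdigest(), len(data)


def matches_hash(data: bytes, sig: Tuple[str, int]) -> bool:
    """Exact match only: any changed byte yields a different digest."""
    return hash_signature(data) == sig


def matches_pattern(data: bytes, hex_pattern: str, offset: Optional[int] = None) -> bool:
    """Byte-pattern signature: hex bytes at a fixed offset, or anywhere if offset is None."""
    pattern = bytes.fromhex(hex_pattern)
    if offset is None:
        return pattern in data
    return data[offset:offset + len(pattern)] == pattern


# Hypothetical signature sets, keyed by a made-up detection name.
HASH_SIGS: Dict[str, Tuple[str, int]] = {
    "Test.Exact.Hash": hash_signature(ORIGINAL),
}
PATTERN_SIGS: Dict[str, Tuple[str, Optional[int]]] = {
    # 8 bytes of "program code" at offset 32: survives the version-string edit.
    "Test.Code.Pattern": ("e8000000005b81eb", 32),
    # Only the 4 generic header bytes: too short, so it also hits benign files.
    "Test.Weak.Pattern": ("4d5a9000", 0),
}


def scan(data: bytes) -> List[str]:
    """Return the sorted list of signature names that match the given bytes."""
    hits = [name for name, sig in HASH_SIGS.items() if matches_hash(data, sig)]
    hits += [name for name, (pat, off) in PATTERN_SIGS.items()
             if matches_pattern(data, pat, off)]
    return sorted(hits)


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{label:8s} -> {scan(sample)}")
```

Running it shows the three outcomes the post talks about: the original file hits all three signatures, the repacked variant loses the hash signature but is still caught by the code pattern, and the benign file is a false positive on the weak header-only pattern, which is why signature writers balance pattern length against how many files a pattern is likely to touch.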
False positives becoming routine around here