clamav-users August 2009 archive

Re: [Clamav-users] How ClamAV compare MD5 signature with other file?

From: Tomasz Kojm <tkojm_at_nospam>
Date: Tue Aug 04 2009 - 06:59:14 GMT
To: clamav-users@lists.clamav.net


On Tue, 04 Aug 2009 13:55:29 +0700
Nguyen Duy Anh Tuan <duyatuan@gmail.com> wrote:

> Hi there,
> I've just been starting to study how clamav works.
> Can you show me the scanning method of clamav when dealing with md5
> signatures?
> I tried some tests, but I don't understand at all :(
> - first, I used clamscan to scan file clam.ea06.exe in folder "test"
> of clamav source and it reported virus ClamAV-Test-File, I searched in
> main.cvd and found that the signature was located in main.hdb file, so
> it means that it's md5 checksum? right? here it is:
> aa15bcf478d165efd2065190eb473bcb:544:ClamAV-Test-File
>
> - then, I calculated md5 checksum of file "clam.ea06.exe" by using "
> sigtool --md5 " and I got this
> 21d1acd7ff5a8ff24b08d07be6f47709:257960:clam.ea06.exe
>
> - I also got the different checksum of file "clam.ea05.exe"
> 6b2324ea0df473777f58ca8d59d53ea5:211738:clam.ea05.exe
> but clamav still reported the same virus.
>
> Please help me out! Thanks in advance!

Tip: run 'clamscan --debug --leave-temps clam.ea06.exe' and look at the
temporary files

-- 
   oo    .....         Tomasz Kojm <tkojm@clamav.net>
  (\/)\.........         http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._         0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\              Tue Aug  4 08:58:33 CEST 2009
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
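An added example, not part of the original thread and not ClamAV's own code: a `.hdb` entry has the form `md5:size:name` and matches a scanned object only when both size and MD5 agree, so the 544-byte signature above cannot match the 257960-byte or 211738-byte files as a whole, only something extracted from them. The sketch below checks every file in a directory of leftover temporary files against `.hdb` entries; the function names, file names and sample bytes are constructed for illustration.

```python
from __future__ import annotations
import hashlib, os, tempfile
from typing import NamedTuple

class HdbSig(NamedTuple):
    md5: str
    size: int
    name: str

def parse_hdb_line(line: str) -> HdbSig:
    """Parse one 'md5:size:name' entry in the form shown from main.hdb."""
    md5, size, name = line.strip().split(":", 2)
    return HdbSig(md5.lower(), int(size), name)

def match_file(path: str, sigs: list[HdbSig]) -> str | None:
    """Return the signature name if the file's size AND MD5 both match."""
    size = os.path.getsize(path)
    candidates = [s for s in sigs if s.size == size]
    if not candidates:            # size differs: hashing cannot produce a hit
        return None
    with open(path, "rb") as fh:
        digest = hashlib.md5(fh.read()).hexdigest()
    return next((s.name for s in candidates if s.md5 == digest), None)

def scan_tree(root: str, sigs: list[HdbSig]) -> dict[str, str]:
    """Check every file under root, e.g. a directory kept by --leave-temps."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            name = match_file(path, sigs)
            if name:
                hits[os.path.relpath(path, root)] = name
    return hits

def demo() -> dict[str, str]:
    # Constructed stand-ins: 'payload' plays the small inner file, and
    # 'container.bin' plays a packed file that hides it in another encoding.
    payload = b"CONSTRUCTED-INNER-PAYLOAD" * 4
    sig = parse_hdb_line(
        f"{hashlib.md5(payload).hexdigest()}:{len(payload)}:Constructed-Test-File")
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "container.bin"), "wb") as fh:
            fh.write(b"HEADER" + payload[::-1] + b"PADDING")
        os.mkdir(os.path.join(root, "scan-tmp"))
        with open(os.path.join(root, "scan-tmp", "extracted.0"), "wb") as fh:
            fh.write(payload)
        return scan_tree(root, [sig])

if __name__ == "__main__":
    print(demo())
```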