Hello Tom,

> I like having a central DB. In fact I think the central DB should be
> queryable (eg submit signatures and get feedback if they are already
> superseded by other detections)

I don't think this is technically feasible: there is no easy way to say whether a particular signature is superseded by another.

> On a similar line I suggested to Luca a while ago that it would be good if
> you maintained a DB of MD5 signatures of files that you have processed.

[snip]

> As far as an MD5 DB, I would like it to include the following status: in
> queue, verified benign, and in work. This would allow me to know that you
> have it and know when something is benign. I know you must have something
> like this internally if for any reason to cull dups and to checkout or

As I explained to you via private email, we do NOT have such information. Our sigmakers only do two things when reviewing malware samples: either they generate a signature that detects the sample, or they discard the sample. In the past, they used to set the status of the sample to "in work", "verified malware"/"verified benign" (to use your naming conventions), but now they don't do it any longer, due to the amount of samples we receive every day (between 2 and 3 GBs).

> signature creation so adding some exposure of the DB shouldn't be an
> issue.

It would be possible to expose it - although not easy due to security policies - if we had it. But we don't.

Regards,

--
Luca Gibelli (luca _at_ clamav.net) ClamAV, a GPL anti-virus toolkit
[Tel] +39 0187 1851862 [Fax] +39 0187 1852252 [IM] nervous/jabber.linux.it
PGP key id 5EFC5582 @ any key-server || http://www.clamav.net/gpg/luca.gpg