Q: MD5 Hash values for viruses ( No Answer,   0 Comments )
Question  
Subject: MD5 Hash values for viruses
Category: Computers
Asked by: jsclmedave-ga
List Price: $2.00
Posted: 20 Aug 2004 07:43 PDT
Expires: 19 Sep 2004 07:43 PDT
Question ID: 390332
I am looking for the MD5 hash values of known viruses.  I want to use
Group Policy to block these values from being able to run, if they
happen to get through my security.  I have searched Symantec and have a
large list of MD5 values but I am not sure what is a Symantec program
and which, if any, are the MD5 values for the viruses.

Request for Question Clarification by maniac-ga on 21 Aug 2004 10:52 PDT
Hello Jsclmedave,

I am not quite sure what you are asking for or how "what you may be
asking" would be helpful.

If you are asking for MD5 values of executables of known viruses, that
is easily defeated by a virus writer by using a polymorphic or similar
method that introduces changes to an insignificant part of the
executable. Each such virus would have a separate MD5 value and only
one instance would be trapped by your MD5 check.

If this does not make sense or if you are asking for something else -
please make a clarification to your question.

  --Maniac

Clarification of Question by jsclmedave-ga on 24 Aug 2004 13:26 PDT
That's what I was talking about...  I was under the impression that,
say, Netsky.p would have a set MD5 hash value.   I am protected
against it, but if an office member still decided to open it via a USB
port or something, it would do no harm since it was blocked in the GP
of the "restrict software" setting.  If another variance of it came
out, I would simply update it again.

I receive alerts about new and changing versions throughout the day
and I am constantly online checking for new versions as well.  If I
knew where to find the MD5 Hash value it would not be a problem to
update it daily as well.  Unless of course it was constantly changing
throughout the day.

I am not a Guru at MD5 Hash values by any means...  It was suggested
that this was yet another bit of security to apply.

Request for Question Clarification by maniac-ga on 25 Aug 2004 17:27 PDT
Hello Jsclmedave,

What I mean by this...
  "Each such virus would have a separate MD5 value and
   only one instance would be trapped by your MD5 check."

Means that if you looked at 20 copies of a specific virus, each and
every copy would have a different MD5 hash value. For a reference, see
  http://www.cknow.com/vtutor/vtpolymorphic.htm
or search using the phrase
  polymorphic virus
to get a number of good references that explain the process.

Your statement of
  "... it [the MD5 hash] was constantly changing
   throughout the day."
is a pretty concise explanation of what will happen with such a virus.

Note that most virus detection packages use other methods (generally a
common signature) to detect each virus infection.
  --Maniac
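
Added example (not part of the original thread): a short Python comparison of the two detection approaches discussed above, an exact MD5 deny list versus a common byte signature, run over 20 constructed copies that differ only in a few filler bytes. The byte strings, the marker and the function names are assumptions made up for the illustration; the samples are benign, and a plain substring match is a simplification of what scanners do.

```python
import hashlib

# Constructed stand-ins for file contents: benign bytes, not real malware.
MARKER = b"EXAMPLE-COMMON-SIGNATURE"   # hypothetical byte sequence shared by every copy
BASE = b"MZ" + b"\x00" * 32 + MARKER + b"\x00" * 16
CLEAN = b"MZ" + b"\x00" * 64           # constructed unrelated file without the marker


def make_copies(n):
    """Return n copies that differ only in four trailing filler bytes."""
    return [BASE + bytes([i]) * 4 for i in range(n)]


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def blocked_by_hash(data, deny_list):
    """Exact-match rule: only a byte-for-byte identical file is caught."""
    return md5_hex(data) in deny_list


def matches_signature(data, signature=MARKER):
    """Common-signature rule: caught if the shared byte sequence is present."""
    return signature in data


def compare(n=20):
    copies = make_copies(n)
    # The administrator records the hash of the first sample that was seen.
    deny_list = {md5_hex(copies[0])}
    return {
        "copies": n,
        "distinct_md5": len({md5_hex(c) for c in copies}),
        "hash_hits": sum(blocked_by_hash(c, deny_list) for c in copies),
        "signature_hits": sum(matches_signature(c) for c in copies),
        "clean_flagged": blocked_by_hash(CLEAN, deny_list) or matches_signature(CLEAN),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

A hash rule remains an exact-match control: it is reliable for one specific, unchanging file and nothing else.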
Answer  
There is no answer at this time.

Comments  
There are no comments at this time.
