I read in Peter Szor's Art of Computer Virus Research and Defense that, in the past, a 16-byte malware signature was sufficient to detect 16-bit malware, but that longer signatures are necessary for 32-bit malware. I am wondering how large the typical signature is for modern malware.
-2
- 1 I find it hard to believe that the length of the address bus or registers directly correlates to the length of a malware signature. It's far more likely that malware was simpler back then, and thus required shorter signatures to detect it. As software (malware included) increases in complexity, so do signatures. – Nov 07 '19 at 19:16
- Yeah, I can see that being the case. I'm still interested in knowing how long a viable signature is nowadays. – chillsauce Nov 07 '19 at 19:41
1 Answer
2
What antivirus vendors mean when they use the term signature is not digital signature/hash/checksum. A malware signature here is really best described as a short program written in a domain-specific language that can classify whether a file is or isn't malware. It does not necessarily have a specific length to it, but rather depends on the complexity of distinguishing it from legitimate software.
Further reading: How do antiviruses scan for thousands of malware signatures in a short time?
Lie Ryan
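The answer's point, that a signature behaves like a small classifier program rather than a fixed-length byte string, shown as an added example that is not part of the original answer and not any vendor's rule format. The `Signature` class, the rule name, the byte patterns and the sample buffers are all constructed for illustration.

```python
import re

def compile_hex(pattern):
    """Turn a hex pattern like 'E8 ?? ?? 00 00 5D' into a bytes regex ('??' = any byte)."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

class Signature:
    """Hypothetical rule: named byte patterns plus a condition over where they hit."""
    def __init__(self, name, strings, condition):
        self.name = name
        self.strings = {key: compile_hex(pat) for key, pat in strings.items()}
        self.condition = condition

    def matches(self, data):
        hits = {key: [m.start() for m in rx.finditer(data)]
                for key, rx in self.strings.items()}
        return bool(self.condition(hits, data))

# Constructed rule; the name and byte patterns are made up for this example.
RULE = Signature(
    name="Example.Constructed.A",
    strings={"stub": "E8 ?? ?? 00 00 5D", "marker": "DE AD BE EF"},
    # Classify as a hit only if the file starts with "MZ" and the marker
    # follows the stub within 64 bytes; either pattern alone is not enough.
    condition=lambda hits, data: data[:2] == b"MZ" and any(
        0 < m - s <= 64 for s in hits["stub"] for m in hits["marker"]),
)

def build(stub_hex, gap=20, header=b"MZ"):
    """Build a constructed test buffer (harmless bytes, not a real executable)."""
    return (header + b"\x90" * 30 + bytes.fromhex(stub_hex)
            + b"\x00" * gap + bytes.fromhex("DEADBEEF"))

SAMPLE_A = build("E8 10 02 00 00 5D")             # original constructed sample
SAMPLE_B = build("E8 77 01 00 00 5D")             # variant: wildcard bytes differ
SAMPLE_FAR = build("E8 10 02 00 00 5D", gap=200)  # marker too far from stub
SAMPLE_MARKER_ONLY = b"MZ" + b"\x00" * 40 + bytes.fromhex("DEADBEEF")

def scan(data, rules=(RULE,)):
    """Return the names of all rules that classify the buffer as a match."""
    return [rule.name for rule in rules if rule.matches(data)]

if __name__ == "__main__":
    for label in ("SAMPLE_A", "SAMPLE_B", "SAMPLE_FAR", "SAMPLE_MARKER_ONLY"):
        print(label, scan(globals()[label]))
```

The rule's size is set by how many patterns and conditions are needed to separate the two variants from the near misses, which is why no single byte count answers the question.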