Comments on Windows Incident Response: Malware for Incident Responders - FakeXPA
(comment feed, retrieved 2024-03-19)

Comment by H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2009-03-07 14:26 -05:00:

"...if the malware doesn't change"

But there are four hashes for the latest variant. If that doesn't indicate that the malware changes, I'm not sure what would.

Honestly, there's nothing that prevents AV vendors from improving the information they provide to customers, or even improving their own processes.

Comment by Anonymous, 2009-03-07 13:20 -05:00:

Think of the list of SHA1s as a list of references for a scholarly paper. Sometimes they can be used for actual detection if the malware doesn't change. And some security vendors have huge collections and thus can pull the actual sample from their database and use the fact that we associated them together to better build generic signatures.