New service - the Team Cymru Malware Hash Registry!
steve.freegard at fsl.com
Tue Oct 28 22:35:16 GMT 2008
--[ UxBoD ]-- wrote:
> Steve, understood, but if a local persistant cache was generated then the number of upstream look ups for the same hash would reduce ? would this not also reduce the load on the upstream servers ? sorry if I am being stupid but it kinda makes sense to me :( isn't that what AV sigs are for ?
All the records from the Malware Hash Registry have a TTL of 86400
seconds (24 hours), so that means that if you're looking up the same
hash within 24 hours - it will come from your local cache provided it
hasn't been purged to reclaim space.
If you maintain a local cache - you really don't save a lot of lookups
to the upstream since the vast majority of lookups are going to be
negative lookups (e.g. NXDOMAIN).
DNS was designed with caching in mind; and it works just fine for the
purposes it was designed for - adding a second cache is almost always a
bad idea and will introduce lag and incorrect results along with space
If you're going to argue a local cache for these hashes - why not argue
for local caching for DNS BL or URI BL lookups as well? The reason we
don't do local caching for these is exactly the same as why we shouldn't
do it here - the data is fluid - there's no guarantee that a positive or
negative lookup now yield the same result the next time you look at the
More information about the MailScanner