Usually an infected copy of a known thing would not match the hash of the file that is whitelisted. Are whitelists done strictly by name or are other checks done?