Can a checksum match & the file still turn out infected?

Can a checksum match & still that file turn out to be infected…
Or is it that once the checksum matches it can be said that a file is not infected by a virus?

It depends on the strength of the chosen checksum… CRC32, e.g., is quite weak and can be fooled with a simple modification of 4 bytes…

SHA-1 or MD5?

SHA-1 & MD5 checksums rather than CRC32

MD5 http://en.wikipedia.org/wiki/MD5

Cryptographic hash function http://en.wikipedia.org/wiki/Cryptographic_hash_function

SHA-1 and MD5 are much stronger than CRC32, but even these hashes aren’t unbreakable… fortunately, there are no critical collisions yet (many digital signatures rely on SHA-1 hashes)…
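As an added illustration (not part of any post in this thread), the Python sketch below shows why a CRC32 match is weak evidence that a file is unchanged: four appended bytes bring a modified copy back to the original CRC32, while its MD5 and SHA-1 digests still differ. The sample data and the helper names `crc32_patch` and `compare` are constructed for this example.

```python
import hashlib
import zlib


def crc32_patch(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes p with zlib.crc32(data + p) == target_crc.

    For a fixed length, CRC32 is affine over GF(2): flipping one input bit
    always flips the same set of output bits. So we measure the effect of
    each of the 32 patch bits and solve a 32x32 linear system.
    """
    base = zlib.crc32(data + bytes(4))
    rows = [(zlib.crc32(data + (1 << i).to_bytes(4, "little")) ^ base, 1 << i)
            for i in range(32)]
    need, patch = target_crc ^ base, 0
    for bit in reversed(range(32)):  # Gaussian elimination, high bit first
        mask = 1 << bit
        idx = next(i for i, (eff, _) in enumerate(rows) if eff & mask)
        eff, combo = rows.pop(idx)
        rows = [(e ^ eff, c ^ combo) if e & mask else (e, c) for e, c in rows]
        if need & mask:
            need ^= eff
            patch ^= combo
    return patch.to_bytes(4, "little")


def compare(original: bytes, candidate: bytes) -> dict:
    """Report which digests of candidate equal those of original."""
    return {
        "crc32": zlib.crc32(original) == zlib.crc32(candidate),
        "md5": hashlib.md5(original).digest() == hashlib.md5(candidate).digest(),
        "sha1": hashlib.sha1(original).digest() == hashlib.sha1(candidate).digest(),
    }


# Constructed sample data standing in for a published file and a modified copy.
ORIGINAL = b"constructed sample: release build 1.0\n" * 8
MODIFIED = ORIGINAL.replace(b"1.0", b"9.9")
FORGED = MODIFIED + crc32_patch(MODIFIED, zlib.crc32(ORIGINAL))

if __name__ == "__main__":
    print(compare(ORIGINAL, FORGED))
```

A matching MD5 or SHA-1 only shows the file is byte-identical to the one the digest was computed from; it says nothing about whether that reference file was clean.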

Sure, the checksum may match and the file still may be infected - if the checksum was generated after the file got infected (possibly because the file author didn’t know his machine is infected).
Remember Win32:Induc? Quite a few infected and signed files out there…

@Pondus
@Max_original
@igor

An Apology From Me To You All
First of all, kindly accept my personal apology. Right after I raised this query a crisis developed due to which I had to rush off. I was therefore unable to respond to your kind, helpful, knowledgeable & prompt reply. I feel sorry for that :frowning:

A Sad Learning
Yes, you are right, all 3 checksum algorithms can & have been broken. Wikipedia also mentions that :frowning:

Why I Asked That Question

  1. I understand different AV use different algorithms & consequently it can happen (& does happen) that some AV fail to catch some virus which possibly some other AV might catch
  2. I learnt from this forum that Artemis algorithm is chosen not to be used by Avast since Avast believes that Artemis has a proneness to throw up a lot of False Positives
  3. I continue to trust Avast & respect that viewpoint & consequently I accept that it must be so regarding Artemis
  4. That said; in terms of probability Artemis throwing up a False Positive might not be 100%
  5. Hence I reasoned (& if I am wrong kindly correct my reasoning) I wondered if a large checksum algorithm like SHA-1 can be relied upon for a user to conclude if Artemis detection can be accepted or rejected with certainty.

My hypothesis was if SHA-1 matches then despite Artemis there is no virus & if SHA-1 does not match then Artemis can be taken to definitely indicate a virus

Practical Real Life Current Example Of ImgBurn 2.5.2.0 in Virus Total Where McAfee Shows Artemis & SHA-1 (& MD5) matches

  1. Despite SHA-1 matching it might indicate virus simply because SHA-1 is neither foolproof nor crackproof
  2. ImgBurn 2.5.2.0 is the leading burning software for a host of storage medium including CD & DVD. I use ImgBurn 2.5.1 which is the penultimate version & have not yet upgraded because SHA-1 as you say is not foolproof or crackproof :frowning:
  3. The ImgBurn 2.5.2.0 exe is infected by Artemis, says McAfee, whether downloaded from ImgBurn's own website, Softpedia or cnet :frowning:

@Igor
Your post was scary & correct. I hope the developer did not upload his exe from his machine when it was infected. But my friend, perhaps the developer did not do that. Why did I say that? Virus Total indicated that the first upload was about 12 hours before my upload. Virus Total showed a clean report for that first download. At the time of the first download only cnet & ImgBurn website had hosted the exe. So then how did this infection happen?

Unfortunately I had not taken a screenshot of the earlier VirusTotal screen to show you this in a pictorially conclusive manner.

Anyway I am enclosing 3 jpgs. Both McAfee show Artemis. There are 3 jpgs because one relates to ImgBurn website, one to Softpedia & one to Cnet.

What would you advise? What is the best course of action?

Due to filesize constraint I could only enclose the 1 jpg. Therefore the other 2 jpgs are not enclosed. Please bear with me.