See, there's your problem. Viruses—infectious code embedded inside unaware
host programs—are probably close to extinction now. Modern malware typically
takes the form of worms and trojans:
Don't have the statistics. There always were all kinds of viri. Inside-program, inside-HDD, standalones.
The latter were always the easiest to deal with.
And boot-kits are showing that the viri are not getting simpler, but the opposite happens: more and more complex and sly they get.
fully self-contained programs or
malicious documents.
Documents? Macro-viri were always the ones embedding themselves into "unaware host documents".
Even then, virtually any programmer who has worked with hashmaps aka dictionaries aka associative arrays - and that means virtually any programmer active today - knows well that a hash collision is a normal and regular thing. And that is nothing but a "1st evaluation" that is only meant to filter out most wrong candidates, so that the real check can be done on the few remaining. A hash is not the check, it is only the means to make fewer checks than you could w/o checking.
So, well, your CRC check "rang the bell", so what? Check the length, check the signature, check a few more hashes. Easy.
Virtually every programmer today - and AV programmers are expected to be among the most experienced - knows that a hash collision is a ubiquitous thing and means nothing per se.
Last but not least, checking viri by hash looks ultimately useless. You need not be anything but a script kiddie to, say, change the Icon or VersionInfo resource and make a completely different hash. No matter how you look at this, you should have some internal invariant signature. And that signature should relate to code or at least data structures, but not to some compiler copyright message or timestamp or the like.
And you know, I have 1st hand experience of AV vendors blocking the RTL instead of particular viri, because that was easier for them.
And I don't think that is a coincidence that AV is among the list
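The two-stage check argued for above, as an added example that is not part of the original post: a cheap hash only selects candidates, length plus SHA-256 confirm them, and the signature covers the code region rather than the whole file. The toy container format, the 16-bit truncation of the CRC (chosen so a collision is cheap to produce) and all sample bytes and names are constructed assumptions.

```python
import hashlib
import zlib

def build(metadata: bytes, code: bytes) -> bytes:
    """Constructed toy container: 2-byte metadata length, metadata, code."""
    return len(metadata).to_bytes(2, "big") + metadata + code

def code_region(blob: bytes) -> bytes:
    """Return the invariant part (code), skipping version/timestamp metadata."""
    return blob[2 + int.from_bytes(blob[:2], "big"):]

def prefilter(region: bytes) -> int:
    """Cheap first-pass key. Truncated to 16 bits so collisions are easy to show."""
    return zlib.crc32(region) & 0xFFFF

class SignatureDB:
    def __init__(self):
        self._buckets = {}  # prefilter key -> [(length, sha256 digest, name)]

    def add(self, name: str, blob: bytes) -> None:
        region = code_region(blob)
        entry = (len(region), hashlib.sha256(region).digest(), name)
        self._buckets.setdefault(prefilter(region), []).append(entry)

    def match(self, blob: bytes):
        region = code_region(blob)
        # Stage 1: the cheap hash only narrows the candidate list.
        for length, digest, name in self._buckets.get(prefilter(region), []):
            # Stage 2: the real check, run only on the few candidates left.
            if length == len(region) and hashlib.sha256(region).digest() == digest:
                return name
        return None

def colliding_benign(target: bytes) -> bytes:
    """Search constructed benign blobs for one sharing the target's prefilter key."""
    key, i = prefilter(code_region(target)), 0
    while True:
        blob = build(b"v1", b"benign-%d" % i)
        if prefilter(code_region(blob)) == key:
            return blob
        i += 1

# Constructed samples: same code body, different metadata.
SAMPLE = build(b"ver=1.0;ts=2001", b"\x90\x90constructed-code-body")
RESTAMPED = build(b"ver=9.9;ts=2024;icon=new", code_region(SAMPLE))
DB = SignatureDB()
DB.add("Constructed.Sample.A", SAMPLE)

if __name__ == "__main__":
    print(DB.match(SAMPLE), DB.match(RESTAMPED), DB.match(colliding_benign(SAMPLE)))
```

The restamped file has a different whole-file hash but still matches, while the benign blob that collides in the prefilter is rejected by the second stage.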