diff -r -u ossec-hids-2.7-orig/src/analysisd/decoders/syscheck.c ossec-hids-2.7/src/analysisd/decoders/syscheck.c
--- ossec-hids-2.7-orig/src/analysisd/decoders/syscheck.c	2012-11-09 03:24:55.000000000 +0100
+++ ossec-hids-2.7/src/analysisd/decoders/syscheck.c	2013-05-12 12:01:43.967411367 +0200
@@ -19,6 +19,8 @@
 #include "alerts/alerts.h"
 #include "decoder.h"
 
+#include <sqlite3.h>
+
 
 typedef struct __sdb
 {
@@ -60,7 +62,37 @@
 /* Global variable */
 _sdb sdb;
 
+/* Extract a token from a string */
+char *extract_token(char *s, char *delim, int position)
+{
+        int count = 0;
+        char tmp[OS_MAXSTR + 1];
+        char *token;
+	strncpy(tmp,s, OS_MAXSTR);
+        token = strtok(tmp, delim);
+        while (token != NULL)
+        {
+                count++;
+                token = strtok(NULL, delim);
+                if (count == position)
+                {
+                        return(token);
+                }
+        }
+        return(NULL);
+}
 
+/* Validate a MD5 string format */
+int validate_md5(char *s)
+{
+	int i;
+	char *hex_chars = "abcdefABCDEF0123456789";
+	if (strlen(s) != 32) return(0);
+	for (i = 0; i < strlen(s); i++) {
+		if (!strchr(hex_chars, s[i])) return(0);
+	}
+	return(1);
+}
 
 /* SyscheckInit
  * Initialize the necessary information to process the syscheck information
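Review bot: `extract_token` returns a pointer into its own stack array `tmp`, so the token's storage is already out of lifetime when the caller reads it; the buffer has to outlive the call, for example `static char tmp[OS_MAXSTR + 1];` or a buffer supplied by the caller. `strncpy(tmp, s, OS_MAXSTR)` also leaves `tmp` unterminated when `s` holds OS_MAXSTR or more characters, so `tmp[OS_MAXSTR] = '\0';` should follow it. Because `strtok` skips empty fields, a message with an empty field shifts every later position, and the function comment should say so. In `validate_md5`, the `strlen(s)` in the loop condition can be replaced by the length of 32 already checked on the line above.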
@@ -744,10 +776,17 @@
  * and to be less resource intensive
  */
 int DecodeSyscheck(Eventinfo *lf)
-{
+{ 
     char *c_sum;
     char *f_name;
 
+    char *p;
+    char stmt[OS_MAXSTR + 1];
+    sqlite3 *conn;
+    sqlite3_stmt *res;
+    int error = 0;
+    int rec_count = 0;
+    const char *tail;
 
     /* Every syscheck message must be in the following format:
      * checksum filename
@@ -809,6 +848,45 @@
     /* Checksum is at the beginning of the log */
     c_sum = lf->log;
 
+    /* Extract the MD5 hash and search for it in the whitelist
+     * Sample message:
+     * 0:0:0:0:78f5c869675b1d09ddad870adad073f9:bd6c8d7a58b462aac86475e59af0e22954039c50
+     */
+    if (Config.md5db) 
+    {
+        if ((p = extract_token(c_sum, ":", 4)))
+        {
+	    if (!validate_md5(p)) { /* Never trust input from other origin */
+		debug0("%s: Not a valid MD5 hash: '%s'", ARGV0, p);
+		return(0);
+	    }
+    	    debug1("%s: Checking MD5 '%s' in %s", ARGV0, p, Config.md5db);
+	    if (!(error = sqlite3_open(Config.md5db, &conn)))
+	    {
+	        sprintf(stmt, "select md5sum from files where md5sum = \"%s\"", p);
+	        error = sqlite3_prepare_v2(conn, stmt, 1000, &res, &tail);
+	        if (error == SQLITE_OK) {
+		    while (sqlite3_step(res) == SQLITE_ROW)
+		    {
+			rec_count++;
+		    }
+		    if (rec_count) {	
+			sqlite3_finalize(res);
+                        sqlite3_close(conn);
+		    	debug0(MD5_NOT_CHECKED, ARGV0, p);
+		        return(0);
+                    }
+    	        }
+	        sqlite3_finalize(res);
+	        sqlite3_close(conn);
+	    }
+	    else
+	    {
+		merror(INVALID_IGNORE_MD5DB, ARGV0, Config.md5db);
+            }
+        }
+    }
+
 
     /* Searching for file changes */
     return(DB_Search(f_name, c_sum, lf));
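Review bot: The `return(0)` under `!validate_md5(p)` leaves DecodeSyscheck before `DB_Search` runs, so with `md5db` configured any message whose fifth field is not a 32-character hex string is never compared against the integrity database; a failed validation should skip only the whitelist lookup. The lookup would also be sturdier with a bound parameter and a length of `-1` in place of the `sprintf`-built statement and the literal `1000`, and `conn` should be closed when `sqlite3_open` fails, since SQLite normally hands back a handle even then. The database is opened and closed for every event, which may be costly on a busy manager; a handle opened once at initialisation would avoid that. DecodeSyscheck begins in the previous hunk and continues past this one.

```c
    if (Config.md5db)
    {
        p = extract_token(c_sum, ":", 4);
        /* A malformed hash skips only the whitelist lookup; the event still reaches DB_Search */
        if (p && !validate_md5(p))
        {
            debug0("%s: Not a valid MD5 hash: '%s'", ARGV0, p);
        }
        else if (p)
        {
            if (sqlite3_open(Config.md5db, &conn) != SQLITE_OK)
            {
                merror(INVALID_IGNORE_MD5DB, ARGV0, Config.md5db);
            }
            else if (sqlite3_prepare_v2(conn,
                         "select md5sum from files where md5sum = ?",
                         -1, &res, NULL) == SQLITE_OK)
            {
                sqlite3_bind_text(res, 1, p, -1, SQLITE_STATIC);
                if (sqlite3_step(res) == SQLITE_ROW)
                {
                    rec_count = 1;
                }
                sqlite3_finalize(res);
            }
            /* Close on every path, including a failed open */
            sqlite3_close(conn);
            if (rec_count)
            {
                debug0(MD5_NOT_CHECKED, ARGV0, p);
                return(0);
            }
        }
    }
    /* … unchanged: DB_Search call … */
```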
diff -r -u ossec-hids-2.7-orig/src/config/global-config.c ossec-hids-2.7/src/config/global-config.c
--- ossec-hids-2.7-orig/src/config/global-config.c	2012-11-09 03:24:55.000000000 +0100
+++ ossec-hids-2.7/src/config/global-config.c	2013-05-10 15:05:45.687411731 +0200
@@ -171,6 +171,9 @@
     char *xml_geoip6_db_path = "geoip6_db_path";
 #endif
 
+    /* MD5 DB */
+    char *xml_md5db = "md5db";
+
     _Config *Config;
     MailConfig *Mail;
 
@@ -544,6 +547,14 @@
             }
         }
 #endif
+        /* MD5 DB */
+        else if(strcmp(node[i]->element, xml_md5db) == 0)
+        {
+	    if(Config)
+            {
+                os_strdup(node[i]->content, Config->md5db);
+            }
+        }
         else
         {
             merror(XML_INVELEM, ARGV0, node[i]->element);
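Review bot: `os_strdup(node[i]->content, Config->md5db)` overwrites the field without freeing an earlier value, so a configuration that repeats `<md5db>` leaks the first copy; a `free(Config->md5db);` before the call would cover it, provided the field starts out as NULL, which this patch does not show. The path is also stored without any check, and every hash in that database suppresses syscheck processing for matching files, so a comment here should say that the file must be writable only by the OSSEC administrator. The enclosing function starts and ends outside the hunk.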
diff -r -u ossec-hids-2.7-orig/src/config/global-config.h ossec-hids-2.7/src/config/global-config.h
--- ossec-hids-2.7-orig/src/config/global-config.h	2012-11-09 03:24:55.000000000 +0100
+++ ossec-hids-2.7/src/config/global-config.h	2013-05-10 15:05:18.855412338 +0200
@@ -82,6 +82,8 @@
     char *geoip6_db_path;
 #endif
 
+    /* MD5 DB support */
+    char *md5db;
 }_Config;
 
 
diff -r -u ossec-hids-2.7-orig/src/Config.Make ossec-hids-2.7/src/Config.Make
--- ossec-hids-2.7-orig/src/Config.Make	2012-11-09 03:24:55.000000000 +0100
+++ ossec-hids-2.7/src/Config.Make	2013-05-10 00:34:08.523411783 +0200
@@ -8,7 +8,7 @@
 include ${PT}Config.OS
 
 
-CFLAGS = -g -Wall -I${PT} -I${PT}headers ${CPATH} ${CEXTRA} ${DEXTRA} ${EEXTRA} ${FEXTRA} ${GEXTRA} ${HEXTRA} ${CGEOIP} -DARGV0=\"${NAME}\" -DXML_VAR=\"var\" -DOSSECHIDS
+CFLAGS = -g -Wall -I${PT} -I${PT}headers ${CPATH} ${CEXTRA} ${DEXTRA} ${EEXTRA} ${FEXTRA} ${GEXTRA} ${HEXTRA} ${CGEOIP} -lsqlite3 -DARGV0=\"${NAME}\" -DXML_VAR=\"var\" -DOSSECHIDS
 
 SOURCES = *.c
 OBJECTS = *.o 
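Review bot: `-lsqlite3` is a linker input and does not belong in `CFLAGS`; placed there it is passed to every compile step, and on link lines that expand `CFLAGS` before the object files, linkers that resolve libraries in order may drop it. It should go in the variable the link rules append after the objects, which is not visible in this hunk. As written the flag is also unconditional, unlike `${CGEOIP}` beside it, which appears to be optional, so every binary built from this tree gains an SQLite dependency even when `md5db` is unused.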
diff -r -u ossec-hids-2.7-orig/src/error_messages/error_messages.h ossec-hids-2.7/src/error_messages/error_messages.h
--- ossec-hids-2.7-orig/src/error_messages/error_messages.h	2012-11-09 03:24:55.000000000 +0100
+++ ossec-hids-2.7/src/error_messages/error_messages.h	2013-05-11 17:46:52.783411100 +0200
@@ -132,6 +132,8 @@
 #ifdef GEOIP
 #define INVALID_GEOIP_DB "%s(1276): ERROR: Cannot open GeoIP database: '%s'."
 #endif
+#define INVALID_IGNORE_MD5DB "%s(1277) ERROR: Cannot open MD5 database: '%s'."
+#define MD5_NOT_CHECKED	 "%s(1278) WARN: File with MD5 '%s' not processed."
 
 
 /* Log collector */
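Review bot: The two new messages omit the colon after the numeric code that the neighbouring entry uses (`"%s(1276): ERROR: ..."`), so log parsers keyed on that shape would miss them; they should read `"%s(1277): ERROR: Cannot open MD5 database: '%s'."` and `"%s(1278): WARN: File with MD5 '%s' not processed."`. `MD5_NOT_CHECKED` is labelled WARN but is emitted through `debug0` in syscheck.c, so the suppression of a file may leave no trace in the normal log. If skipped files are meant to be auditable, a regular log call would fit better.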
diff -r -u ossec-hids-2.7-orig/src/LOCATION ossec-hids-2.7/src/LOCATION
--- ossec-hids-2.7-orig/src/LOCATION	2012-11-09 03:24:55.000000000 +0100
+++ ossec-hids-2.7/src/LOCATION	2013-05-10 15:21:26.603421272 +0200
@@ -1,4 +1,4 @@
-DIR="/var/ossec"
+DIR="/opt/ossec"
 CC=gcc
 GCC=gcc
 CLANG=clang
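Review bot: The `DIR` change from `/var/ossec` to `/opt/ossec` looks like a local build setting rather than part of the MD5 whitelist feature, and applying the patch would silently move the install root for everyone else. It should be dropped from the patch, leaving `DIR="/var/ossec"` as it was. If the relocation is intended, it belongs in a separate change with its own explanation.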
