On 2008-12-29 12:53, Babu.N wrote: > Hi, > > I am developing SHIM layer for ClamAV to support Freescale pattern > matching hardware. Could you please clarify a few queries: > > 1. Freescale has a pattern matching engine with 64k pattern capacity. >
How long can the patterns be? Does it support wildcards? Does it support regular expressions? Is it faster than a quad-core CPU? > But clamAV has approx 169000 signatures. This means hardware engine > will not be able to accomodate all the signatures. What if you combine N patterns into a single regular expression (hardware limits allowing). If there is a match, then you use software to tell which of the N patterns matched. > So we plan to read > .db & .ndb files line by line & load as many possible signatures in > hardware pattern table & then let the remaining signatures into > software data structures. > You can try loading type 0, and type 1 patterns into hardware, those are the most time consuming ones. > Queries: > - With the above logic, the signatures in daily.cvd always end > up in software data structures.Can we assume that daily.cvd file > contains the currently prevalent signatures ? If so, does it improve > the performance if we store the daily.cvd signatures in hardware tables ? > - Is main.cvd organized in such a fashion that prevalent > signatures are at the top ? If not, the concern is that hardware scan > hit rate is not as optimal as possible. > There is no particular ordering in the .cvd files. I think new signatures are just added to the bottom. If your hardware allows regular expressions, load those patterns which have a very short static subpattern (2,3,4 bytes). > 2. In clamd signature reloading process, does it always unload the > current signatures & then reload the fresh signatures ? Even if only > daily.cvd is updated in the freshclam update ? > It loads the new signatures, and the old signatures are freed when the last thread that was using it finishes. It always loads all the databases. > 3. When the signature database is updated, Feshclam returns 0. Is > there a way to find whether main.cvd is updated or daily.cvd is > updated or both ? > Yes, you could parse freshclam's logs/stdout, it says one of "main.cvd is up to date", "main.cld is up to date", "main.cld updated", "main.cvd updated" Similarly for daily.cvd/cld. Or just use sigtool --info to find out the DB version, and compare with last. Best regards, --Edwin _______________________________________________ http://lurker.clamav.net/list/clamav-devel.html Please submit your patches to our Bugzilla: http://bugs.clamav.net
