On Sun, 27 Jun 2010 08:57:28 +0800
唐杰 <outstandingca...@gmail.com> wrote:
> Sorry, I may not express clearly. I want to know the what the
> functions in filter.c file do. I think it build a filter before
> scaning and get a position in the scaned file. What is the purpose to
> do this?
The filter runs faster than the AC or BM matcher, it is used to
eliminate parts of the buffer that certainly won't contain a match.
However the filter is only approximate, so it has false positives (but
no false negatives). Thats why AC/BM matcher needs to be run too.
For example: if the trie contains: abc|ade the filter will accept
a[bd][ce]. So it does accept anything the original trie would accept,
but it also accepts some that it wouldn't ('abe' for example).
If the original buffer contains 'aee' though then the filter doesn't
match (and neither would the original trie), so it can skip this match.
Best regards,
--Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
