On 05/23/2010 02:46 AM, Nathan Gibbs wrote:
> * Dennis Peterson wrote:
>> Has the team explored the notion of checking MD5 hashes of signature
>> files before deciding to reload them? Is it even possible to reload only
>> those that have changed since the last reload?
>>
> I've wondered about a similar idea for speeding up file scanning.
> Especially in regards to daily system scans,
>
> After an initial scan, record a file's name, checksum, and time scanned.
> On rescan,
> If a file's checksum hasn't changed from time scanned {
> Scan it with the DB sigs that have changed since then

There are some exceptions here: some databases (daily.ftm, daily.ign(2),
daily.fp, daily.wdb, daily.idb) affect other signatures by their nature.
So if any of these change it should be considered that the entire DB
changed. Also signature removals need to be considered: a previously
infected file can become clean.
This would also mean more memory usage since we would need 2 AC tries:
one for the full DB, and one for the partial DB since last reload.
The partial DB would probably not use that much memory though.
I think this might speed up full-system scheduled scans (compared to the
caching we already do, see below).

> else
> Scan it like it does now
> ( with everything in the DB, I assume. )
> }

A simpler form of this is already implemented in 0.96 :)
If a file is determined to be clean, its MD5 is added to an in-memory cache.
When scanning a new file, its MD5 is computed and looked up in the
cache. If found, it is considered clean.
On DB reload the entire cache is cleared.

Best regards,
--Edwin
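
The rescan decision discussed in this thread, as an added example that is not ClamAV code and not from any of the posters: it chooses between skipping, a partial scan and a full scan, applying the exceptions named above. `RescanPlanner`, its methods, the file paths and `daily.ndb` as the changed database are assumptions made for illustration.

```python
import hashlib

# Databases the thread lists as affecting other signatures; "daily.ign(2)"
# is read here as daily.ign and daily.ign2.
GLOBAL_DBS = {"daily.ftm", "daily.ign", "daily.ign2",
              "daily.fp", "daily.wdb", "daily.idb"}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

class RescanPlanner:
    """Hypothetical planner: decides how much of the DB a rescan needs."""

    def __init__(self):
        self.records = {}   # path -> (md5, verdict, reloads seen at scan time)
        self.reloads = []   # one set of changed database names per reload

    def db_reload(self, changed_dbs):
        self.reloads.append(set(changed_dbs))

    def record(self, path, data, verdict):
        self.records[path] = (md5_hex(data), verdict, len(self.reloads))

    def plan(self, path, data):
        rec = self.records.get(path)
        if rec is None or rec[0] != md5_hex(data):
            return ("full", [])              # new or modified file
        _, verdict, seen = rec
        changed = set().union(*self.reloads[seen:])
        if not changed:
            return ("skip", [])              # same content, same DB
        if changed & GLOBAL_DBS:
            return ("full", [])              # treat as the entire DB changed
        if verdict != "clean":
            return ("full", [])              # a removed signature may clear it
        return ("partial", sorted(changed))  # only the sigs changed since then

def demo():
    p = RescanPlanner()
    p.record("/srv/a.bin", b"constructed sample A", "clean")
    p.record("/srv/b.bin", b"constructed sample B", "infected")
    out = [p.plan("/srv/a.bin", b"constructed sample A")]
    p.db_reload(["daily.ndb"])               # constructed reload event
    out.append(p.plan("/srv/a.bin", b"constructed sample A"))
    out.append(p.plan("/srv/b.bin", b"constructed sample B"))
    out.append(p.plan("/srv/a.bin", b"modified"))
    p.db_reload(["daily.fp"])                # one of the global databases
    out.append(p.plan("/srv/a.bin", b"constructed sample A"))
    return out
```

The planner does not track which signatures were removed, so any previously non-clean file gets a full scan once anything in the DB has changed.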