On 10/18/2010 12:54 PM, Török Edwin wrote:
> What kind of signatures do those 3rdparty databases have?
> Can you use wc -l, and then group them by extension?
> I would expect hashes (.mdb, .hdb) to load quite fast, since we have
> lots of those too, and .ndb, or maybe .ldb to load a bit more slowly if
> you have many.
# wc -l *
2310 bytecode.cld
140903 daily.cld
705232 main.cld
------
848445 (67%)
139 sanesecurity.ftm
20 sigwhitelist.ign2
111 doppelstern.hdb
1613 rogue.hdb
854 spamimg.hdb
63 spamattach.hdb
2158 winnow.attachments.hdb
14344 winnow_malware.hdb
-----
19143 (2%)
56 spam.ldb
3 winnow.complex.patterns.ldb
----
59
216439 INetMsg-SpamDomains-2m.ndb
542 doppelstern.ndb
36235 junk.ndb
19492 jurlbl.ndb
49131 jurlbla.ndb
2217 lott.ndb
1727 mbl.ndb
14604 phish.ndb
11167 scam.ndb
20878 scamnailer.ndb
15439 spear.ndb
3943 spearl.ndb
1901 winnow_malware_links.ndb
709 winnow_phish_complete_url.ndb
------
394424 (31%)
> Although it is expected that using more signatures slows down DB
> reload, 4 minutes is a bit much.
> How long does it take with only the official DBs?
I don't know, I'll have to test that on the off-hours.
BTW clamd spikes the CPU to between 80 and 90% during those 4 minutes.
> That should actually speed up the DB load, since it doesn't have to JIT
> compile the code for Sparc.
> You only get slowed down during a scan.
OK, so no improvements will come from that (I just changed compilers to
gcc 4.4.5 and compiled as 64-bit to see if anything improved, nothing
really changed from the old gcc 3.4.6 and 32-bit; other than I don't get
the warnings about g++ being too old and file descriptors too few).
> AFAIK it supports it only for static code generation (i.e. it requires
> an assembler).
OK.
--
René Berber