On 04/25/2012 03:13 PM, Steve Basford wrote:
>
>
>> I think I'm missing some context here: which DB files are slow to load?
>> The official ones? Just the sanesecurity ones? Any particular DB from the
>> sanesecurity ones?
>
> Hi Edwin,
>
> I've emailed you off-list... but think I've found the issue and work-around.
>
> Sorry for the cross-post to clamav-users.

Most of the time is spent here:

  96.19%  lt-clamscan  libclamav.so.6.1.13  [.] cli_ac_addpatt
   2.42%  lt-clamscan  libc-2.13.so         [.] __memcmp_sse2

         :      if(!ph_add_after && ph->partno <= pattern->partno &&
                   (!ph->next || ph->next->partno > pattern->partno))
   47.55 :      bc098:  movzwl 0x4a(%r12),%eax
    2.34 :      bc09e:  cmp %ax,0x4a(%rbp)
    0.09 :      bc0a2:  ja bbf74 <cli_ac_addpatt+0x294>
    0.02 :      bc0a8:  mov 0x58(%rbp),%rdx
    2.03 :      bc0ac:  test %rdx,%rdx
    0.24 :      bc0af:  je bc127 <cli_ac_addpatt+0x447>
    3.94 :      bc0b1:  cmp 0x4a(%rdx),%ax
    5.13 :      bc0b5:  cmovb %rbp,%r13
    7.47 :      bc0b9:  jmpq bbf74 <cli_ac_addpatt+0x294>

That's because all sigs share a quite long, common prefix, as you've found
(in bofhland_malware_URL.ndb).
Perhaps it'd be faster to load these sigs into the BM matcher instead of AC (as
they don't use any NDB features).
Best regards,
--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
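
Added example, not part of the original message and not ClamAV code: a way to check a third-party .ndb file for the shared-prefix clustering described above before loading it. The function names, the depth of 3 bytes and the sample signatures are assumptions made for illustration; the line layout used is Name:TargetType:Offset:HexSignature.

```python
import os

# Constructed sample in .ndb layout; these are not real signatures.
SAMPLE_NDB = """\
Example.URL.1:0:*:687474703a2f2f6578616d706c652e696e76616c69642f61
Example.URL.2:0:*:687474703a2f2f6578616d706c652e696e76616c69642f62
Example.URL.3:0:*:687474703a2f2f6578616d706c652e696e76616c69642f63
Example.Other.1:0:*:4d5a9000{4}ffff
# comment line
Example.Other.2:1:0:cafebabe??0102
"""

def literal_prefix(hexsig):
    """Leading run of plain hex bytes, stopping at the first wildcard or special."""
    out = []
    for i in range(0, len(hexsig) - 1, 2):
        pair = hexsig[i:i + 2].lower()
        if any(c not in "0123456789abcdef" for c in pair):
            break
        out.append(pair)
    return "".join(out)

def parse_ndb(text):
    """Yield (name, hexsig) per well-formed line; skip blanks, comments, short lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 4:
            yield fields[0], fields[3]

def prefix_report(text, depth=3):
    """Bucket signatures by their first `depth` literal bytes (depth is an assumed
    value). Returns (bucket key, signatures in the largest bucket, length in whole
    bytes of the prefix those signatures have in common)."""
    buckets = {}
    for _name, sig in parse_ndb(text):
        prefix = literal_prefix(sig)
        buckets.setdefault(prefix[:depth * 2], []).append(prefix)
    key, members = max(buckets.items(), key=lambda kv: len(kv[1]))
    return key, len(members), len(os.path.commonprefix(members)) // 2

if __name__ == "__main__":
    print(prefix_report(SAMPLE_NDB))
```

A large bucket with a long common prefix is the pattern worth reporting to the database maintainer.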