Regexes can be slow or even extremely slow to apply, depending on the implementation. Backtracking is the worst, perhaps taking exponential time, but often is cut off by artificial limits.
Does ClamAV perchance precompute Deterministic Finite Automata for the regexes? These run fast, but take time exponential in regex length to set up: https://en.wikipedia.org/wiki/Regular_expression#Implementations_and_running_times On Thu, 11 Apr 2019 00:56:04 +0000 "Micah Snyder \(micasnyd\) via clamav-users" <clamav-users@lists.clamav.net> wrote: > JME, > > As you've pointed out, it appears that some signatures containing a > PCRE regex components are responsible for slow scan times on larger > email files. > > I did a bunch of profiling similar to what Maarten did earlier in > order to narrow it down. I found that Email.Phishing.VOF2 signatures > are performing slower with the eml sample you sent me. > Email.Phishing.VOF2 signatures contain a PCRE regex component to > alert on email attachments with specific names. Now that we've > determined which signatures are performing slowly in these cases, I > am hopeful that we will be able to optimize the Email.Phishing.VOF2 > signatures to improve performance. > > I will note that your idea to lower the PCRERecMatchLimit setting to > 1 will effectively neuter all signatures that rely on regexes and so > I can't recommend this. > > Regards, > Micah _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
