Hi Edwin,

Thanks for your help. I used --dev-ac-only on the command line and that does the trick. I couldn't find anything about using --dev-ac-only in the manual page.

Regards,
Jerry

> Date: Thu, 14 Jul 2011 15:03:12 +0300
> From: edwinto...@gmail.com
> To: clamav-devel@lists.clamav.net
> Subject: Re: [Clamav-devel] ClamAV Algorithms
>
> On 07/12/2011 02:11 AM, Jerry 270 wrote:
> >
> > Hi Edwin,
> >
> > Thanks for your reply. I am doing a Master's degree for which the
> > research is analyzing & investigating malware. I am interested in
> > evaluating algorithms used in anti-virus software, but just investigating
> > whether this is a possibility at the moment. The research project's goal is
> > to define a problem domain, a scenario in which the problem to be
> > investigated exists. Within this problem domain, a research question is
> > posed. This is the question that the project will seek to answer.
> >
> > I enabled DevAVOnly and only the AC signatures appear to be loaded
> > when the config file is reread but when I do a scan of some files the debug
> > information appears to suggest that BM signatures are loaded for GENERIC
> > and PE.
>
> If you are using clamscan then use --dev-ac-only.
> I get 0 BM sigs:
>
> LibClamAV debug: Matcher[0]: GENERIC: AC sigs: 35862 (reloff: 21, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 470 (ac_only mode)
> LibClamAV debug: Using filter for trie 1
> LibClamAV debug: Matcher[1]: PE: AC sigs: 59482 (reloff: 47699, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 468 (ac_only mode)
> LibClamAV debug: Matcher[2]: OLE2: AC sigs: 1726 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 176 (ac_only mode)
> LibClamAV debug: Matcher[3]: HTML: AC sigs: 5773 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 799 (ac_only mode)
> LibClamAV debug: Using filter for trie 4
> LibClamAV debug: Matcher[4]: MAIL: AC sigs: 1146 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 255 (ac_only mode)
> LibClamAV debug: Matcher[5]: GRAPHICS: AC sigs: 23 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 227 (ac_only mode)
> LibClamAV debug: Matcher[6]: ELF: AC sigs: 47 (reloff: 29, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 400 (ac_only mode)
> LibClamAV debug: Using filter for trie 7
> LibClamAV debug: Matcher[7]: ASCII: AC sigs: 1568 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 492 (ac_only mode)
> LibClamAV debug: Matcher[8]: NOT USED: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
> LibClamAV debug: Matcher[9]: MACH-O: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
>
> > What should DevACDepth be set to?
> >
> > If AC is used for signatures containing wildcards and BM is used for
> > signatures without wildcards is it possible to scan using just one type of
> > signature and test the performance of each algorithm that way?
>
> Well you won't be able to load the AC signatures into BM (BM doesn't support
> the wildcards), so a first step would probably be to remove
> the signatures that require AC from the DB.
> You can use 'sigtool --unpack-current main' and 'sigtool --unpack-current
> daily' to unpack the databases.
>
> And then load the DB as by default (into BM), and with --dev-ac-only (into
> AC), and compare them that way.
>
> Also note that the BM algo has an optimization when signatures are tied to a
> specific offset (PE for example).
>
> > How is prefiltering disabled?
>
> Comment out this 'if' in matcher-ac.c:
> if (cli_mtargets[root->type].enable_prefiltering && dconf_prefiltering) {
>
> Best regards,
> --Edwin
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
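
Added example, not part of the thread or of ClamAV: a Python parser for the Matcher[n] debug lines quoted above that reports any target still holding BM signatures or missing the (ac_only mode) marker, which is the check needed before comparing an AC-only run against a default run. The function and variable names are made up here, and the last sample line is constructed on the assumption that a default-mode run prints the same line without the marker.

```python
import re

# One "Matcher[n]" summary line as it appears in the libclamav debug output above.
MATCHER_RE = re.compile(
    r"Matcher\[(?P<idx>\d+)\]:\s*(?P<target>.+?):\s*"
    r"AC sigs:\s*(?P<ac>\d+)\s*\(reloff:\s*\d+,\s*absoff:\s*\d+\)\s*"
    r"BM sigs:\s*(?P<bm>\d+)\s*\(reloff:\s*\d+,\s*absoff:\s*\d+\)\s*"
    r"maxpatlen\s*(?P<maxpatlen>\d+)\s*(?P<mode>\(ac_only mode\))?"
)

def parse_matchers(debug_text):
    """Return one dict per Matcher[n] line, tolerating mail quoting and wrapping."""
    # Join wrapped lines and drop leading '>' quote markers before matching.
    flat = re.sub(r"\s*\n[>\s]*", " ", debug_text)
    return [
        {
            "index": int(m["idx"]),
            "target": m["target"],
            "ac": int(m["ac"]),
            "bm": int(m["bm"]),
            "maxpatlen": int(m["maxpatlen"]),
            "ac_only": m["mode"] is not None,
        }
        for m in MATCHER_RE.finditer(flat)
    ]

def not_ac_only(matchers):
    """Targets that still hold BM signatures or lack the ac_only marker."""
    return [m["target"] for m in matchers if m["bm"] > 0 or not m["ac_only"]]

# Lines taken from the thread, wrapped the way the mail client wrapped them.
THREAD_SAMPLE = """\
> LibClamAV debug: Matcher[0]: GENERIC: AC sigs: 35862 (reloff: 21, absoff: 0)
> BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 470 (ac_only mode)
> LibClamAV debug: Using filter for trie 1
> LibClamAV debug: Matcher[1]: PE: AC sigs: 59482 (reloff: 47699, absoff: 0) BM
> sigs: 0 (reloff: 0, absoff: 0) maxpatlen 468 (ac_only mode)
> LibClamAV debug: Matcher[8]: NOT USED: AC sigs: 0 (reloff: 0, absoff: 0) BM
> sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
"""

# Constructed line (not from the thread): a run where BM signatures were loaded.
CONSTRUCTED_DEFAULT = (
    "LibClamAV debug: Matcher[1]: PE: AC sigs: 100 (reloff: 5, absoff: 0) "
    "BM sigs: 40 (reloff: 0, absoff: 40) maxpatlen 468\n"
)

if __name__ == "__main__":
    print(not_ac_only(parse_matchers(THREAD_SAMPLE)))
    print(not_ac_only(parse_matchers(CONSTRUCTED_DEFAULT)))
```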