Hi,
I am new to CLAMAV & I am just wondering how files are scanned.
Does it work like:
1. PE section is taken from file to be scanned
2. MD5 is calculated
3. That MD5 is compared to all signatures in ClamAV Database
4. If it matches, a virus is found.
I have simplified this. But please let me know if I am
Thank you for reply,
Török Edwin, Very, very good web seminar!
I have 2 more questions:
1) I'd like to measure & compare performance of AC & BM algorithms.
clamscan displays in 'scan summary' a 'time'. Does this time include
disc access, signature tree building in AC(phase1) or BM
Just wonder I
Hi,
I just want to debug ex1.c in Code::Blocks IDE,
But it fails. Please have a look at my screenshot: http://omploader.org/vem1m
What I did:
I've created new folder 'ex1' and I've copied ex1.c file to this folder.
Next I've moved all files from libclamav to this folder.
I change only one line in e
Thanks Joseph for answer,
The quote appears too restrictive - as I found that the file can be
longer, as long as it starts with the Eicar.
> "Any anti-virus product that supports the EICAR test file should
> detect it in any file providing that the file starts with the
> following 68 characters,
Thanks,
There were many troubles. (I am building the project from files I have
copied from libclamav to my newly created project folder).
In many files a line #include was missing.
Guess something wrong with cltypes.h (#ifndef __CLTYPES_H).
Please have a look on my compilation errors:
http://omploader
s long"
I have created a new file by appending some binary data to the Eicar
Test Virus file & ClamAV still recognizes this new file as infected. And
the file is not 68 bytes anymore.
Please give me some feedback.
Regards,
Tom
On Sat, Dec 6, 2008 at 1:55 PM, Thomasz Blaszczyk <[EMAIL PROTE
Thank you for answer,
I have another question. I cannot figure out the meaning of ftonly and troot.
Can I get some explanation for these 2 variables?
They are used in matcher.c [code snipped]:
if(!ftonly && (ret = cli_ac_initdata(&gdata, groot->ac_partsigs,
groot->ac_lsigs, AC_DEFAULT_TRACKLEN)))
And there is also 'groot'.
Tom
On Tue, Dec 9, 2008 at 4:51 PM, Thomasz Blaszczyk <[EMAIL PROTECTED]> wrote:
> Thank you for answer,
>
> I have another question. I cannot figure out the meaning of ftonly and troot.
> Can I get some explanation for these 2 variables?
>
* for PE section sigs */
uint32_t bm_patterns;
/* Extended Aho-Corasick */
uint32_t ac_partsigs, ac_nodes, ac_patterns, ac_lsigs;
struct cli_ac_lsig **ac_lsigtable;
struct cli_ac_node *ac_root, **ac_nodetable;
struct cli_ac_patt **ac_pattable;
uint8_t ac_mindepth, ac_
Another thing,
If I force troot->ac_only=0
if(troot) {troot->ac_only=0;printf("\ntroot->ac_only IN TROOT!!!%d
\n",troot->ac_only);
if(troot->ac_only || (ret = cli_bm_scanbuff(upt, length,
ctx->virname, troot, offset, ftype, desc)) != CL_VIRUS)
ret = cli_ac_scanbuff(upt
Hello,
I just reviewed few multi-pattern string scanning algorithms.
And there are many variants for multi-pattern for Boyer-Moore.
I am curious if the one implemented in Clamav is Boyer-Moore-Horspool
or the one taken from authors of GLIMPSE or Set-wise Boyer-Moore? or
AC_BM proposed by Silicon D
Oh yes, I will create a ramdrive and put all files for scanning there.
Should be fine.
Thanks for hints,
Tom
On Tue, Dec 16, 2008 at 3:50 PM, Lars Sommer wrote:
> Török Edwin wrote:
>>
>> - you should have fast disks, so that you're sure you're benchmarking
>> ClamAV and not your I/O system
>>
>
>
Hi,
I have noticed a kind of limitation in ClamAV. When the time of scanning one
file is longer than 1 sec, the entire file scan is dropped. In order to
compare performance of BM and AC I need to remove that limitation.
Where is this time per one file scan defined?
Any options I can use from command line
ok, it seems that limits.maxfilesize limits to 10MB, but I am able to
scan up to 25MB files. see below:
(when I scan a 30MB file the data scanned is 0. Why is it like that? And I
am able to scan nearly 25MB)
Every byte in sample file is 'B8'
ls -l
total 60656
-rw-r--r-- 1 root root 1600 Dec 17 16:
use them for performance
measurements.
Looking forward to feedback,
Thx,Tom
On Wed, Dec 17, 2008 at 6:10 PM, Thomasz Blaszczyk wrote:
> Thx, found it;)
>
> On Wed, Dec 17, 2008 at 5:47 PM, Török Edwin wrote:
>> On 2008-12-17 18:37, Thomasz Blaszczyk wrote:
>>
I also change all 20 signatures to be in format:
:0:*:
Regards,
Tom
___
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
> What kind of data was scanned?
> Was it hand-crafted, automatically generated, or real world files?
I create files by calling in loop function: fputc('my_byte')
i.e:
file_builder -n sizeoffile -xB8
So entire file consists of bytes 'B8' and I create 2MB, 4MB file, up
to 60MB files
> What is t
> You might want to scan something resembling a real world file, and I'm
> not saying to use /dev/urandom instead of B8.
> I can think of a much more efficient algorithm to match on B8 bytes...
Ohh, yes, there will be several test cases, B8 bytes is only one
There will be also test case upon DNA s
r-Moore make up for lost time.
Still for larger files (with size greater than 3 MB) for the same
signature database Aho-Corasick is better."
Greetings,
Tom
On Sat, Dec 20, 2008 at 7:36 PM, GiM wrote:
> Thomasz Blaszczyk in message 'Re: [Clamav-devel] clamAV scanning algorithm