Re: [Clamav-devel] clamAV scanning algorithm

2008-12-17 Thread Thomasz Blaszczyk
ok, it seems that limits.maxfilesize limits to 10MB, but I am able to scan up to 25MB files. See below: (when I scan 30MB file the data scanned is 0, Why is it like that? and I am able to scan nearly 25MB) Every byte in sample file is 'B8' ls -l total 60656 -rw-r--r-- 1 root root 1600 Dec 17

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-17 Thread Thomasz Blaszczyk
What kind of data was scanned? Was it hand-crafted, automatically generated, or real world files? I create files by calling in loop function: fputc('my_byte') i.e: file_builder -n sizeoffile -xB8 So entire file consists of bytes 'B8' and I create 2MB, 4MB file, up to 60MB files What is the

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-17 Thread Thomasz Blaszczyk
You might want to scan something resembling a real world file, and I'm not saying to use /dev/urandom instead of B8. I can think of a much more efficient algorithm to match on B8 bytes... Ohh, yes, there will be several test cases, B8 bytes is only one There will be also test case upon DNA

Re: [Clamav-devel] build debugging ex1.c

2008-12-09 Thread Thomasz Blaszczyk
And there is also 'groot'. Tom On Tue, Dec 9, 2008 at 4:51 PM, Thomasz Blaszczyk [EMAIL PROTECTED] wrote: Thank you for answer, I have another question. I cannot figure out meaning for ftonly and troot. Can I get some explanation for these 2 variables? They are used in matcher.c [code

Re: [Clamav-devel] build debugging ex1.c

2008-12-09 Thread Thomasz Blaszczyk
, 2008 at 5:00 PM, Török Edwin [EMAIL PROTECTED] wrote: On 2008-12-09 18:51, Thomasz Blaszczyk wrote: Thank you for answer, I have another question. I cannot figure out meaning for ftonly and troot. Can I get some explanation for these 2 variables? They are used in matcher.c [code snipped

Re: [Clamav-devel] build debugging ex1.c

2008-12-09 Thread Thomasz Blaszczyk
Another thing, If I force troot->ac_only=0 if(troot) {troot->ac_only=0;printf("\ntroot->ac_only IN TROOT!!!%d \n",troot->ac_only); if(troot->ac_only || (ret = cli_bm_scanbuff(upt, length, ctx->virname, troot, offset, ftype, desc)) != CL_VIRUS) ret = cli_ac_scanbuff(upt,

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-06 Thread Thomasz Blaszczyk
Thanks Joseph for answer, The quote appears too restrictive - as I found that the file can be longer, as long as it starts with the Eicar. Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-03 Thread Thomasz Blaszczyk
Thank you for reply, Török Edwin, Very, very good web seminar! I have 2 more questions: 1) I'd like to measure and compare performance of AC and BM algorithms. clamscan displays in 'scan summary' a 'time'. Does this time include disc access, signature tree building in AC(phase1) or BM Just wonder If

[Clamav-devel] clamAV scanning algorithm

2008-12-02 Thread Thomasz Blaszczyk
Hi, I am new to CLAMAV. I am just wondering how files are scanned. Does it work like: 1. PE section is taken from file to be scanned 2. MD5 is calculated 3. That MD5 is compared to all signatures in ClamAV Database 4. If match virus is found. I have simplified this. But please let me know

Re: [Clamav-devel] confirm 878cdf1f1ee11bbfe4f147caa216e145422ff8a2

2008-12-02 Thread Thomasz Blaszczyk
Hi, I am new to CLAMAV. I am just wondering how files are scanned. Does it work like: 1. PE section is taken from file to be scanned 2. MD5 is calculated 3. That MD5 is compared to all signatures in ClamAV Database 4. If match virus is found. I have simplified this. But please let me know if I am