[Clamav-devel] ClamAV Scanning Algorithm

2010-04-02 Thread Mohammed Al-Saleh
Hi, I am a newbie to ClamAV and want to know what scanning algorithm is currently used by ClamAV. I would appreciate it if somebody guides me to the best place (maybe an article or source code file) that talks about that. I read somewhere that it uses the Aho-Corasick algorithm; so is it still

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-20 Thread GiM
Thomasz Blaszczyk in message 'Re: [Clamav-devel] clamAV scanning algorithm' wrote: if you switch ClamAV to use only AC, you'll notice a significant performance improvement, at the expense of increased memory usage for the DB. Right, AC trees are quite large and take a lot of memory. So

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-17 Thread Thomasz Blaszczyk
OK, it seems that limits.maxfilesize limits to 10MB, but I am able to scan up to 25MB files. See below: (when I scan a 30MB file the data scanned is 0. Why is it like that? And I am able to scan nearly 25MB) Every byte in the sample file is 'B8' ls -l total 60656 -rw-r--r-- 1 root root 1600 Dec 17

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-17 Thread Török Edwin
On 2008-12-17 18:37, Thomasz Blaszczyk wrote: OK, it seems that limits.maxfilesize limits to 10MB, but I am able to scan up to 25MB files. See below: (when I scan a 30MB file the data scanned is 0. Why is it like that? And I am able to scan nearly 25MB) Read the archives of -users. This

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-17 Thread Török Edwin
On 2008-12-17 20:27, Thomasz Blaszczyk wrote: I just got first results here, http://omploader.org/vMTExNA What do you think about them? What kind of data was scanned? Was it hand-crafted, automatically generated, or real world files? What is the confidence of the values you measured? (I

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-17 Thread Thomasz Blaszczyk
What kind of data was scanned? Was it hand-crafted, automatically generated, or real world files? I create files by calling in a loop the function: fputc('my_byte') i.e.: file_builder -n sizeoffile -xB8 So the entire file consists of bytes 'B8' and I create 2MB, 4MB files, up to 60MB files. What is the

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-17 Thread Török Edwin
On 2008-12-17 21:28, Thomasz Blaszczyk wrote: What kind of data was scanned? Was it hand-crafted, automatically generated, or real world files? I create files by calling in a loop the function: fputc('my_byte') i.e.: file_builder -n sizeoffile -xB8 So the entire file consists of bytes 'B8'

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-17 Thread Thomasz Blaszczyk
You might want to scan something resembling a real world file, and I'm not saying to use /dev/urandom instead of B8. I can think of a much more efficient algorithm to match on B8 bytes... Ohh, yes, there will be several test cases, B8 bytes is only one. There will be also test case upon DNA

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-17 Thread Török Edwin
On 2008-12-17 18:12, Thomasz Blaszczyk wrote: Hi, I have noticed a kind of limitation in ClamAV. When the time of scanning one file is longer than 1 sec, the entire file scan is dropped. There is no such limitation in ClamAV. Best regards, --Edwin

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-06 Thread Thomasz Blaszczyk
Thanks Joseph for the answer. The quote appears too restrictive - as I found that the file can be longer, as long as it starts with the Eicar. Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-04 Thread Török Edwin
On 2008-12-04 00:41, Thomasz Blaszczyk wrote: Thank you for the reply, Török Edwin, Very, very good web seminar! Thanks I have 2 more questions: 1) I'd like to measure and compare the performance of the AC and BM algorithms. clamscan displays in 'scan summary' a 'time'. Does this time include disc

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-03 Thread Thomasz Blaszczyk
Thank you for the reply, Török Edwin, Very, very good web seminar! I have 2 more questions: 1) I'd like to measure and compare the performance of the AC and BM algorithms. clamscan displays in 'scan summary' a 'time'. Does this time include disc access, signature tree building in AC(phase1) or BM Just wonder If

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-03 Thread Joseph Benden
See: http://www.eicar.org/anti_virus_test_file.htm Specifically: Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long Best Regards, Joseph Benden

[Clamav-devel] clamAV scanning algorithm

2008-12-02 Thread Thomasz Blaszczyk
Hi, I am new to CLAMAV. I am just wondering how files are scanned. Does it work like: 1. PE section is taken from file to be scanned 2. MD5 is calculated 3. That MD5 is compared to all signatures in ClamAV Database 4. If match, virus is found. I have simplified this. But please let me know