[Clamav-devel] clamAV scanning algorithm

2008-12-02 Thread Thomasz Blaszczyk
Hi, I am new to ClamAV. I just wonder how files are scanned. Does it work like: 1. PE section is taken from the file to be scanned 2. MD5 is calculated 3. That MD5 is compared to all signatures in the ClamAV database 4. If it matches, a virus is found. I have simplified this, but please let me know

Re: [Clamav-devel] confirm 878cdf1f1ee11bbfe4f147caa216e145422ff8a2

2008-12-02 Thread Thomasz Blaszczyk
Hi, I am new to ClamAV. I just wonder how files are scanned. Does it work like: 1. PE section is taken from the file to be scanned 2. MD5 is calculated 3. That MD5 is compared to all signatures in the ClamAV database 4. If it matches, a virus is found. I have simplified this, but please let me know if I am

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-03 Thread Thomasz Blaszczyk
Thank you for the reply, Török Edwin. Very, very good web seminar! I have 2 more questions: 1) I'd like to measure and compare the performance of the AC and BM algorithms. clamscan displays a 'time' in the 'scan summary'. Does this time include disc access, signature tree building in AC (phase 1) or BM? Just wonder if

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-06 Thread Thomasz Blaszczyk
Thanks Joseph for the answer. The quote appears too restrictive, as I found that the file can be longer, as long as it starts with the EICAR. Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and

Re: [Clamav-devel] build debugging ex1.c

2008-12-09 Thread Thomasz Blaszczyk
And there is also 'groot'. Tom On Tue, Dec 9, 2008 at 4:51 PM, Thomasz Blaszczyk [EMAIL PROTECTED] wrote: Thank you for the answer. I have another question: I cannot figure out the meaning of ftonly and troot. Can I get some explanation for these 2 variables? They are used in matcher.c [code

Re: [Clamav-devel] build debugging ex1.c

2008-12-09 Thread Thomasz Blaszczyk
, 2008 at 5:00 PM, Török Edwin [EMAIL PROTECTED] wrote: On 2008-12-09 18:51, Thomasz Blaszczyk wrote: Thank you for the answer. I have another question: I cannot figure out the meaning of ftonly and troot. Can I get some explanation for these 2 variables? They are used in matcher.c [code snipped

Re: [Clamav-devel] build debugging ex1.c

2008-12-09 Thread Thomasz Blaszczyk
Another thing: if I force troot->ac_only=0: if(troot) {troot->ac_only=0;printf("\ntroot->ac_only IN TROOT!!!%d \n",troot->ac_only); if(troot->ac_only || (ret = cli_bm_scanbuff(upt, length, ctx->virname, troot, offset, ftype, desc)) != CL_VIRUS) ret = cli_ac_scanbuff(upt,
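As an added example, not ClamAV's code and a deliberate simplification of its matcher, here is a small Python model of the flow asked about in the first message of the thread and visible in the matcher.c excerpt above: hash signatures are checked first, then body patterns are run through an Aho-Corasick automaton (the AC matcher the thread compares with BM), and a buffer over the size limit is not scanned at all (the "data scanned: 0" case that comes up later in the thread). Everything in it is constructed for the example: the signature names, the MAX_FILESIZE default, the sample buffers, and the hash database built from one of them. The hash lookup is over the whole buffer, in the MD5:size:name layout of a ClamAV .hdb line, not over a PE section (section hashes are a separate ClamAV signature type), and the BM pass that precedes the AC scan in the excerpt is left out.

```python
"""Simplified hash-then-pattern scan, as an added example (not ClamAV code).

Models three points from the thread:
  * hash signatures checked first (MD5 of the whole buffer plus its size),
  * body signatures matched with an Aho-Corasick automaton (the AC matcher),
  * a maximum file size above which the buffer is not scanned at all.
All signatures and sample inputs are constructed for the example.
"""
import hashlib
from collections import deque

# Assumed default for the size limit; ClamAV's real value comes from its config.
MAX_FILESIZE = 10 * 1024 * 1024

# The 68-byte EICAR test string; its definition requires it at the start of the
# file, so scan_buffer() below also checks the match offset for this one name.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed body signatures: name -> exact byte pattern.
BODY_SIGS = {
    "Eicar-Test-Signature": EICAR,
    "Test.Body.B8run": b"\xb8" * 16,   # a run of the B8 bytes used in the thread
}

# Constructed sample whose whole-buffer MD5 becomes a hash signature.
HASH_SAMPLE = b"MZ\x90\x00" + b"constructed sample, not a real PE image\n" * 4


def build_hash_db(samples):
    """Map (md5 hex, size) -> name, mirroring the MD5:size:name layout of .hdb."""
    return {(hashlib.md5(data).hexdigest(), len(data)): name
            for name, data in samples.items()}


class AhoCorasick:
    """Multi-pattern exact matcher over bytes (goto/fail/output automaton)."""

    def __init__(self, patterns):
        self.goto = [{}]   # state -> {byte: next state}
        self.fail = [0]    # state -> state to fall back to on a mismatch
        self.out = [[]]    # state -> [(name, pattern length)] completed here
        for name, pat in patterns.items():
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append((name, len(pat)))
        # Breadth-first pass fills failure links; depth-1 states fall back to root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # Outputs of the fallback state are also complete at this state.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data):
        """Return [(name, offset)] for every pattern occurrence in data."""
        hits, s = [], 0
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for name, length in self.out[s]:
                hits.append((name, i - length + 1))
        return hits


def scan_buffer(data, hash_db, ac, max_filesize=MAX_FILESIZE):
    """Return (verdict, bytes_scanned); verdict is None when nothing matched."""
    if len(data) > max_filesize:
        return None, 0           # over the limit: nothing is scanned at all
    key = (hashlib.md5(data).hexdigest(), len(data))
    if key in hash_db:           # cheap hash lookup before any pattern work
        return hash_db[key], len(data)
    for name, offset in ac.search(data):
        # EICAR only counts when the buffer starts with it; others match anywhere.
        if name == "Eicar-Test-Signature" and offset != 0:
            continue
        return name, len(data)
    return None, len(data)


if __name__ == "__main__":
    hash_db = build_hash_db({"Test.Hash.Sample": HASH_SAMPLE})
    ac = AhoCorasick(BODY_SIGS)
    for label, buf in [("hash sample", HASH_SAMPLE),
                       ("eicar at start", EICAR + b"\n"),
                       ("eicar embedded", b"junk" + EICAR),
                       ("B8 run", b"\xb8" * 512),
                       ("oversized", b"\xb8" * 2048)]:
        print(label, scan_buffer(buf, hash_db, ac, max_filesize=1024))
```

The size limit is applied before any hashing or matching, which is why an oversized buffer reports zero bytes scanned rather than a clean verdict on a partial read; a scanner that silently truncated instead would report "clean" for a file it never fully looked at.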

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-17 Thread Thomasz Blaszczyk
ok, it seems that limits.maxfilesize limits to 10MB, but I am able to scan up to 25MB files. See below: (when I scan a 30MB file the data scanned is 0. Why is it like that? And I am able to scan nearly 25MB.) Every byte in the sample file is 'B8'. ls -l total 60656 -rw-r--r-- 1 root root 1600 Dec 17

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-17 Thread Thomasz Blaszczyk
What kind of data was scanned? Was it hand-crafted, automatically generated, or real world files? I create files by calling the function fputc('my_byte') in a loop, i.e.: file_builder -n sizeoffile -xB8. So the entire file consists of bytes 'B8', and I create 2MB, 4MB files, up to 60MB files. What is the

Re: [Clamav-devel] clamAV scanning algorithm

2008-12-17 Thread Thomasz Blaszczyk
You might want to scan something resembling a real world file, and I'm not saying to use /dev/urandom instead of B8. I can think of a much more efficient algorithm to match on B8 bytes... Ohh, yes, there will be several test cases; B8 bytes is only one. There will also be a test case upon DNA