Re: [Clamav-devel] ClamAV Algorithms

2011-07-16 Thread Jerry 270

Hi Edwin,

Thanks for your help.  I used --dev-ac-only on the command line and that
does the trick.  I couldn't find anything about using --dev-ac-only in the
manual page.

Regards,

Jerry

> Date: Thu, 14 Jul 2011 15:03:12 +0300
> From: edwinto...@gmail.com
> To: clamav-devel@lists.clamav.net
> Subject: Re: [Clamav-devel] ClamAV Algorithms
>
> On 07/12/2011 02:11 AM, Jerry 270 wrote:
> >
> > Hi Edwin,
> >
> > Thanks for your reply.  I am doing a Master's degree for which the
> > research is analyzing & investigating malware.  I am interested in
> > evaluating algorithms used in anti-virus software, but just investigating
> > whether this is a possibility at the moment.  The research project's goal is
> > to define a problem domain, a scenario in which the problem to be
> > investigated exists.  Within this problem domain, a research question is
> > posed.  This is the question that the project will seek to answer.
> >
> > I enabled DevAVOnly and only the AC signatures appear to be loaded
> > when the config file is reread, but when I do a scan of some files the debug
> > information appears to suggest that BM signatures are loaded for GENERIC
> > and PE.
>
> If you are using clamscan then use --dev-ac-only. I get 0 BM sigs:
>
> LibClamAV debug: Matcher[0]: GENERIC: AC sigs: 35862 (reloff: 21, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 470 (ac_only mode)
> LibClamAV debug: Using filter for trie 1
> LibClamAV debug: Matcher[1]: PE: AC sigs: 59482 (reloff: 47699, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 468 (ac_only mode)
> LibClamAV debug: Matcher[2]: OLE2: AC sigs: 1726 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 176 (ac_only mode)
> LibClamAV debug: Matcher[3]: HTML: AC sigs: 5773 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 799 (ac_only mode)
> LibClamAV debug: Using filter for trie 4
> LibClamAV debug: Matcher[4]: MAIL: AC sigs: 1146 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 255 (ac_only mode)
> LibClamAV debug: Matcher[5]: GRAPHICS: AC sigs: 23 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 227 (ac_only mode)
> LibClamAV debug: Matcher[6]: ELF: AC sigs: 47 (reloff: 29, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 400 (ac_only mode)
> LibClamAV debug: Using filter for trie 7
> LibClamAV debug: Matcher[7]: ASCII: AC sigs: 1568 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 492 (ac_only mode)
> LibClamAV debug: Matcher[8]: NOT USED: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
> LibClamAV debug: Matcher[9]: MACH-O: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
>
> > What should DevACDepth be set to?
> >
> > If AC is used for signatures containing wildcards and BM is used for
> > signatures without wildcards, is it possible to scan using just one type of
> > signature and test the performance of each algorithm that way?
>
> Well you won't be able to load the AC signatures into BM (BM doesn't support
> the wildcards), so the first step would probably be to remove
> the signatures that require AC from the DB.
> You can use 'sigtool --unpack-current main' and 'sigtool --unpack-current
> daily' to unpack the databases.
>
> And then load the DB as by default (into BM), and with --dev-ac-only (into
> AC), and compare them that way.
>
> Also note that the BM algo has an optimization when signatures are tied to a
> specific offset (PE for example).
>
> > How is prefiltering disabled?
>
> Comment out this 'if' in matcher-ac.c:
> if (cli_mtargets[root->type].enable_prefiltering && dconf_prefiltering) {
>
> Best regards,
> --Edwin
___
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net


Re: [Clamav-devel] ClamAV Algorithms

2011-07-14 Thread Török Edwin
On 07/12/2011 02:11 AM, Jerry 270 wrote:
>
> Hi Edwin,
>
> Thanks for your reply.  I am doing a Master's degree for which the
> research is analyzing & investigating malware.  I am interested in evaluating
> algorithms used in anti-virus software, but just investigating whether this
> is a possibility at the moment.  The research project's goal is to define a
> problem domain, a scenario in which the problem to be investigated exists.
> Within this problem domain, a research question is posed.  This is the
> question that the project will seek to answer.
>
> I enabled DevAVOnly and only the AC signatures appear to be loaded when
> the config file is reread, but when I do a scan of some files the debug
> information appears to suggest that BM signatures are loaded for GENERIC and
> PE.

If you are using clamscan then use --dev-ac-only. I get 0 BM sigs:

LibClamAV debug: Matcher[0]: GENERIC: AC sigs: 35862 (reloff: 21, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 470 (ac_only mode)
LibClamAV debug: Using filter for trie 1
LibClamAV debug: Matcher[1]: PE: AC sigs: 59482 (reloff: 47699, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 468 (ac_only mode)
LibClamAV debug: Matcher[2]: OLE2: AC sigs: 1726 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 176 (ac_only mode)
LibClamAV debug: Matcher[3]: HTML: AC sigs: 5773 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 799 (ac_only mode)
LibClamAV debug: Using filter for trie 4
LibClamAV debug: Matcher[4]: MAIL: AC sigs: 1146 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 255 (ac_only mode)
LibClamAV debug: Matcher[5]: GRAPHICS: AC sigs: 23 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 227 (ac_only mode)
LibClamAV debug: Matcher[6]: ELF: AC sigs: 47 (reloff: 29, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 400 (ac_only mode)
LibClamAV debug: Using filter for trie 7
LibClamAV debug: Matcher[7]: ASCII: AC sigs: 1568 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 492 (ac_only mode)
LibClamAV debug: Matcher[8]: NOT USED: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[9]: MACH-O: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)


> What should DevACDepth be set to?
>
> If AC is used for signatures containing wildcards and BM is used for
> signatures without wildcards, is it possible to scan using just one type of
> signature and test the performance of each algorithm that way?

Well you won't be able to load the AC signatures into BM (BM doesn't support
the wildcards), so the first step would probably be to remove
the signatures that require AC from the DB.
You can use 'sigtool --unpack-current main' and 'sigtool --unpack-current 
daily' to unpack the databases.

And then load the DB as by default (into BM), and with --dev-ac-only (into AC), 
and compare them that way.

Also note that the BM algo has an optimization when signatures are tied to a 
specific offset (PE for example).

> How is prefiltering disabled?

Comment out this 'if' in matcher-ac.c:
if (cli_mtargets[root->type].enable_prefiltering && dconf_prefiltering) {

Best regards,
--Edwin
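
One way to do the DB split Edwin describes, as an added example that is not part of this thread or of ClamAV's own code: it reads lines from the files produced by 'sigtool --unpack-current main' / 'daily' and separates the signatures BM can load from those that need AC, using the wildcard rule stated above rather than the loader's exact decision logic. The sample lines are constructed, not real signatures.

```python
"""Split unpacked ClamAV signatures into BM-loadable and AC-only sets.

Added example, not ClamAV's own code.  Assumes the databases were unpacked with
'sigtool --unpack-current main' / 'daily' as the thread suggests; reads legacy
.db lines (Name=HexSig) and .ndb lines (Name:TargetType:Offset:HexSig[:MinFL:MaxFL]).
The split follows the rule stated in the thread (wildcards need AC, plain hex
can go to BM), not the exact decision logic of ClamAV's loader.
"""
import re
from typing import List, Tuple

# Body syntax only the Aho-Corasick matcher handles: '?' nibble/byte wildcards,
# '*' any bytes, '{n-m}' gaps, '[n-m]' ranges, '(aa|bb)' and '!' alternatives.
AC_ONLY = re.compile(r"[?*{}\[\]()|!]")

def hex_body(line: str) -> str:
    """Return the hex part of a .db or .ndb line, or '' if it is neither."""
    if line.count(":") >= 3:               # .ndb: hex is the fourth field; a '*'
        return line.split(":")[3].strip()  # in the Offset field is not a wildcard
    if "=" in line:                        # legacy .db: Name=HexSig
        return line.split("=", 1)[1].strip()
    return ""

def needs_ac(hexsig: str) -> bool:
    """True if the body uses syntax BM cannot load (the thread's rule)."""
    return AC_ONLY.search(hexsig) is not None

def split_signatures(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (bm_loadable, ac_only) signature lines, skipping blanks/comments."""
    bm, ac = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        body = hex_body(line)
        if body:                           # ignore non-body-based lines
            (ac if needs_ac(body) else bm).append(line)
    return bm, ac

# Constructed sample lines (not real signatures) covering both formats.
SAMPLE = """\
# constructed sample, not taken from main.cvd or daily.cvd
Test.Plain.A=deadbeefcafebabe
Test.Wild.B=dead??beefca*feba
Test.Plain.C:1:*:4d5a900003000000
Test.Gap.D:1:EP+0:e8{4}5de8
Test.Alt.E:0:*:ffd8(ff|fe)e0
Test.Range.F:1:*:50450000[2-4]4c01
""".splitlines()
```

Writing the first list back out as a .db/.ndb file gives a database that loads into BM by default, while the original one loaded with --dev-ac-only gives the AC side of the comparison.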

Re: [Clamav-devel] ClamAV Algorithms

2011-07-11 Thread Török Edwin
On 2011-07-11 01:00, Jerry 270 wrote:
>
> Hi,
>
> I am a newbie to ClamAV so require help please.  I am doing a research
> project and would like to evaluate the BM and AC algorithms used by ClamAV.
> Is there any way to get ClamAV to use either BM or AC on their own so scanning
> speed tests can be conducted for each algorithm separately?  I have read on
> this list that you can't get BM to run on its own.
>
> What is the best way to compare the two algorithms and can someone give me
> more information on how ClamAV uses or chooses between BM and AC please?

There are some AC/BM discussions in the archive, see for example:
http://lurker.clamav.net/message/20100426.103047.eb6fd9d0.en.html
http://lurker.clamav.net/message/20100427.131931.b705e603.en.html
http://lurker.clamav.net/message/20081204.212941.c9fa45c2.en.html

You can use DevACOnly to use only the AC algorithm for everything (there is no
equivalent for BM).

Other than that you can use tools such as 'oprofile', or 'perf record / perf
report' to see how much time is spent in functions from matcher-ac.c and how
much time in those from matcher-bm.c.

Also note that there is the prefiltering step too; if you want to measure just
the AC/BM performance, you should disable that (although you'll lose
performance by doing so).

What are your research project's goals?

Best regards,
--Edwin

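
A small helper for the profiling comparison Edwin suggests, added here as an example (not ClamAV's or perf's own code): it sums 'perf report --stdio' overhead by matcher family so the time in matcher-ac.c, matcher-bm.c and the prefilter can be compared between a default run and a --dev-ac-only run. It assumes perf's default stdio line layout; the two sample reports are constructed, not real profiles.

```python
"""Group 'perf report --stdio' overhead by ClamAV matcher family, as the thread
suggests for comparing time spent in matcher-ac.c versus matcher-bm.c.

Added example, not ClamAV's or perf's own code.  Assumes perf's default stdio
layout (overhead%, command, shared object, [.] symbol) and groups symbols by
prefix: cli_ac_* (matcher-ac.c), cli_bm_* (matcher-bm.c), filter_* (filtering.c,
the prefiltering step).
"""
import re
from collections import defaultdict
from typing import Dict, Iterable

PERF_LINE = re.compile(r"^\s*(\d+\.\d+)%\s+\S+\s+\S+\s+\[[.k]\]\s+(\S+)")
FAMILIES = (("cli_ac_", "AC"), ("cli_bm_", "BM"), ("filter_", "prefilter"))

def family(symbol: str) -> str:
    """Map a symbol name to its matcher family, or 'other'."""
    for prefix, name in FAMILIES:
        if symbol.startswith(prefix):
            return name
    return "other"

def aggregate(report: Iterable[str]) -> Dict[str, float]:
    """Sum overhead percentages per family for one perf report."""
    totals: Dict[str, float] = defaultdict(float)
    for line in report:
        m = PERF_LINE.match(line)
        if m:
            totals[family(m.group(2))] += float(m.group(1))
    return dict(totals)

def compare(default_run: Iterable[str], ac_only_run: Iterable[str]) -> Dict[str, tuple]:
    """Per family: (overhead in the default BM+AC run, overhead with --dev-ac-only)."""
    a, b = aggregate(default_run), aggregate(ac_only_run)
    return {f: (round(a.get(f, 0.0), 2), round(b.get(f, 0.0), 2))
            for f in set(a) | set(b)}

# Constructed sample reports (not real profiles) for clamscan over one corpus.
DEFAULT_RUN = """\
    38.10%  clamscan  libclamav.so.6  [.] cli_bm_scanbuff
    21.40%  clamscan  libclamav.so.6  [.] cli_ac_scanbuff
     9.70%  clamscan  libclamav.so.6  [.] filter_search
     4.20%  clamscan  libc-2.13.so    [.] __memcpy_ssse3
""".splitlines()
AC_ONLY_RUN = """\
    55.30%  clamscan  libclamav.so.6  [.] cli_ac_scanbuff
    11.90%  clamscan  libclamav.so.6  [.] filter_search
     2.10%  clamscan  libclamav.so.6  [.] cli_ac_initdata
     3.90%  clamscan  libc-2.13.so    [.] __memcpy_ssse3
""".splitlines()
```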