On Fri, 22 Aug 2003 22:19:47 -0400 Yevgeniy Miretskiy <[EMAIL PROTECTED]> wrote:
> > Because the algorithm is data-dependent (which are very random in
> > our case)
>
> Let's clarify something: by data-dependent do you mean that it depends
> on input? or do you mean that it depends on the database?

Don't make a fool of me, please.

> But, by saying that the data (i.e. the database) is very random,
> are you stating something that's a fact, or is something that you
> think is a fact? Define random please.

Do you think new (not yet existing) virus signatures are predictable?

> Your input is random, but the database is not. The database is finite
> in size, and is constant.

What does "constant" mean here?

> How exactly is your memory usage unpredictable? I really don't
> follow your logic. Not only is it predictable, it can be calculated
> _EXACTLY_ even before running clamav. Or, if you don't feel like
> calculating, just run it, and watch top. Clamav memory usage should
> _never_ go up after db is loaded and first buffer is read.

Yevgeniy, you're still writing obvious things. To make you aware of the problem, imagine the following _real_ problem: we have just received about 1100 virus samples. Imagine we have just created the signatures. Now please tell me the exact clamav memory usage with those new signatures!?

> > Do you really want an anti-virus software which consumes 50 MB of
> > your system's memory ?
>
> Why NOT? I have 1 process that consumes 50MB. Every modern OS
> supports copy on write. I don't have to fork off 50MB for each
> scanner instance.

Every modern OS supports threads. clamd is a multithreaded application and shares the database between all threads without all that copy on write trickery, which is de facto non-standard (derives from System V) and we cannot depend on it.

> I'm sorry, but this makes no sense to me.
> First 2 characters (4000) will be used to locate some node on the
> second level of the trie. Then entire pattern will be added to that
> node's linked list. The matching will continue the same way whether
> it's a 2, or 5 level trie. Very simply, the nodes that contain
> pattern linked lists are marked with is_last=1 (the name should
> probably change).
>
> Why don't you try running the patched clamav with 5 (or however many)
> levels on Hybris.C virus and see if it detects it. I just did --
> detected it just fine.

Bullshit!!! Sorry, it seems you don't understand the problem. Please download the file http://www.mat.uni.torun.pl/~tk/magistr.zip (password: virus). First thing - I've just realized clamav WILL NOT run with the level value higher than 2:

clamscan$ ./clamscan
LibClamAV Error: readdb(): Malformed pattern line 10 (file /usr/local/share/clamav/viruses.db2).
ERROR: Too short pattern detected.

You must remove the W32/BadTrans from viruses.db2. Now scan the oriente.com file from the zip archive with level 2:

[EMAIL PROTECTED]:/tmp$ clamscan oriente.com
oriente.com: W32/Magistr.B FOUND

and with level 3:

[EMAIL PROTECTED]:~/tests/Clam/clamscan$ ./clamscan oriente.com
oriente.com: OK

The virus will be available on the website for a week so everyone can verify I'm right.

Best regards,
Tomasz Kojm
--
   oo    .....       [EMAIL PROTECTED]
  (\/)\.........     http://www.konarski.edu.pl/~zolw
     \..........._   And don't forget to click on the belly...
     //\   /\\       <- C. Amboinensis   www.pajacyk.pl
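The "Too short pattern" failure discussed in this message, as an added example that is not part of the thread and not libclamav code: a simplified fixed-depth prefix trie (no failure links, no wildcards) in which a signature shorter than the trie depth cannot be indexed, so data it used to match is no longer flagged once it is dropped. All names and the sample bytes are hypothetical and constructed; it does not attempt to reproduce the W32/Magistr.B result.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical names; simplified fixed-depth prefix trie, not libclamav code. */
typedef unsigned char u8;
struct patt { const u8 *bytes; size_t len; const char *name; struct patt *next; };
struct node { struct node *child[256]; struct patt *list; };
static struct node *new_node(void) {
    struct node *n = calloc(1, sizeof *n);
    if (!n) abort();
    return n;
}

/* Index a pattern by its first `depth` bytes and chain the whole pattern on
 * the node reached. Returns -1 when the pattern is shorter than the depth. */
int add_pattern(struct node *root, size_t depth, const char *name, const u8 *b, size_t len) {
    if (len < depth) return -1;
    struct node *n = root;
    for (size_t i = 0; i < depth; i++) {
        if (!n->child[b[i]]) n->child[b[i]] = new_node();
        n = n->child[b[i]];
    }
    struct patt *p = malloc(sizeof *p);
    if (!p) abort();
    p->bytes = b; p->len = len; p->name = name;
    p->next = n->list; n->list = p;
    return 0;
}

/* From every offset walk `depth` bytes, then compare each chained pattern in full. */
const char *scan(const struct node *root, size_t depth, const u8 *buf, size_t len) {
    for (size_t off = 0; off + depth <= len; off++) {
        const struct node *n = root;
        for (size_t i = 0; i < depth && n; i++) n = n->child[buf[off + i]];
        for (const struct patt *p = n ? n->list : NULL; p; p = p->next)
            if (p->len <= len - off && !memcmp(buf + off, p->bytes, p->len))
                return p->name;
    }
    return NULL;
}

/* Constructed data: load one 2-byte and one 4-byte signature at `depth`,
 * skip what the loader rejects, and scan a buffer holding only the short one. */
const char *demo(size_t depth) {
    static const u8 s[] = {0x40, 0x00}, l[] = {0x40, 0x00, 0xde, 0xad};
    static const u8 buf[] = {0x11, 0x40, 0x00, 0x22, 0x33};
    struct node *root = new_node();
    add_pattern(root, depth, "Test.Short", s, sizeof s);
    add_pattern(root, depth, "Test.Long", l, sizeof l);
    return scan(root, depth, buf, sizeof buf);
}
```

`demo(2)` returns the short signature's name, while `demo(3)` returns NULL because the 2-byte signature was rejected at load time, which is why any change of depth needs a check that every existing signature still loads and still fires on its sample.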
