On [08/23/03 21:25], Tomasz Kojm wrote: > On Fri, 22 Aug 2003 22:19:47 -0400 > > Don't make a fool of me, please. >
I wasnt, but I had a feeling you did (by assuming that
nobody else could find details on the algorithm).
>
> Yevgeniy, you're still writing obvious things. To make aware of the
> problem imagine the following _real_ problem: we have just received
> about 1100 virus samples. Imagine we have just created the signatures.
> Now please tell me the exact clamav memory usage with that new
> signatures !?
>
No, you are writing obvious things. You obviously do not want
to listen or to try anything. Well, here are step by step
algorithm on how to compute exact memory usage of the trie
(just in case you did not want to take a look at dbstats.pl):
total_size = sizof(struct cl_node) // root node usage
level = 2
while(level <= CL_MIN_LENGTH) {
total_size = total_size +
(total number of unique prefixes of size level - 1)*struct(cl_node)
level = level + 1;
}
Of course I'm not accounting the usage used due to pattern linked lists --
this is a cost you pay regardless of tree depth.
>
> Every modern OS supports threads. clamd is a multithreaded application
> and shares the database between all threads without all that copy on
> write trickery, which is defacto non standard (derives from System V)
> and we cannot depend on it.
And thread will duplicate 50MB database or reuse it?
My point was that even in forking server, your database would be
50 MB in a moder OS regardless of number of forked instance running.
What's you point here?
> Bullshit !!! Sorry, it seems you don't understand the problem. Please
> download the file http://www.mat.uni.torun.pl/~tk/magistr.zip (password:
> virus). First thing - I've just realized clamav WILL NOT run with the
> level value higher than 2:
You are imagining things -- and not proving them.
>
> clamscan$ ./clamscan
> LibClamAV Error: readdb(): Malformed pattern line 10 (file
> /usr/local/share/clamav/viruses.db2). ERROR: Too short pattern detected.
>
> You must remove the W32/BadTrans from viruses.db2. Now scan the
> oriente.com file from the zip archive with level 2:
I did not get such error.
>
> [EMAIL PROTECTED]:/tmp$ clamscan oriente.com
> oriente.com: W32/Magistr.B FOUND
>
> and with level 3:
>
> [EMAIL PROTECTED]:~/tests/Clam/clamscan$ ./clamscan oriente.com
> oriente.com: OK
No THIS IS BULLSHIT. See attached script file which CLEARLY
shows that magistr was deteccted FINE with 3 levels.
I'm curious Tomasz, did you even BOTHER applying the patch, or
you're just in the bullshitting mood?
>
> The virus will be available on the website for a week so everyone can
> verify I'm right.
>
You can keep it as long as you want.
--
Eugene Miretskiy <[EMAIL PROTECTED]>
INVISION.COM, INC. (631) 543-1000
www.invision.net / www.longisland.com
pgp00000.pgp
Description: PGP signature
