On Wednesday 09 March 2005 23:05, Calin A. Culianu wrote:
>
> How would people feel about adding some sort of caching feature to the
> clamuko thread in order to cache the results of previous scans? This
> could dramatically speed things up for on-access scanning of often-used
> files..
>
> Of course, the cache entry would have to be invalidated if the file is
> ever opened for writing to avoid exploits.
>

I think there's definitely something that can be done to speed up scanning, especially when (mis)using clamuko to provide on-access desktop scanning.

One approach I've thought of is to keep track of files that are opened with a write-flag and scan them when they are closed - a hacky sort of 'ScanOnModified' implementation. I'm thinking of including a customized clamd in KlamAV (http://klamav.sf.net) that does just this. My fear is that there's a very good reason why this isn't being done already...

The code below gives you an idea of how I've tried to do it in clamuko.c:

    /* If opened for writing, cache filename for scanning when closed */
    if (scanmodified) {
        scan = 0;
        switch (acc->event) {
        case DAZUKO_ON_OPEN:
            if (acc->set_flags) {
                /* Any of these open flags marks the file as possibly modified */
                if ((acc->flags & O_RDWR) || (acc->flags & O_WRONLY) ||
                    (acc->flags & O_APPEND) || (acc->flags & O_SYNC) ||
                    (acc->flags & O_CREAT) || (acc->flags & O_TRUNC) ||
                    (acc->flags & O_EXCL)) {
                    /* tsearch() stores this pointer, not a copy of the string */
                    val = tsearch((void *)acc->filename, &root, compare);
                    if (val == NULL)
                        break;
                    printf("Adding file to tree: %s id: %i\n", acc->filename, tharg->pid);
                }
            } else {
                /* No flag information available: scan right away */
                scan = 1;
            }
            break;
        case DAZUKO_ON_CLOSE:
            /* Scan on close only if the file was recorded at open time */
            if ((val = tfind((void *)acc->filename, &root, compare)) != NULL) {
                scan = 1;
                tdelete((void *)acc->filename, &root, compare);
                printf("Deleting File from tree: %s id: %i\n", acc->filename, tharg->pid);
            }
            break;
        default:
            scan = 1;
            break;
        }
    }

Any thoughts?

-- 
robert hogan
dublin
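
The scan-on-close bookkeeping discussed in this message, as an added stand-alone C example (not part of the original message and not clamuko or KlamAV code). The names track_open, take_on_close and pending are hypothetical. The write test uses the O_ACCMODE field plus O_CREAT, O_TRUNC and O_APPEND, and each path is copied before it goes into the tree; both are choices of this example.

```c
#include <fcntl.h>
#include <search.h>
#include <stdlib.h>
#include <string.h>

static void *pending;   /* tree of paths currently opened for writing */

static int cmp_path(const void *a, const void *b)
{
    return strcmp((const char *)a, (const char *)b);
}

/* Open event: 1 = path recorded (scan at close), 0 = not a write open,
 * -1 = out of memory (caller should fall back to scanning immediately). */
int track_open(const char *path, int flags)
{
    int mode = flags & O_ACCMODE;   /* access mode is a field, not a bit flag */
    if (mode == O_RDONLY && !(flags & (O_CREAT | O_TRUNC | O_APPEND)))
        return 0;
    if (tfind(path, &pending, cmp_path) != NULL)
        return 1;                   /* already waiting for a close */
    size_t len = strlen(path) + 1;
    char *key = malloc(len);        /* own copy: the event buffer may be reused */
    if (key == NULL)
        return -1;
    memcpy(key, path, len);
    if (tsearch(key, &pending, cmp_path) == NULL) {
        free(key);
        return -1;
    }
    return 1;
}

/* Close event: 1 = path was opened for writing, scan it now; 0 = nothing pending. */
int take_on_close(const char *path)
{
    void *node = tfind(path, &pending, cmp_path);
    if (node == NULL)
        return 0;
    char *key = *(char **)node;     /* a tree node begins with the stored key pointer */
    tdelete(path, &pending, cmp_path);
    free(key);                      /* release the copy made in track_open() */
    return 1;
}
```

The first close of a path clears its entry, so a second writer that still holds the same file open is not rescanned at its own close; a per-path counter would be needed to cover that case.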