On 2010-05-12 20:53, Mohammed Al-Saleh wrote:
> Hi,
>
> I have two questions. Thanks in advance for answers.
> 1- MAXSOPATLEN constant was commented in more than one location to contain
> the value 32 but in the actual implementation its value is 8. So, was it
> implemented first as 32 then changed to 8? if yes, can you please tell me
> why? Does this mean that we only have 8 states for the filtering step?
>
Yes it was changed to 8 because it is sufficient, you'll find that most of
the subsignatures are very short (2-4 bytes) which makes it that much harder
to prefilter (since these 2-4 byte sequences generate a lot of false matches).

commit 2c04b207e01eed2bdcdc5fca596476b25aa7b7cd
Author: Török Edvin <ed...@clamav.net>
Date:   Sat Nov 29 10:07:33 2008 +0000

    8 bits are sufficient, we only care if it is longer than 4 characters or not.
    TODO: maybe we can use the rest of 24 states for something else?

    git-svn-id: file:///var/lib/svn/clamav-devel/branches/prefilter...@4491 77e5149b-7576-45b1-b177-96237e5ba77b

> 2- if we count the number of signatures in the 10 roots (root[0] through
> root[9]) for both AC and BM, the total would be around 100,000 signatures. So,
> would the remaining number of signatures (759261 - (~100,000) ) be the md5
> and such signatures?

Yeah .hdb and .mdb make up the majority of signatures.

Best regards,
--Edwin
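
Added illustration, not part of the original message and not ClamAV's code: a simplified bit-parallel (shift-or style) prefilter with 8 bits of state, showing how 2-byte subsignatures produce the false matches described in the reply above. The filter layout, the patterns and the sample buffer are assumptions constructed for this example; only the value MAXSOPATLEN = 8 comes from the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXSOPATLEN 8 /* value from the thread: filter state fits in one uint8_t */

/* Hypothetical, simplified filter: NOT ClamAV's data structure. */
struct filter {
    uint8_t B[256]; /* bit i clear: some pattern has this byte at offset i */
    uint8_t end;    /* bit i clear: some pattern ends at offset i */
};

static void filter_init(struct filter *f) { memset(f->B, 0xFF, sizeof f->B); f->end = 0xFF; }

static void filter_add(struct filter *f, const char *pat) {
    size_t len = strlen(pat);
    if (len == 0) return;
    if (len > MAXSOPATLEN) len = MAXSOPATLEN; /* only a prefix is tracked */
    for (size_t i = 0; i < len; i++)
        f->B[(uint8_t)pat[i]] &= (uint8_t)~(1u << i);
    f->end &= (uint8_t)~(1u << (len - 1));
}

/* Count positions where the filter says "a pattern may end here". */
static size_t filter_hits(const struct filter *f, const char *buf) {
    uint8_t state = 0xFF;
    size_t hits = 0;
    for (; *buf; buf++) {
        state = (uint8_t)((state << 1) | f->B[(uint8_t)*buf]);
        if ((uint8_t)(state | f->end) != 0xFF) hits++;
    }
    return hits;
}

/* Constructed sample: contains none of the patterns below. */
static const char SAMPLE[] = "xx-ad-cb-xx";

size_t demo_hits(int with_short) {
    struct filter f;
    filter_init(&f);
    filter_add(&f, "abcdefgh");
    filter_add(&f, "stuvwxyz");
    if (with_short) { filter_add(&f, "ab"); filter_add(&f, "cd"); }
    return filter_hits(&f, SAMPLE);
}

int main(void) {
    printf("long only: %zu, with 2-byte patterns: %zu\n", demo_hits(0), demo_hits(1));
    return 0;
}
```

With only the 8-byte patterns loaded the filter stays silent on the sample; once "ab" and "cd" are added it fires on "ad" and "cb", neither of which is a signature, so each hit would cost a full matcher pass for nothing.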