On 07/12/2011 02:11 AM, Jerry 270 wrote:
>
> Hi Edwin,
>
> Thanks for your reply. I am doing a Master's degree for which the
> research is analyzing & investigating malware. I am interested in evaluating
> algorithms used in anti-virus software, but just investigating whether this
> is a possibility at the moment. The research project's goal is to define a
> problem domain, a scenario in which the problem to be investigated exists.
> Within this problem domain, a research question is posed. This is the
> question that the project will seek to answer.
>
> I enabled DevAVOnly and only the AC signatures appear to be loaded when
> the config file is reread, but when I do a scan of some files the debug
> information appears to suggest that BM signatures are loaded for GENERIC and
> PE.
If you are using clamscan then use --dev-ac-only. I get 0 BM sigs:

LibClamAV debug: Matcher[0]: GENERIC: AC sigs: 35862 (reloff: 21, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 470 (ac_only mode)
LibClamAV debug: Using filter for trie 1
LibClamAV debug: Matcher[1]: PE: AC sigs: 59482 (reloff: 47699, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 468 (ac_only mode)
LibClamAV debug: Matcher[2]: OLE2: AC sigs: 1726 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 176 (ac_only mode)
LibClamAV debug: Matcher[3]: HTML: AC sigs: 5773 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 799 (ac_only mode)
LibClamAV debug: Using filter for trie 4
LibClamAV debug: Matcher[4]: MAIL: AC sigs: 1146 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 255 (ac_only mode)
LibClamAV debug: Matcher[5]: GRAPHICS: AC sigs: 23 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 227 (ac_only mode)
LibClamAV debug: Matcher[6]: ELF: AC sigs: 47 (reloff: 29, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 400 (ac_only mode)
LibClamAV debug: Using filter for trie 7
LibClamAV debug: Matcher[7]: ASCII: AC sigs: 1568 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 492 (ac_only mode)
LibClamAV debug: Matcher[8]: NOT USED: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[9]: MACH-O: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)

> What should DevACDepth be set to?
>
> If AC is used for signatures containing wildcards and BM is used for
> signatures without wildcards, is it possible to scan using just one type of
> signature and test the performance of each algorithm that way?

Well, you won't be able to load the AC signatures into BM (BM doesn't support
the wildcards), so as a first step you would probably want to remove the
signatures that require AC from the DB.
You can use 'sigtool --unpack-current main' and 'sigtool --unpack-current daily'
to unpack the databases. And then load the DB as by default (into BM), and with
--dev-ac-only (into AC), and compare them that way.
Also note that the BM algo has an optimization when signatures are tied to a
specific offset (PE for example).

> How is prefiltering disabled?

Comment out this 'if' in matcher-ac.c:

if (cli_mtargets[root->type].enable_prefiltering && dconf_prefiltering) {

Best regards,
--Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
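A worked example of the first step Edwin describes (removing from the unpacked DB the signatures that only the AC matcher can load), added here as example code; it is not part of ClamAV and not from either poster. It assumes the routing that cli_parse_add() in matcher.c applies, as I read it, and you should check it against the matcher.c of the version you build: a hex body containing any of the characters `* ? { } [ ] ( ) | !` (gaps, ranges, nibble wildcards, alternation, boundary markers, negation) goes to AC; an offset containing `VI` or `$` goes to AC; and the BM trie rejects patterns shorter than 3 bytes. The file names bm_only.ndb and ac_only.ndb, the sample signature lines and the function names are this example's own inventions; the sample lines are constructed and match no real malware. Logical signatures (.ldb) always go to AC, so only the .db and .ndb files from the unpack are fed to it.

```python
#!/usr/bin/env python3
"""Split unpacked ClamAV .db/.ndb signature lines into a set the Boyer-Moore
matcher can load and a set that needs Aho-Corasick.

Example code for this thread, not part of ClamAV. The routing rule below is an
assumption taken from reading cli_parse_add() in matcher.c; verify it against
the version you run.
"""
import re
import sys

# Characters in the hex body that force the AC matcher (assumed).
AC_ONLY_HEX_CHARS = set("*?{}[]()|!")
BM_MIN_BYTES = 3                      # assumed BM_MIN_LENGTH in matcher-bm.c
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def needs_ac(hexsig, offset="*"):
    """Return why this signature cannot live in the BM trie, or None if it can."""
    if any(c in AC_ONLY_HEX_CHARS for c in hexsig):
        return "wildcard"             # gap, range, nibble wildcard, alternation, ...
    if "VI" in offset or "$" in offset:
        return "offset"               # version-info / macro offsets are AC-only (assumed)
    if not HEX_RE.match(hexsig) or len(hexsig) % 2:
        return "malformed"            # not a plain byte string
    if len(hexsig) // 2 < BM_MIN_BYTES:
        return "too-short"            # cli_bm_addpatt rejects it anyway (assumed)
    return None


def parse_line(line):
    """Return (name, target, offset, hexsig) for a .db or .ndb line, or None for
    comments and blank lines. Trailing .ndb fields (MinFL:MaxFL) are ignored."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.count(":") >= 3:          # .ndb: Name:Target:Offset:Hex[:MinFL[:MaxFL]]
        name, target, offset, rest = line.split(":", 3)
        return name, target, offset, rest.split(":", 1)[0]
    if "=" in line:                   # legacy .db: Name=Hex, any target, any offset
        name, hexsig = line.split("=", 1)
        return name, "0", "*", hexsig
    return None


def split_db(lines):
    """Partition raw signature lines into (bm_lines, ac_lines, reasons_by_name)."""
    bm, ac, reasons = [], [], {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, _target, offset, hexsig = parsed
        why = needs_ac(hexsig, offset)
        if why is None:
            bm.append(line.rstrip("\n"))
        else:
            ac.append(line.rstrip("\n"))
            reasons[name] = why
    return bm, ac, reasons


# Constructed sample lines (not real signatures) covering each routing case.
SAMPLE_LINES = [
    "# comment line, skipped",
    "Test.Static.A:1:*:e8000000005b81eb",          # plain bytes -> BM
    "Test.Gap.B:1:EP+0:558bec*33c0",               # '*' gap -> AC
    "Test.Range.C:0:*:deadbeef{4-8}cafe",          # {n-m} range -> AC
    "Test.Nibble.D:1:*:6a0?68????",                # '?' nibble wildcard -> AC
    "Test.Alt.E:3:*:3c73637269707428(61|62)",      # alternation -> AC
    "Test.VIOffset.F:1:VI:0102030405",             # VI offset -> AC (assumed)
    "Test.Short.G:0:*:abcd",                       # 2 bytes -> BM rejects
    "Test.Legacy.H=90909090c3",                    # old .db line -> BM
]


def main(argv):
    src = []
    for path in argv[1:]:
        with open(path, encoding="latin-1") as f:
            src.extend(f)
    src = src or SAMPLE_LINES
    bm, ac, reasons = split_db(src)
    with open("bm_only.ndb", "w") as f:
        f.write("\n".join(bm) + "\n")
    with open("ac_only.ndb", "w") as f:
        f.write("\n".join(ac) + "\n")
    print("BM-loadable: %d  AC-only: %d" % (len(bm), len(ac)))
    for name, why in sorted(reasons.items()):
        print("  %s: %s" % (name, why))
    return bm, ac


if __name__ == "__main__":
    main(sys.argv)
```

After 'sigtool --unpack-current main' and 'sigtool --unpack-current daily', run the script on the resulting main.ndb, daily.ndb and legacy main.db; then scan the same corpus with 'clamscan --debug -d bm_only.ndb' and again with '--dev-ac-only' added, and compare the "BM sigs:" and "AC sigs:" counts in the Matcher[n] debug lines to confirm every signature landed in the trie you intended before timing anything. Remember the optimization Edwin mentions: BM signatures tied to a fixed offset are cheaper than floating ones, so keep the offset mix the same across both runs.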