On 07/12/2011 02:11 AM, Jerry 270 wrote:
> 
> Hi Edwin,
> 
>     Thanks for your reply.  I am doing a Masters degree for which the 
> research is analyzing & investigating malware.  I am interested in evaluating 
> algorithms used in anti-virus software, but just investigating whether this 
> is a possibility at the moment.  The research project's goal is to define a 
> problem domain, a scenario in which the problem to be investigated exists.  
> Within this problem domain, a research question is posed.  This is the 
> question that the project will seek to answer.
> 
>      I enabled DevAVOnly and only the AC signatures appear to be loaded when 
> the config file is reread but when I do a scan of some files the debug 
> information appears to suggest that BM signatures are loaded for GENERIC and 
> PE.

If you are using clamscan then use --dev-ac-only. I get 0 BM sigs:

LibClamAV debug: Matcher[0]: GENERIC: AC sigs: 35862 (reloff: 21, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 470 (ac_only mode)
LibClamAV debug: Using filter for trie 1
LibClamAV debug: Matcher[1]: PE: AC sigs: 59482 (reloff: 47699, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 468 (ac_only mode)
LibClamAV debug: Matcher[2]: OLE2: AC sigs: 1726 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 176 (ac_only mode)
LibClamAV debug: Matcher[3]: HTML: AC sigs: 5773 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 799 (ac_only mode)
LibClamAV debug: Using filter for trie 4
LibClamAV debug: Matcher[4]: MAIL: AC sigs: 1146 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 255 (ac_only mode)
LibClamAV debug: Matcher[5]: GRAPHICS: AC sigs: 23 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 227 (ac_only mode)
LibClamAV debug: Matcher[6]: ELF: AC sigs: 47 (reloff: 29, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 400 (ac_only mode)
LibClamAV debug: Using filter for trie 7
LibClamAV debug: Matcher[7]: ASCII: AC sigs: 1568 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 492 (ac_only mode)
LibClamAV debug: Matcher[8]: NOT USED: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[9]: MACH-O: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)


>  What should DevACDepth be set to? 
> 
>     If AC is used for signatures containing wildcards and BM is used for 
> signatures without wildcards is it possible to scan using just one type of 
> signature and test the performance of each algorithm that way?

Well you won't be able to load the AC signatures into BM (BM doesn't support 
the wildcards), so the first step would probably be to remove
the signatures that require AC from the DB.
You can use 'sigtool --unpack-current main' and 'sigtool --unpack-current 
daily' to unpack the databases.

And then load the DB as it is by default (into BM), and with --dev-ac-only (into AC), 
and compare them that way.

Also note that the BM algo has an optimization when signatures are tied to a 
specific offset (PE for example).

> How is prefiltering disabled?

Comment out this 'if' in matcher-ac.c:
    if (cli_mtargets[root->type].enable_prefiltering && dconf_prefiltering) {

Best regards,
--Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
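As an added example of the first step in the reply above (unpack the databases with sigtool, then take the wildcard signatures out so that the remaining set can be loaded both the default way into BM and with --dev-ac-only into AC), here is a POSIX shell script of my own; it is not ClamAV's code or tooling. It assumes the .ndb line layout MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]], that a hex body made only of hex digits is exactly the "no wildcards" case BM can take (anything else, such as ??, *, {n-m}, (aa|bb) or [n-m], is sent to the AC set), and that sigtool --unpack-current writes main.ndb and daily.ndb into the current directory. The sample signature lines are constructed for this example, and the sigtool and clamscan wrappers only run when those tools are installed.

```shell
#!/bin/sh
# Added example, not ClamAV's own code: split an unpacked .ndb body-signature
# file into the signatures BM can hold (plain hex bytes) and those that need
# Aho-Corasick (anything containing ??, *, {n-m}, (aa|bb), [n-m], anchors ...).
# Assumption: the .ndb layout is Name:Target:Offset:Hex[:MinFL[:MaxFL]] and
# "only hex digits" is a faithful test for "no wildcards" in your version.

# Succeeds (status 0) when the hex body contains nothing but hex digits.
is_plain_hex() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
        *)              return 0 ;;
    esac
}

# split_ndb IN PLAIN_OUT WILD_OUT
# Copies every signature line of IN to PLAIN_OUT (BM-capable) or WILD_OUT
# (AC only); comment and blank lines are dropped. Fields are taken with
# parameter expansion, so a 60k-line file does not fork a process per line.
split_ndb() {
    in=$1; plain=$2; wild=$3
    : > "$plain"
    : > "$wild"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        rest=${line#*:}; rest=${rest#*:}; rest=${rest#*:}  # drop name, target, offset
        hex=${rest%%:*}                                    # drop optional MinFL:MaxFL
        if is_plain_hex "$hex"; then
            printf '%s\n' "$line" >> "$plain"
        else
            printf '%s\n' "$line" >> "$wild"
        fi
    done < "$in"
}

count_lines() { wc -l < "$1" | tr -d ' '; }

# Constructed sample in .ndb layout; the names and bytes are invented here.
write_sample_ndb() {
    cat > "$1" <<'EOF'
# comment line, ignored
Example.Plain.Generic:0:*:4d5a90000300000004000000ffff
Example.Plain.PE:1:0:4d5a500002000000
Example.Wild.Star:0:*:4d5a*50450000
Example.Wild.Jump:1:*:e8{4}5d
Example.Wild.Alt:0:*:(4d5a|5a4d)9000
Example.Wild.Nibble:0:*:4d5a9?00
EOF
}

# Unpack the installed CVDs with sigtool (the commands from the reply above)
# and split each .ndb; assumes the unpacked files land in the current directory.
unpack_and_split() {
    command -v sigtool >/dev/null 2>&1 || { echo "sigtool not found" >&2; return 1; }
    sigtool --unpack-current main && sigtool --unpack-current daily || return 1
    mkdir -p bm ac
    for db in main daily; do
        [ -f "$db.ndb" ] || continue
        split_ndb "$db.ndb" "bm/$db.ndb" "ac/$db.ndb"
        echo "$db: $(count_lines "bm/$db.ndb") plain, $(count_lines "ac/$db.ndb") wildcard"
    done
}

# Load the plain set the default way (into BM) and with --dev-ac-only (into AC)
# against the same target, printing the per-type Matcher summary of each run.
compare_matchers() {
    dbdir=$1; target=$2
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not found" >&2; return 1; }
    for flag in "" --dev-ac-only; do
        echo "== clamscan $flag"
        time clamscan --debug $flag --database="$dbdir" "$target" 2>&1 | grep 'Matcher\['
    done
}
```

After unpack_and_split, bm/ holds only signatures that BM can load, so compare_matchers bm /path/to/samples gives a like-for-like comparison between the two matchers; the ac/ set can only be measured in AC mode. Keep in mind the remark above that BM has an optimisation for signatures tied to a fixed offset (the PE type, for instance), so the split by type in the Matcher lines matters as much as the totals.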