> I've done some analysis of ClamAV with just this signature set, and the
> loading is simply slowing down as it runs through the list. This is mainly
> because of the significant amounts of overlap at the beginnings of these
> strings and the length thereafter.
Hi David,
Thanks for the info.. and looking into the issue.
Here's a few tests using the bofhland_cracked_URL.ndb but using various
combos:
Sig: (B)77????2E
db.log:Time: 6.281 sec (0 m 6 s)
db.tmp:LibClamAV debug: pool memory used: 29.425 MB
Start Sig: (B)777777{1}
Time: 6.281 sec (0 m 6 s)
LibClamAV debug: pool memory used: 39.624 MB
Start Sig: (B)777777??
Time: 70.875 sec (1 m 10 s)
LibClamAV debug: pool memory used: 29.413 MB
Start Sig: (B)77??772E
Time: 9.578 sec (0 m 9 s)
LibClamAV debug: pool memory used: 29.417 MB
Start Sig: (B)7777{2}
Time: 6.234 sec (0 m 6 s)
LibClamAV debug: pool memory used: 39.304 MB
Start Sig: (B)7777??2E
Time: 6.328 sec (0 m 6 s)
LibClamAV debug: pool memory used: 29.425 MB
Seems for me anyway, that (B)7777??2E is the best for speed/memory...
Cheers,
Steve
Sanesecurity
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
