Ok, thank you. El sáb, 5 mar 2022 a las 8:48, G.W. Haywood via clamav-users (< clamav-users@lists.clamav.net>) escribió:
> Hi there, > > On Fri, 4 Mar 2022, Jorge Elissalde via clamav-users wrote: > > > ... > > Trying to be more forthcoming I can explain the code I'm making. > > > > - I get the full list of files under c:\windows\system32 folder, just > > files, not folders (4913 files in my case). > > - I send every file name to clamd using the SCAN command. > > > > The whole process takes almost 5 minutes, and I'm trying to drastically > > reduce that time. > > Firstly, I'm not sure that you aren't just running around in circles. > > I've seen scans which took hours fail to find threats which were known > to be present. Please keep that in mind. You're scanning for threats > using code which is running on the threatened machine. If I wanted to > attack that machine, the first thing I'd do when I gained access would > be to nobble any virus scanner so that it claimed to find nothing even > when it found something. If some malicious actor was able to modify > files in the ...\system32 directory then that same actor probably also > had the ability to nobble the scanner. Please keep that in mind too. > > The reason it takes five minutes to scan your files is basically that > you are scanning something like five thousand files (note: you haven't > mentioned the average size of those files) for something in the region > of ten million threats, likely using modest, general purpose hardware. > > If I may take liberties with units, the number of file.threats is of > the order of fifty billion. The average time per file.threat scan is > 300/50000000000 or approximately six nanoseconds. That's quite a bit > less than the access time for your RAM (never mind the mass storage!) > and while this is like measuring a piece of string with a theodolite, > typical 21st century CPUs won't be able to execute more than a very > few instructions in that time even if they take a running jump at it. > I shouldn't be surprised if millions of instructions would need to be > executed to scan a single file for a single threat. So I think that, > under the circumstances, ClamAV doesn't do too bad a job. > > What are the specifications for your harware? > > Why are you scanning the things you're scanning? > > Why are you using the scanned device to scan itself? > > Why are you not scanning the things you aren't scanning? > > How long would you expect your scan to take on your hardware? > > What is your target scan time? > > Why? > > What do you expect the results to tell you? > > What do you plan to do when you have them? > > How long will *that* take? > > How long does your coffee machine take to make a brew? > > Can you compare/contrast the various times in your answers? > > Please be much more forthcoming. > > > Possible solutions are: > > > > - Non recursive MULTISCAN ( seems that this is not available ) > > - Multithread SCAN command ( seems that is not available ) > > > > Is there another solution here? > > According to the (old) ClamAV Bugzilla there was an issue with > MULTISCAN which was fixed years ago: > > https://bugzilla.clamav.net/show_bug.cgi?id=1869 > > I didn't find the issue mentioned here: > > https://github.com/Cisco-Talos/clamav/issues/ > > but although that's where things are being done now, many old Bugzilla > issues haven't been moved to Github. > > If you can produce a test case to confirm that Micah's 2018 comment on > Bugzilla is wrong, you should file a report on Github. > > -- > > 73, > Ged. > > _______________________________________________ > > clamav-users mailing list > clamav-users@lists.clamav.net > https://lists.clamav.net/mailman/listinfo/clamav-users > > > Help us build a comprehensive ClamAV guide: > https://github.com/vrtadmin/clamav-faq > > http://www.clamav.net/contact.html#ml >
_______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
