On Wed, 10 May 2006, Sumandra Majee wrote:
I am new to clamav but liked it much after going through the code. I have a couple of questions.
1) I believe I read somewhere that clamav has around 30,000 sigs in its current database. However, when I looked into the files generated from main.db (main.[ndb|hdb|fp]) there were about 8K in main.ndb and 8K in the hdb file. So what am I missing here?
The other files?
zeus:/tmp/temp# sigtool --unpack-current main.cvd
zeus:/tmp/temp# ls
COPYING main.db main.fp main.hdb main.ndb main.zmd
zeus:/tmp/temp# wc -l main*
30477 main.db
29 main.fp
8068 main.hdb
12629 main.ndb
4 main.zmd
51207 total
zeus:/tmp/temp# sigtool --unpack-current daily.cvd
zeus:/tmp/temp# wc -l daily*
182 daily.db
29 daily.fp
4 daily.hdb
3385 daily.ndb
3600 total
If your numbers are smaller than mine, then you need to run freshclam to
get the latest database.
2) Is there a need for more or full regular expressions? Is it safe to assume that all virus signatures always start with some fixed literals no matter what?
I don't think the signatures assume that, though in general all binaries
do have some "magic" at the beginning that identifies what type of
binary they are....
I guess the need for {} and (x|y) came because of polymorphic viruses. Is that all, or is there a need for grouping like [abc]+ (repetitive pattern)?
It might be useful, but anything that repeats can also be detected a
single time, so it probably is not necessary.
Damian Menscher
--
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Ofc:(650)253-2757 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
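The two questions in this thread (how many signatures each unpacked file holds, and whether hex signatures begin with a fixed literal) can be checked mechanically. The script below is an added example, not code from the thread or from the ClamAV project. It assumes the line layouts of the three text formats named in the `wc -l` output: `Name=HexSignature` for `.db`, `Name:TargetType:Offset:HexSignature` for `.ndb`, and `MD5:FileSize:Name` for `.hdb`, and it recognises the `{n-m}` and `(x|y)` constructs mentioned in the thread plus the `??` (any byte) and `*` (any gap) wildcards; the sample signature lines are constructed, not real detections. Per file it counts entries the same way `wc -l` does, and for each hex signature it reports the literal prefix that precedes the first wildcard (empty when the signature opens with a wildcard) and which wildcard kinds it uses.

```python
import re
from collections import Counter

# Constructed sample database contents (not real ClamAV signatures), one
# entry per line, in the three text formats listed by `wc -l main*`.
SAMPLE_DB = {
    "main.db": [
        "Sample.Old.A=4d5a90000300000004000000ffff0000",
        "Sample.Old.B=e800000000*5d81ed",
    ],
    "main.ndb": [
        "Sample.New.A:1:*:4d5a{4-8}50450000",
        "Sample.New.B:0:0:(4d5a|5a4d)??90",
        "Sample.New.C:1:EP+0:*e8000000",      # opens with a wildcard
    ],
    "main.hdb": [
        "00112233445566778899aabbccddeeff:68:Sample.Hash.A",  # fake MD5
    ],
}

# Wildcard tokens assumed for hex signatures: ??, *, {n-m} gaps, (x|y) alternatives.
HEX_WILDCARDS = re.compile(r"\?\?|\*|\{[^}]*\}|\([^)]*\)")


def body_of(filename, line):
    """Return (name, hex_body) for a hex signature line, or None for hash sigs."""
    if filename.endswith(".hdb"):
        return None                      # MD5:Size:Name, no pattern to inspect
    if filename.endswith(".db"):
        name, body = line.split("=", 1)  # assumed Name=HexSignature layout
        return name, body
    if filename.endswith(".ndb"):
        parts = line.split(":")          # assumed Name:Target:Offset:Hex layout
        return parts[0], parts[3]
    raise ValueError("unknown signature file: %s" % filename)


def leading_literal(body):
    """Hex digits fixed before the first wildcard; '' if body opens with one."""
    m = HEX_WILDCARDS.search(body)
    return body if m is None else body[:m.start()]


def wildcard_kinds(body):
    """Set of wildcard kinds ('??', '*', '{}', '(|)') used in a hex body."""
    kinds = set()
    for m in HEX_WILDCARDS.finditer(body):
        tok = m.group()
        if tok == "??":
            kinds.add("??")
        elif tok == "*":
            kinds.add("*")
        elif tok.startswith("{"):
            kinds.add("{}")
        else:
            kinds.add("(|)")
    return kinds


def summarize(db):
    """Count entries per file (as wc -l would), map each hex signature to its
    fixed prefix, and tally which wildcard kinds the hex signatures use."""
    counts = {}
    fixed_prefix = {}
    wildcards = Counter()
    for fname, lines in db.items():
        counts[fname] = len(lines)
        for line in lines:
            parsed = body_of(fname, line)
            if parsed is None:
                continue
            name, body = parsed
            fixed_prefix[name] = leading_literal(body)
            wildcards.update(wildcard_kinds(body))
    return counts, fixed_prefix, wildcards


if __name__ == "__main__":
    counts, prefixes, wc = summarize(SAMPLE_DB)
    for fname, n in sorted(counts.items()):
        print("%6d %s" % (n, fname))
    print("%6d total" % sum(counts.values()))
    for name, pfx in sorted(prefixes.items()):
        print("%-14s fixed prefix: %s" % (name, pfx or "(none, starts with wildcard)"))
    print("wildcard kinds used:", dict(wc))
```

Running it on the constructed sample shows the point of the reply above: two of the five hex signatures open with a wildcard rather than a literal, so a matcher cannot assume every signature starts with fixed bytes, and the `.hdb` entries contribute to the line count without carrying any pattern at all.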