On 2010-03-10 22:54, David F. Skoll wrote:
> Hi,
>
> I noticed the announcement of the bytecode interpreter in the 0.96-rc1
> announcement.
>
> That feature took me utterly by surprise.
>
> Could anyone provide a use-case for it?

Hi,

Right now the only detections one can write are pattern-based. You can't write heuristic detections, you can't write unpackers, you can't support new file formats, and you can't do more complex analysis than pattern matching.
The bytecode tries to offer the possibility to do the above, without releasing a new engine update each time.

> I'm at a loss as to why a
> security tool should allow signature writers to be able to inject
> arbitrary executable code. (Yes, I know the bytecode has all kinds of
> security checks and is limited in what it can do, but so does/did Java
> and there were still many bugs found in the Java sandbox.)
>
> And a security tool that requires (or at least can use) a C compiler
> at run-time boggles the mind.

It doesn't use a C compiler at runtime. It has both an interpreter, and a JIT that can run the bytecode.
The JIT creates machine code from bytecode, not from C code.

> I guess we either have to install
> a C compiler or live with the slower bytecode interpreter.

No, the JIT is already included in libclamav, just run clamconf and see if it reports the JIT feature.
It won't use an external compiler.

> So...
>
> Why do we need the bytecode interpreter? Can we disable it if we decide
> the cons outweigh the pros?

freshclam.conf, "Bytecode no". That will prevent bytecode.cvd from being downloaded.

Best regards,
--Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
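The two operational steps from the reply above (check whether libclamav reports the JIT feature, and turn off bytecode.cvd downloads with "Bytecode no" in freshclam.conf), as an added POSIX shell example that is not part of the thread and not ClamAV's own code. It assumes clamconf prints the feature as a line like "JIT: yes" (the exact output format is an assumption here; it reads clamconf output from stdin so any captured output can be checked), and it takes the path to freshclam.conf as an argument rather than assuming where the file lives. The check for an existing "Bytecode" line also matches a commented-out "#Bytecode yes" so the default shown in a stock config is replaced rather than left beside a second, conflicting line.

```shell
#!/bin/sh
# Added example, not ClamAV code. Helpers for the two checks in the reply:
#   clamconf | has_jit && echo "libclamav has the JIT"
#   sh this_script.sh /etc/freshclam.conf no
#
# has_jit: read clamconf output on stdin, succeed if a "JIT" feature line
# reports it enabled. The "JIT: yes" line format is an ASSUMPTION.
has_jit() {
    grep -Eiq 'JIT[[:space:]]*[:=][[:space:]]*(yes|enabled|on|1)([[:space:]]|$)'
}

# bytecode_option CONF: print the effective "Bytecode" value in CONF
# (last uncommented occurrence wins), or "unset" if there is none.
bytecode_option() {
    awk '$1 == "Bytecode" { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# set_bytecode_option CONF yes|no: rewrite an existing "Bytecode" line
# (commented or not) in place, or append one if the option is absent.
# "BytecodeSecurity" and friends are not touched: the pattern requires
# whitespace right after "Bytecode". Rewrites through a temp file so it
# works with both GNU and BSD sed (no -i).
set_bytecode_option() {
    conf=$1
    value=$2
    case $value in
        yes|no) ;;
        *) echo "set_bytecode_option: value must be yes or no" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "set_bytecode_option: no such file: $conf" >&2; return 1; }
    tmp="$conf.tmp.$$"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Bytecode[[:space:]]' "$conf"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*Bytecode[[:space:]].*/Bytecode $value/" "$conf" > "$tmp"
    else
        { cat "$conf"; printf 'Bytecode %s\n' "$value"; } > "$tmp"
    fi
    mv "$tmp" "$conf"
}

# When run directly with arguments, apply the setting and report the result.
if [ "$#" -ge 1 ]; then
    set_bytecode_option "$1" "${2:-no}" && printf 'Bytecode is now: %s\n' "$(bytecode_option "$1")"
fi
```

Note that this only stops freshclam from fetching bytecode.cvd; a bytecode.cvd already on disk stays where it is until removed, and clamd/clamscan have their own Bytecode option in clamd.conf.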
