Török Edwin wrote:
> Right now the only detections one can write are pattern-based. You
> can't write heuristic detections, you can't write unpackers, you
> can't support new file formats, and you can't do more complex
> analysis than pattern matching. The bytecode tries to offer the
> possibility to do the above, without releasing a new engine update
> each time.

Well, there's a fundamental philosophical problem here. You've essentially introduced a software update mechanism that bypasses the normal way to install ClamAV. Furthermore, you're trying to write complex algorithms in byte code rather than C. (Or do you have a high-level language that compiles down to byte code?) This will require a completely new set of coding and debugging skills.

Also, the *only* thing protecting us from malicious byte-code is your GPG key. I hope you keep it safe. And nothing will protect us from buggy byte code. Looking at the bytecode implementation, I found an easy way to DoS ClamAV... do we really want that ability?

>> And a security tool that requires (or at least can use) a C compiler
>> at run-time boggles the mind.
> It doesn't use a C compiler at runtime.

Really? Why do the release notes say:

    The following packages are optional, but required for bytecode JIT support:
    GCC C and C++ compilers (minimum 4.1.3, recommended 4.3.4 or newer)

Do you mean that GCC is required only at build time?

Anyway... I don't like large and complex (barely-commented, full of mysterious hard-coded constants) code being added to a security tool, especially when that large and complex code implements a (Turing-complete?) computer. I just worry that some future version of ClamAV will require the bytecode interpreter, similar to how 0.94 was EOL'd because of signature engine limitations. I also worry that there will be pressure to expose more and more API functions to the bytecode interpreter---it's so tempting when you just need "one more thing" to implement a new detection algorithm.

Regards,
David.

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
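The denial-of-service worry raised in the message above (a buggy or hostile bytecode program that never terminates, or that reaches outside its own program and registers) is normally addressed by making the interpreter resource-bounded: every executed instruction is charged against a step budget and every operand is validated before use. The following is an added example written for this thread, not ClamAV's bytecode format or interpreter; the toy instruction set (LOADI, ADD, SUBI, JNZ, HALT), the four-register machine, the status codes and the sample programs are all invented here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical toy bytecode (NOT ClamAV's): each instruction is {op, a, b}.
 * Register operands are indices into a fixed bank of NREGS 32-bit registers. */
enum op { OP_LOADI, OP_ADD, OP_SUBI, OP_JNZ, OP_HALT };

typedef struct { uint8_t op; int32_t a; int32_t b; } insn;

enum vm_status { VM_HALTED, VM_BUDGET_EXCEEDED, VM_BAD_JUMP, VM_BAD_REG, VM_BAD_OP };

#define NREGS 4
#define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))

static int reg_ok(int32_t r) { return r >= 0 && r < NREGS; }

/* Executes prog (n instructions) for at most max_steps instructions.
 * Every operand is checked before it is used and every step is charged
 * to the budget, so a looping or malformed program is turned into a
 * bounded error rather than a hung scanner. On VM_HALTED, register 0
 * is copied to *out. */
enum vm_status vm_run(const insn *prog, size_t n, uint64_t max_steps, int32_t *out)
{
    int32_t regs[NREGS] = {0};
    size_t pc = 0;
    uint64_t steps = 0;

    for (;;) {
        if (steps++ >= max_steps) return VM_BUDGET_EXCEEDED;
        if (pc >= n) return VM_BAD_JUMP; /* running off the end is an error, not UB */
        const insn *i = &prog[pc];
        switch (i->op) {
        case OP_LOADI: /* regs[a] = b */
            if (!reg_ok(i->a)) return VM_BAD_REG;
            regs[i->a] = i->b; pc++; break;
        case OP_ADD:   /* regs[a] += regs[b], wrapping arithmetic */
            if (!reg_ok(i->a) || !reg_ok(i->b)) return VM_BAD_REG;
            regs[i->a] = (int32_t)((uint32_t)regs[i->a] + (uint32_t)regs[i->b]); pc++; break;
        case OP_SUBI:  /* regs[a] -= b, wrapping arithmetic */
            if (!reg_ok(i->a)) return VM_BAD_REG;
            regs[i->a] = (int32_t)((uint32_t)regs[i->a] - (uint32_t)i->b); pc++; break;
        case OP_JNZ:   /* if regs[a] != 0 jump to absolute index b */
            if (!reg_ok(i->a)) return VM_BAD_REG;
            if (regs[i->a] != 0) {
                if (i->b < 0 || (size_t)i->b >= n) return VM_BAD_JUMP;
                pc = (size_t)i->b;
            } else {
                pc++;
            }
            break;
        case OP_HALT:
            *out = regs[0]; return VM_HALTED;
        default:
            return VM_BAD_OP;
        }
    }
}

/* Constructed sample programs (not real signatures). */

/* Well-behaved: sums 1..10 into r0 using r1 as a down-counter (32 steps). */
static const insn prog_sum[] = {
    {OP_LOADI, 1, 10}, {OP_ADD, 0, 1}, {OP_SUBI, 1, 1}, {OP_JNZ, 1, 1}, {OP_HALT, 0, 0}
};
/* Buggy/hostile: r0 is never zero, so it spins forever without a budget. */
static const insn prog_spin[] = {
    {OP_LOADI, 0, 1}, {OP_JNZ, 0, 1}
};
/* Malformed: jumps to an index outside the program. */
static const insn prog_escape[] = {
    {OP_LOADI, 0, 1}, {OP_JNZ, 0, 99}
};

int main(void)
{
    int32_t v = 0;
    printf("sum    : status=%d value=%d\n", vm_run(prog_sum, LEN(prog_sum), 100, &v), v);
    printf("spin   : status=%d\n", vm_run(prog_spin, LEN(prog_spin), 1000, &v));
    printf("escape : status=%d\n", vm_run(prog_escape, LEN(prog_escape), 1000, &v));
    return 0;
}
```

The budget is deliberately a parameter of vm_run rather than a compile-time constant, so a scanner can derive it from the size of the object being scanned or from a configured timeout, and the same loop that enforces it also refuses out-of-range registers and jump targets before touching memory.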
