> On Tue, 30 Jun 2009 09:59:18 -0700 > "Bill Landry" <b...@inetmsg.com> wrote: > >> > On Tue, 30 Jun 2009 10:28:36 -0400 >> > Tom Shaw <ts...@oitc.com> wrote: >> > >> >> Does freshclam or clam on load/reload look for and remove dup >> >> signatures? >> > >> > No, it doesn't. This is up to the database maintainers to avoid >> > duplicates. >> >> So if, for example, the following signature: >> >> 5468697320697320612074657374207369676e61747572652e2e2e >> >> happens to be listed in one of the "official" signature databases and >> multiple 3rd party signature databases, ClamAV will load the same >> signature into memory multiple times? > > Yes, it will. It does what it's instructed to do. By adding an additional > database, you instruct clamav to use it. > >> That seems rather inefficient and requires every 3rd party signature >> writer to cross-reference every other signature writers databases, as >> well >> as the official signature databases. > > Well, this is not our problem really. We maintain the official databases > to be free of duplicates.
So if I were to include a signature in my 3rd party database, and then a few days later ClamAV adds the same signature to the official signature database, that is not your problem, but rather my problem? Seems like if you (ClamAV) is providing the means for including 3rd party databases, then wouldn't you agree that it really is ClamAV's responsibility to make sure that duplicate signatures do not get loaded and used? > We had an idea to allow 3rd party signature > creators to use our mechanisms for signature maintenance ([1], easy > checking for FPs, dups, name collisions) and also our network > infrastructure and freshclam to make everything more smooth but > unfortunately this idea didn't get much interest. Hmmm, first I've heard of this. Why was there a lack of interest? >> Wouldn't it be better/more efficient for ClamAV to load duplicate >> signatures only once? > > It would be inefficient (and could be even unsafe in some cases) to do > such things in the engine. Why is that? If ClamAV sorts all signatures when reloading, and ignores duplicate signatures, why would that be dangerous in the engine? Anyway, thanks for the feedback... Bill _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
