* Török Edwin wrote:
> On 05/24/2010 05:28 AM, Nathan Gibbs wrote:
>> 2.
>> Store an array of pointers to sigs needed to do a partial scan.
>> Hand the engine the list on partial scans.
>> That might be the more elegant solution.
>
> It might be possible to do this for the MD5 signatures, not the NDB
> signatures though.

OK, I'm clueless there, so I'll take your word for it.
Basically, that idea would only work part of the time.
Right?

> An AC trie needs to be built out of the full set of signatures you
> intend to scan with. The trie is actually more like an automaton, so you
> need a new one each time you add or remove a signature.
> I'm sure there is a way to do it, it is just not that simple :)
>

OK, so an AC trie gets built and used until a DB reload.
Am I understanding correctly?

> Actually for full system scans there might be a way to do it that
> doesn't involve many (or in fact any) changes to the engine:
> Store the CVD used, and a DB of clean file hashes/sizes.
> When you want a rescan you give the old CVD and the new CVD to a script,
> which compares the 2 databases and builds you a partial DB in a
> temporary directory (if a partial scan is possible, see the corner cases
> above). Then you can start a scan with just that temporary DB.
>

H'mm, that might work.
The corner cases being the NDB sigs, right?

> In 0.96 we started with something simple (cache clean, erase cache on
> reload) that works. We can always improve that later.
> Even the simple solution has some corner cases though (for example
> recursion depth needs to be taken into account), so care needs to be taken.
>

Right, I'll defer to sharper minds than mine to figure the implementation out.
It sounds promising though.
:-)

--
Sincerely,

Nathan Gibbs

Systems Administrator
Christ Media
http://www.cmpublishers.com
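Added example, not part of the original message and not ClamAV code: a sketch of the comparison script discussed above. It assumes both CVDs are already unpacked into text signature files, that hash signatures use the MD5:size:name layout with fixed sizes, and that any new NDB line forces a full rescan; the function names and all sample data are constructed.

```python
# Added example: decide between a full rescan and a partial DB of new hash sigs.
# Assumptions (not from the thread): unpacked text input, fixed-size MD5 sigs.

def parse_hdb(text):
    """Parse hash signatures (MD5:size:name) into {(md5, size): name}."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":", 2)
        sigs[(md5.lower(), int(size))] = name
    return sigs

def sig_lines(text):
    """Return the set of non-empty signature lines."""
    return {l.strip() for l in text.splitlines() if l.strip()}

def plan_rescan(old_hdb, new_hdb, old_ndb, new_ndb, clean_cache):
    """Return (mode, partial_db_lines, cached_paths_matching_new_sigs)."""
    # Corner case from the thread: body (NDB) signatures cannot be handled
    # partially, so any new NDB line means the clean cache is not trusted.
    if sig_lines(new_ndb) - sig_lines(old_ndb):
        return "full", [], []
    old, new = parse_hdb(old_hdb), parse_hdb(new_hdb)
    added = {k: v for k, v in new.items() if k not in old}
    partial_db = [f"{m}:{s}:{n}" for (m, s), n in sorted(added.items())]
    # Cached clean files whose hash and size now match a newly added signature.
    hits = sorted(p for p, key in clean_cache.items() if key in added)
    return "partial", partial_db, hits

# Constructed sample data.
OLD_HDB = "a" * 32 + ":100:Constructed.Sample-1\n"
NEW_HDB = OLD_HDB + "b" * 32 + ":2048:Constructed.Sample-2\n"
OLD_NDB = "Constructed.Body-1:0:*:deadbeef\n"
NEW_NDB_CHANGED = OLD_NDB + "Constructed.Body-2:0:*:cafebabe\n"
CLEAN_CACHE = {
    "/srv/files/a.bin": ("b" * 32, 2048),   # matches the new signature
    "/srv/files/b.bin": ("c" * 32, 2048),   # different hash
    "/srv/files/c.bin": ("b" * 32, 4096),   # same hash, different size
}

if __name__ == "__main__":
    print(plan_rescan(OLD_HDB, NEW_HDB, OLD_NDB, OLD_NDB, CLEAN_CACHE))
    print(plan_rescan(OLD_HDB, NEW_HDB, OLD_NDB, NEW_NDB_CHANGED, CLEAN_CACHE))
```

Removed signatures are ignored on purpose: dropping a signature cannot turn a file that was cached as clean into a detection.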