On Wed, 15 Sep 2010 10:05:02 -0700 Dennis Peterson <denni...@inetnw.com> wrote:
> On 9/15/10 7:47 AM, Tomasz Kojm wrote:
> > On Tue, 14 Sep 2010 09:22:48 -0700 Dennis
> > Peterson<denni...@inetnw.com> wrote:
> >
> >> Time tests of sigtool --find-sigs compared to grep. The output of
> >> either sigtool or grep can be piped back in to sigtool
> >> --decode-sigs:
> >>
> >> $ time sigtool --find-sigs Sanesecurity.Spam.10995
> >> Sanesecurity.Spam.10995:4:*:46726f6d3a20{-50}5066697a6572*5375626a6563743a20{-100}2520
> >>
> >>
> >> real 2m4.16s
> >> user 1m46.65s
> >> sys 0m2.88s
> >
> > Hi David,
> >
> > how many signatures are you using and which OS? On my 3-year old
> > Linux box the search takes 3 seconds (~965k sigs):
> >
> > $ time sigtool --find-sigs Sanesecurity.Spam.10995
> > Sanesecurity.Spam.10995:4:*:46726f6d3a20{-50}5066697a6572*5375626a6563743a20{-100}2520
> >
> > real 0m3.076s
> > user 0m2.952s
> > sys 0m0.124s
> >
>
> There are 823070 signatures in the current daily.cld, main.cld, and
> bytecode.cld, and 190586 signatures in the various Sane Security
> files. This is a Sun Sparc box running Solaris.

How long does 'sigtool -l >/dev/null' take?
And which Sparc CPU?

For comparison I tested on this one (only main/daily/bytecode, no sanesecurity)

$ /usr/sbin/psrinfo -v -p
The physical processor has 24 virtual processors (0-23)
  UltraSPARC-T2 (chipid 0, clock 1165 MHz)

$ time sigtool -l >/dev/null
real 0m16.128s
user 0m13.567s
sys 0m2.573s

$ time sigtool/sigtool --datadir=$HOME/db -f Trojan.Downloader-567 >/dev/null
real 0m9.569s
user 0m8.840s
sys 0m0.744s

So the sigtool -l time is an upper bound on -f time here.

>
> Which begs another question - anyone have a single command that will
> generate these numbers based on signature files in the DataDictionary
> directory?

sigtool -l | wc -l

It doesn't count signatures that are ignored during load though; other than that it should
mostly match the output of clamscan --detect-pua /dev/null | grep viruses

Best regards,
--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
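
The signature line quoted in the thread uses ClamAV's extended (.ndb) layout, Name:TargetType:Offset:HexSignature. The following is an added example, not part of the thread and not ClamAV's own code: a small Python decoder that shows what such a line matches, covering a few more wildcard forms than the thread's signature uses. The function names (decode_body, parse_ndb, describe) are hypothetical.

```python
import re

# Target-type codes of ClamAV's extended (.ndb) signature format.
TARGETS = {0: "any file", 1: "PE", 2: "OLE2", 3: "normalized HTML",
           4: "mail file", 5: "graphics", 6: "ELF", 7: "normalized ASCII text"}

# Wildcard tokens handled here: {n-m}, {-n}, {n-}, {n}, *, ?? and plain hex runs.
# Nibble wildcards and (aa|bb) alternatives are rejected rather than guessed at.
TOKEN = re.compile(r"\{(\d*)-(\d*)\}|\{(\d+)\}|(\*)|(\?\?)|((?:[0-9a-fA-F]{2})+)")

def decode_body(body):
    """Return a list of ('bytes', b'...') and ('gap', min, max_or_None) items."""
    items, pos = [], 0
    for m in TOKEN.finditer(body):
        if m.start() != pos:
            raise ValueError(f"unsupported token at offset {pos}: {body[pos:m.start()]!r}")
        pos = m.end()
        lo, hi, exact, star, any_byte, hexrun = m.groups()
        if hexrun:
            items.append(("bytes", bytes.fromhex(hexrun)))
        elif exact or any_byte:
            n = int(exact) if exact else 1      # {n} skips n bytes, ?? skips one
            items.append(("gap", n, n))
        else:  # "*" or {lo-hi} with either bound optional
            items.append(("gap", int(lo or 0), int(hi) if hi else None))
    if pos != len(body):
        raise ValueError(f"unsupported token at offset {pos}: {body[pos:]!r}")
    return items

def parse_ndb(line):
    """Split Name:TargetType:Offset:HexSignature and decode the hex body."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected Name:TargetType:Offset:HexSignature")
    name, target, offset, body = fields[:4]
    return {"name": name, "target": TARGETS.get(int(target), f"type {target}"),
            "offset": offset, "pattern": decode_body(body)}

def describe(sig):
    parts = [repr(i[1].decode("latin-1")) if i[0] == "bytes"
             else f"<{i[1]}..{'any' if i[2] is None else i[2]} bytes>"
             for i in sig["pattern"]]
    return f"{sig['name']} [{sig['target']}, offset {sig['offset']}]: " + " ".join(parts)

if __name__ == "__main__":
    # Signature line exactly as printed in the thread above.
    print(describe(parse_ndb(
        "Sanesecurity.Spam.10995:4:*:46726f6d3a20{-50}5066697a6572*5375626a6563743a20{-100}2520")))
```
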