On Mon, Feb 25, 2013 at 4:47 PM, Kaushik Vaidyanathan <kvaid...@andrew.cmu.edu> wrote:

> Hi
>
> I have a basic question. When I run clamscan with --debug option I see that
> #AC sigs and #BM sigs reported for the different engines clamscan spawns.
> If I add the AC and BM for all engines it's somewhere around 110K-120K
> signatures,
>
> However I see the sigtool info report for main.cvd and daily.cvd report
> close to 1M and 800K signatures respectively.
>
> I guess there is a difference in the definition of the word "signature" but
> I am unable to figure out what it is.
>
> Thank you!
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>

In short, there are signatures that are not AC type or BM type. So the
difference in definition you refer to is summed up in this equation: AC
signatures + BM signatures < ALL signatures

The largest group is full-file hash signatures (from the HDB & MDB-style
signatures). If you use sigtool to unpack the CVD files, you will see that
main.mdb and daily.mdb are the largest files inside each CVD. That is the
biggest part of the difference. The true "all signatures" count is printed
out in the "Known viruses" line of clamscan's output.

Dave R.

-- 
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com
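
The breakdown described in the reply above can be checked against an unpacked CVD. The following shell script is an added example, not part of the original thread or of ClamAV: it counts signature lines per database type in a directory produced by `sigtool --unpack`. The grouping of file extensions into hash and pattern databases (pattern being the kind the AC and BM counts refer to) is an assumption, and the `sample.*` files are constructed placeholders, not real signatures.

```shell
#!/bin/sh
# Added example. Counts one signature per non-blank, non-comment line in the
# files left by unpacking a CVD (e.g. `sigtool --unpack=main.cvd` in an empty dir).

# sig_class EXT: assumed grouping. hash = file / PE-section hash databases,
# pattern = body-based databases, other = everything else (whitelists etc.).
sig_class() {
    case "$1" in
        hdb|hsb|mdb|msb) echo hash ;;
        db|ndb|ldb)      echo pattern ;;
        *)               echo other ;;
    esac
}

count_lines() {
    awk 'NF && $0 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# sig_breakdown DIR: prints "hash=N pattern=N other=N total=N"
sig_breakdown() {
    hash=0; pattern=0; other=0
    for f in "$1"/*.*; do
        [ -f "$f" ] || continue
        ext=${f##*.}
        case "$ext" in info|cfg) continue ;; esac   # metadata, not signatures
        n=$(count_lines "$f")
        case "$(sig_class "$ext")" in
            hash)    hash=$((hash + n)) ;;
            pattern) pattern=$((pattern + n)) ;;
            *)       other=$((other + n)) ;;
        esac
    done
    echo "hash=$hash pattern=$pattern other=$other total=$((hash + pattern + other))"
}

# make_sample DIR: constructed stand-in for an unpacked CVD (not real signatures)
make_sample() {
    printf '%s\n' '00000000000000000000000000000000:1:Constructed.A' \
        '11111111111111111111111111111111:2:Constructed.B' > "$1/sample.hdb"
    printf '%s\n' '4096:22222222222222222222222222222222:Constructed.C' \
        '8192:33333333333333333333333333333333:Constructed.D' \
        '512:44444444444444444444444444444444:Constructed.E' > "$1/sample.mdb"
    printf '%s\n' '# comment' 'Constructed.F:0:*:deadbeef' '' > "$1/sample.ndb"
    printf '%s\n' 'sample.hdb:placeholder' > "$1/sample.info"
}

if [ "$#" -gt 0 ]; then sig_breakdown "$1"; else
    tmp=$(mktemp -d) && make_sample "$tmp" && sig_breakdown "$tmp"; rm -rf "$tmp"
fi
```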