On 2/25/13 4:01 PM, "David Raynor" wrote:

> On Mon, Feb 25, 2013 at 4:47 PM, Kaushik Vaidyanathan <kvaid...@andrew.cmu.edu> wrote:
>
>> Hi
>>
>> I have a basic question. When I run clamscan with the --debug option I see that
>> #AC sigs and #BM sigs are reported for the different engines clamscan spawns.
>> If I add the AC and BM for all engines it's somewhere around 110K-120K
>> signatures.
>>
>> However I see the sigtool info report for main.cvd and daily.cvd report
>> close to 1M and 800K signatures respectively.
>>
>> I guess there is a difference in the definition of the word "signature" but
>> I am unable to figure out what it is.
>>
>> Thank you!
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> http://www.clamav.net/support/ml
>>
>
> In short, there are signatures that are not AC type or BM type. So the
> difference in definition you refer to is summed up in this equation:
> AC signatures + BM signatures < ALL signatures
>
> The largest group is full-file hash signatures (from the HDB & MDB-style
> signatures). If you use sigtool to unpack the CVD files, you will see that
> main.mdb and daily.mdb are the largest files inside each CVD. That is the
> biggest part of the difference. The true "all signatures" count is printed
> out in the "Known viruses" line of clamscan's output.
>
> Dave R.
>

I was led to believe the "Known viruses" line of the clamscan output represents all _loaded_ signatures, which may not include optional signatures such as PUA.

-Al-
--
Al Varnell
Mountain View, CA