On Fri, Mar 15, 2013 at 7:44 AM, Eray Aslan <eray.as...@caf.com.tr> wrote:
> I see that clamav is bundling llvm library along with its code.
>
> * What does llvm buy me exactly for clamav? In other words, why do I
>   want to turn it on? Or do I even want to turn it on?
> * I don't think bundling a library is such a great idea. Fortunately,
>   there is a --with-system-llvm switch in the configure script. I believe
>   clamav is shipping llvm-2.8. Upstream seems to be at llvm-3.2. Are
>   there any compatibility tests being made? Does clamav have a version
>   restriction regarding the llvm library it uses?
>
> Thanks.
> --
> Eray Aslan

Hey Eray,

LLVM allows our analyst team to write advanced detection logic. Certain pieces of malware can't be detected by a simple hash. The analyst team writes bytecode signatures that safely run in our LLVM runtime.

We bundle LLVM inside of ClamAV's source because we've made heavy modifications to make it safe for our use. We've removed a lot of instructions that could potentially harm machines in case a piece of malware is somehow able to explain a weakness inside of LLVM while ClamAV scans the sample. Due to the nature of our modifications, we can't simply submit patches upstream. We've essentially forked LLVM's source and included the fork within ClamAV's source code.

I hope that helps answer your questions. Let me know if you have any further questions or comments.

Thanks,

Shawn Webb