The code for loading the data directories will give priority to loading the
ignore list (from ign2 files and from the daily.ign2 inside daily.cvd)
before loading signatures, which is just a list of signature names.

The rest of the signatures are loaded after that. Then every signature name
is checked against the ignore list and matches are discarded before
allocating permanent memory in the scanning engine.

Hope this helps,

Dave R.

On Mon, Apr 8, 2019 at 12:41 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hello again,
>
> On Mon, 8 Apr 2019,  Arnaud Jacques wrote:
> > On 07/04/2019 at 18:18, G.W. Haywood via clamav-users wrote:
> >
> > > > grep -a '^Phishtank.Phishing' daily.cld | cut -d':' -f1 > ~/phishtank.ign2
> >
> > This is not optimized:
> > Phishtank.Phishing are loaded in memory.
> > Then phishtank.ign2 is loaded in memory.
>
> Possibly true, I haven't looked at the code, but if I'd coded it then
> it would work in a more sensible way.  I'd free the ignored signatures
> from memory (and keep a note of the databases/files in use, and check
> their mtimes every now and again - perhaps even for every scan - etc.).
>
> > So there is a lot of memory used for nothing.
>
> Conjecture?
>
> > And I guess this will slow down the scan.
>
> Conjecture, but easily tested.  And if it *does* slow down the scan,
> I'd suggest that something must be horribly wrong.  It should be far
> quicker to ignore a signature than to check some block of data to see
> if it's matched.  Of course if the signature doesn't exist (i.e. it's
> been removed from memory) then it will take zero time to process it. :)
>
> > ... and one day I created a *huge* ign2 file and it crashed clamd.
>
> Has this fault in the code been reported?
>
> > Ign2 files may not be appropriate to ignore tons of signatures.
>
> I did count the number of signatures before suggesting this.
>
> mail6:~# >>> wc -l phishtank.ign2
> 3968 phishtank.ign2
> mail6:~# >>>
>
> I agree that it might not make sense to do this for something like all
> the Android signatures; if we're talking about hundreds of thousands,
> instead of just a few thousand, then I'd start asking if it weren't
> more appropriate to create my own databases from the published ones or
> something like that.  But for just a few thousand signatures, I'd have
> thought a .ign2 file would be quite satisfactory.
>
> Isn't that what this mechanism is for?
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>


-- 
---
Dave Raynor
Talos Security Intelligence and Research Group
dray...@sourcefire.com