On 05/24/2010 05:28 AM, Nathan Gibbs wrote:
> * Török Edwin wrote:
>> On 05/23/2010 02:46 AM, Nathan Gibbs wrote:
>>> I've wondered about a similar idea for speeding up file scanning.
>>> Especially in regards to daily system scans,
>>>
>>> After an initial scan, record a file's name, checksum, and
On Sun May 23 2010 13:54:14 GMT+0200 (CET)
Luciano_Rinetti wrote:
> I'm surprised that on a server with Clamav 0.95 the mirrors.dat
> shows 16 mirrors, and a recent mail server with Clamav 0.96 only 2 mirrors.
> Why this behaviour?
The information about the mirrors is collected by freshclam dur
* Török Edwin wrote:
> On 05/24/2010 05:28 AM, Nathan Gibbs wrote:
>> 2.
>> Store an array of pointers to sigs needed to do a partial scan.
>> Hand the engine the list on partial scans.
>> That might be the more elegant solution.
>
> It might be possible to do this for the MD5 signatures, not the
On 2010-05-24 22:00, Nathan Gibbs wrote:
> * Török Edwin wrote:
>> On 05/24/2010 05:28 AM, Nathan Gibbs wrote:
>>> 2.
>>> Store an array of pointers to sigs needed to do a partial scan.
>>> Hand the engine the list on partial scans.
>>> That might be the more elegant solution.
>>
>> It might be pos
Török Edwin wrote:
> A simpler form of this is already implemented in 0.96 :)
>
> If a file is determined to be clean, its MD5 is added to an in-memory cache.
> When scanning a new file, its MD5 is computed and looked up in the
> cache. If found, it is considered clean.
> On DB reload the entire ca
On Mon, 24 May 2010 22:22:46 +0200 Sarocet wrote:
> Török Edwin wrote:
>> A simpler form of this is already implemented in 0.96 :)
>>
>> If a file is determined to be clean, its MD5 is added to an in-memory cache.
>> When scanning a new file, its MD5 is computed and looked up in the
>> cache. If f
* Török Edwin wrote:
> On 2010-05-24 22:00, Nathan Gibbs wrote:
>> OK, so an AC trie gets built and used until a DB reload.
>> Am I understanding correctly?
>
> Yes.
>
Man, that does make it complicated.
>> H'mm, That might work.
>> The corner cases being the NBD sigs, right?
>
> The IDB sigs,
On 2010-05-24 23:37, Nathan Gibbs wrote:
> * Török Edwin wrote:
>> On 2010-05-24 22:00, Nathan Gibbs wrote:
>>> OK, so an AC trie gets built and used until a DB reload.
>>> Am I understanding correctly?
>>
>> Yes.
>>
>
> Man, that does make it complicated.
>
>>> H'mm, That might work.
>>> The cor
* Tomasz Kojm wrote:
> On Mon, 24 May 2010 22:22:46 +0200 Sarocet wrote:
>> Török Edwin wrote:
>>> A simpler form of this is already implemented in 0.96 :)
>>>
>>> If a file is determined to be clean, its MD5 is added to an in-memory cache.
>>> When scanning a new file, its MD5 is computed and loo
* Török Edwin wrote:
> On 2010-05-24 23:37, Nathan Gibbs wrote:
>> Here is about as far as my feature req would get.
>>
>> Leverage a checksum/hashing algorithm & partial DB's to speed up scheduled
>> system scans.
>>
See, I told you I didn't know what I was talking about. Your entry is better.
:
Tomasz Kojm wrote:
> On Mon, 24 May 2010 22:22:46 +0200 Sarocet wrote:
>
>> Create two files with a colliding md5. One is innocuous, the other is
>> infected.
>> Send the clean one first. clamav will note it is clean and cache the md5.
>>
> The cache also checks file sizes
>
>
>> Send th
On Mon, 24 May 2010 23:14:12 +0200 Sarocet wrote:
>>> Send the malicious one after a while. The hash is on the cache so it
>>> bypasses the AV.
>>> Profit.
>>>
>> Good luck,
>>
>
> I don't need to be specially lucky.
> It's just one google search away.
> http://www.mscs.dal.ca/~selinger/
Tomasz Kojm wrote:
> These are poor examples, which are almost identical (only 6 bytes
> differ). Now, take a notepad.exe and create a malicious file with the
> same file size and MD5.
>
> Thanks,
>
Read again the scenario.
Both files are created by the attacker. When the AV marks as clean the
* Sarocet wrote:
> Tomasz Kojm wrote:
>> These are poor examples, which are almost identical (only 6 bytes
>> differ). Now, take a notepad.exe and create a malicious file with the
>> same file size and MD5.
>>
>> Thanks,
>>
>
> Read again the scenario.
Scan the scenario. Neither file has a vi