Mailing List Archive

MAXSOPATLEN and Signatures
Hi,

I have two questions. Thanks in advance for answers.
1- The MAXSOPATLEN constant was commented in more than one location to contain the value 32, but in the actual implementation its value is 8. So, was it implemented first as 32 then changed to 8? If yes, can you please tell me why? Does this mean that we only have 8 states for the filtering step?

2- If we count the number of signatures in the 10 roots (root[0] through root[9]) for both AC and BM, the total would be around 100,000 signatures. So, would the remaining number of signatures (759261 - (~100,000)) be the md5 and such signatures?

Thanks,


~Moe

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: MAXSOPATLEN and Signatures
On 2010-05-12 20:53, Mohammed Al-Saleh wrote:
> Hi,
>
> I have two questions. Thanks in advance for answers.
> 1- The MAXSOPATLEN constant was commented in more than one location to contain the value 32, but in the actual implementation its value is 8. So, was it implemented first as 32 then changed to 8? If yes, can you please tell me why? Does this mean that we only have 8 states for the filtering step?
>

Yes, it was changed to 8 because it is sufficient. You'll find that most
of the subsignatures are very short (2-4 bytes), which makes it that much
harder to prefilter (since these 2-4 byte sequences generate a lot of
false matches).

commit 2c04b207e01eed2bdcdc5fca596476b25aa7b7cd
Author: Török Edvin <edwin@clamav.net>
Date: Sat Nov 29 10:07:33 2008 +0000

8 bits are sufficient, we only care if it is longer than 4
characters or not.
TODO: maybe we can use the rest of 24 states for something else?

git-svn-id: file:///var/lib/svn/clamav-devel/branches/prefiltering@4491 77e5149b-7576-45b1-b177-96237e5ba77b

> 2- If we count the number of signatures in the 10 roots (root[0] through root[9]) for both AC and BM, the total would be around 100,000 signatures. So, would the remaining number of signatures (759261 - (~100,000)) be the md5 and such signatures?

Yeah, .hdb and .mdb make up the majority of signatures.

Best regards,
--Edwin
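
The point made in the reply above, as an added example that is not part of the original thread and is not ClamAV's code: a simplified byte-wise Shift-Or prefilter with an 8-bit state, run over constructed sample text, showing how a 2-byte pattern leaves more candidates to verify than a long one cut to 8 bytes. It assumes "SO" in MAXSOPATLEN stands for Shift-Or; the names `so_filter`, `so_init`, `so_candidates`, `candidates_for` and `SAMPLE` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXSOPATLEN 8 /* value from the thread: one state bit per pattern byte */

/* Byte-wise Shift-Or prefilter for one pattern (simplified sketch, not ClamAV's filter code). */
struct so_filter {
    uint8_t mask[256]; /* bit j clear: this byte is allowed at pattern offset j */
    uint8_t accept;    /* bit of the last pattern byte the filter keeps */
};

/* Longer patterns are cut to 8 bytes: extra candidates, never a missed match. */
static int so_init(struct so_filter *f, const unsigned char *pat, size_t len)
{
    if (len == 0) return -1;
    if (len > MAXSOPATLEN) len = MAXSOPATLEN;
    memset(f->mask, 0xff, sizeof(f->mask));
    for (size_t j = 0; j < len; j++)
        f->mask[pat[j]] &= (uint8_t)~(1u << j);
    f->accept = (uint8_t)(1u << (len - 1));
    return 0;
}

/* Count the buffer positions an exact matcher would still have to verify. */
static size_t so_candidates(const struct so_filter *f, const unsigned char *buf, size_t n)
{
    uint8_t state = 0xff; /* all 8 states inactive */
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        state = (uint8_t)((state << 1) | f->mask[buf[i]]);
        if (!(state & f->accept)) hits++;
    }
    return hits;
}

static const char SAMPLE[] = "GET /a GET /index.html GET /index.php GET /b"; /* constructed input */

static size_t candidates_for(const char *pat)
{
    struct so_filter f;
    if (so_init(&f, (const unsigned char *)pat, strlen(pat)) != 0)
        return 0;
    return so_candidates(&f, (const unsigned char *)SAMPLE, strlen(SAMPLE));
}

int main(void)
{
    printf("GE: %zu, GET /index.php: %zu\n", candidates_for("GE"), candidates_for("GET /index.php"));
    return 0;
}
```

On this input the 2-byte pattern leaves 4 candidates and the 14-byte pattern, cut to its first 8 bytes, leaves 2, one of which (`/index.html`) an exact matcher would reject.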