Mailing List Archive

Sigs Order
Hi,

Are new viruses always added to the end of the database files (in both
main.* and daily.*)?
From few samples, I see that new viruses are appended to the DB files, but I
need to get confirmed that this always (or not necessarily) happens.

Thanks,

~Moe
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: Sigs Order [ In reply to ]
On 06/06/2010 11:00 AM, Mohammed Al-Saleh wrote:
> Hi,
>
> Are new viruses always added to the end of the database files (in both
> main.* and daily.*)?
> From few samples, I see that new viruses are appended to the DB files, but I
> need to get confirmed that this always (or not necessarily) happens.

For daily.cvd most of the time yes, since this way the .cdiff updates
are smaller.
However if a signature is removed and a new one is added, then the new
signature will replace the old one (i.e. it will be at the same line as
the old one was, not at the end).

So there is not guarantee where new signatures will end up, but the
order of signatures doesn't matter anyway.

Best regards,
--Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: Sigs Order [ In reply to ]
Hi Edwin,

Thanks for your kind replies.
I think the order of viruses matters when you add them to the BM linked
lists (in cli_bm_addpatt function).
The code tries to avoid hash collision in the first phase. So, one signature
could cause another to have a different place in the linked lists.

~Moe



2010/6/6 Török Edwin <edwin@clamav.net>

> On 06/06/2010 11:00 AM, Mohammed Al-Saleh wrote:
> > Hi,
> >
> > Are new viruses always added to the end of the database files (in both
> > main.* and daily.*)?
> > From few samples, I see that new viruses are appended to the DB files,
> but I
> > need to get confirmed that this always (or not necessarily) happens.
>
> For daily.cvd most of the time yes, since this way the .cdiff updates
> are smaller.
> However if a signature is removed and a new one is added, then the new
> signature will replace the old one (i.e. it will be at the same line as
> the old one was, not at the end).
>
> So there is not guarantee where new signatures will end up, but the
> order of signatures doesn't matter anyway.
>
> Best regards,
> --Edwin
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net