Mailing List Archive

Re: clamav-devel Digest, Vol 69, Issue 5
Sorry, I may not have expressed myself clearly. I want to know what the functions in
the filter.c file do. I think it builds a filter before scanning and gets a
position in the scanned file. What is the purpose of doing this?
Best Regards.
2010/6/26 <clamav-devel-request@lists.clamav.net>

> Message: 1
> Date: Sat, 26 Jun 2010 09:47:36 +0300
> From: Török Edwin <edwintorok@gmail.com>
> Subject: Re: [Clamav-devel] what does the filter do?
> To: clamav-devel@lists.clamav.net
> Message-ID: <20100626094736.6d17d67b@debian>
> Content-Type: text/plain; charset=UTF-8
>
> On Fri, 25 Jun 2010 11:56:48 +0800
> 唐杰 <outstandingcandy@gmail.com> wrote:
>
> > Hi all~
> >
> > I am a freshman of clamav and am reading the code of clamscan
> > recently. I don't know why we need a filter. Does it filter some
> > files which can be confirmed not to be a virus?
>
> Do you mean the --exclude command-line parameter?
> That is there for directories you'd never wish to scan like /sys, /dev
> and so on.
>
> Best regards,
> --Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: clamav-devel Digest, Vol 69, Issue 5
On Sun, 27 Jun 2010 08:57:28 +0800
唐杰 <outstandingcandy@gmail.com> wrote:

> Sorry, I may not have expressed myself clearly. I want to know what the
> functions in the filter.c file do. I think it builds a filter before
> scanning and gets a position in the scanned file. What is the purpose of
> doing this?

The filter runs faster than the AC or BM matcher; it is used to
eliminate parts of the buffer that certainly won't contain a match.
However, the filter is only approximate, so it has false positives (but
no false negatives). That's why the AC/BM matcher needs to be run too.

For example: if the trie contains: abc|ade the filter will accept
a[bd][ce]. So it does accept anything the original trie would accept,
but it also accepts some that it wouldn't ('abe' for example).
If the original buffer contains 'aee' though then the filter doesn't
match (and neither would the original trie), so it can skip this match.

Best regards,
--Edwin
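
The abc|ade example from the reply above, as an added sketch that is not part of the original post and is not the code in ClamAV's filter.c. It is a simplified per-position character-class filter; the names `filter_build`, `filter_accepts`, `exact_match` and `scan`, the fixed pattern length and the input buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define PAT_LEN 3 /* assumption: every sample pattern has this length */
/* Constructed sample signatures, taken from the example in the reply. */
static const char *patterns[] = { "abc", "ade" };
#define NPAT (sizeof(patterns) / sizeof(patterns[0]))
/* allowed[i][c] is non-zero if some pattern has byte c at position i. */
static unsigned char allowed[PAT_LEN][256];

static void filter_build(void) {
    memset(allowed, 0, sizeof(allowed));
    for (size_t p = 0; p < NPAT; p++)
        for (size_t i = 0; i < PAT_LEN; i++)
            allowed[i][(unsigned char)patterns[p][i]] = 1;
}

/* Approximate test: accepts a[bd][ce], so "abe" is a false positive. */
static int filter_accepts(const char *s) {
    for (size_t i = 0; i < PAT_LEN; i++)
        if (!allowed[i][(unsigned char)s[i]])
            return 0;
    return 1;
}

/* Exact test, standing in for the AC/BM matcher. */
static int exact_match(const char *s) {
    for (size_t p = 0; p < NPAT; p++)
        if (memcmp(s, patterns[p], PAT_LEN) == 0)
            return 1;
    return 0;
}

/* The exact matcher runs only at offsets the filter accepts.
 * Returns the number of real matches; *candidates counts filter hits. */
static int scan(const char *buf, size_t len, int *candidates) {
    int matches = 0;
    *candidates = 0;
    filter_build();
    for (size_t off = 0; off + PAT_LEN <= len; off++) {
        if (!filter_accepts(buf + off)) continue; /* cannot match: skip */
        (*candidates)++;
        matches += exact_match(buf + off);
    }
    return matches;
}

int main(void) {
    int cand, m = scan("xxaeexxabexxadexxabc", 20, &cand); /* constructed */
    printf("filter candidates=%d, exact matches=%d\n", cand, m);
    return 0;
}
```

On this constructed buffer the filter rejects the window at 'aee', passes 'abe' as a false positive that the exact matcher then discards, and passes both real matches.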