On 07/12/2011 02:11 AM, Jerry 270 wrote:
>
> Hi Edwin,
>
> Thanks for your reply. I am doing a Master's degree for which the research is analyzing & investigating malware. I am interested in evaluating algorithms used in anti-virus software, but am just investigating whether this is a possibility at the moment. The research project's goal is to define a problem domain, a scenario in which the problem to be investigated exists. Within this problem domain, a research question is posed. This is the question that the project will seek to answer.
>
> I enabled DevAVOnly and only the AC signatures appear to be loaded when the config file is reread but when I do a scan of some files the debug information appears to suggest that BM signatures are loaded for GENERIC and PE.
If you are using clamscan then use --dev-ac-only. I get 0 BM sigs:
LibClamAV debug: Matcher[0]: GENERIC: AC sigs: 35862 (reloff: 21, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 470 (ac_only mode)
LibClamAV debug: Using filter for trie 1
LibClamAV debug: Matcher[1]: PE: AC sigs: 59482 (reloff: 47699, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 468 (ac_only mode)
LibClamAV debug: Matcher[2]: OLE2: AC sigs: 1726 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 176 (ac_only mode)
LibClamAV debug: Matcher[3]: HTML: AC sigs: 5773 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 799 (ac_only mode)
LibClamAV debug: Using filter for trie 4
LibClamAV debug: Matcher[4]: MAIL: AC sigs: 1146 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 255 (ac_only mode)
LibClamAV debug: Matcher[5]: GRAPHICS: AC sigs: 23 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 227 (ac_only mode)
LibClamAV debug: Matcher[6]: ELF: AC sigs: 47 (reloff: 29, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 400 (ac_only mode)
LibClamAV debug: Using filter for trie 7
LibClamAV debug: Matcher[7]: ASCII: AC sigs: 1568 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 492 (ac_only mode)
LibClamAV debug: Matcher[8]: NOT USED: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[9]: MACH-O: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
> What should DevACDepth be set to?
>
> If AC is used for signatures containing wildcards and BM is used for signatures without wildcards is it possible to scan using just one type of signature and test the performance of each algorithm that way?
Well, you won't be able to load the AC signatures into BM (BM doesn't support the wildcards), so a first step would probably be to remove
the signatures that require AC from the DB.
You can use 'sigtool --unpack-current main' and 'sigtool --unpack-current daily' to unpack the databases.
And then load the DB as by default (into BM) and with --dev-ac-only (into AC), and compare them that way.
Also note that the BM algo has an optimization when signatures are tied to a specific offset (PE for example).
> How is prefiltering disabled?
Comment out this 'if' in matcher-ac.c:
if (cli_mtargets[root->type].enable_prefiltering && dconf_prefiltering) {
Best regards,
--Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla:
http://bugs.clamav.net
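The first step Edwin suggests, splitting an unpacked database into the exact-pattern signatures BM can hold and the wildcard signatures that need AC, as an added illustration that is not part of the original thread or of ClamAV's code. It works on .ndb-style records (MalwareName:TargetType:Offset:HexSignature) with a constructed sample database; the set of characters treated as wildcard/alternation markers, the `match_plain` helper, and its handling of only `*` and plain numeric offsets are my assumptions, not ClamAV's parser.

```python
"""Split .ndb-style signatures into BM-capable (exact) and AC-required (wildcard)
sets. Constructed sample data and assumed wildcard syntax; not ClamAV's own code."""

# .ndb line: MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
# Characters that (as I understand ClamAV's hex syntax) mark a wildcard,
# gap or alternation, and so force a signature into the AC matcher.
AC_ONLY_CHARS = set("*?{}[]()!|")

SAMPLE_NDB = """\
Test.Exact.A:0:*:48656c6c6f
Test.Exact.PEOffset:1:0:4d5a90000300
Test.Wild.AnyByte:0:*:4d5a??00
Test.Wild.Gap:1:EP+0:e8{4}5589e5
Test.Wild.Alt:0:*:(4d5a|5a4d)90
""".strip().splitlines()


def parse_ndb(line):
    fields = line.split(":")
    if len(fields) < 4:
        raise ValueError("malformed .ndb line: %r" % line)
    name, target, offset, hexsig = fields[:4]
    return {"name": name, "target": int(target), "offset": offset, "hexsig": hexsig}


def needs_ac(hexsig):
    """True if the hex signature uses wildcards/alternation (AC only)."""
    return any(c in AC_ONLY_CHARS for c in hexsig)


def split_db(lines):
    """Return (bm_capable, ac_required) signature lists."""
    bm, ac = [], []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        sig = parse_ndb(line)
        (ac if needs_ac(sig["hexsig"]) else bm).append(sig)
    return bm, ac


def match_plain(sig, data):
    """Match an exact (BM-capable) signature. A numeric offset means one
    comparison at that position, the shortcut Edwin mentions for
    offset-tied signatures; '*' means search the whole buffer."""
    pat = bytes.fromhex(sig["hexsig"])
    if sig["offset"] == "*":
        return data.find(pat) != -1
    if sig["offset"].isdigit():
        off = int(sig["offset"])
        return data[off:off + len(pat)] == pat
    raise ValueError("offset form %r not handled here" % sig["offset"])
```

Writing the two lists back out as separate .ndb files gives a BM-only database to load by default and the full database to load with --dev-ac-only, which is the comparison Edwin describes.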