Mailing List Archive: What's function for check between virus and signature on database ( AC)?

What's function for check between virus and signature on database ( AC)?

Sep 29, 2011, 11:24 AM

Post #1 of 3 (1421 views)

Hello All,

I debug clamscan programs by insert a input test to it. I have question on
function for check match string between virus and signature on database.
What a function for checking a virus and signature on database?
My view, It's should as function below in file name matcher-ac.c.

int cli_ac_chklsig(const char *expr, const char *end, uint32_t *lsigcnt,
unsigned int *cnt, uint64_t *ids, unsigned int parse_o nly)

In last email in mail-list suggested we should start with cli_parse_add()
function in readdb.c file for debuging with AC algorithms,but It's step for
AC algorithms in order to check start string with signature base( stage 1
check with prefix of string but not stage 2 for checking all string match
with signature base),right?

Best Regards,
Chatsiri Ratana
--
:--------------------------------------------------------
http://about.me/chatsiri.ratana
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

Re: What's function for check between virus and signature on database ( AC)? [ In reply to ]

edwintorok at gmail

Oct 1, 2011, 8:30 AM

Post #2 of 3 (1386 views)

Permalink

On 09/29/2011 09:24 PM, Chatsiri Ratana wrote:
> Hello All,
>
> I debug clamscan programs by insert a input test to it. I have question on
> function for check match string between virus and signature on database.
> What a function for checking a virus and signature on database?
> My view, It's should as function below in file name matcher-ac.c.
>
> int cli_ac_chklsig(const char *expr, const char *end, uint32_t *lsigcnt,
> unsigned int *cnt, uint64_t *ids, unsigned int parse_o nly)

This is only one of the functions, have a look at cli_fmap_scandesc: that is
the function that calls most of the other matchers.

If you are about AC algorithm only, then look at cli_ac_scanbuff.

>
> In last email in mail-list suggested we should start with cli_parse_add()
> function in readdb.c file for debuging with AC algorithms,but It's step for
> AC algorithms in order to check start string with signature base( stage 1
> check with prefix of string but not stage 2 for checking all string match
> with signature base),right?

cli_parse_add is used when loading the database to parse and convert the signatures into the internal representation.

Best regards,
--Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

Re: What's function for check between virus and signature on database ( AC)? [ In reply to ]

insiderboy at gmail

Oct 1, 2011, 10:06 AM

Post #3 of 3 (1371 views)

Permalink

2011/10/1 Török Edwin <edwintorok@gmail.com>

> On 09/29/2011 09:24 PM, Chatsiri Ratana wrote:
> > Hello All,
> >
> > I debug clamscan programs by insert a input test to it. I have question
> on
> > function for check match string between virus and signature on database.
> > What a function for checking a virus and signature on database?
> > My view, It's should as function below in file name matcher-ac.c.
> >
> > int cli_ac_chklsig(const char *expr, const char *end, uint32_t *lsigcnt,
> > unsigned int *cnt, uint64_t *ids, unsigned int parse_o nly)
>
> This is only one of the functions, have a look at cli_fmap_scandesc: that
> is
> the function that calls most of the other matchers.
>
> If you are about AC algorithm only, then look at cli_ac_scanbuff.
>
> >
> > In last email in mail-list suggested we should start with
> cli_parse_add()
> > function in readdb.c file for debuging with AC algorithms,but It's step
> for
> > AC algorithms in order to check start string with signature base( stage 1
> > check with prefix of string but not stage 2 for checking all string match
> > with signature base),right?
>
> cli_parse_add is used when loading the database to parse and convert the
> signatures into the internal representation.
>
> Best regards,
> --Edwin
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>

Hello,

I looking in clam-doc after download source code. It's good document into
description API function for scanning virus.
I have plan for research performance for scanning for Clamav :D

Thanks you for advices,
Chatsiri Ratana

--
:--------------------------------------------------------
http://about.me/chatsiri.ratana
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net