
sherpya at netfarm
May 29, 2007, 10:02 PM
Post #1 of 3
Some time ago two guys wrote a patch for clamav to use a different filter that works in collaboration with the bm matcher. In brief, bloom av gives no false negatives but may have false positives; the file is then passed to the bm matcher.

The attached patch is rather old; with the new changes to the engine I don't know if it still works, or how easy it is to adapt. It also needs to be tweaked to support scanning with offset (right now I've treated it as a false positive so the scan is passed to bm).

bloom av is faster than bm; the overall scan speed is improved since the hypothesis is that non-virus files are a lot more than virus files.

I've also attached a profiled scan; look at the details:

[bm + ac]
 54.63    166.07   166.07      8012     0.02     0.02  cli_bm_scanbuff
 22.41    234.20    68.13 139428866     0.00     0.00  cli_findpos
 15.26    280.59    46.39      8012     0.01     0.01  cli_ac_scanbuff

[(bloom | bm) + ac]
 27.85     67.22    67.22 139428866     0.00     0.00  cli_findpos
 27.31    133.15    65.93       245     0.27     0.27  cli_bm_scanbuff
 19.52    180.26    47.11      8012     0.01     0.01  cli_ac_scanbuff

and

  2.20    217.76     5.31      8012     0.00     0.00  cli_bloom_filter_scanbuff

so we gain 8012 - 245 bm scans, replaced by 8012 bloom scans that are faster.

The logic of the overall scan is: bloom first, if positive bm, then ac as normal flow.

The patch does not yet include the gpl header, but the guy gave me permission to distribute it as GPL.

Hope this helps

--
Gianluigi Tiesi <sherpya [at] netfarm>
EDP Project Leader
Netfarm S.r.l. - http://www.netfarm.it/
Free Software: http://oss.netfarm.it/
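The scan order described in the post above (bloom first, exact matcher only on a positive), as an added sketch that is not the attached patch and not ClamAV code. All names, the 4-byte prefix window and the hash choice are assumptions, and a plain search stands in for the bm matcher.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NGRAM 4                 /* assumed: leading signature bytes fed to the filter */
#define BLOOM_BITS (1u << 16)
static uint8_t bloom[BLOOM_BITS / 8];
static unsigned exact_scans;    /* buffers that reached the exact matcher */

/* Seeded FNV-1a over one NGRAM window; the top 16 bits pick the filter bit. */
static uint32_t hash_ngram(const uint8_t *p, uint32_t seed) {
    uint32_t h = 2166136261u ^ seed;
    for (size_t i = 0; i < NGRAM; i++) { h ^= p[i]; h *= 16777619u; }
    return h >> 16;
}

/* Two hash functions per window: set both bits (add) or test both (query). */
static int bloom_op(const uint8_t *p, int add) {
    for (uint32_t k = 0; k < 2; k++) {
        uint32_t b = hash_ngram(p, k * 0x9e3779b9u);
        if (add) bloom[b >> 3] |= (uint8_t)(1u << (b & 7));
        else if (!(bloom[b >> 3] & (1u << (b & 7)))) return 0; /* definitely absent */
    }
    return 1;                   /* possibly present, may be a false positive */
}
/* Signatures must be at least NGRAM bytes long. */
void load_sigs(const char **sigs, size_t n) {
    memset(bloom, 0, sizeof bloom);
    for (size_t s = 0; s < n; s++) bloom_op((const uint8_t *)sigs[s], 1);
}

/* Stand-in for the exact matcher: plain search, not Boyer-Moore. */
static int exact_scan(const uint8_t *buf, size_t len, const char **sigs, size_t n) {
    exact_scans++;
    for (size_t s = 0; s < n; s++) {
        size_t sl = strlen(sigs[s]);
        for (size_t i = 0; i + sl <= len; i++)
            if (memcmp(buf + i, sigs[s], sl) == 0) return (int)s;
    }
    return -1;
}

/* Bloom first; only a positive window sends the buffer to the exact matcher. */
int scan(const uint8_t *buf, size_t len, const char **sigs, size_t n) {
    for (size_t i = 0; i + NGRAM <= len; i++)
        if (bloom_op(buf + i, 0)) return exact_scan(buf, len, sigs, n);
    return -1;                  /* no window hit: exact matcher skipped */
}
unsigned exact_scan_count(void) { return exact_scans; }
```

Because every occurrence of a signature begins with a window that was added to the filter, a buffer containing one always reaches the exact matcher; a clean buffer reaches it only on a filter collision.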