Date: Tue, 30 Jun 2009 11:26:25 -0700
From: "Bill Landry" <bill@inetmsg.com>
To: "ClamAV users ML" <clamav-users@lists.clamav.net>
Subject: Re: [Clamav-users] Signature dups

> On Tue, 30 Jun 2009 09:59:18 -0700
> "Bill Landry" <bill@inetmsg.com> wrote:
>
>> > On Tue, 30 Jun 2009 10:28:36 -0400
>> > Tom Shaw <tshaw@oitc.com> wrote:
>> >
>> >> Does freshclam or clam on load/reload look for and remove dup
>> >> signatures?
>> >
>> > No, it doesn't. This is up to the database maintainers to avoid
>> > duplicates.
>>
>> So if, for example, the following signature:
>>
>> 5468697320697320612074657374207369676e61747572652e2e2e
>>
>> happens to be listed in one of the "official" signature databases and
>> multiple 3rd party signature databases, ClamAV will load the same
>> signature into memory multiple times?
>
> Yes, it will. It does what it's instructed to do. By adding an additional
> database, you instruct clamav to use it.
>
>> That seems rather inefficient and requires every 3rd party signature
>> writer to cross-reference every other signature writer's databases, as
>> well as the official signature databases.
>
> Well, this is not our problem really. We maintain the official databases
> to be free of duplicates.

So if I were to include a signature in my 3rd party database, and then a
few days later ClamAV adds the same signature to the official signature
database, that is not your problem, but rather my problem?  Seems like if
you (ClamAV) are providing the means for including 3rd party databases,
then wouldn't you agree that it really is ClamAV's responsibility to make
sure that duplicate signatures do not get loaded and used?

> We had an idea to allow 3rd party signature
> creators to use our mechanisms for signature maintenance ([1], easy
> checking for FPs, dups, name collisions) and also our network
> infrastructure and freshclam to make everything more smooth but
> unfortunately this idea didn't get much interest.

Hmmm, first I've heard of this.  Why was there a lack of interest?

>> Wouldn't it be better/more efficient for ClamAV to load duplicate
>> signatures only once?
>
> It would be inefficient (and could be even unsafe in some cases) to do
> such things in the engine.

Why is that?  If ClamAV sorts all signatures when reloading, and ignores
duplicate signatures, why would that be dangerous in the engine?

Anyway, thanks for the feedback...

Bill
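
Added illustration (not part of the original message, and not ClamAV code): because the engine loads every database it is given, cross-database duplicates have to be found before loading. This sketch groups entries from `.db` (`Name=HexSig`) and `.ndb` (`Name:Target:Offset:HexSig`) files by signature body; the file names, signature names and the treatment of a `.db` entry as target 0 with offset `*` are assumptions of the example.

```python
from collections import defaultdict

# Hex body quoted in the thread above; everything else here is constructed.
SIG = "5468697320697320612074657374207369676e61747572652e2e2e"

# Constructed sample databases: file name -> file contents.
SAMPLE_DBS = {
    "official.ndb": f"Test.Official-1:0:*:{SIG}\n",
    "thirdparty_a.db": f"VendorA.Test={SIG.upper()}\nVendorA.Other=4d5a9000\n",
    "thirdparty_b.ndb": f"VendorB.Test:0:*:{SIG}\nVendorB.PE:1:*:4d5a9000\n",
}


def parse_line(fname, line):
    """Return (name, key) for one signature line, or None if not parseable.

    key = (target, offset, lowercase hex body). Target and offset are part of
    the key because the same bytes with a different target type or offset
    are a different signature, not a duplicate.
    """
    line = line.strip()
    if not line:
        return None
    if fname.endswith(".db"):
        name, sep, body = line.partition("=")
        if not sep:
            return None
        target, offset = "0", "*"   # assumption: basic sig = any file, any offset
    elif fname.endswith(".ndb"):
        fields = line.split(":")
        if len(fields) < 4:
            return None
        name, target, offset, body = fields[:4]
    else:
        return None
    return name, (target, offset, body.lower())


def find_duplicates(dbs):
    """Map each signature key seen more than once to its (file, name) list."""
    seen = defaultdict(list)
    for fname, text in dbs.items():
        for line in text.splitlines():
            parsed = parse_line(fname, line)
            if parsed:
                name, key = parsed
                seen[key].append((fname, name))
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for key, where in find_duplicates(SAMPLE_DBS).items():
        print(key[2][:16] + "...", "->", where)
```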

