[clamav-users] [External] Re: Scan very slow
Paul Kosinski
clamav-users at iment.com
Sun Apr 14 13:50:32 UTC 2019
Regexes can be slow or even extremely slow to apply, depending on the
implementation. Backtracking is the worst, perhaps taking exponential
time, but often is cut off by artificial limits.
Does ClamAV perchance precompute Deterministic Finite Automata for the
regexes? These run fast, but take time exponential in regex length to
set up:
https://en.wikipedia.org/wiki/Regular_expression#Implementations_and_running_times
On Thu, 11 Apr 2019 00:56:04 +0000
"Micah Snyder \(micasnyd\) via clamav-users"
<clamav-users at lists.clamav.net> wrote:
> JME,
>
> As you've pointed out, it appears that some signatures containing a
> PCRE regex components are responsible for slow scan times on larger
> email files.
>
> I did a bunch of profiling similar to what Maarten did earlier in
> order to narrow it down. I found that Email.Phishing.VOF2 signatures
> are performing slower with the eml sample you sent me.
> Email.Phishing.VOF2 signatures contain a PCRE regex component to
> alert on email attachments with specific names. Now that we've
> determined which signatures are performing slowly in these cases, I
> am hopeful that we will be able to optimize the Email.Phishing.VOF2
> signatures to improve performance.
>
> I will note that your idea to lower the PCRERecMatchLimit setting to
> 1 will effectively neuter all signatures that rely on regexes and so
> I can't recommend this.
>
> Regards,
> Micah
More information about the clamav-users
mailing list