[clamav-users] Continuous increase of startup time (is daily.cld broken?)
Steve Basford
steveb_clamav at sanesecurity.com
Mon Oct 7 16:04:50 UTC 2019
On 7 October 2019 15:25:41 "J.R. via clamav-users"
<clamav-users at lists.clamav.net> wrote:
> I don't know how the viruses are tracked, but maybe to reduce size (if
> applicable) some of the more ancient viruses that only affect EOL
> operating systems (or programs that should have long since been
> patched) could be spun-off into a separate definition file (that could
> be optionally disabled)? Seems like it would be quite a waste of
> resources for most if there were like a million definitions that only
> affected Windows XP or Office 2003 or something like that...
If you also take a peek at hashes:
Number of hashes:
36,49,543 main.hdb
23,657,708 daily.hdb
248,06,499 main.hsb
905,00,729 daily.hsb
file Size:
36,49,543 main.hdb
23,657,708 daily.hdb
24,806,499 main.hsb
905,00,729 daily.hsb
Example:
grep "130ae8f338cc705a26fa5fa635d8673a" daily.hsb
130ae8f338cc705a26fa5fa635d8673a:92160:Doc.Dropper.Agent-1453138:73
https://www.virustotal.com/gui/file/06f0af676b49d13c51b36e4d61f2d8751bd5ef5d5241a68e99691d68617c7415/detection
First Seen In The Wild ---> 2016-06-03 20:34:00
Last Submission ---> 2016-06-03 20:37:03
Document Name: Rotech AG_Faktur dot doc
So, is the above hash still relevant or should it be moved into archived.hsb,
which by default doesn't load?
Perhaps, daily.* are hashes up to a year old, main.* for hashes two years
old and everything else into archive.*
Or just drop document hashes over a year old??
It's a difficult one to suit all uses of ClamAV I guess.
Cheers,
Steve
Twitter: @sanesecurity
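
Added example, not part of the message above and not ClamAV project code: a parser for `hash:size:name[:flevel]` entries like the one grepped above, tallying entries by leading name component (such as `Doc`) to show how much of an unpacked `.hsb`/`.hdb` file one group of hashes accounts for. Every sample line except the entry quoted in the message is constructed, and treating `*` as an unknown file size is an assumption not shown on this page.

```python
import sys
from collections import Counter
from typing import Iterable, NamedTuple, Optional

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm

class HashSig(NamedTuple):
    digest: str
    algo: str
    size: Optional[int]    # None when the size field is "*" (assumed: unknown size)
    name: str
    flevel: Optional[int]  # optional trailing field, e.g. the ":73" in the message

def parse_line(line: str) -> Optional[HashSig]:
    """Parse 'hash:size:name[:flevel]'; return None for blank or malformed lines."""
    parts = line.strip().split(":")
    if len(parts) < 3:
        return None
    digest, size, name = parts[0].lower(), parts[1], parts[2]
    algo = HASH_TYPES.get(len(digest))
    if algo is None or not set(digest) <= set("0123456789abcdef"):
        return None
    if (size != "*" and not size.isdecimal()) or not name:
        return None
    flevel = int(parts[3]) if len(parts) > 3 and parts[3].isdecimal() else None
    return HashSig(digest, algo, None if size == "*" else int(size), name, flevel)

def tally(lines: Iterable[str]) -> Counter:
    """Count valid entries per leading name component, e.g. 'Doc' or 'Win'."""
    counts = Counter()
    for line in lines:
        sig = parse_line(line)
        if sig:
            counts[sig.name.split(".", 1)[0]] += 1
    return counts

# First line is the entry quoted in the message; the others are constructed.
SAMPLE = [
    "130ae8f338cc705a26fa5fa635d8673a:92160:Doc.Dropper.Agent-1453138:73",
    "0" * 32 + ":1024:Doc.Example.Constructed-1",
    "a" * 64 + ":*:Win.Example.Constructed-2:73",
    "not-a-hash:12:Broken.Entry",  # rejected: digest is not hex
]

if __name__ == "__main__":
    # Usage: script.py daily.hsb   (no argument: run on the embedded sample)
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    for prefix, n in tally(lines).most_common():
        print(f"{n:>10}  {prefix}")
```

The hash files carry no date field, so the age cut-offs suggested in the message would need first-seen data from another source; this only measures the per-prefix share.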