[clamav-users] Continuous increase of startup time (is daily.cld broken?)

Steve Basford steveb_clamav at sanesecurity.com
Mon Oct 7 12:04:50 EDT 2019


On 7 October 2019 15:25:41 "J.R. via clamav-users" 
<clamav-users at lists.clamav.net> wrote:

> I don't know how the viruses are tracked, but maybe to reduce size (if
> applicable) some of the more ancient viruses that only affect EOL
> operating systems (or programs that should have long since been
> patched) could be spun-off into a separate definition file (that could
> be optionally disabled)? Seems like it would be quite a waste of
> resources for most if there were like a million definitions that only
> affected Windows XP or Office 2003 or something like that...

If you also take a peek at hashes:

Number of hashes:

36,49,543 main.hdb
23,657,708 daily.hdb

248,06,499 main.hsb
905,00,729 daily.hsb

File size:

36,49,543 main.hdb
23,657,708 daily.hdb

24,806,499 main.hsb
905,00,729 daily.hsb

Example:

grep "130ae8f338cc705a26fa5fa635d8673a" daily.hsb

130ae8f338cc705a26fa5fa635d8673a:92160:Doc.Dropper.Agent-1453138:73

https://www.virustotal.com/gui/file/06f0af676b49d13c51b36e4d61f2d8751bd5ef5d5241a68e99691d68617c7415/detection

First Seen In The Wild ---> 2016-06-03 20:34:00
Last Submission ---> 2016-06-03 20:37:03
Document Name: Rotech AG_Faktur dot doc

So, is the above hash still relevant, or should it be moved into archived.hsb,
which by default doesn't load?

Perhaps daily.* are hashes up to a year old, main.* for hashes two years
old, and everything else into archive.*

Or just drop document hashes over a year old??

It's a difficult one to suit all uses of ClamAV, I guess.

Cheers,


Steve
Twitter: @sanesecurity
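
To gauge how much of a hash database a "drop old document hashes" policy would touch, the records can be tallied by the leading component of the signature name. This is an added example, not part of the original post or of ClamAV; the function names `parse_hash_sig` and `category_counts` are hypothetical, the field layout is taken from the line quoted above, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Field layout as in the record quoted in the post: hash:size:name:flevel.
# The hash type is inferred from the hex length (an assumption of this example).
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_hash_sig(line):
    """Return a dict for one .hdb/.hsb record, or None if it is malformed."""
    parts = line.strip().split(":")
    if len(parts) < 3:
        return None
    digest, size, name = parts[0], parts[1], parts[2]
    if not HEX.match(digest) or len(digest) not in HASH_TYPES:
        return None
    if size != "*" and not size.isdigit():
        return None
    if not name:
        return None
    flevel = int(parts[3]) if len(parts) > 3 and parts[3].isdigit() else None
    return {"hash": digest.lower(), "type": HASH_TYPES[len(digest)],
            "size": None if size == "*" else int(size),
            "name": name, "category": name.split(".", 1)[0], "flevel": flevel}

def category_counts(lines):
    """Count records per leading name component ('Doc', 'Win', ...)."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue  # skip blank lines
        rec = parse_hash_sig(line)
        counts[rec["category"] if rec else "<malformed>"] += 1
    return counts

# First line is the record quoted in the post; the rest are constructed samples.
SAMPLE = [
    "130ae8f338cc705a26fa5fa635d8673a:92160:Doc.Dropper.Agent-1453138:73",
    "0" * 40 + ":1024:Win.Trojan.Example-1:73",
    "f" * 64 + ":*:Doc.Malware.Example-2:73",
    "not-a-hash:12:Broken.Entry-3",
]

if __name__ == "__main__":
    for cat, n in category_counts(SAMPLE).most_common():
        print(f"{n:>8}  {cat}")
```

`category_counts` accepts any iterable of lines, so an open file handle on an unpacked daily.hsb can be passed directly.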