[Avcheck] md5 body checksum ring buffer as cache??
Michael Tokarev
mjt@tls.msk.ru
Tue, 20 Nov 2001 04:33:01 +0300
Ralf Hildebrandt wrote:
>
> Hi!
>
> Would a ring-buffer of md5 checksums of message bodies make sense for
> caching virus scan results?
>
> Say, the buffer is 100 entries big:
>
> checksum1 virus
> checksum2 clean
> checksum3 clean
> ...
> checksumn clean
>
> This would considerably (?) decrease scanning time. Or is it just a stupid
> idea?

On my machine, DrWeb runs slightly faster than md5sum on a big mail
collection. When I feed a postfix-users archive into it (most mails
are plain text), DrWeb beats md5 for sure. (Don't know about Avp).

Well, what *will* help is to try to see if a message *can* contain
viruses at all before feeding it into a virusscanner. For example,
plaintext mail without funny MIME stuff is a bad candidate for a
virus. But there is one problem -- one day someone will write a
virus that will sit in the mail headers -- virusscanners will adapt
quickly by issuing an update, and we will need to deal with that
too. (Just a hypothetical situation, but there is already a "patch"
in Sendmail against a buffer overflow in some MUAs. And such things
as uuencode exist too -- interesting, DrWeb claims
to detect viruses in uuencoded "attachments" too, I'll check this --
how does it run so fast?).

Regards,
Michael.
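
Added example, not part of the original messages and not Avcheck code: a Python sketch that combines the two ideas in this thread, a pre-filter that skips only well-formed single-part plain text with no uuencoded block, and a fixed-size ring buffer of body digests holding scan verdicts. The names `needs_scan`, `VerdictCache`, `check`, the `scan` callable and `sig_version` are assumptions of this example, and SHA-256 is used in place of the MD5 named in the thread.

```python
import hashlib
import re
from collections import OrderedDict
from email import message_from_bytes

# A uuencoded block opens with "begin <mode> <name>" at the start of a line.
UU_BEGIN = re.compile(rb"^begin [0-7]{3,4} \S", re.MULTILINE)
# Constructed sample messages (not from the thread).
PLAIN = b"From: a@example.com\nSubject: hi\n\nJust text.\n"
UUENC = b"From: a@example.com\nSubject: file\n\nbegin 644 demo.txt\n#0V%T\n`\nend\n"

def needs_scan(raw: bytes) -> bool:
    """False only for well-formed, single-part, unencoded text/plain mail."""
    msg = message_from_bytes(raw)
    if msg.defects or msg.is_multipart() or msg.get_content_type() != "text/plain":
        return True
    cte = str(msg.get("Content-Transfer-Encoding", "7bit")).strip().lower()
    if cte not in ("7bit", "8bit"):
        return True  # encoded body: leave decoding to the scanner
    return bool(UU_BEGIN.search(raw))  # uuencoded "attachment" inside plain text

class VerdictCache:
    """Ring buffer holding the last `size` (body digest -> verdict) pairs."""
    def __init__(self, size: int = 100):
        self.size, self.entries = size, OrderedDict()

    def _key(self, body: bytes, sig_version: str) -> str:
        # SHA-256 rather than the thread's MD5; sig_version invalidates old verdicts.
        return hashlib.sha256(sig_version.encode() + b"\0" + body).hexdigest()

    def get(self, body: bytes, sig_version: str):
        return self.entries.get(self._key(body, sig_version))

    def put(self, body: bytes, sig_version: str, verdict: str) -> None:
        key = self._key(body, sig_version)
        if key not in self.entries and len(self.entries) >= self.size:
            self.entries.popitem(last=False)  # overwrite the oldest slot
        self.entries[key] = verdict

def check(raw: bytes, cache: VerdictCache, scan, sig_version: str) -> str:
    """scan is a hypothetical callable(raw) -> 'clean' | 'virus'."""
    if not needs_scan(raw):
        return "skipped"
    body = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[-1]
    verdict = cache.get(body, sig_version)
    if verdict is None:
        verdict = scan(raw)
        cache.put(body, sig_version, verdict)
    return verdict
```

Keying the cache on the body alone inherits the caveat raised in the reply: a cached verdict says nothing about the headers of a later message that carries the same body.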