[Avcheck] md5 body checksum ring buffer as cache??

Michael Tokarev mjt@tls.msk.ru
Tue, 20 Nov 2001 04:33:01 +0300


Ralf Hildebrandt wrote:
> 
> Hi!
> 
> Would a ring-buffer of md5 checksums of message bodies make sense for
> caching virus scan results?
> 
> Say, the buffer is 100 entries big:
> 
> checksum1           virus
> checksum2           clean
> checksum3           clean
> ...
> checksumn           clean
> 
> This would considerably (?) decrease scanning time. Or is it just a stupid
> idea?

On my machine, DrWeb runs slightly faster than md5sum on a big mail
collection.  When I feed a postfix-users archive into it (most mails
are plain text), DrWeb beats md5 for sure. (Don't know about Avp).

Well, what *will* help is to try to see if a message *can* contain
viruses at all before feeding it into a virusscanner.  For example,
plaintext mail without funny MIME stuff is a bad candidate for a
virus.  But there is one problem -- one day someone will write a
virus that will sit in the mail headers -- virusscanners will adapt
quickly by issuing an update, and we will need to deal with that
too. (just a hypothetical situation, but there is already a "patch"
in Sendmail against a buffer overflow in some MUAs.  And such things
as uuencode exist too -- interesting, DrWeb claims
to detect viruses in uuencoded "attachments" too, I'll check this --
how does it run so fast?).

Regards,
 Michael.
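
The pre-filter suggested in the reply above, sketched as an added example (not part of the original message and not avcheck code): it skips the scanner only for single-part text/plain mail and still sends mail with a uuencoded block in the body to the scanner. The function name `needs_scan` and the sample messages are constructed for illustration; header-borne payloads, the hypothetical case raised in the reply, are not covered by this check.

```python
import re
from email import message_from_bytes

# A uuencoded block starts with a line "begin <octal mode> <filename>".
UU_BEGIN = re.compile(rb"^begin [0-7]{3,4} \S", re.MULTILINE)

# Transfer encodings under which a text/plain body can be inspected as text.
TEXT_ENCODINGS = {"7bit", "8bit", "binary", "quoted-printable"}


def needs_scan(raw: bytes) -> bool:
    """Return False only when the message is provably plain text.

    Every doubtful case (MIME structure, parse defects, unusual
    encodings, uuencode markers) falls through to the scanner.
    """
    msg = message_from_bytes(raw)
    if msg.is_multipart() or msg.defects:
        return True
    if msg.get_content_type() != "text/plain" or msg.get_filename():
        return True
    cte = (msg.get("Content-Transfer-Encoding") or "7bit").strip().lower()
    if cte not in TEXT_ENCODINGS:
        return True
    body = msg.get_payload(decode=True) or b""
    # Plain text can still carry a uuencoded "attachment" inline.
    return UU_BEGIN.search(body) is not None


# Constructed sample messages.
PLAIN = b"From: a@example.org\r\nSubject: hi\r\n\r\nJust text.\r\n"
UUENC = (b"From: a@example.org\r\nSubject: file\r\n\r\nSee below.\r\n"
         b"begin 644 test.txt\r\n#0V%T\r\n`\r\nend\r\n")
MIME = (b"From: a@example.org\r\nMIME-Version: 1.0\r\n"
        b"Content-Type: multipart/mixed; boundary=\"b\"\r\n\r\n"
        b"--b\r\nContent-Type: text/plain\r\n\r\nhi\r\n"
        b"--b\r\nContent-Type: application/octet-stream\r\n"
        b"Content-Disposition: attachment; filename=\"x.bin\"\r\n"
        b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b--\r\n")
HTML = b"From: a@example.org\r\nContent-Type: text/html\r\n\r\n<p>hi</p>\r\n"

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN), ("uuencode", UUENC),
                      ("mime", MIME), ("html", HTML)]:
        print(f"{name:9s} scan={needs_scan(raw)}")
```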