http://blogs.mcafee.com/mcafee-labs/optimizing-dat-performance-smaller-better
Reposting an article about signature database (DAT) optimization.
I want to share some of the good work McAfee Labs did in the past year in optimizing and enhancing the V2 DATs (malware definition files, also known as AVV DATs) used in McAfee VirusScan Enterprise and other McAfee enterprise products. In 2014, we reduced DAT size by more than 45% to about 70MB, down from a high of about 132MB.
These enhancements have led to a big performance win: the reduction in DAT size automatically translates into faster system scan times and smaller DAT updates. Even more impressive is that these massive size reductions have been achieved while delivering consistently high protection effectiveness results in tests last year by AV-Test, AV-Comparatives, and NSS Labs.
Shrinking strategy
McAfee Labs evaluated its DAT signature categories and focused first on hash-based detections that had been added by our automation systems. Over time, human-authored generic signatures evolved to overlap most hash-based signature content, allowing for their safe removal without losing any detection capability.
The second strategy was to target signatures not seen in the field—mainly single-use malware deployed in common spam campaigns. The risk of seeing these old files in the field is very low. If these signatures were not seen via our McAfee Global Threat Intelligence (GTI) cloud telemetry, we moved them into the McAfee GTI cloud, where they still provide protection but without the performance impact of constantly downloading unneeded data.
Antimalware engine releases such as the 5600 and 5700 engines used in McAfee VirusScan Enterprise and other McAfee enterprise products also allow us to port commonly used code in the DAT files to native engine code. Although in the past there were limitations to authoring generic detections on unsupported packers or file formats, new engines enable better decomposition of these formats, allowing researchers to create better generic signatures.
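As an added illustration (not code from the McAfee post), here is a small Python model of the two shrinking strategies above: hash signatures whose detections are fully overlapped by generic signatures are dropped, hash signatures never seen in field telemetry are moved to the cloud, and a final check confirms that the DAT plus the cloud still detect everything the old DAT did. Signature names, sample ids and hit counts are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    kind: str             # "hash" (automation-added) or "generic" (human-authored)
    detects: frozenset    # ids of the samples this signature fires on (constructed)


def coverage(sigs):
    """Union of everything a list of signatures detects."""
    return frozenset().union(*(s.detects for s in sigs))


def optimize_dat(signatures, field_hits):
    """Split signatures into: keep in the DAT, remove outright, move to the cloud.

    Strategy 1: a hash signature whose every detection is already covered by a
    generic signature is redundant and can be dropped with no loss of coverage.
    Strategy 2: a hash signature never seen in field telemetry still protects,
    but is served from the cloud instead of shipping in every DAT update.
    """
    generic_cov = coverage([s for s in signatures if s.kind == "generic"])
    local, removed, cloud = [], [], []
    for sig in signatures:
        if sig.kind == "hash" and sig.detects <= generic_cov:
            removed.append(sig)
        elif sig.kind == "hash" and field_hits.get(sig.name, 0) == 0:
            cloud.append(sig)
        else:
            local.append(sig)
    return local, removed, cloud


def no_detection_lost(signatures, local, cloud):
    """Safety check: DAT plus cloud must still detect everything the old DAT did."""
    return coverage(local) | coverage(cloud) == coverage(signatures)


# Constructed sample corpus (s1..s5) with hypothetical telemetry hit counts.
SIGNATURES = [
    Signature("Generic.Downloader.a", "generic", frozenset({"s1", "s2", "s3"})),
    Signature("HashSig.1", "hash", frozenset({"s1"})),   # overlapped by the generic
    Signature("HashSig.2", "hash", frozenset({"s4"})),   # unique, never seen in field
    Signature("HashSig.3", "hash", frozenset({"s5"})),   # unique, seen in field
    Signature("HashSig.4", "hash", frozenset({"s2"})),   # overlapped, also unseen
]
FIELD_HITS = {"Generic.Downloader.a": 900, "HashSig.1": 40, "HashSig.3": 12}

if __name__ == "__main__":
    local, removed, cloud = optimize_dat(SIGNATURES, FIELD_HITS)
    print("keep:", [s.name for s in local])        # Generic.Downloader.a, HashSig.3
    print("remove:", [s.name for s in removed])    # HashSig.1, HashSig.4
    print("cloud:", [s.name for s in cloud])       # HashSig.2
    print("no detection lost:", no_detection_lost(SIGNATURES, local, cloud))  # True
```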
Continuing performance focus
The DAT optimization project was incredibly complex, requiring significant testing and validation to ensure DAT quality, safety, and consistently high protection effectiveness. Scan times are now back to pre-2011 levels without any product or technology uplifts.
As we continue to innovate, the ability to process V3 DATs—the successor to V2 DATs—will be integrated into all McAfee endpoint products. Today, V3 DATs are used by McAfee Endpoint Protection for SMB, McAfee Internet Security, and McAfee Antivirus Plus. V3 DATs further reduce DAT size. Currently, they are smaller than 30MB, providing even better system scan time performance while still delivering outstanding protection results!
To learn more, see https://kc.mcafee.com/corporate/index?page=content&id=KB82396