On Fri, 09 Jan 2004 at 12:07:16 -0800, [EMAIL PROTECTED] wrote: > > hmm. while i am seeing a gigantic difference in 'real' scanning of incoming > messages, here's what i get from scanning my existing quarantine dir > between the two: > > with 880 files in the quarantine, > > clamdscan: > ----------- SCAN SUMMARY ----------- > Infected files: 33 > Time: 37.506 sec (0 m 37 s) > 0.02u 0.00s 0:37.51 0.0% > > clamscan: > ----------- SCAN SUMMARY ----------- > Known viruses: 29948 > Scanned directories: 1 > Scanned files: 880 > Infected files: 11 > Data scanned: 6.48 MB > I/O buffer size: 131072 bytes > Time: 34.016 sec (0 m 34 s) > 17.80u 0.55s 0:34.04 53.9% > > which is really weird. clamdscan took 3 seconds *longer*, butit also found
A gigantic difference (as shown in my previous message) is caused by wasting much time for launching the program (clamscan) and loading a database into memory (while clamd has it loaded _already_). But when you scan many files at once, you execute clamscan only once, so supremacy of clamdscan is lesser. Theoretically, with a number of files going to infinity, a duration of clamscan is reaching a duration of clamdscan. Now you could ask: "But why does clamdscan run longer that clamscan?! I understand that the times can be similar, but clamdscan longer?!". Read on :-) . > three times as many viruses as clamscan (that's weird in itself, since all > the messages in the quarantine were put there by clamscan!) Not so weird, in fact. First of all we must remember that clamdscan is a clamd client, so unless we use command line options, scanning with clamdscan will use these options which are set in clamav.conf. For instance, you may have set in clamav.conf ScanMail and ScanArchive. Of course using more features requires more time and resources. That's why clamdscan can run longer than clamscan! And your second question: "Why did clamdcan find 33 viruses, while clamscan found only 11?!". The answer is the same: clamdscan is a clamd client! If you have set ScanMail in clamav.conf, then clamdscan tries harder when searching for viruses. So it can find infections also in email messages, not only in raw binary files! A real example with one of my samples: $ clamscan Worm.Yaha.Y.msg Worm.Yaha.Y.msg: OK ----------- SCAN SUMMARY ----------- Known viruses: 19802 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 0.08 Mb I/O buffer size: 131072 bytes Time: 0.718 sec (0 m 0 s) $ clamdscan Worm.Yaha.Y.msg /tmp/Worm.Yaha.Y.msg: Worm.Yaha.Y FOUND ----------- SCAN SUMMARY ----------- Infected files: 1 Time: 0.026 sec (0 m 0 s) As you can see, clamscan didn't find a virus in the mail message, but clamdscan did! -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only [EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros. [EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner ------------------------------------------------------- This SF.net email is sponsored by: Perforce Software. Perforce is the Fast Software Configuration Management System offering advanced branching capabilities and atomic changes on 50+ platforms. Free Eval! http://www.perforce.com/perforce/loadprog.html _______________________________________________ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
