Steve Brown wrote:
[ ... ]
1) For those of you who are using softlimits or ulimits, what are
your limits set to?  It still makes me nervous, so I'd like to add
the limits back at some point.

I commonly leave my datasize at 512MB, which is far more than needed for this particular task, but leaves room for a squid cache process or some JVM...

2) I've been monitoring the clamd process with top and it never seems
to take more than about 30Mb of total memory (physical + virtual), so
I'm curious why it would be choking with a softlimit of 50Mb.
Thoughts?

30MB is likely to be the baseline memory requirement to keep the program text and the virus database resident, and then it will probably grow by the size of the files you pass in to be scanned, i.e., if you ask it to scan a 50MB file, the program will briefly need 80MB...

[ This is for the simplest case, using mmap() to access the file, which seems to be what things called from cl_scanfile() or cli_magic_scandesc() do, but the ClamAV source code frightens me. 9-) ]

3) Are other mail admins out there seeing these huge file attachments
coming in?

I have the MTA limit max mailsize to 10MB, and I set amavisd and clamav to be willing to scan archives which expand up to 200MB, which is a 20:1 compression ratio.

I've never seen anything but an empty database or a maliciously crafted archive do better than 95% compression, so this has worked fine for all legit attachments that we've seen.

Most of them seem to be spam, so I'm guessing a few folks
are.  I'm sure I could find this in the docs, but being a little lazy
right now, what does clamd do when it reaches the max file size?  What
do other clamd users have your max file size set to?

ClamAV will pass an archive which exceeds its limits by default; it's up to the upstream caller like amavisd or clamav-milter to decide what to do about the circumstance. However, see clamd.conf about the following:


# Number of files to be scanned within an archive.
# Value of 0 disables the limit.
# Default: 1000
#ArchiveMaxFiles 1500

# If a file in an archive is compressed more than ArchiveMaxCompressionRatio
# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip)
# Value of 0 disables the limit.
# Default: 250
#ArchiveMaxCompressionRatio 300

[ ... ]

# Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit)
# if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is
# reached.
# Default: disabled
#ArchiveBlockMax

--
-Chuck
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
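
An added example, not part of the original thread and not ClamAV's own logic: a pre-scan check of a zip's declared sizes against limits like the ones discussed above. The function names and sample archives are assumptions; the file-count and ratio thresholds are the clamd.conf defaults quoted above, and the 200MB cap is the expansion limit mentioned in the reply.

```python
import io
import zipfile

# Assumed policy constants (hypothetical names). Values taken from the
# clamd.conf defaults quoted above and the 200MB expansion cap in the reply.
MAX_FILES = 1000
MAX_RATIO = 250
MAX_EXPANDED = 200 * 1024 * 1024


def check_zip(data, max_files=MAX_FILES, max_ratio=MAX_RATIO,
              max_expanded=MAX_EXPANDED):
    """Return a list of limit violations, using only the sizes declared in
    the zip central directory. Nothing is decompressed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
    if len(members) > max_files:
        findings.append(f"files: {len(members)} > {max_files}")
    total = 0
    for m in members:
        total += m.file_size
        # compress_size can be 0 for an empty stored member; avoid dividing by 0.
        ratio = m.file_size / max(m.compress_size, 1)
        if ratio > max_ratio:
            findings.append(f"ratio: {m.filename} {ratio:.0f}:1 > {max_ratio}:1")
    if total > max_expanded:
        findings.append(f"expanded: {total} > {max_expanded}")
    return findings


def build_zip(members):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a short text note, and 4MB of zero bytes.
    note = build_zip({"note.txt": b"Meeting moved to 3pm, agenda attached.\n"})
    zeros = build_zip({"pad.bin": bytes(4 * 1024 * 1024)})
    print("note: ", check_zip(note))
    print("zeros:", check_zip(zeros))
```

The declared sizes come from the archive itself and can be falsified, so this only works as a cheap pre-filter; the memory and size limits on the scanning process still have to hold during actual decompression.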
