On Aug 23, 2006, at 10:33 AM, Karl Pielorz wrote:
> --On 23 August 2006 10:04 -0700 Chuck Swiger <[EMAIL PROTECTED]> wrote:
>> Clamd will grow as needed to handle any compressed files being passed to
>> it; perhaps someone is sending maliciously constructed archives which
>> require excessive resources to unpack and scan?
>
> Hi,
>
> Thanks for the reply... So clamd basically 'grows' around any file
> it's scanning, it doesn't just 'read' the file (buffering say 'x'k
> of it?)

Less complex pattern matching can be done using only a forward-
scanning algorithm (eg, Boyer-Moore), which would play nice with
buffering only parts of the file. However, sufficiently complex
virus patterns involve regular expressions that really want all of
the data being tested resident, which makes it hard to deal with a
partial buffer.

>> clamd.conf should have some tunable knobs related to this which you
>> might try adjusting.
>
> Yeah, we've had to look in there before - a problem we had some
> months ago with a legitimate file that compressed by thousands of
> percent ;)

An archive of a database can do that, for example...

>> Also, I don't think that clamav-milter is the best interface for doing
>> virus scanning, but YMMV; consider using a frontend like amavisd which
>> invokes clamdscan as needed only after a message passes less
>> resource-intensive checking.
>
> We really didn't want to install anything else on the server - i.e.
> all it does is scan for viruses, that's it - which meant, at the
> time the supplied milter was more than enough.

Using the simplest solution to the problem is usually a good idea,
but the amount of malicious or spammy email out there is so large
that anything you can do upfront that's cheap and helps reserve the
expensive operations like anti-virus scanning for email that passes
the cheap tests is probably worth considering.
--
-Chuck
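
The thread's two points, archives that expand by thousands of percent and cheap tests placed ahead of the expensive scan, can be combined into a bounded-memory pre-check on ZIP attachments. This is an added example, not code from the thread or from ClamAV; the function names and the limit values are assumptions chosen for illustration.

```python
import io
import zipfile

# Illustrative limits chosen for this example; not ClamAV defaults.
MAX_FILES = 1000
MAX_TOTAL = 50 * 1024 * 1024   # cap on total unpacked bytes
MAX_RATIO = 250                # cap on unpacked/packed ratio per member
CHUNK = 64 * 1024


def make_zip(name, payload):
    """Build a small in-memory ZIP (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def precheck_zip(blob, max_files=MAX_FILES, max_total=MAX_TOTAL,
                 max_ratio=MAX_RATIO):
    """Return (ok, reason) for a ZIP attachment before the expensive scan."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            members = zf.infolist()
            if len(members) > max_files:
                return False, "too many members"
            # Pass 1: header fields only. Cheap, but sender-controlled.
            if sum(m.file_size for m in members) > max_total:
                return False, "declared size over limit"
            # Pass 2: inflate in fixed-size chunks and count real output,
            # so memory use stays near CHUNK however far the data expands.
            total = 0
            for m in members:
                packed, seen = max(m.compress_size, 1), 0
                with zf.open(m) as fh:
                    while chunk := fh.read(CHUNK):
                        seen += len(chunk)
                        total += len(chunk)
                        if total > max_total:
                            return False, "unpacked size over limit"
                        if seen / packed > max_ratio:
                            return False, "compression ratio over limit"
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return False, "unreadable zip"   # corrupt, encrypted or unsupported
    return True, "ok"
```

A legitimate database dump like the one mentioned in the thread will also trip the ratio cap, so the limits need tuning to the mail the server actually sees.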