On Sun, 2007-06-24 at 20:56 -0400, Paul Kosinski wrote:
> When I originally started using clamav, clamscan could handle my low
> (SOHO) volume of email quite well, but recently, it started taking
> over 20 secs to scan a short email,
[...]
> So I decided to try clamdscan, again.
> What an incredible improvement! Instead of 20+ secs to scan, it scans
> normal emails in anywhere from .005 sec to .100 secs. I would guess
> the average speed up is on the order of 1000 to 1!
This is a recurring topic.
clamd/clamdscan does not *scan* faster than clamscan. It just does not
need to read in all the signatures yet again for each and any mail. This
starting up penalty is what you are observing.
Another point worth noting is, that this is an issue with 0.90.x only,
which is way slower starting up than previous versions. This will be
fixed in the forthcoming 0.91.x releases (already at RC2).
> My only worry now is that either clamd will crash, or stop listening
> too long when updating. I am using procmail on the tail-end of
> Postfix's "virtual" delivery and don't see a way to have procmail get
> Postfix to try delivery again later (like it would with SMTP
> delivery), rather than bouncing it back to the sender (not their
> fault).
The typical procmail recipes calling filters won't bounce the message.
If clamd is unavailable, procmail will just go on. The worst thing that
usually could happen is, that the the mail will be delivered without
being scanned for viruses.
If you seriously can't live with that, there actually *is* a way to make
postfix "try delivery again later" as a procmail recipe. Google for
EX_TEMPFAIL. Not easy to find though...
> So in the meantime, I flag the mail as "possible virus" and write
> some nasty messages to log files. (In the script my procmailrc calls
> for scanning, I use netcat to PING clamd to see if it's available.) I
> think I may set up a cron-driven monitor for clamdscan, to restart it
> if it dies. I could also set up a delay and retry loop in my scanner
> script.
Hmm, script? Instead of a home-brew solution, I recommend clamassassin.
Using it myself, and it really makes virus scanning from procmail a
breeze.
clamassassin acts pretty much as SA spam[cd] does. It can be used with
clamd, and it inserts headers you easily can filter on in procmail. A
simple procmail recipe like the one below takes care of virus scanning.
Again, if clamd is down for whatever reason, the worst that can happen
is the mail not being scanned. No failure, no bounce, no lost mail.
:0 fw
* < 1024000
| clamassassin
As for watching and restarting clamd, see the post by Peter. HTH... ;)
guenther
--
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
