[EMAIL PROTECTED] wrote the following on 8/30/2007 8:13 PM -0800:
> -- [EMAIL PROTECTED] said the following on 8/30/07 3:40 PM:
>   
>> On Thu, 30 Aug 2007, [EMAIL PROTECTED] wrote:
>>
>>     
>>> I'm noticing hang issues again with 0.91.2 on Solaris 10 x86. It doesn't
>>> appear to be associated with a particularly malformed message because
>>> when it starts hanging, if I restart it, things resume normally for a
>>> while. The incoming queue clears out.
>>>       
>> Here's some more.
>>
>> [Switching to Thread 1 (LWP 1)]
>> 0xfebf0857 in _so_accept () from /lib/libc.so.1
>> (gdb) thread apply all bt
>>
>>     
>
> Hmm... previously I had this in the amavisd-new conf file:
>
> @keep_decoded_original_maps = (new_RE(
>    qr'^MAIL$', # retain full original message
>    qr'^MAIL-UNDECIPHERABLE$',
>    qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> # qr'^Zip archive data',     # don't trust Archive::Zip
> ));
>
> It's my understanding that the above was necessary in order to take 
> advantage of the SaneSecurity sigs. Well, after the earlier hangs, I 
> changed it back to this:
>
> @keep_decoded_original_maps = (new_RE(
> # qr'^MAIL$', # retain full original message
>    qr'^MAIL-UNDECIPHERABLE$',
>    qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> # qr'^Zip archive data',     # don't trust Archive::Zip
> ));
>
> and man the load on clamd has dropped enormously. I saw the remark about 
> having the '^MAIL$' line uncommented would be slower, but the difference 
> is so wildly extreme. Even when the traffic was rather low, before clamd 
> was always at the top in terms of cpu utilization. Now it's barely 
> taking any cpu time at all. Naturally the time of day is a factor, but 
> we'll see for sure tomorrow.
>
>   

Not all SaneSecurity signatures need to see the full message.  If I
recall correctly, it's only the mail file type (designated by :4: in the
signature) that needs to see the headers and body together.  Anyway, as
you had it set above, you were both decoding all of the message parts
and sending them to the virus scanner(s) individually for scanning and
then sending the entire message as a whole to the scanner(s) for
scanning, as well.  If you are running amavisd-new 2.5.1 or newer, you
can always set $bypass_decode_parts=1, which will disable all MIME
decoding and simply send the entire message to the virus scanner(s) for
scanning.  For more info, see the thread starting at:

    http://marc.info/?l=amavis-user&m=117985356008613&w=2

I've been running this way for about 3 months now, and have had no
problems.  ClamAV, and many other scanners, do a good job of decoding
messages on their own.

Bill
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
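
Added example, not part of the original thread and not code from the amavisd-new or ClamAV projects: a Python script that counts how many signatures in a ClamAV extended-format (.ndb) database carry the mail target type (the :4: mentioned in the reply above), as one way to judge how much depends on the whole message reaching the scanner. The sample lines are constructed placeholders, and the script assumes the Name:TargetType:Offset:HexSignature field layout.

```python
from collections import Counter

# ClamAV extended (.ndb) line: Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "HTML", 4: "mail file",
                5: "graphics", 6: "ELF", 7: "ASCII text"}
MAIL_TARGET = 4  # the ":4:" mentioned in the reply

# Constructed sample lines; names and hex bodies are placeholders, not real signatures.
SAMPLE_NDB = """\
# constructed example database
Example.Phish.A:4:*:46726f6d3a20706c616365686f6c646572
Example.Phish.B:3:*:3c6120687265663d706c616365686f6c646572
Example.Spam.C:0:*:706c616365686f6c646572
Example.Scam.D:4:0:5375626a6563743a20706c616365686f6c646572
Example.Text.E:7:*:706c616365686f6c6465722074657874
this line is malformed
"""

def parse_ndb(text):
    """Yield (name, target_type) per valid line; skip blanks, comments, bad lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        yield fields[0], int(fields[1])

def summarize(text):
    """Return (Counter of target types, names of signatures with the mail target)."""
    counts, mail_sigs = Counter(), []
    for name, target in parse_ndb(text):
        counts[target] += 1
        if target == MAIL_TARGET:
            mail_sigs.append(name)
    return counts, mail_sigs

if __name__ == "__main__":
    counts, mail_sigs = summarize(SAMPLE_NDB)
    for target, n in sorted(counts.items()):
        print(f"{n:4d}  type {target} ({TARGET_TYPES.get(target, 'other')})")
    print("mail-target signatures:", ", ".join(mail_sigs))
```

To check a real database, read the file's text and pass it to summarize() in place of SAMPLE_NDB.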
