John Rudd wrote:

> http://people.ucsc.edu/~jrudd/ClamAV/318642.mbox
> http://people.ucsc.edu/~jrudd/ClamAV/318715.mbox

Those scanned pretty quickly for me.  I don't believe I'm seeing
really bad behaviour on any particular message; I just see way more
overhead on all messages.

On my customer's system, the heuristic caught about 30 e-mails out of
a daily volume over 2 million (and they most likely would have been caught
anyway by the anti-spam filter.)  So I don't know what the Clam guys are
doing wrong, but the huge overhead simply isn't worth the benefit IMO.
Once again, I ask the developers to reconsider this feature, or at
least make it off-by-default.

Just for kicks, I scanned John Rudd's files with and without phishing URLs:

With phishing URLs:

real    0m1.925s
user    0m1.820s
sys     0m0.100s

Without phishing URLs:

real    0m1.761s
user    0m1.630s
sys     0m0.140s

Since most of that time is probably to load signatures, it's a fairly
significant overhead.  Repeated runs show a consistent 200ms user-time
overhead for doing the phishing URL scans.  An "strace" reveals that indeed
most of the time is spent loading signatures, so the actual impact
on scanning time is huge.

Regards,

David.