Sigh. Looks like I screwed up and now have to apologize to one AV vendor in public :-)
I was testing these ICAP services using a 60M zip file. I had configured c-icap to not scan anything bigger than 10M - and thought I'd set the commercial scanners with the same limit. Ended up I'd set Kaspersky to 100M (double-tapped a zero) and F-secure doesn't even have a "maxsize" equivalent option - so I wasn't testing like with like.

c-icap appeared to be 'streaming' through clamd when in fact it had bypassed clamd altogether. Once I set Kaspersky to 10M, it obviously started looking the same to c-icap in terms of performance for large files. And as Henrick said, smaller files over current Internet pipe speeds nearly show no overhead for AV scanning, and my more sensible 10M cutoff means people won't notice it on large files either. So Kaspersky's looking OK to me as well as c-icap/clam.

Also this means my comments about clamd "streaming" aren't true - as ICAP works by the proxy shooting blobs of the downloaded content to the ICAP service, and the ICAP server sending post-processed blobs back (or error messages of course).

So the trick in my mind is to choose fast enough CPUs and Internet pipes, plus a sensible maxsize cutoff so that users don't perceive the AV scanning impact - and live happily ever after :-)

Jason

PS: "tcpdump -n -i lo port icap" was very useful - showed what was going through ICAP and what wasn't

On 10/07/15 16:59, P K wrote:
> Hi jason,
>
> It's nice of you reviewing other commercial products. I have doubt on
> below mentioned things.
>
> As you said c-icap is able to stream. Did you verify the same with
> packet capture?
> I did a packet capture and observed when all packets are received by
> C-icap then
> it connects to Clamd and sends all response data to clamd servers on port 3310.
>

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
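
The packet-capture check discussed in this thread can be scripted. The following is an added example, not part of the original messages: it totals TCP payload bytes per destination port from `tcpdump -n` text output and reports whether a test file of known size plausibly reached the ICAP service and clamd. It assumes one capture covering both port 1344 (the registered `icap` port) and port 3310 (the clamd port named above); the sample lines and the `scan_path` helper are constructed for illustration.

```python
import re
from collections import Counter

ICAP_PORT = 1344   # IANA-registered port for "icap"
CLAMD_PORT = 3310  # clamd TCP port mentioned in the thread

# Matches tcpdump -n text lines such as:
#   16:59:01.000000 IP 127.0.0.1.40112 > 127.0.0.1.1344: Flags [P.], ..., length 1448
LINE_RE = re.compile(
    r"IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r".*\blength (?P<len>\d+)"
)

def bytes_to_port(lines):
    """Sum TCP payload bytes per destination port."""
    totals = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            totals[int(m["dport"])] += int(m["len"])
    return totals

def scan_path(lines, body_size):
    """Heuristic: did at least body_size bytes flow towards each service?

    Totals include ICAP/HTTP headers and chunk framing, so ">=" only shows
    the body could have been sent, while a much smaller total shows it was not.
    """
    totals = bytes_to_port(lines)
    return {
        "reached_icap": totals[ICAP_PORT] >= body_size,
        "reached_clamd": totals[CLAMD_PORT] >= body_size,
    }

def _line(sport, dport, length):
    # Constructed sample line in tcpdump -n text format (not a real capture).
    return (f"16:59:01.000000 IP 127.0.0.1.{sport} > 127.0.0.1.{dport}: "
            f"Flags [P.], seq 1:{length + 1}, ack 1, win 512, length {length}")

BODY = 6000  # constructed test-file size in bytes
# Capture where the body goes proxy -> ICAP and ICAP server -> clamd.
SCANNED = [_line(40112, ICAP_PORT, 1448)] * 5 + [_line(40200, CLAMD_PORT, 1448)] * 5
# Capture where ICAP sees the body but nothing is handed to clamd (size cutoff hit).
BYPASSED = [_line(40112, ICAP_PORT, 1448)] * 5 + [_line(ICAP_PORT, 40112, 200)]

if __name__ == "__main__":
    print("scanned :", scan_path(SCANNED, BODY))
    print("bypassed:", scan_path(BYPASSED, BODY))
```

Running the same comparison against each scanner with an identical size limit shows whether a fast result came from scanning or from a bypass.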