Hi there, On Thu, 24 Sep 2020, Zayan abdul shukoor via clamav-users wrote:
Most of the performance runs that we tried with clamav resulted in scan times of 2-3 times size of the file.
It seems like you are saying that if you scan a 1kbyte file it takes 2,000 to 3,000 seconds. That seems unlikely. I tend to measure scan times in seconds, and file sizes in bytes. If I multiply a number of bytes by 2, or by 3, I have a number which is still a number of bytes, not a number which is a number of seconds.
The files are primarily zip files which contains xml and txt files.
Do you have specific threats in mind? Do you have reason to believe that ClamAV will detect them in your specific circumstances? Have you tested the scanner against threat samples? How? What have you found?
Is there any benchmarking or performance statistics available on scan times.
You will find a few mentions in the mailing list archives, but your question is so vague that it is difficult to answer.
What options are available to speed up the scan times?
That very much depends on what you've done already, but you haven't given any useful information about your hardware and you haven't said anything about the sizes of the files you want to scan. What system are you using to scan the files? Roughly how big are they in bytes? How are you scanning them? Have you read about the different ways of using ClamAV to perform scans? Think about the issues. Measure things that seem relevant, but use sane units when you note the measurements and then post them here so we can see if they look reasonable. If all else fails you could spend some money on hardware and perhaps consultancy.
Is there any recommended settings based on server cpu and memory?
Your questions all seem to be variations on the same theme, which is "How long is a piece of string?" You didn't mention your hardware, operating system, other processes which may be running, mass storage, file system, network performance, cooling, ... all sorts of things can have a bearing on performance. I use a Pi4B with 4GBytes of RAM running Raspbian Linux as a dedicated server to run clamd. It does a few other odd jobs but nothing heavy. Usually I run one clamd daemon on it, but sometimes two or even three. The clamd daemons are only used to scan mail, the mail is processed on a separate server and sent to the Pi4B using TCP on a 1Gbit/s network. The processors very rarely reach temperatures at which they throttle. The main ClamAV database is on a remote mount NFS drive but temporary files are kept on a local USB-attached SATA drive. For every message scanned, the mail server measures the time it takes between sending the message and receiving a response from the scanner. Typical scan rates for mail messages of sizes of a few kbytes to tens of kBytes are in the range 10 to 100 kBytes/sec -- in other words, it takes a fraction of a second to scan a typical mail message. That's over a hundred times faster than needed to keep up with our mail load. Can you give us concrete information like that? Then can you tell us if you are happy with the numbers, and if not, why not, and what sort of numbers you _would_ be happy with? Without something like that to go on we're only going to be able to guess, which isn't very useful. Most of the time I really don't care about the scan rates, I'm much more interested in the detection rates. You can find comments about that in many other posts to this list if you search the archives. If you can tell us what sort of detection rates you'd be comfortable with we might have suggestions to make about that too. -- 73, Ged. _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
