clamav-users August 2007 archive

Re: [Clamav-users] 0.91 - high load under solaris

From: Bill Landry <bill_at_nospam>
Date: Fri Aug 31 2007 - 03:51:02 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>


clamav-users@utdallas.edu wrote the following on 8/30/2007 8:13 PM -0800:
> -- clamav-users@utdallas.edu said the following on 8/30/07 3:40 PM:
>
>> On Thu, 30 Aug 2007, clamav-users@utdallas.edu wrote:
>>
>>
>>> I'm noticing hang issues again with 0.91.2 on Solaris 10 x86. It doesn't
>>> appear to be associated with a particularly malformed message because
>>> when it starts hanging, if I restart it, things resume normally for a
>>> while. The incoming queue clears out.
>>>
>> Here's some more.
>>
>> [Switching to Thread 1 (LWP 1)]
>> 0xfebf0857 in _so_accept () from /lib/libc.so.1
>> (gdb) thread apply all bt
>>
>>
> Hmm... previously I had this in the amavisd-new conf file:
>
> @keep_decoded_original_maps = (new_RE(
>   qr'^MAIL$',   # retain full original message
>   qr'^MAIL-UNDECIPHERABLE$',
>   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
>   # qr'^Zip archive data',   # don't trust Archive::Zip
> ));
>
> It's my understanding that the above was necessary in order to take
> advantage of the SaneSecurity sigs. Well, after the earlier hangs, I
> changed it back to this:
>
> @keep_decoded_original_maps = (new_RE(
>   # qr'^MAIL$',   # retain full original message
>   qr'^MAIL-UNDECIPHERABLE$',
>   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
>   # qr'^Zip archive data',   # don't trust Archive::Zip
> ));
>
> and man the load on clamd has dropped enormously. I saw the remark about
> having the '^MAIL$' line uncommented would be slower, but the difference
> is so wildly extreme. Even when the traffic was rather low, before clamd
> was always at the top in terms of cpu utilization. Now it's barely
> taking any cpu time at all. Naturally the time of day is a factor, but
> we'll see for sure tomorrow.
>

Not all SaneSecurity signatures need to see the full message. If I recall correctly, it's only the mail file type (designated by :4: in the signature) that needs to see the headers and body together. Anyway, as you had it set above, you were both decoding all of the message parts and sending them to the virus scanner(s) individually for scanning and then sending the entire message as a whole to the scanner(s) for scanning, as well. If you are running amavisd-new 2.5.1 or newer, you can always set $bypass_decode_parts=1, which will disable all MIME decoding and simply send the entire message to the virus scanner(s) for scanning. For more info, see the thread starting at:

    http://marc.info/?l=amavis-user&m=117985356008613&w=2

I've been running this way for about 3 months now, and have had no problems. ClamAV, and many other scanners, do a good job of decoding messages on their own.

Bill
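The following is an added illustration, not code from amavisd-new or from anyone in this thread: a simplified model of how the two `@keep_decoded_original_maps` variants quoted above decide which original (undecoded) parts are handed to the scanners on top of their decoded form, which is where the extra clamd work comes from. The patterns are the thread's own, ported from Perl `qr''` to Python `re`; the part-type strings are constructed samples in the style of file(1) output, and amavisd-new's real matching logic is richer than this model.

```python
import re

# Added example (not amavisd-new's own code): a simplified model of how
# @keep_decoded_original_maps selects which original, undecoded parts are
# retained for the scanners in addition to the decoded parts.

# First variant from the thread: '^MAIL$' uncommented, so the full original
# message is kept and scanned on top of every decoded part.
KEEP_WITH_FULL_MAIL = [
    re.compile(r"^MAIL$"),
    re.compile(r"^MAIL-UNDECIPHERABLE$"),
    re.compile(r"^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)", re.I),
]

# Second variant: '^MAIL$' commented out, which is what dropped the clamd load.
KEEP_WITHOUT_FULL_MAIL = KEEP_WITH_FULL_MAIL[1:]

# Constructed part-type descriptions in the style of file(1) output; these
# are sample values for the demonstration, not taken from the thread.
SAMPLE_PARTS = [
    "MAIL",                          # the entire original message
    "MAIL-UNDECIPHERABLE",
    "ASCII text",
    "ASCII cpio archive",            # rejected by the (?! cpio) lookahead
    "UTF-8 Unicode text",            # 'text' is not at the start, so no match
    "Zip archive data, at least v2.0 to extract",
    "PE32 executable (GUI) Intel 80386, for MS Windows",
]


def kept_originals(parts, keep_maps):
    """Return the part types whose original bytes are also passed to the
    scanners (in addition to their decoded form) under the given map list."""
    return [p for p in parts if any(rx.search(p) for rx in keep_maps)]


def extra_scan_jobs(parts, keep_maps):
    """Each part is scanned once in decoded form; every kept original adds
    one more scanner job, so this is the overhead the map list imposes."""
    return len(kept_originals(parts, keep_maps))


if __name__ == "__main__":
    for name, maps in (("^MAIL$ uncommented", KEEP_WITH_FULL_MAIL),
                       ("^MAIL$ commented out", KEEP_WITHOUT_FULL_MAIL)):
        print(name, "->", kept_originals(SAMPLE_PARTS, maps),
              "extra jobs:", extra_scan_jobs(SAMPLE_PARTS, maps))
```

With `^MAIL$` active the whole message (which may be far larger than any single decoded part) is an additional scan job per mail, which is the cost the poster saw on clamd; Bill's `$bypass_decode_parts=1` suggestion removes the per-part jobs instead and sends only the whole message.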



Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html