[MAILSCANNER] Clamd

[John Rudd]

On Sep 13, 2005, at 1:59 PM, Julian Field wrote:

> John Rudd wrote:
>
>> The default definition for clamav in virus.scanners.conf is
>>
>> clamav          /opt/MailScanner/lib/clamav-wrapper     /usr/local
>>
>> Which I assume will invoke clamscan.  If I want to invoke clamd, would
>> it be as simple as just modifying clamav-wrapper to use clamdscan?
>>
>>
>> and would it be faster/better to see about using the clamavmodule
>> instead?
>>
> Use clamavmodule. It's faster and has less overhead than any solution
> involving clamd. That's why I did it the way I did.
>

I did some testing (in mimedefang, which accesses clamd directly*, not 
via clamdscan, so it is not dealing with the fork and exec overhead), 
and it was 10 times faster than using Mail::ClamAV (which I had to 
write mimedefang support for myself).

(* I'm not sure if it does it via library calls, or via the clamd 
unix-socket, but I suspect the latter, because mimedefang does keep 
track of the clamd unix-socket)

What I did is submit 1 ham message, 1 spam message, and 1 eicar test 
signature virus message, each 333 times.  I then looked at how long it 
took to run the loop.

I ran it twice using clamd, and twice using Mail::ClamAV.

clamd: 65 seconds and 70 seconds
Mail::ClamAV: 667 seconds and 629 seconds


Of course, I don't know if you can invoke clamd on a large archive in 
one swoop, the way mailscanner does with Mail::ClamAV.  It may turn out 
to be just that mimedefang doesn't get the economy of scale from 
Mail::ClamAV that mailscanner does (because, as a milter, it MUST do 
one message at a time) and that mailscanner can't get clamd, except via 
clamdscan, to do the kind of bulk scans that Mail::ClamAV can.

I was just getting very different recommendations from each project 
(and was hoping to use 1 method for both implementations), and had to 
do some experimenting.

Though, I think, for my mailscanner installation, the real question is: 
is clam(d)scan faster/slower than sophos sweep, and which is faster 
between clamscan and clamdscan.  I'll have to work up something around 
that, as well.

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!