Performance of 'ClamAV Full Message Scan'

René Berber r.berber at computer.org
Tue Aug 7 03:43:02 IST 2007


From the changelog:

"When clamav, clamavmodule or clamd parsers are being used and new setting
  "ClamAV Full Message Scan" is set to "yes", pass each of the entire
  messages to ClamAV as well as the attachments so that the signatures that
  detect spam can work reliably. This is set to "no" by default as it has a
  speed impact."

Why pass the message AND attachments?  ClamAV can detect the virus in the
message in any possible form; MailScanner is just making clam do double work,
plus the work done by MS to extract the attachments.

Looking at the logs:

Aug  6 20:45:52 sunfire MailScanner[7019]: INFECTED:: Email.Stk.Gen592.Sanesecurity.07071801.pdf FOUND :: ./l771jcte008468/file.pdf
Aug  6 20:45:52 sunfire MailScanner[7019]: INFECTED:: Email.Stk.Gen592.Sanesecurity.07071801.pdf FOUND :: ./l771jcte008468/
Aug  6 20:45:53 sunfire MailScanner[7019]: Virus Scanning: Clamd found 2 infections

I'm not sure if this was a 2-line report from clamd about the directory, or if
it really was "2 infections", the message and the attachment... which really
shows that clamd worked twice on the same infection.

For instance, with the quarantine directory I can do:

# clamdscan /var/spool/MailScanner/quarantine/20070806/l771jcte008468
/var/spool/MailScanner/quarantine/20070806/l771jcte008468/message: Email.Stk.Gen592.Sanesecurity.07071801.pdf FOUND
/var/spool/MailScanner/quarantine/20070806/l771jcte008468/file.pdf: Email.Stk.Gen592.Sanesecurity.07071801.pdf FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
Time: 0.139 sec (0 m 0 s)

# clamdscan /var/spool/MailScanner/quarantine/20070806/l771jcte008468/message
/var/spool/MailScanner/quarantine/20070806/l771jcte008468/message: Email.Stk.Gen592.Sanesecurity.07071801.pdf FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.118 sec (0 m 0 s)

OK, the time difference is not double; it is just 18% more work, but still significant.
-- 
René Berber
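
The double reporting in the log excerpt above can be counted directly. The following is an added example, not part of the original post or of MailScanner: a Python script that groups the INFECTED lines by message ID and signature. It assumes a hit on the bare directory path is the whole-message scan; the second message and its signature are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample: the three log lines from the post (unwrapped) plus a
# second, made-up message (l771abcd000001) that is hit on an attachment only.
SAMPLE_LOG = """\
Aug  6 20:45:52 sunfire MailScanner[7019]: INFECTED:: Email.Stk.Gen592.Sanesecurity.07071801.pdf FOUND :: ./l771jcte008468/file.pdf
Aug  6 20:45:52 sunfire MailScanner[7019]: INFECTED:: Email.Stk.Gen592.Sanesecurity.07071801.pdf FOUND :: ./l771jcte008468/
Aug  6 20:45:53 sunfire MailScanner[7019]: Virus Scanning: Clamd found 2 infections
Aug  6 20:46:10 sunfire MailScanner[7019]: INFECTED:: Example.Test.Signature FOUND :: ./l771abcd000001/doc.zip
Aug  6 20:46:10 sunfire MailScanner[7019]: Virus Scanning: Clamd found 1 infections
"""

# signature, message directory, and the (possibly empty) file name inside it
INFECTED = re.compile(
    r"INFECTED::\s+(?P<sig>\S+) FOUND :: \./(?P<msg>[^/\s]+)/(?P<part>\S*)\s*$"
)


def summarize(log_text):
    """Group INFECTED lines by (message id, signature).

    Returns {(msg, sig): sorted list of parts}. An empty part name is shown as
    '<whole message>' (assumption: a hit on the bare directory path comes from
    the full-message scan).
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = INFECTED.search(line)
        if m:
            hits[(m["msg"], m["sig"])].add(m["part"] or "<whole message>")
    return {key: sorted(parts) for key, parts in hits.items()}


def counts(log_text):
    """Return (distinct reported hits, distinct message/signature pairs)."""
    summary = summarize(log_text)
    return sum(len(parts) for parts in summary.values()), len(summary)


if __name__ == "__main__":
    for (msg, sig), parts in summarize(SAMPLE_LOG).items():
        print(f"{msg}  {sig}  reported on: {', '.join(parts)}")
    reported, distinct = counts(SAMPLE_LOG)
    print(f"reported hits: {reported}, distinct infections: {distinct}")
```

On the sample, the message from the post yields two reported hits for one message/signature pair, which is the duplicate the "Clamd found 2 infections" line counts.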


