Beta release 4.61.1

Rick Cooper rcooper at dwford.com
Sat Jun 2 20:35:13 IST 2007


 

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
> Of Julian Field
> Sent: Saturday, June 02, 2007 9:33 AM
> To: MailScanner discussion; MailScanner beta testers
> Subject: Beta release 4.61.1
> 
> This beta includes direct communication with clamd, and no longer uses
> clamd-wrapper or clamdscan. This should be faster than the clamd support
> in the previous version.
> Thanks to Rick Cooper for this contribution.
> 

Julian,

Line 3097, I defer to your judgment on that issue
Line 3211, That comment isn't relevant anymore and could be removed. I
decided to use a Session rather than two connections, however that may have
been the wrong choice in the long run. I defer to your opinion on this
issue. Using a session allows for issuing multiple commands within a single
connection otherwise you have to reconnect to the daemon for each command so
PING/PONG, reconnect, CONTSCAN/result and done or PING/PONG/CONTSCAN/result.
This method requires a file-by-file scan approach (as with clamavmodule)
because the daemon doesn't tell you when it's finished the scan, you will
just sit there waiting for output until the connection times out. If I did
not use SESSION but tested the daemon, reopened the connection and then sent
the CONTSCAN/MULTISCAN command and handed clamd the entire directory it
would scan every file, returning the infected files, and end the connection.
Personally I think the overhead of reopening the connection after the PING
is pretty much nothing and scanning the entire directory with one command
would certainly help SMP hosts using threads, I didn't really see a real
advantage on a normal CONTSCAN but I never sent it 100 files to check. I
also noted MailScanner seems to get pissed off if I scan an entire batch at
once versus a single message. When I scan the entire batch for some reason
it doesn't seem to know who (the IP at the end of the "virus was sent by" log
line is gone) sent the virus. I didn't have time to try and work that out
but scanning an entire batch at one time would certainly be an asset, if you
have a clue about why MS doesn't know where the virus came from even though
the message-id is passed (to the parser) with the report/file name just like
one file at a time. I also noted when this happens the entire message body
is removed as a result, a bad thing.

Anyway if people would prefer entire directory at one pass, easy to rewrite
that... If you have a clue as to the entire batch problem (parser not
expecting multiple message-ids or something?) it would also be easy to scan
entire batch at once and that did improve the overall scan time (by clam)
for a batch considerably.

Rick


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
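
The whole-directory alternative described in the message above, as an added example (not code from MailScanner or from this thread): one CONTSCAN sent outside SESSION, read until clamd closes the connection, with the FOUND lines grouped per message. The batch layout (one subdirectory per message id), the function names and the canned reply served by the stand-in daemon are assumptions made for illustration.

```python
import socket
import threading

def parse_reply(line):
    """Split one clamd reply line into (path, status, detail)."""
    if line.endswith(" ERROR"):
        # Error text may itself contain ": ", so split at the first one.
        path, _, detail = line[:-len(" ERROR")].partition(": ")
        return path, "ERROR", detail
    path, _, verdict = line.rpartition(": ")
    if verdict.endswith(" FOUND"):
        return path, "FOUND", verdict[:-len(" FOUND")]
    return path, verdict, None  # e.g. "OK"

def one_shot(sock, command):
    """Send one command outside SESSION and read until clamd closes the socket."""
    sock.sendall(command.encode() + b"\n")
    data = b""
    while chunk := sock.recv(4096):  # EOF is the only end-of-scan marker
        data += chunk
    return [parse_reply(l) for l in data.decode().splitlines() if l]

def infected_by_message(replies, batch_dir):
    """Group FOUND replies by message id (assumed: first directory under batch_dir)."""
    hits = {}
    prefix = batch_dir.rstrip("/") + "/"
    for path, status, detail in replies:
        if status == "FOUND" and path.startswith(prefix):
            msgid, _, name = path[len(prefix):].partition("/")
            hits.setdefault(msgid, []).append((name, detail))
    return hits

# Constructed whole-batch reply (paths and names made up), served by a stand-in for clamd.
CANNED = (b"/batch/MSG-A/invoice.exe: Constructed.Sample-1 FOUND\n"
          b"/batch/MSG-B/a: b.zip: Constructed.Sample-2 FOUND\n"
          b"/batch/MSG-B/gone.txt: constructed failure: detail. ERROR\n")

def fake_clamd(conn):
    buf = b""
    while not buf.endswith(b"\n"):  # read the single command line
        buf += conn.recv(4096)
    conn.sendall(CANNED)
    conn.close()  # closing is what tells the client the scan is finished

def demo():
    client, server = socket.socketpair()
    threading.Thread(target=fake_clamd, args=(server,)).start()
    with client:
        return infected_by_message(one_shot(client, "CONTSCAN /batch"), "/batch")
```

Keeping the message id attached to every hit is the part that matters when a whole batch is scanned in one pass, since a single reply then mixes files from several messages.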



