Antivirus performance, AVG

Paul Welsh paul at welshfamily.com
Sun May 18 23:00:29 IST 2014


Hi folks

I ran into some problems recently with the performance of clamscan on my
virtual CentOS 6.5 box. Essentially it is slow and resource intensive.  It
was causing major performance issues on my server.

Thought I'd share my findings in case it proves useful to anyone else.  I
also have a question about AVG Free Edition for Linux.

Here's what my problem was with clamscan:

Scanned files: 37

Time: 34.725 sec (0 m 34 s)

F-prot was much faster:

Files: 39

Running time: 00:01

I wanted to run at least 2 scanners so F-prot was an obvious choice and I
needed to find an alternative for clamscan.

I tried bitdefender 7.6 but it was nearly as slow as clamscan:

Files: 40

real    0m25.261s

Of course, anyone with more experience would know that clamd is much faster
than clamav and this is the way I went:

Scanned files: 37

Time: 5.342 sec (0 m 5 s)


I also tried AVG Free Edition for Linux from
http://free.avg.com/gb-en/download-free-all-product and this also worked
very well:

Files scanned     :  39(39)

real    0m0.606s


However, I notice that the avg mentioned in
/etc/MailScanner/MailScanner.conf is:
# avg from www.grisoft.com

Things have obviously moved on from the grisoft.com days and I'm wondering
if avg is working correctly. I have the services running:
root 28596 0.0 0.2 317596 2088 ? Sl May14 0:23 /opt/avg/av/bin//avgd
root 28610 0.0 0.1 85328 1136 ? Sl May14 0:17 /opt/avg/av/bin/avgavid
root 28620 0.0 0.0 137316 824 ? Sl May14 1:48 /opt/avg/av/bin/avgtcpd
root 28625 0.0 0.0 297096 864 ? Sl May14 0:06 /opt/avg/av/bin/avgscand -c 3
root 28659 0.0 0.0 410860 944 ? Sl May14 0:00 /opt/avg/av/bin/avgsched

If I send an eicar.com attachment with just avg as the configured scanner I
get this; looks OK:
May 18 18:46:34 mail MailScanner[28946]: Avg: Virus identified EICAR_Test in eicar.com
May 18 18:46:34 mail MailScanner[28946]: Virus Scanning: Avg found 1 infections
May 18 18:46:34 mail MailScanner[28946]: Infected message 1Wm5AP-0007Wu-Rd came from <snip>
May 18 18:46:34 mail MailScanner[28946]: Virus Scanning: Found 1 viruses
May 18 18:46:34 mail MailScanner[28946]: Viruses marked as silent: Avg: Found virus EICAR_Test in file eicar.com <snip>
May 18 18:46:43 mail MailScanner[28946]: Cleaned: Delivered 1 cleaned messages

If I use avg, f-prot and clamd the avg part looks like this.  What concerns
me a bit is the string "Test in neicar.com" when the filename was eicar.com.
Also the reference to "icar.com" and "irus" instead of "Virus":
May 18 18:38:19 mail MailScanner[21420]: Virus Scanning: Clamd found 2 infections
<snip>
May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test in neicar.com
May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test in 1Wm52O-0007I7-Jc.message->icar.com
May 18 18:38:20 mail MailScanner[21420]: Avg: irus identified EICAR_Test in 1Wm52O-0007I7-Jc.message
May 18 18:38:20 mail MailScanner[21420]: Virus Scanning: Avg found 3 infections
May 18 18:38:20 mail MailScanner[21420]: [Found virus] <EICAR_Test_File (exact)> ./1Wm52O-0007I7-Jc/eicar.com
<snip>
May 18 18:38:20 mail MailScanner[21420]: Virus Scanning: F-Prot6 found 2 infections

I'm half tempted to stop using avg given these formatting issues.  Anyone
else using AVG Free Edition for Linux with MailScanner 4.84.5?

I also reduced the number of MailScanner child processes from 5 to 3:
Max Children = 3
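
Added example, not part of the original post and not MailScanner's own code: a Python check that reads MailScanner syslog lines and flags Avg report lines whose keyword or file names do not match the attachments sent in a test, as with "neicar.com", "icar.com" and "irus" above. The function name, the regular expressions and the `<queue id>.message` container pattern are assumptions based only on the log lines quoted in the post.

```python
import re

# Constructed sample: Avg report lines copied from the post, one syslog entry per line.
SAMPLE_LOG = """\
May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test in neicar.com
May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test in 1Wm52O-0007I7-Jc.message->icar.com
May 18 18:38:20 mail MailScanner[21420]: Avg: irus identified EICAR_Test in 1Wm52O-0007I7-Jc.message
May 18 18:46:34 mail MailScanner[28946]: Avg: Virus identified EICAR_Test in eicar.com
"""

# Matches "Avg: <keyword> identified <signature> in <path>". The keyword is
# captured loosely so that a damaged one ("irus") still matches and can be flagged.
AVG_LINE = re.compile(
    r"MailScanner\[\d+\]: Avg: (?P<kw>\S+) identified (?P<sig>\S+) in (?P<path>\S+)$"
)
# Assumed container naming, inferred from the quoted lines: <queue id>.message
CONTAINER = re.compile(r"^[\w-]+\.message$")


def check_avg_reports(log_text, expected_names):
    """Return (line_number, reason, line) for Avg report lines that look damaged.

    expected_names: attachment file names known to be in the test message.
    """
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = AVG_LINE.search(line)
        if not m:
            continue  # not an Avg per-file report line
        if m["kw"] != "Virus":
            findings.append((n, f"keyword {m['kw']!r} is not 'Virus'", line))
        # Assumption from the quoted lines: nested objects appear as container->member.
        for part in m["path"].split("->"):
            if CONTAINER.match(part) or part in expected_names:
                continue
            findings.append((n, f"file name {part!r} not in expected attachments", line))
    return findings


if __name__ == "__main__":
    for lineno, reason, text in check_avg_reports(SAMPLE_LOG, {"eicar.com"}):
        print(f"line {lineno}: {reason}\n    {text}")
```

Run against the log from an EICAR test mail, an empty result means every Avg report line carried the expected keyword and file name.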