Antivirus performance, AVG

Glenn Steen glenn.steen at gmail.com
Thu May 22 09:58:35 IST 2014


Hi Paul,

Seems like something is up with the patterns (in MS) for avg, so one of the
maintainers really should look through that part of the code. Back in the
days, Jules would be on this;-).

The actual perl (in the wrappers and in SweepViruses.pm) is ...
voluminous... but perhaps not downright obtuse (since I think I know how it
works:-)... There is however a fair bit of massaging of the output from the
scanner going on in ProcessAvgOutput (in SweepViruses.pm), so ... If you
can generate the output and play with the REs as from that function, maybe
you'll find the solution yourself;-).

Alas, I myself have next to no time to put into any projects anymore, so
can't be of more help.

Cheers!
-- 
-- Glenn


On 19 May 2014 00:00, Paul Welsh <paul at welshfamily.com> wrote:

> Hi folks
>
> I ran into some problems recently with the performance of clamscan on my
> virtual CentOS 6.5 box. Essentially it is slow and resource intensive.  It
> was causing major performance issues on my server.
>
> Thought I'd share my findings in case it proves useful to anyone else.  I
> also have a question about AVG Free Edition for Linux
>
> Here's what my problem was with clamscan:
>
> Scanned files: 37
>
> Time: 34.725 sec (0 m 34 s)
>
> F-prot was much faster:
>
> Files: 39
>
> Running time: 00:01
>
> I wanted to run at least 2 scanners so F-prot was an obvious choice and I
> needed to find an alternative for clamscan.
>
> I tried bitdefender 7.6 but it was nearly as slow as clamscan:
>
> Files: 40
>
> real    0m25.261s
>
> Of course, anyone with more experience would know that clamd is much
> faster than clamav and this is the way I went:
>
> Scanned files: 37
>
> Time: 5.342 sec (0 m 5 s)
>
>
> I also tried AVG Free Edition for Linux from
> http://free.avg.com/gb-en/download-free-all-product and this also worked
> very well:
>
> Files scanned     :  39(39)
>
> real    0m0.606s
>
>
> However, I notice that the avg mentioned in
> /etc/MailScanner/MailScanner.conf is:
> # avg from www.grisoft.com
>
> Things have obviously moved on from the grisoft.com days and I'm
> wondering if avg is working correctly. I have the services running:
> root 28596 0.0 0.2 317596 2088 ? Sl May14 0:23 /opt/avg/av/bin//avgd
> root 28610 0.0 0.1 85328 1136 ? Sl May14 0:17 /opt/avg/av/bin/avgavid
> root 28620 0.0 0.0 137316 824 ? Sl May14 1:48 /opt/avg/av/bin/avgtcpd
> root 28625 0.0 0.0 297096 864 ? Sl May14 0:06 /opt/avg/av/bin/avgscand -c 3
> root 28659 0.0 0.0 410860 944 ? Sl May14 0:00 /opt/avg/av/bin/avgsched
>
> If I send an eicar.com attachment with just avg as the configured scanner
> I get this; looks OK:
> May 18 18:46:34 mail MailScanner[28946]: Avg: Virus identified EICAR_Test in eicar.com
> May 18 18:46:34 mail MailScanner[28946]: Virus Scanning: Avg found 1 infections
> May 18 18:46:34 mail MailScanner[28946]: Infected message 1Wm5AP-0007Wu-Rd came from <snip>
> May 18 18:46:34 mail MailScanner[28946]: Virus Scanning: Found 1 viruses
> May 18 18:46:34 mail MailScanner[28946]: Viruses marked as silent: Avg: Found virus EICAR_Test in file eicar.com <snip>
> May 18 18:46:43 mail MailScanner[28946]: Cleaned: Delivered 1 cleaned messages
>
> If I use avg, f-prot and clamd the avg part looks like this.  What
> concerns me a bit is the string "Test in neicar.com" when the filename
> was eicar.com.  Also the reference to "icar.com" and "irus" instead of
> "Virus":
> May 18 18:38:19 mail MailScanner[21420]: Virus Scanning: Clamd found 2
> infections
> <snip>
> May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test
> in neicar.com
> May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test
> in 1Wm52O-0007I7-Jc.message->icar.com
> May 18 18:38:20 mail MailScanner[21420]: Avg: irus identified EICAR_Test
> in 1Wm52O-0007I7-Jc.message
> May 18 18:38:20 mail MailScanner[21420]: Virus Scanning: Avg found 3
> infections
> May 18 18:38:20 mail MailScanner[21420]: [Found virus] <EICAR_Test_File
> (exact)> ./1Wm52O-0007I7-Jc/eicar.com
> <snip>
> May 18 18:38:20 mail MailScanner[21420]: Virus Scanning: F-Prot6 found 2
> infections
>
> I'm half tempted to stop using avg given these formatting issues.  Anyone
> else using AVG Free Edition for Linux with MailScanner 4.84.5?
>
> I also reduced the number of MailScanner child processes from 5 to 3:
> Max Children = 3
>
>


-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
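
An added example, not part of the original thread and not MailScanner's own code: a small check that reads MailScanner syslog lines and flags Avg reports whose label or reported filename looks mangled, using the lines quoted in the post as sample input. The function name, the regular expression and the `expected_names` parameter are assumptions made for this illustration.

```python
import re

# Sample lines copied from the log excerpts quoted in the post above.
SAMPLE_LOG = """\
May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test in neicar.com
May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test in 1Wm52O-0007I7-Jc.message->icar.com
May 18 18:38:20 mail MailScanner[21420]: Avg: irus identified EICAR_Test in 1Wm52O-0007I7-Jc.message
May 18 18:38:20 mail MailScanner[21420]: Virus Scanning: Avg found 3 infections
May 18 18:46:34 mail MailScanner[28946]: Avg: Virus identified EICAR_Test in eicar.com
"""

# Hypothetical pattern for the "Avg: <label> identified <signature> in <location>"
# lines seen in the post; it is not taken from SweepViruses.pm.
AVG_LINE = re.compile(
    r"MailScanner\[\d+\]: Avg: (?P<label>\S+) identified (?P<sig>\S+) in (?P<where>.+)$"
)


def check_avg_reports(log_text, expected_names):
    """Return a list of (line, problems) for Avg reports that look mangled.

    expected_names: file names known to be in the test message, e.g. the
    attachment that was sent and the queue file of the message itself.
    """
    findings = []
    for line in log_text.splitlines():
        match = AVG_LINE.search(line)
        if not match:
            continue  # not an Avg detection line
        problems = []
        if match["label"] != "Virus":
            problems.append(f"label {match['label']!r} is not 'Virus'")
        # The log shows nested items as container->member; check the last part.
        leaf = match["where"].split("->")[-1].strip()
        if leaf not in expected_names:
            problems.append(f"reported file {leaf!r} was not in the test message")
        if problems:
            findings.append((line, problems))
    return findings


if __name__ == "__main__":
    known = {"eicar.com", "1Wm52O-0007I7-Jc.message"}
    for line, problems in check_avg_reports(SAMPLE_LOG, known):
        print(line)
        for problem in problems:
            print("   ->", problem)
```

Run after sending a known test attachment such as eicar.com: any flagged line means the wrapper's output parsing, not the scanner's detection, needs a look.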