<div dir="ltr"><div>Hi folks</div><div><br></div><div>I ran into some problems recently with the performance of clamscan on my virtual CentOS 6.5 box. Essentially it is slow and resource intensive. It was causing major performance issues on my server. </div>
<div><br></div><div>Thought I'd share my findings in case it proves useful to anyone else. I also have a question about AVG Free Edition for Linux</div><div><br></div><div>Here's what my problem was with clamscan:</div>
<div><span id="docs-internal-guid-903a8545-1130-7805-137a-729f648cadd4"><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Scanned files: 37</span></p>
<p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Time: 34.725 sec (0 m 34 s)</span></p>
<div><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div></span></div><div>F-prot was much faster:</div><span id="docs-internal-guid-903a8545-1133-9a03-7396-9ef2b077ecf5"><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt">
<span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Files: 39</span></p><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Running time: 00:01</span></p>
</span><div> </div><div>I wanted to run at least 2 scanners so F-prot was an obvious choice and I needed to find an alternative for clamscan.</div><div><br></div><div>I tried bitdefender 7.6 but it was nearly as slow as clamscan:</div>
<div><span id="docs-internal-guid-903a8545-1138-6f70-7029-be37bd731c69"><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Files: 40</span></p>
<p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">real 0m25.261s</span></p>
<div><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div></span></div><div>Of course, anyone with more experience would know that clamd is much faster than clamav and this is the way I went:<br>
</div><div><span id="docs-internal-guid-903a8545-113d-79c0-96a6-f79d42877d22"><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Scanned files: 37</span></p>
<p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Time: 5.342 sec (0 m 5 s)</span></p>
<p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></p><p style="line-height:1.15;margin-top:0pt;margin-bottom:0pt">
<span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">I also tried AVG Free Edition for Linux from <a href="http://free.avg.com/gb-en/download-free-all-product">http://free.avg.com/gb-en/download-free-all-product</a> and this also worked very well:</span></p>
<span id="docs-internal-guid-903a8545-1141-97cb-2d23-d1205b29b5bf"><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Files scanned : 39(39)</span></p>
<p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">real 0m0.606s</span></p>
</span><p style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><br></p><div><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">However, I notice that the avg mentioned in /etc/MailScanner/MailScanner.conf is:</span></div>
<div><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font color="#000000" face="Arial"># avg from <a href="http://www.grisoft.com">www.grisoft.com</a></font></span><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">
</span></div><div><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Things have obviously moved on from the <a href="http://grisoft.com">grisoft.com</a> days and I'm wondering if avg is working correctly. I have the services running:</span></div>
<div><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font color="#000000" face="Arial">root 28596 0.0 0.2 317596 2088 ? Sl May14 0:23 /opt/avg/av/bin//avgd
root 28610 0.0 0.1 85328 1136 ? Sl May14 0:17 /opt/avg/av/bin/avgavid
root 28620 0.0 0.0 137316 824 ? Sl May14 1:48 /opt/avg/av/bin/avgtcpd
root 28625 0.0 0.0 297096 864 ? Sl May14 0:06 /opt/avg/av/bin/avgscand -c 3
root 28659 0.0 0.0 410860 944 ? Sl May14 0:00 /opt/avg/av/bin/avgsched</font></span><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">
</span></div><div><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><br></span></div><div><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">If I send an <a href="http://eicar.com">eicar.com</a> attachment with just avg as the configured scanner I get this; looks OK:</span></div>
<div><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font color="#000000" face="Arial">May 18 18:46:34 mail MailScanner[28946]: Avg: Virus identified EICAR_Test in <a href="http://eicar.com">eicar.com</a>
May 18 18:46:34 mail MailScanner[28946]: Virus Scanning: Avg found 1 infections
May 18 18:46:34 mail MailScanner[28946]: Infected message 1Wm5AP-0007Wu-Rd came from <snip>
May 18 18:46:34 mail MailScanner[28946]: Virus Scanning: Found 1 viruses
May 18 18:46:34 mail MailScanner[28946]: Viruses marked as silent: Avg: Found virus EICAR_Test in file <a href="http://eicar.com">eicar.com</a>
<snip></font></span></div><div><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><font color="#000000" face="Arial">May 18 18:46:43 mail MailScanner[28946]: Cleaned: Delivered 1 cleaned messages
</font></span><span style="font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">
</span></div><div>If I use avg, f-prot and clamd the avg part looks like this. What concerns me a bit is the string "Test in <a href="http://neicar.com">neicar.com</a>" when the filename was <a href="http://eicar.com">eicar.com</a>. Also the reference to "<a href="http://icar.com">icar.com</a>" and "irus" instead of "Virus":</div>
<div><div>May 18 18:38:19 mail MailScanner[21420]: Virus Scanning: Clamd found 2 infections</div></div><div><snip></div><div><div>May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test in <a href="http://neicar.com">neicar.com</a></div>
<div>May 18 18:38:20 mail MailScanner[21420]: Avg: Virus identified EICAR_Test in 1Wm52O-0007I7-Jc.message-><a href="http://icar.com">icar.com</a></div><div>May 18 18:38:20 mail MailScanner[21420]: Avg: irus identified EICAR_Test in 1Wm52O-0007I7-Jc.message</div>
<div>May 18 18:38:20 mail MailScanner[21420]: Virus Scanning: Avg found 3 infections</div><div>May 18 18:38:20 mail MailScanner[21420]: [Found virus] <EICAR_Test_File (exact)> ./1Wm52O-0007I7-Jc/<a href="http://eicar.com">eicar.com</a></div>
</div><div><snip></div><div><div>May 18 18:38:20 mail MailScanner[21420]: Virus Scanning: F-Prot6 found 2 infections</div></div><div><br></div></span></div><div>I'm half tempted to stop using avg given these formatting issues. Anyone else using AVG Free Edition for Linux with MailScanner 4.84.5?<br>
</div><div><br></div><div>I also reduced the number of MailScanner child processes from 5 to 3:</div><div><div>Max Children = 3</div></div><div><br></div></div>