A while back I did some tests on clamdscan vs clamscan with the default clamd signatures.
clamdscan doesn't have to load the whole clamav DB each time it scans, and clamscan does. My original tests showed that on a 5400rpm sata/ide, it took longer for clamscan to scan 30MB and less files than it did for clamdscan to scan it. (scsi, and faster drives, well, YMMV). What this meant to normal amavisd installations that used CONTSCAN / clamscan for primary scanner, and the command line clamscan for backup, is that if, when, while clamd was offline for updates, reboot, maintenance, etc, the CLI version clamscan took over. NORMALLY, not really too big of a deal. HOWEVER with the addition of more signatures, google safehosts, sanesecurity signatures, the clamscan CLI scanner is so slow that its almost useless as a backup scanner. I may have a solution for companies that can run a backup clamd scanner in TCP mode it appears that the (newer) clamdscan and clamd automatically support the TCP new streams mode and if you set up a clamd scanner on a remote host, open up the TCP port and run clamdscan {file/directory} clamd on the remote knows you are remote, lets clamdscan know that, and clamdscan starts to send the file through TCP instead of just sending the fileid. (you have to edit clamd.conf on both systems, take our socket, use TCP options. clamd doesn't support both unix socket and TCP socket) Two things come to mind: 1) if a backup scanner is needed, clamscan CLI is no longer really a viable option if you use more then just the clamscan sigs. B) clamdscan supports the remote streaming mode, and can be an effective option, especially if the network is local 3) MAYBE amavisd 2.6.4 can augment the amavisd/clam modes by implementing the remote mode. I have even thought of using the clamdscan/tcp remote option as a PRIMARY scanner, and have tested the throughput results. observations include: with build in CONTSCAN, amavisd loads the code once, and probaly caches the unix socket. with using clamdscan (tcp/remote) as the primary scanner, nothing is cached, clamdscan needs to be called (the binary) for each message, hence the question/request to support the TCP mode. if clamd supported both TCP and unix sockets on the same server, and you had two servers, amavisd could use unix sockets for primary, and then maybe tcp for backup scanner. has anyone else given this a try? your thoughts? -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 > *| *SECNAP Network Security Corporation * Certified SNORT Integrator * 2008-9 Hot Company Award Winner, World Executive Alliance * Five-Star Partner Program 2009, VARBusiness * Best Anti-Spam Product 2008, Network Products Guide * King of Spam Filters, SC Magazine 2008 _________________________________________________________________________ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.spammertrap.com _________________________________________________________________________ ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ AMaViS-user mailing list AMaViS-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/