A while back I did some tests on clamdscan vs clamscan with the default 
clamd signatures.

clamdscan doesn't have to load the whole clamav DB each time it scans, 
and clamscan does.

My original tests showed that on a 5400rpm sata/ide, it took longer for 
clamscan to scan 30MB and less files than it did for clamdscan to scan it.
(scsi, and faster drives, well, YMMV).

What this meant to normal amavisd installations that used CONTSCAN / 
clamscan for primary scanner, and the command line clamscan for backup, 
is that if, when, while clamd was offline for updates, reboot, 
maintenance, etc, the CLI version clamscan took over.

NORMALLY, not really too big of a deal.

HOWEVER with the addition of more signatures, google safehosts, 
sanesecurity signatures, the clamscan CLI scanner is so slow that it's 
almost useless as a backup scanner.

I may have a solution for companies that can run a backup clamd scanner 
in TCP mode.

It appears that the (newer) clamdscan and clamd automatically support 
the TCP new streams mode, and if you set up a clamd scanner on a remote 
host, open up the TCP port and run clamdscan {file/directory}, clamd on 
the remote knows you are remote, lets clamdscan know that, and clamdscan 
starts to send the file through TCP instead of just sending the fileid.

(you have to edit clamd.conf on both systems, take out the socket, use TCP 
options.  clamd doesn't support both unix socket and TCP socket)

Two things come to mind:

1) if a backup scanner is needed, clamscan CLI is no longer really a 
viable option if you use more than just the clamscan sigs.
B) clamdscan supports the remote streaming mode, and can be an effective 
option, especially if the network is local
3) MAYBE amavisd 2.6.4 can augment the amavisd/clam modes by 
implementing the remote mode.

I have even thought of using the clamdscan/tcp remote option as a 
PRIMARY scanner, and have tested the throughput results.

observations include:
with built-in CONTSCAN, amavisd loads the code once, and probably caches 
the unix socket.
with using clamdscan (tcp/remote) as the primary scanner, nothing is 
cached, clamdscan needs to be called (the binary) for each message, 
hence the question/request to support the TCP mode.

if clamd supported both TCP and unix sockets on the same server, and you 
had two servers, amavisd could use unix sockets for primary, and then 
maybe tcp for backup scanner.

has anyone else given this a try?

your thoughts?



-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/ 
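
The remote streaming mode discussed in the message can be spoken to clamd directly over TCP, without starting the clamdscan binary for each message. The following is an added example, not code from the original post, amavisd or ClamAV: a minimal Python client for clamd's documented INSTREAM command. It assumes the "new streams mode" above refers to INSTREAM; the function names are hypothetical.

```python
import socket
import struct

CHUNK = 8192  # bytes per chunk; total sent must stay under clamd's StreamMaxLength

def frame_instream(data: bytes, chunk: int = CHUNK) -> bytes:
    """Build the byte stream for clamd's INSTREAM command (null-delimited form)."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out.append(struct.pack("!I", len(part)) + part)  # 4-byte big-endian length
    out.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(out)

def parse_reply(reply: bytes):
    """Map a clamd reply to (verdict, detail); anything unrecognised is an error."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    body = text.split(": ", 1)[1] if ": " in text else text
    if body == "OK":
        return ("clean", None)
    if body.endswith(" FOUND"):
        return ("infected", body[:-len(" FOUND")])
    return ("error", body)  # e.g. size limit exceeded: never treat as clean

def scan_over(sock: socket.socket, data: bytes):
    """Send data over an already-connected socket and return the parsed verdict."""
    sock.sendall(frame_instream(data))
    reply = b""
    while not reply.endswith(b"\0"):
        piece = sock.recv(4096)
        if not piece:  # peer closed before sending a full reply
            break
        reply += piece
    return parse_reply(reply)

def scan_remote(host: str, port: int, data: bytes, timeout: float = 30.0):
    """Scan via a backup clamd over TCP; a network failure is reported, not hidden."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return scan_over(sock, data)
    except OSError as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    # Constructed sample message, framed offline to show the wire format.
    print(frame_instream(b"Subject: test\r\n\r\nhello\r\n", chunk=16))
```

clamd's TCP socket has no authentication or encryption, so bind it with `TCPAddr` to an internal interface and firewall the port to the mail hosts that need it. A caller using this as a backup scanner should treat an `error` verdict as a scan failure rather than as a clean result.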
