On Wednesday 16 February 2005 14:35, Scott Ryan shaped the electrons to say: > Hi list, I have posted before about an issue with clamd hanging and > yesterday we finally managed to find out what the underlying problem was. > We came across an 800k mail that we initially thought was causing clamd to > hang. The truth infact was that once we turned on debugging, we noticed > that clamd was not hanging - just taking an age to scan the mail. This was > obviously causing us huge problems as this was happening on very busy mail > servers and in effect causes a DOS. > We were running 0.83 and downgraded eventually to 0.80 and then we no > longer experienced the issue. > > What we noticed about this one particular mail was that it had hundreds of > mime-parts. So it appears to us that there has been a major change in the > way clamav deals with mime parts since 0.80. So much so that it goes from > scanning this mail in under a second in 0.80: > > # ls -la 1108491486.1513-1.ophelia.telkomsa.net > -rw------- 1 root root 817795 Feb 15 20:35 > 1108491486.1513-1.ophelia.telkomsa.net > > # cat 1108491486.1513-1.ophelia.telkomsa.net | clamdscan - > stream: OK > > ----------- SCAN SUMMARY ----------- > Infected files: 0 > Time: 0.741 sec (0 m 0 s) > > To taking over 4 minutes to scan in 0.83 > > Can anyone shed some light on this / offer some advice, as obviously we > want to keep up with the latest stable version. I can provide the mail if > anyone wants to examine it further.
My setup is now as follows: Qmail-scanner with 'reformmime' enabled. Clamd with the ScanMail option removed. It looks initially like this will solve our issue of clamd taking an age to scan messages that have huge numbers of messages within them. Tested by sending a few viruses. and they were trapped. Cheers. -- Scott Ryan Telkom Internet _______________________________________________ http://lurker.clamav.net/list/clamav-users.html
