Hi there, On Fri, 4 Mar 2022, Jorge Elissalde via clamav-users wrote:
... Trying to be more forthcoming I can explain the code I'm making. - I get the full list of files under c:\windows\system32 folder, just files, not folders (4913 files in my case). - I send every file name to clamd using the SCAN command. The whole process takes almost 5 minutes, and I'm trying to drastically reduce that time.
Firstly, I'm not sure that you aren't just running around in circles. I've seen scans which took hours fail to find threats which were known to be present. Please keep that in mind. You're scanning for threats using code which is running on the threatened machine. If I wanted to attack that machine, the first thing I'd do when I gained access would be to nobble any virus scanner so that it claimed to find nothing even when it found something. If some malicious actor was able to modify files in the ...\system32 directory then that same actor probably also had the ability to nobble the scanner. Please keep that in mind too. The reason it takes five minutes to scan your files is basically that you are scanning something like five thousand files (note: you haven't mentioned the average size of those files) for something in the region of ten million threats, likely using modest, general purpose hardware. If I may take liberties with units, the number of file.threats is of the order of fifty billion. The average time per file.threat scan is 300/50000000000 or approximately six nanoseconds. That's quite a bit less than the access time for your RAM (never mind the mass storage!) and while this is like measuring a piece of string with a theodolite, typical 21st century CPUs won't be able to execute more than a very few instructions in that time even if they take a running jump at it. I shouldn't be surprised if millions of instructions would need to be executed to scan a single file for a single threat. So I think that, under the circumstances, ClamAV doesn't do too bad a job. What are the specifications for your harware? Why are you scanning the things you're scanning? Why are you using the scanned device to scan itself? Why are you not scanning the things you aren't scanning? How long would you expect your scan to take on your hardware? What is your target scan time? Why? What do you expect the results to tell you? What do you plan to do when you have them? How long will *that* take? How long does your coffee machine take to make a brew? Can you compare/contrast the various times in your answers? Please be much more forthcoming.
Possible solutions are: - Non recursive MULTISCAN ( seems that this is not available ) - Multithread SCAN command ( seems that is not available ) Is there another solution here?
According to the (old) ClamAV Bugzilla there was an issue with MULTISCAN which was fixed years ago: https://bugzilla.clamav.net/show_bug.cgi?id=1869 I didn't find the issue mentioned here: https://github.com/Cisco-Talos/clamav/issues/ but although that's where things are being done now, many old Bugzilla issues haven't been moved to Github. If you can produce a test case to confirm that Micah's 2018 comment on Bugzilla is wrong, you should file a report on Github. -- 73, Ged. _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
