Re: [Clamav-users] RE: File Attachment Size Problem
On 1/30/06, Bill King <[EMAIL PROTECTED]> wrote: > Thanks! This is working. However I am thinking of trying to skip the scan > of large messages as I am not sure if it is worth the CPU ticks. Does > anyone have ideas about whether or not this is a good plan? There are two schools of thought on this: 1. Your target for mail scanning should be restricted to blocking viral worms which are almost all sending relatively small attachments in order to spread quickly and efficiently. 2. Your target should be any incoming infected file. If you believe in (1) and that your desktop AV software will protect you from (2) then put in an attachment size restriction. The standard mimedefang-filter has an example of this in place for SpamAssassin scanning, restricted to 100K for the same reasons as (1) above. If you believe in (2) then you have to throw hardware at it. IMHO ClamAV isn't terribly efficient at scanning large files and appears to have particular issues with documents that it parses such as XML and MS Office filetypes. Throwing CPUs at it and increasing your timeout limits works ok though. You could also consider prioritising smaller messages if you have limited resources. -- des -- http://frommars.org/ ___ http://lurker.clamav.net/list/clamav-users.html
RE: [Clamav-users] RE: File Attachment Size Problem
Bill King wrote: > On 1/27/06, Bill King <[EMAIL PROTECTED]> wrote: >>> I am running ClamAV on a Solaris host, with MIMEDefang. ... >>> Jan 26 12:05:31 MTA_Daemon[4795]: Milter (mimedefang): timeout before >>> data read >> >> Try something like: >> INPUT_MAIL_FILTER(`mimedefang', >> `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, >> T=S:5m;R:5m;E:10m') > > Thanks! This is working. However I am thinking of trying to skip > the scan of large messages as I am not sure if it is worth the CPU > ticks. Does anyone have ideas about whether or not this is a good > plan? If you're looking to save ticks... If you're using MIMEDefang with SpamAssassin, and you have a reasonably high percentage of your mail volume that is viral, you might save ticks by using clamav-milter as well. That would keep the number of memory-hungry MIMEDefang threads down, if you ran the clamav-milter before calling MIMEDefang. -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer ___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] RE: File Attachment Size Problem
On 1/27/06, Bill King <[EMAIL PROTECTED]> wrote: >> I am running ClamAV on a Solaris host, with MIMEDefang. Versions and log >> examples are posted below. I am trying to modify ... ...snip... >> I'm already using MIMEDefang. >> >> Jan 26 12:05:31 MTA_Daemon[4795]: Milter (mimedefang): timeout before >> data read > >This sounds like a milter timeout rather than clamd. Check your milter >configuration in sendmail.mc, if it says something like S:1m;R:1m it's >too low for scanning large messages. Try something like: > >INPUT_MAIL_FILTER(`mimedefang', >`S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:5m;R:5m;E:10m') Thanks! This is working. However I am thinking of trying to skip the scan of large messages as I am not sure if it is worth the CPU ticks. Does anyone have ideas about whether or not this is a good plan? Bill King Systems Administrator Nuclear Engineering Department U.C. Berkeley (510)642-1021, (510)866-3386 [EMAIL PROTECTED] ___ http://lurker.clamav.net/list/clamav-users.html