Plus, parallel scans give a clue too. Next time, compare one session vs. 2 or more sessions. If both times are nearly equal then it's not related to CPU usage or any other machine-related bottleneck, because SA probably waits for something, then a timeout occurs?

On Sun, Sep 5, 2010 at 3:55 AM, John Hardin <jhar...@impsec.org> wrote:

> On Sat, 4 Sep 2010, Chris wrote:
>
>> On Sat, 2010-09-04 at 14:33 -0700, John Hardin wrote:
>>
>>> On Sat, 4 Sep 2010, Chris wrote:
>>>
>>>> I'm trying to figure out why I'm having ridiculous scan times such as
>>>> the above examples. Lower scan times such as in the 20 second range are
>>>> the exception rather than the rule. I'm running bind as a local caching
>>>> nameserver and it seems to be working correctly. I've just seen a ham
>>>> that has a scantime=172.2. Could there be something else on the system
>>>> that is affecting this?
>>>>
>>>> Any advice as to troubleshooting would be appreciated.
>>>
>>> What version of SA, and are you current on updates (have you run
>>> sa-update recently)?
>>>
>>> Would it be possible to post an example message that exhibits the
>>> problem?
>>
>> Hi John, version is 3.3.0 and updates was last run at 5:11pm. Here is a
>> link to a spam that took 302s to process http://ez-files.net/445403
>
> Thanks.
>
> ClamAV took almost a minute and a half to scan that message.
>
> All of the steps seem slow. I'd suggest that it isn't any particular bad
> rule, so much as the system appears overloaded.
>
>> Awhile ago I logged out and logged back in again, I no longer am seeing
>> the above and scan times have decreased considerably,
>> ham - scantime=5.7
>> and for a spam that just came in
>> scantime=1.6
>>
>> Things seem back to normal, for now, though I'm not sure how long
>> they'll last. Any idea what could be causing the above?
>
> That's odd. Are you running in an X session or character? Was there some
> other process bogging the system or taking up lots of memory such that it
> was swapping, which got killed when you logged out?