When I originally started using clamav, clamscan could handle my low
(SOHO) volume of email quite well, but recently, it started taking
over 20 secs to scan a short email, and was even showing signs of not
keeping up with the spam rate. (My email server is an AMD Sempron
"2800+", 1600 MHz, 896 MB RAM, 2.4.x kernel).

So I decided to try clamdscan, again. In the past, I had had trouble
getting it configured (maybe no listen IP address option back then?),
which is why I took the clamscan route, but with 0.90.3, configuration
was straightforward.

What an incredible improvement! Instead of 20+ secs to scan, it scans
normal emails in anywhere from .005 sec to .100 secs. I would guess
the average speedup is on the order of 1000 to 1!

My only worry now is that either clamd will crash, or stop listening
too long when updating. I am using procmail on the tail-end of
Postfix's "virtual" delivery and don't see a way to have procmail get
Postfix to try delivery again later (like it would with SMTP
delivery), rather than bouncing it back to the sender (not their
fault).

So in the meantime, I flag the mail as "possible virus" and write
some nasty messages to log files. (In the script my procmailrc calls
for scanning, I use netcat to PING clamd to see if it's available.) I
think I may set up a cron-driven monitor for clamdscan, to restart it
if it dies. I could also set up a delay and retry loop in my scanner
script.

BTW, I use HAVP with libclamav for Web-page scanning, and it never
has had any bad slowness.

Paul Kosinski

P.S. Clamav may be slower than commercial scanners; however, my
observation has been that clamav scans the *entire* file, rather
than only part of it, as commercial scanners tend to do. (In some
cases, they couldn't even *read* the entire file that fast.) I'm not
sure how necessary this is -- in the case of files which are not
archives such as zip, tar etc. -- but it *is* more thorough.

BTW, when I was using Norton AV some years ago, I had to exclude some
zip files from being scanned, as they took far too long. So commercial
scanners can be excessively slow too.

Also, I have noticed that Norton/Symantec, McAfee, CA etc. seem to
include new executable code in their signature updates. Likely they
add special-case code for some new threats, rather than only data.
But I would be very unhappy if clamav added new code on the fly: that
could really open the door to a nastier variety of malware.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
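
The availability check and retry loop described in the post, as an added example (not the poster's script): it sends clamd's PING command with netcat, retries with a delay, and reports "unscanned" rather than "clean" when clamd cannot be reached. The host, port (clamd's default TCP port 3310), retry settings and function names are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Host, port, retry settings and
# function names are assumptions.
CLAMD_HOST="${CLAMD_HOST:-127.0.0.1}"
CLAMD_PORT="${CLAMD_PORT:-3310}"
PING_TRIES="${PING_TRIES:-5}"   # attempts before giving up
PING_DELAY="${PING_DELAY:-3}"   # seconds to wait between attempts

# Send clamd's PING command; succeed only if the reply is exactly PONG.
clamd_ping() {
    reply=$(printf 'PING\n' | nc -w 2 "$CLAMD_HOST" "$CLAMD_PORT" 2>/dev/null) || true
    [ "$reply" = "PONG" ]
}

# Retry the ping with a delay, to ride out a database reload or a restart.
wait_for_clamd() {
    n=1
    while [ "$n" -le "$PING_TRIES" ]; do
        clamd_ping && return 0
        if [ "$n" -lt "$PING_TRIES" ]; then
            sleep "$PING_DELAY"
        fi
        n=$((n + 1))
    done
    return 1
}

# Scan one message file and print a verdict: clean, infected or unscanned.
# "unscanned" covers both an unreachable clamd and a clamdscan error, so a
# daemon outage is never reported as a clean result.
scan_message() {
    if ! wait_for_clamd; then
        echo unscanned
        return 0
    fi
    rc=0
    clamdscan --no-summary "$1" >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo unscanned ;;   # exit status 2: scanner or daemon error
    esac
}
```

A procmail recipe can call `scan_message` on the message file and tag or quarantine on anything other than `clean`.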
