Hi there,

On Wed, 1 Apr 2020, Andrea Venturoli via clamav-users wrote:

> I'm trying the combination Squid + C-ICAP + SquidClamAV + ClamAV, and I'm seeing terrible performance.
> ...
> Perhaps someone here is using the same thing or knows how to better
> tweak the engine.

I'm not surprised that the performance is terrible. :/

To me it sounds like this will not be a quick tweak but a project, and
a lot of work, but it might prove to be a valuable contribution to the
security of a large number of users.

> ... page loading times vary a lot: sometimes they'll load as fast
> as without virus scanning, but often (the same pages) will take
> several seconds to display (with ClamAV eating a lot of CPU).

Still no surprises.

> So I'm looking for suggestions on how to fine-tune ClamAV (and/or SquidClamAV) for this specific use case: ...

It's a very interesting experiment but I'm not sure that the designers
of ClamAV (and of the various databases available for it) anticipated
that they would be used in this way.  It bears some resemblance to
on-access scanning but it's sufficiently different to demand a lot of
thought.  My approach would probably be to start with very little in
the signature database(s) and gradually add things which might prove
useful, at the same time excluding anything which might be expected to
be nearly useless in this application, all the time logging verbosely.

You might need to put extra intelligence into splitting content from
headers etc. before you pass the data to the scanner.  The hashing
algorithm which ClamAV uses to avoid repeating scans of data might
need some work.  An individual signature can sometimes cause the
scanning engine to work really hard when a superficially similar
signature does not, so I don't think you'll be able to tackle the
performance problem at the database level.  I imagine you'll want to
set up instrumentation to attempt to measure the performance of the
individual signatures - or at least of the separate databases, which
would give only a rough idea of the scale of the problem but possibly
allow you to do binary searches for slow regexes.  I guess you'd need
to automate a lot of that, or maybe crowdsource might work.

HTH.  Please do keep us informed of any progress.

--

73,
Ged.
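
One way to automate the binary search for a slow signature suggested in the message above, as an added example (not part of the original message and not ClamAV project code). It assumes a text database with one signature per line, that a single signature dominates scan time, and that `clamscan` is on the PATH; `clamscan_cost`, `find_slowest` and the constructed `FAKE_COSTS` timings are hypothetical names.

```python
import os
import subprocess
import tempfile
import time

def clamscan_cost(sample, suffix=".ndb", repeats=3):
    """Build cost(sigs): best-of-N wall time of clamscan using only `sigs`."""
    def cost(sigs):
        # ClamAV picks the database parser from the file extension.
        with tempfile.NamedTemporaryFile("w", suffix=suffix, delete=False) as db:
            db.write("\n".join(sigs) + "\n")
        try:
            best = float("inf")
            for _ in range(repeats):
                start = time.perf_counter()
                subprocess.run(["clamscan", "--no-summary", "-d", db.name, sample],
                               stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
                best = min(best, time.perf_counter() - start)
            return best
        finally:
            os.unlink(db.name)
    return cost

def find_slowest(sigs, cost):
    """Keep the slower half until one signature is left; return (sig, runs)."""
    runs = 0
    while len(sigs) > 1:
        mid = len(sigs) // 2
        left, right = sigs[:mid], sigs[mid:]
        runs += 2
        sigs = left if cost(left) >= cost(right) else right
    return sigs[0], runs

# Constructed per-signature costs (seconds) standing in for real timings.
FAKE_COSTS = {f"Test.Sig.{i}": 0.01 for i in range(8)}
FAKE_COSTS["Test.Sig.5"] = 1.5

def fake_cost(sigs):
    # 0.2 s models the fixed engine start-up paid on every run.
    return 0.2 + sum(FAKE_COSTS[s] for s in sigs)

if __name__ == "__main__":
    print(find_slowest(list(FAKE_COSTS), fake_cost))
```

For a real run, pass the lines of a signature file and `clamscan_cost("page.html")` (a saved sample page, hypothetical name) instead of `fake_cost`; the number of scans grows with the logarithm of the database size.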
