Re: [clamav-users] [External] Re: Scan very slow

2019-04-10 Thread Micah Snyder (micasnyd) via clamav-users
JME, As you've pointed out, it appears that some signatures containing PCRE regex components are responsible for slow scan times on larger email files. I did a bunch of profiling similar to what Maarten did earlier in order to narrow it down. I found that Email.Phishing.VOF2 signatures are

Re: [clamav-users] Security 3310 SSL/TLS

2019-04-10 Thread Eric Tykwinski
I think most suggest using an SSH tunnel between server and host. Sincerely, Eric Tykwinski TrueNet, Inc. P: 610-429-8300 From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of David Hendrick Sent: Wednesday, April 10, 2019 1:19 PM To:

Re: [clamav-users] Possible FP Doc.Trojan.Agent-6923110-0

2019-04-10 Thread Graeme Fowler via clamav-users
Thanks; I'm well aware of that. I can well understand the rationale behind the signature - however it looks like the code is established in normal usage. The user in question requested a more recent copy of the template sheet they work with from the upstream organisation, which too was blocked

Re: [clamav-users] Possible FP Doc.Trojan.Agent-6923110-0

2019-04-10 Thread Brent Clark via clamav-users
To whitelist a specific signature from the database you just add the signature name into a local file with the .ign2 extension and store it inside /var/lib/clamav. i.e. echo 'Doc.Trojan.Agent-6923110-0' >> /var/lib/clamav/whitelist.ign2 HTH Regards Brent Clark On 2019/04/10 13:46, Graeme

[clamav-users] Possible FP Doc.Trojan.Agent-6923110-0

2019-04-10 Thread Graeme Fowler via clamav-users
Doc.Trojan.Agent-6923110-0 added 5th April (I think). Detects potentially dodgy VB/VBA/VBScript macros in Excel docs, but we have one user who has a completely genuine spreadsheet which contains several complex database-lookup-related macros which are triggering that sig. Nothing else has.

Re: [clamav-users] [External] Re: Scan very slow

2019-04-10 Thread Brent Clark via clamav-users
Thanks for doing this. What I'm getting out of your feedback is that maybe you guys need to look to implementing or relooking at your CI process(es). Before pushing a commit, your CI can run the same test(s) and alert on slow or long running scans. All this can be automated and report on

Re: [clamav-users] [External] Re: Scan very slow

2019-04-10 Thread Steve Basford
On 2019-04-09 22:29, Micah Snyder (micasnyd) via clamav-users wrote: Maarten, Looking at a few of the Phish.Phishing signatures, these appear to have the same issue (href="http:// prefix). In testing with scan of a PDF document, I was able to reduce the scan time from 31.987 sec down to 2.632