On 2013-06-27 16:04, Matt wrote:
> like this:
>
> 20130627155608, arg1=F:\\proc\work\D6063018a00002550.smd : Could Not Connect!

That is SNFClient giving up after waiting for SNF to process the message for too long.


> At the same time, my Sniffer logs start showing frequent "ERROR_MSG_FILE" results on about 1/8th of the messages.

This is SNFServer giving up after trying to open the message file and read it.

What's happening is that the OS is not delivering the file to SNF, SNF is waiting for this (it has no choice, it's a call to the OS's open() command), and then eventually it fails so SNF produces the ERROR_MSG_FILE result because it was not able to open the file it was supposed to scan.

This is often caused by fragmentation, or it can be that there are too many files in the directory that contains the message file. Ultimately it is an IO problem.

This shouldn't be associated with updates -- but if it is, I might guess that's because the file system is ready to fall over and saving a new rulebase file to disk, or reading afterward is enough to push it over the edge.

Seeing ERROR_MSG_FILE on 1/8th of the scans means that SNF is being asked to scan a message that the file system can't or won't give it. That is a strong indication that the system is IO bound. SNF can't really do anything different in that case -- it's simply asking to open the file so it can read it. If the IO system says "No" then it spits out that error.

Hope this helps,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
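
A way to check the two causes named in the reply above (too many files in the message directory, and opens that are slow or fail), as an added example that is not part of the original message and is not SNF or ARM Research code. The function name `probe_spool`, the sample size and the slow threshold are assumptions made for illustration.

```python
import os
import time


def probe_spool(directory, sample=200, read_bytes=4096, slow_seconds=0.5):
    """Count directory entries and time open()+read() on a sample of files.

    Hypothetical helper: the name, sample size and slow threshold are
    assumptions chosen for illustration, not SNF settings.
    """
    entries = 0
    sampled = []
    with os.scandir(directory) as it:
        for entry in it:
            entries += 1  # every entry adds to directory lookup cost
            if len(sampled) < sample and entry.is_file(follow_symlinks=False):
                sampled.append(entry.path)

    timings, failures = [], []
    for path in sampled:
        start = time.perf_counter()
        try:
            # Same operation the scanner depends on: open the file, read it.
            with open(path, "rb") as fh:
                fh.read(read_bytes)
        except OSError as exc:
            # Includes files the MTA moved or deleted since the listing.
            failures.append((path, exc.strerror or str(exc)))
            continue
        timings.append(time.perf_counter() - start)

    timings.sort()
    return {
        "entries": entries,
        "sampled": len(sampled),
        "failures": failures,
        "slow": sum(1 for t in timings if t >= slow_seconds),
        "median_s": timings[len(timings) // 2] if timings else None,
        "max_s": timings[-1] if timings else None,
    }


if __name__ == "__main__":
    import sys
    # Pass the spool/work directory to inspect; defaults to the current one.
    report = probe_spool(sys.argv[1] if len(sys.argv) > 1 else ".")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it while the errors are occurring: files that were read recently are served from cache, so timings taken on a quiet system understate the problem.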

