From clamav-users-bounces@lists.clamav.net  Fri Aug 31 05:51:28 2007
Return-Path: <clamav-users-bounces@lists.clamav.net>
X-Original-To: list@tad.clamav.net
Delivered-To: list@tad.clamav.net
X-Virus-Scanned: Debian amavisd-new at tad.clamav.net
Received: from tad.clamav.net ([127.0.0.1])
	by localhost (tad.clamav.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id ZhK65P30GJtf; Fri, 31 Aug 2007 05:51:27 +0200 (CEST)
Received: from tad.clamav.net (localhost.localdomain [127.0.0.1])
	by tad.clamav.net (Postfix) with ESMTP id 9368E16C05C;
	Fri, 31 Aug 2007 05:51:16 +0200 (CEST)
X-Original-To: clamav-users@tad.clamav.net
Delivered-To: clamav-users@tad.clamav.net
X-Virus-Scanned: Debian amavisd-new at tad.clamav.net
Received: from tad.clamav.net ([127.0.0.1])
	by localhost (tad.clamav.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id rrbokkmAq-I4 for <clamav-users@tad.clamav.net>;
	Fri, 31 Aug 2007 05:51:13 +0200 (CEST)
Received: from outbound.mailhop.org (outbound.mailhop.org [63.208.196.171])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by tad.clamav.net (Postfix) with ESMTP id BAB4016C05A
	for <clamav-users@lists.clamav.net>;
	Fri, 31 Aug 2007 05:51:13 +0200 (CEST)
Received: from pool-71-112-40-77.sttlwa.dsl-w.verizon.net ([71.112.40.77]
	helo=mail.inetmsg.com)
	by outbound.mailhop.org with esmtpsa (TLSv1:AES256-SHA:256)
	(Exim 4.63) (envelope-from <bill@inetmsg.com>) id 1IQxXM-0008lg-En
	for clamav-users@lists.clamav.net; Thu, 30 Aug 2007 23:51:12 -0400
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 71.112.40.77
X-Report-Abuse-To: abuse@dyndns.com (see
	http://www.mailhop.org/outbound/abuse.html for abuse reporting
	information)
X-MHO-User: U2FsdGVkX1+MrJKGXNAb+iOR3QELJ+YX
X-Virus-Scanned: by amavisd-new at mail.inetmsg.com
Received: from [192.168.1.100] (unknown [192.168.1.100])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.inetmsg.com (INetMsg Mail Service) with ESMTP id 2F2B46D0FE3
	for <clamav-users@lists.clamav.net>;
	Thu, 30 Aug 2007 20:51:07 -0700 (PDT)
X-DKIM: Sendmail DKIM Filter v1.2.0 mail.inetmsg.com 2F2B46D0FE3
X-DomainKeys: Sendmail DomainKeys Filter v0.6.0 mail.inetmsg.com 2F2B46D0FE3
Message-ID: <46D79026.3070003@inetmsg.com>
Date: Thu, 30 Aug 2007 20:51:02 -0700
From: Bill Landry <bill@inetmsg.com>
User-Agent: Thunderbird
MIME-Version: 1.0
To: ClamAV users ML <clamav-users@lists.clamav.net>
References: <469CF15D.6060000@gmail.com>	<20070725143430.GA23951@lucky.misty.com>	<46B1F6E8.9000105@utdallas.edu>	<46BB6A25.3040601@utdallas.edu>	<46BDEC6E.5030109@utdallas.edu>	<Pine.GSO.4.63.0708111641270.24389@spartacus.utdallas.edu>	<4354d3270708121326u4cb0c8c7mc19b2c5b3c3c2fbe@mail.gmail.com>	<46D6FFC4.2090208@utdallas.edu>	<Pine.GSO.4.63.0708301538090.4470@spartacus.utdallas.edu>
	<46D78767.2040309@utdallas.edu>
In-Reply-To: <46D78767.2040309@utdallas.edu>
X-Enigmail-Version: 0.95.3
Subject: Re: [Clamav-users] 0.91 - high load under solaris
X-BeenThere: clamav-users@lists.clamav.net
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
List-Id: ClamAV users ML <clamav-users.lists.clamav.net>
List-Unsubscribe: <http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users>,
	<mailto:clamav-users-request@lists.clamav.net?subject=unsubscribe>
List-Post: <mailto:clamav-users@lists.clamav.net>
List-Help: <mailto:clamav-users-request@lists.clamav.net?subject=help>
List-Subscribe: <http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users>,
	<mailto:clamav-users-request@lists.clamav.net?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: clamav-users-bounces@lists.clamav.net
Errors-To: clamav-users-bounces@lists.clamav.net

clamav-users@utdallas.edu wrote the following on 8/30/2007 8:13 PM -0800:
> -- clamav-users@utdallas.edu said the following on 8/30/07 3:40 PM:
>> On Thu, 30 Aug 2007, clamav-users@utdallas.edu wrote:
>>
>>> I'm noticing hang issues again with 0.91.2 on Solaris 10 x86. It doesn't
>>> appear to be associated with a particularly malformed message because
>>> when it starts hanging, if I restart it, things resume normally for a
>>> while. The incoming queue clears out.
>> Here's some more.
>>
>> [Switching to Thread 1 (LWP 1)]
>> 0xfebf0857 in _so_accept () from /lib/libc.so.1
>> (gdb) thread apply all bt
>>
>
> Hmm... previously I had this in the amavisd-new conf file:
>
> @keep_decoded_original_maps = (new_RE(
>    qr'^MAIL$', # retain full original message
>    qr'^MAIL-UNDECIPHERABLE$',
>    qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> # qr'^Zip archive data',     # don't trust Archive::Zip
> ));
>
> It's my understanding that the above was necessary in order to take 
> advantage of the SaneSecurity sigs. Well, after the earlier hangs, I 
> changed it back to this:
>
> @keep_decoded_original_maps = (new_RE(
> # qr'^MAIL$', # retain full original message
>    qr'^MAIL-UNDECIPHERABLE$',
>    qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> # qr'^Zip archive data',     # don't trust Archive::Zip
> ));
>
> and man the load on clamd has dropped enormously. I saw the remark about 
> having the '^MAIL$' line uncommented would be slower, but the difference 
> is so wildly extreme. Even when the traffic was rather low, before clamd 
> was always at the top in terms of cpu utilization. Now it's barely 
> taking any cpu time at all. Naturally the time of day is a factor, but 
> we'll see for sure tomorrow.
>

Not all SaneSecurity signatures need to see the full message.  If I
recall correctly, it's only the mail file type (designated by :4: in the
signature) that needs to see the headers and body together.  Anyway, as
you had it set above, you were both decoding all of the message parts
and sending them to the virus scanner(s) individually for scanning and
then sending the entire message as a whole to the scanner(s) for
scanning, as well.  If you are running amavisd-new 2.5.1 or newer, you
can always set $bypass_decode_parts=1, which will disable all MIME
decoding and simply send the entire message to the virus scanner(s) for
scanning.  For more info, see the thread starting at:

    http://marc.info/?l=amavis-user&m=117985356008613&w=2

I've been running this way for about 3 months now, and have had no
problems.  ClamAV, and many other scanners, do a good job of decoding
messages on their own.

Bill
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
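The trade-off Bill describes (decoded parts scanned one by one plus the whole original message, versus the whole message only) can be made concrete with a small model. The Python script below is an added example, not amavisd-new or ClamAV code. It builds a constructed three-part message, models the three configurations as flags on `plan_scans()` (`keep_full_mail` stands for `qr'^MAIL$'` in `@keep_decoded_original_maps`, `bypass_decode_parts` for `$bypass_decode_parts=1`), and adds `needs_full_mail()`, which reads the target-type field of a `.ndb` signature line (layout `Name:TargetType:Offset:HexSignature`; target type 4 is ClamAV's mail-file type) so you can see which signatures in a database only fire when headers and body are scanned together. The signature names and hex bodies in `SAMPLE_NDB` are placeholders.

```python
"""Model of what amavisd-new hands to the virus scanner under the three
settings discussed in the thread, plus a check for mail-file signatures.

Illustrative code only, not amavisd-new or ClamAV source. It assumes the
.ndb line layout Name:TargetType:Offset:HexSig and a constructed message."""
import email
from email import policy
from email.message import EmailMessage

MAIL_TARGET_TYPE = 4  # ClamAV target type 4 = "Mail file"


def build_sample_message() -> bytes:
    """Constructed three-part message: text body, zip attachment, text attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Hello, this is the message body.\n")
    msg.add_attachment(b"PK\x03\x04" + bytes(60), maintype="application",
                       subtype="zip", filename="a.zip")
    msg.add_attachment("begin 644 file\nM0V]N<W1R=6-T960\n`\nend\n",
                       subtype="plain", filename="file.uue")
    return msg.as_bytes()


def plan_scans(raw: bytes, keep_full_mail: bool, bypass_decode_parts: bool):
    """Return the list of (label, byte_count) units the scanner would receive.

    keep_full_mail models qr'^MAIL$' in @keep_decoded_original_maps (scan the
    decoded parts *and* the original whole message); bypass_decode_parts
    models $bypass_decode_parts=1 (no MIME decoding, whole message only).
    """
    if bypass_decode_parts:
        return [("MAIL", len(raw))]
    msg = email.message_from_bytes(raw, policy=policy.default)
    units = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers are not scanned themselves
        units.append((part.get_content_type(),
                      len(part.get_payload(decode=True))))
    if keep_full_mail:
        units.append(("MAIL", len(raw)))
    return units


def total_bytes(units) -> int:
    """Sum of bytes submitted to the scanner for one message."""
    return sum(size for _, size in units)


def needs_full_mail(ndb_line: str) -> bool:
    """True if a .ndb signature line targets type 4 (mail file): such a
    signature only matches when headers and body are scanned together."""
    fields = ndb_line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not an ndb-format line")
    return int(fields[1]) == MAIL_TARGET_TYPE


# Constructed signature lines; names and hex bodies are placeholders.
SAMPLE_NDB = [
    "Example.MailOnly.1:4:*:5375626a6563743a",  # matches only the whole mail
    "Example.AnyFile.1:0:*:48656c6c6f",         # matches any decoded part
]


if __name__ == "__main__":
    raw = build_sample_message()
    for name, keep, bypass in (("keep ^MAIL$", True, False),
                               ("no ^MAIL$", False, False),
                               ("bypass_decode_parts", False, True)):
        units = plan_scans(raw, keep, bypass)
        print(f"{name:22s} units={len(units):d} bytes={total_bytes(units):d}")
    for line in SAMPLE_NDB:
        print(line.split(":")[0], "needs full mail:", needs_full_mail(line))
```

Counting units and bytes shows why the `^MAIL$` line adds a second copy of every message to the scanner's workload while `$bypass_decode_parts=1` hands over exactly one unit; whether the latter is acceptable depends on the scanners chained behind amavisd decoding MIME themselves, which Bill notes ClamAV does.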