
On 02/09/2019 07.58, Per Jessen wrote:
Carlos E. R. wrote:
On 01/09/2019 18.33, Per Jessen wrote:
Carlos E. R. wrote:
I don't believe that for one second. clamd works by loading all signatures into memory and using that when scanning. Maybe you could add "LogTime true" to clamd.conf ?
Well, you can see how it actually detected a virus, and not the entire thing came back to ram. I guess memory segments were retrieved as needed from swap by the kernel, till clamd hit a match signature and it stopped. Less than 100MB were needed.
And the test signature is probably one of the first in the database, yes. I don't think the PDF you sent was scanned though.
I think the same, and that worries me. Unless it knows directly it has no javascript.
I think it is unlikely for amavis to dabble with that.
I'd like to find something more aggressive.
Maybe try "kill -TSTP <pid>" to suspend/pause clamd.
Mmmm... :-? The process is already waiting, not using cpu at all.
It can still be scheduled, receive data etc. If you pause it, it can't.
Right, but then it will not respond when a mail has to be scanned.
You need to enable clamd for listening on an external socket - that seems to be the TCPSocket and the TCPAddr options.
I don't have amavis installed anywhere, but I am sure you can find parameters that direct which clamd to use.
I posted the part of the configuration that mentions clamd. Wait... I found something.

  @av_scanners_backup = (
  ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
That sounds a lot like the on-demand scan you were looking for?
Huh? Ah. That would be not using clamd, but clamav. It takes ages to start and load.

  cer@Telcontar:~/viruses> time clamscan sample.exe-virus_W32-Nimd
  sample.exe-virus_W32-Nimd: Win.Worm.N-74 FOUND

  ----------- SCAN SUMMARY -----------
  Known viruses: 6303089
  Engine version: 0.101.3
  Scanned directories: 0
  Scanned files: 1
  Infected files: 1
  Data scanned: 0.12 MB
  Data read: 0.28 MB (ratio 0.44:1)
  Time: 57.688 sec (0 m 57 s)

  real 0m57,729s
  user 0m57,116s
  sys 0m0,608s
  cer@Telcontar:~/viruses>

One minute. If one second later I ask again, it is another minute. What I want is to start the clamd daemon on socket; take a minute to start, but then the following jobs would be done fast. After a time (say, 2 minutes) of no activities, unload.
Clamd listens on a port, amavis could be redirected to that port outside. But the problem is, amavis autodetects clamd and connects to it, so connecting to outside means changing code, IMHO.
There is nothing to configure which clamd to use?
Not that I know, no. The config file is code.
Okay, so it's configured with perl.
  # ### http://www.clamav.net/
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd-socket"],
    qr/\bOK$/m, qr/\bFOUND$/m,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
Wild guess:
replace "/var/run/clamav/clamd-socket"] with
"yourhost:yourport"
:-?
It is an area I know little about.
If I read it correctly, that definition is called "ClamAV-clamd", it uses a function called "ask_daemon" to talk to a daemon listening on "/var/run/clamav/clamd-socket". The rest are regexes for how to interpret the result. Instead of a UNIX socket path, it seems reasonable to use "yourhost:yourport" instead.
And there is saint google: "using amavis with a remote clamd"
First hit, 15 years ago, says it is not currently supported. Second one, does not use amavis.
Here there is one hit (2007):
https://sourceforge.net/p/amavis/mailman/message/17392709/
ah, but he says it is not working. The answer is it is not possible. Clamav supports it, amavis not.
Oh. But there is an example in the config you posted?
  # ### http://www.clamav.net/ - using remote clamd scanner as a backup
  # ['ClamAV-clamdscan', 'clamdscan',
  #   "--stdout --no-summary --config-file=/etc/clamd-client.conf {}",
  #   [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
I would try it, if this memory issue is so critical.
But there is no documentation of this :-(

It needs a config file, /etc/clamd-client.conf

There is no clamd-client in my system. Maybe it is for clamdscan, but man page does not mention anything related. Google hits for "clamd-client.conf" mention amavis only.

Found something.

<https://sourceforge.net/p/amavis/mailman/message/23962953/>

+++................
Given the overhead of having to stream the whole content to a remote scanner, the cost of spawning a clamdscan process is probably negligible. I don't think there is a need to duplicate in amavisd what clamdscan client does just fine.
if clamd supported both TCP and unix sockets on the same server, and you had two servers, amavisd could use unix sockets for primary, and then maybe tcp for backup scanner.
Just add an entry like:

  ### http://www.clamav.net/ - using remote clamd scanner
  ['ClamAV-clamdscan', 'clamdscan',
    "--stdout --no-summary --config-file=/etc/clamd-client.conf {}",
    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

and you have a backup clamd scanner on a remote host. The /etc/clamd-client.conf is just a copy of your main /etc/clamd.conf, with changed:

  TCPSocket 3310
  TCPAddr <remote-host-running-clamd>

It would be more comfortable if clamdscan supported a command-line option to specify a host/port of a scanning host, but using an alternative config file works fine too for the time being. Someone should send a suggestion to ClamAV folks.
................++-

Dunno. Perhaps. Because it says a copy, so clamav has still to be installed locally, then it will find and use it.

--
Cheers / Saludos,

Carlos E. R.
(from 15.0 x86_64 at Telcontar)
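
An added example, not part of the original message and not amavis or ClamAV code: a minimal Python client for a clamd TCP listener (the TCPSocket/TCPAddr setup discussed above). Because CONTSCAN passes a path that clamd itself must be able to open, the sketch streams the content with clamd's INSTREAM command instead and classifies the reply with the regexes from the quoted ClamAV-clamd entry. The function names are choices made for this sketch, and the host is supplied by the caller.

```python
import re
import socket
import struct

# Reply patterns taken from the amavis 'ClamAV-clamd' entry quoted in the thread.
CLEAN = re.compile(r"\bOK$", re.M)
INFECTED = re.compile(r"\bFOUND$", re.M)
VIRUS_NAME = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)


def instream_frames(data, chunk_size=8192):
    """Frame data for INSTREAM: 4-byte big-endian length + chunk, then a zero-length chunk."""
    frames = [b"zINSTREAM\0"]  # 'z' prefix: command and reply are NUL-terminated
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        frames.append(struct.pack("!I", len(chunk)) + chunk)
    frames.append(struct.pack("!I", 0))  # end-of-stream marker
    return b"".join(frames)


def parse_reply(reply):
    """Return (status, detail): status is 'clean', 'infected' or 'error'."""
    text = reply.rstrip("\0\r\n")
    if INFECTED.search(text):
        m = VIRUS_NAME.search(text)
        return "infected", m.group(1) if m else None
    if CLEAN.search(text):
        return "clean", None
    # Anything else (size limit exceeded, timeout, ...) must not be read as clean.
    return "error", text


def scan_remote(data, host, port=3310, timeout=30.0):
    """Stream data to a clamd TCP listener and return the parsed verdict."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply.decode("utf-8", "replace"))
```

A caller should treat the 'error' status as a scan failure and defer or retry the mail rather than deliver it as clean.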