Carlos E. R. wrote:
On 01/09/2019 18.33, Per Jessen wrote:
Carlos E. R. wrote:
I don't believe that for one second. clamd works by loading all signatures into memory and using that when scanning. Maybe you could add "LogTime true" to clamd.conf ?
Well, you can see how it actually detected a virus, and not the entire thing came back to ram. I guess memory segments were retrieved as needed from swap by the kernel, till clamd hit a match signature and it stopped. Less than 100MB were needed.
And the test signature is probably one of the first in the database, yes. I don't think the PDF you sent was scanned though.
I think the same, and that worries me. Unless it knows directly it has no javascript.
I think it is unlikely for amavis to dabble with that.
I'd like to find something more aggressive.
Maybe try "kill -TSTP <pid>" to suspend/pause clamd.
Mmmm... :-? The process is already waiting, not using cpu at all.
It can still be scheduled, receive data etc. If you pause it, it can't.
You need to enable clamd for listening on an external socket - that seems to be the TCPSocket and the TCPAddr options.
I don't have amavis installed anywhere, but I am sure you can find parameters that direct which clamd to use.
I posted the part of the configuration that mentions clamd. Wait... I found something.

@av_scanners_backup = (
  ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
  ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

That sounds a lot like the on-demand scan you were looking for?
Clamd listens on a port, amavis could be redirected to that port outside. But the problem is, amavis autodetects clamd and connects to it, so connecting to outside means changing code, IMHO.
There is nothing to configure which clamd to use?
Not that I know, no. The config file is code.
Okay, so it's configured with perl.

# ### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd-socket"],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

Wild guess:
replace "/var/run/clamav/clamd-socket"] with
"yourhost:yourport"
:-?
It is an area I know little about.
If I read it correctly, that definition is called "ClamAV-clamd", it uses a function called "ask_daemon" to talk to a daemon listening on "/var/run/clamav/clamd-socket". The rest are regexes for how to interpret the result. Instead of a UNIX socket path, it seems reasonable to use "yourhost:yourport" instead.
And there is saint google: "using amavis with a remote clamd"
First hit, 15 years ago, says it is not currently supported. Second one, does not use amavis.
Here there is one hit (2007):
https://sourceforge.net/p/amavis/mailman/message/17392709/
Ah, but he says it is not working. The answer is it is not possible. Clamav supports it, amavis not.
Oh. But there is an example in the config you posted?

# ### http://www.clamav.net/ - using remote clamd scanner as a backup
# ['ClamAV-clamdscan', 'clamdscan',
#   "--stdout --no-summary --config-file=/etc/clamd-client.conf {}",
#   [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

I would try it, if this memory issue is so critical.

-- 
Per Jessen, Zürich (16.2°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
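
An added example, not part of the thread and not amavis or ClamAV code: "CONTSCAN {}" hands clamd a path that clamd opens on its own filesystem, so a clamd on another host has to receive the message bytes instead, which clamd's INSTREAM command does. The sketch below frames an INSTREAM request and interprets the reply with the regexes from the quoted amavisd.conf entries; the function names and the sample replies in the comments are hypothetical.

```python
import re
import struct

# Regexes as they appear in the amavisd.conf entries quoted in the thread.
CLEAN_RE = re.compile(r"\bOK$", re.M)
FOUND_RE = re.compile(r"\bFOUND$", re.M)
VIRUS_NAME_RE = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)

def instream_frames(data, chunk_size=8192):
    """Yield the byte strings that make up one zINSTREAM request."""
    yield b"zINSTREAM\0"                      # 'z' prefix: NUL-terminated command
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        # Each chunk is prefixed with its length, 4 bytes, network byte order.
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)                # zero-length chunk ends the stream

def parse_reply(reply):
    """Return ('clean', None), ('infected', name) or ('error', raw text)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if FOUND_RE.search(text):
        m = VIRUS_NAME_RE.search(text)
        return ("infected", m.group(1) if m else None)
    if CLEAN_RE.search(text):
        return ("clean", None)
    # Anything else is a failure, not a clean verdict,
    # e.g. "INSTREAM size limit exceeded. ERROR" when StreamMaxLength is hit.
    return ("error", text)

def scan_stream(sock, data):
    """Stream data over an already connected socket and return the verdict."""
    for frame in instream_frames(data):
        sock.sendall(frame)
    reply = b""
    while not reply.endswith(b"\0"):          # 'z' replies end with a NUL byte
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return parse_reply(reply)
```

To use it against a real daemon, pass scan_stream() a socket from socket.create_connection() pointed at the address clamd is configured to listen on with TCPSocket and TCPAddr.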