This is a discussion on [AMaViS-user] amavisd-new and mcafee's uvscan for unix questions within the Amavis User forums, part of the Anti-Spam and Anti-Virus Related Forums category.
My amavisd.conf is using a standard configuration for uvscan:

### http://www.nai.com/
['NAI McAfee AntiVirus (uvscan)', 'uvscan',
  '--secure -rv --mime --summary --noboot - {}', [0], [13],
  qr/(?x) Found (?:
      \ the\ (.+)\ (?:virus|trojan) |
      \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
      :\ (.+)\ NOT\ a\ virus)/,
# sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
# sub {delete $ENV{LD_PRELOAD}},
],

I'm running many instances of amavisd, yet I never seem to see much more than a dozen uvscan processes, no matter how many amavisd processes are running. Furthermore, it seems like every uvscan process is scanning the entire contents of /var/amavisd/tmp?:

amavisd 6265 6112 1 15:57:36 ? 0:07
/usr/local/bin/uvscan --secure -rv --mime --summary --noboot -
/var/amavis/tmp/

Shouldn't each uvscan process be shown as acting on a single subdirectory (message) in amavisd/tmp? I'm seeing really high times for virus scanning.

Any insight here greatly appreciated.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.p...r_id=100&url=/
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/...fo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

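How the fields of the scanner entry in the post above fit together, as an added example that is not part of the original thread or of amavisd-new itself: the `{}` placeholder becomes the per-message directory, `[0]` and `[13]` are the clean and infected exit statuses, and the pattern pulls out the malware names. The regex is a Python port of the Perl `qr//`; the function names, the sample output and the fail-closed handling of other exit statuses are assumptions of this example.

```python
import re

SCANNER = "uvscan"
ARGS = "--secure -rv --mime --summary --noboot - {}"
CLEAN_STATUS = {0}       # the entry's [0]
INFECTED_STATUS = {13}   # the entry's [13]

# Port of the entry's pattern. With (?x), unescaped whitespace is ignored
# and "\ " matches a literal space, in Python as in Perl.
NAME_RE = re.compile(r"""(?x) Found (?:
    \ the\ (.+)\ (?:virus|trojan) |
    \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
    :\ (.+)\ NOT\ a\ virus)""")


def build_command(msg_dir):
    """Substitute the per-message directory for the {} placeholder."""
    return [SCANNER] + [msg_dir if a == "{}" else a for a in ARGS.split()]


def interpret(exit_status, output):
    """Map one scanner run to (verdict, names). Hypothetical helper."""
    if exit_status in CLEAN_STATUS:
        return "clean", []
    if exit_status in INFECTED_STATUS:
        # Exactly one of the three capture groups is set per match.
        names = [next(g for g in m.groups() if g is not None)
                 for m in NAME_RE.finditer(output)]
        return "infected", names
    # Any status outside both lists is a scanner failure, never "clean"
    # (this example's policy: fail closed).
    return "error", []


# Constructed sample output: one line per alternative of the pattern.
SAMPLE = (
    "/tmp/msg/part-00001\n\tFound the W32/Example.a@MM virus !!!\n"
    "/tmp/msg/part-00002\n\tFound virus or variant Example/Variant !!!\n"
    "/tmp/msg/part-00003\n\tFound: EICAR test file NOT a virus.\n"
)

if __name__ == "__main__":
    print(build_command("/var/spool/amavis/tmp/amavis-20080813T135331-1"))
    print(interpret(13, SAMPLE))
```
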
jonathan wrote:
> My amavisd.conf is using a standard configuration for uvscan:
>
> ### http://www.nai.com/
> ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
>   '--secure -rv --mime --summary --noboot - {}', [0], [13],
>   qr/(?x) Found (?:
>       \ the\ (.+)\ (?:virus|trojan) |
>       \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
>       :\ (.+)\ NOT\ a\ virus)/,
> # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
> # sub {delete $ENV{LD_PRELOAD}},
> ],
>
> I'm running many instances of amavisd, yet I never seem to see much more
> than a dozen uvscan processes, no matter how many amavisd processes are
> running. Furthermore, it seems like every uvscan process is scanning
> the entire contents of /var/amavisd/tmp?:
>
> amavisd 6265 6112 1 15:57:36 ? 0:07
> /usr/local/bin/uvscan --secure -rv --mime --summary --noboot -
> /var/amavis/tmp/
>
> Shouldn't each uvscan process be shown as acting on a single
> subdirectory (message) in amavisd/tmp? I'm seeing really high times for
> virus scanning.

Yes, it should be a per-mail message, which gets decoded into a specific folder in the amavis tmp directory. I'm seeing:

/bin/sh /usr/local/bin/uvscan --secure -rv --mime --summary \
    --noboot - /var/spool/amavis/tmp/amavis-20080813T135331-1

> Any insight here greatly appreciated.

aha: I'm not seeing the directory name in my ps list due to the command-line printout cutoff, which conveniently chops off right after /var/amavis/tmp/. Increasing my amavis loglevel shows the correct directory being scanned.

I'm still not sure why I don't see a corresponding increase in the number of uvscan processes if I increase my number of amavisd processes by a factor of 2 or 3. I have servers that are getting a queue backlog, yet are only showing 40% cpu utilization and lots of free memory, which seems strange.

jonathan wrote:
> aha: I'm not seeing the directory name in my ps list due to the
> command-line printout cutoff, which conveniently chops off right after
> /var/amavis/tmp/. Increasing my amavis loglevel shows the correct
> directory being scanned.
>
> I'm still not sure why I don't see a corresponding increase in the
> number of uvscan processes if I increase my number of amavisd processes
> by a factor of 2 or 3. I have servers that are getting a queue backlog,
> yet are only showing 40% cpu utilization and lots of free memory, which
> seems strange.

Have you run amavis-nanny to see if all amavis processes are actually in use?

jonathan wrote:
> as a relevant point, the newest unix (Solaris) command-line uvscan is
> almost twice as fast as the previous one - upgrading this is making a
> massive performance difference.

Agreed. I updated my NetBSD system from the 5.2 engine to 5.3. The claimed performance gains from 5.1 -> 5.2 have finally been realized in 5.3. I'm seeing minimally a 30% reduction in scan times with the 5.3 uvscan vs. 5.2 or 5.1.

While clamdscan is faster for smaller mail messages (due to not reading in defs files each run), uvscan destroys clamdscan on larger archives:

#
# 4.2K small mail file
#
$ time uvscan -rv --noboot --summary --secure --mime virus-4byRQjj1YPAt
Scanning virus-4byRQjj1YPAt
Scanning file virus-4byRQjj1YPAt
Scanning file virus-4byRQjj1YPAt/000004dc.EML

Summary report on virus-4byRQjj1YPAt
File(s)
        Total files: ........... 2
        Clean: ................. 2
        Possibly Infected: ..... 0

real 0m2.845s
user 0m2.474s
sys 0m0.370s

$ time clamdscan --verbose virus-4byRQjj1YPAt
virus-4byRQjj1YPAt: Email.Malware.Sanesecurity.08081003.StormNews.CnnGen FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.071 sec (0 m 0 s)

real 0m0.074s
user 0m0.002s
sys 0m0.002s

#
# 2.2M gzipped tar archive
#
$ time uvscan -rv --noboot --summary --secure --mime \
    gallery-1.5.7.tar.gz

Summary report on gallery-1.5.7.tar.gz
File(s)
        Total files: ........... 1169
        Clean: ................. 1169
        Possibly Infected: ..... 0

real 0m7.642s
user 0m7.130s
sys 0m0.482s

$ time clamdscan --verbose gallery-1.5.7.tar.gz
gallery-1.5.7.tar.gz: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 18.697 sec (0 m 18 s)

real 0m18.700s
user 0m0.001s
sys 0m0.002s