Discussion:
amavisd-new and mcafee's uvscan for unix questions
jonathan
17 years ago
My amavisd.conf is using a standard configuration for uvscan:

### http://www.nai.com/
['NAI McAfee AntiVirus (uvscan)', 'uvscan',
'--secure -rv --mime --summary --noboot - {}', [0], [13],
qr/(?x) Found (?:
\ the\ (.+)\ (?:virus|trojan) |
\ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
:\ (.+)\ NOT\ a\ virus)/,
# sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
# sub {delete $ENV{LD_PRELOAD}},
],

I'm running many instances of amavisd, yet I never seem to see much more
than a dozen uvscan processes, no matter how many amavisd processes are
running. Furthermore, it seems like every uvscan process is scanning
the entire contents of /var/amavisd/tmp?:

amavisd 6265 6112 1 15:57:36 ? 0:07 /usr/local/bin/uvscan --secure -rv --mime --summary --noboot - /var/amavis/tmp/

Shouldn't each uvscan process be shown as acting on a single
subdirectory (message) in amavisd/tmp? I'm seeing really high times for
virus scanning.

Any insight here greatly appreciated.


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
AMaViS-user mailing list
AMaViS-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
MrC
17 years ago
...
Yes, it should be a per-mail message, which gets decoded into a specific
folder in the amavis tmp directory. I'm seeing:

/bin/sh /usr/local/bin/uvscan --secure -rv --mime --summary \
--noboot - /var/spool/amavis/tmp/amavis-20080813T135331-1
Post by jonathan
Any insight here greatly appreciated.
jonathan
17 years ago
Aha: I'm not seeing the directory name in my ps list due to the
command-line printout cutoff, which conveniently chops off right after
/var/amavis/tmp/. Increasing my amavis loglevel shows the correct
directory being scanned.

I'm still not sure why I don't see a corresponding increase in the
number of uvscan processes if I increase my number of amavisd processes
by a factor of 2 or 3. I have servers that are getting a queue backlog,
yet are only showing 40% cpu utilization and lots of free memory, which
seems strange.
...
MrC
17 years ago
...
Have you run amavis-nanny to see if all amavis processes are actually in
use?

jonathan
17 years ago
...
MrC
17 years ago
as a relevant point, the newest unix (Solaris) command-line uvscan is
almost twice as fast as the previous one - upgrading this is making a
massive performance difference.
Agreed. I updated my NetBSD system from the 5.2 engine to 5.3. The
claimed performance gains from 5.1 -> 5.2 have finally been realized in
5.3. I'm seeing minimally a 30% reduction in scan times with the 5.3
uvscan vs. 5.2 or 5.1.

While clamdscan is faster for smaller mail messages (due to not reading
in defs files each run), uvscan destroys clamdscan on larger archives:

#
# 4.2K small mail file
#

$ time uvscan -rv --noboot --summary --secure --mime virus-4byRQjj1YPAt
Scanning virus-4byRQjj1YPAt
Scanning file virus-4byRQjj1YPAt
Scanning file virus-4byRQjj1YPAt/000004dc.EML

Summary report on virus-4byRQjj1YPAt
File(s)
Total files: ........... 2
Clean: ................. 2
Possibly Infected: ..... 0

real 0m2.845s
user 0m2.474s
sys 0m0.370s

$ time clamdscan --verbose virus-4byRQjj1YPAt
virus-4byRQjj1YPAt: Email.Malware.Sanesecurity.08081003.StormNews.CnnGen FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.071 sec (0 m 0 s)

real 0m0.074s
user 0m0.002s
sys 0m0.002s


#
# 2.2M gzipped tar archive
#

$ time uvscan -rv --noboot --summary --secure --mime \
gallery-1.5.7.tar.gz
Summary report on gallery-1.5.7.tar.gz
File(s)
Total files: ........... 1169
Clean: ................. 1169
Possibly Infected: ..... 0

real 0m7.642s
user 0m7.130s
sys 0m0.482s

$ time clamdscan --verbose gallery-1.5.7.tar.gz
gallery-1.5.7.tar.gz: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 18.697 sec (0 m 18 s)

real 0m18.700s
user 0m0.001s
sys 0m0.002s
