[Mimedefang] Performance difference...

Jason Englander jason at englanders.cc
Fri Aug 22 16:47:01 EDT 2003


On Thu, 21 Aug 2003, Ashley M. Kirchner wrote:

>     Right now my filter (which is very similar to the example one) first
> checks for invalid extensions, and then goes on to the virus scanner.
>  What kind of performance hit can I expect if I reverse those two: scan
> first, then check for extension?

You're much better off, system load wise, if an attachment is rejected
because it's caught by filter_bad_filename() for being a pif, rather than
being virus scanned.

...but if you do any sender notifications (which probably won't get
to the actual sender anyway) or recipient notifications, they may want to
know they've been saved from the evil Sobig.F worm rather than seeing a
generic message that your_details.pif has been removed from their
message.  (You can always add a Sobig.F-specific note for messages
caught by filter_bad_filename() whose file names match Sobig.F's filenames.)

Whether or not flipping them around will affect the load on your system
depends on what sort of files come through.  If most attachments that come
through are OK (good extension, not infected), you may not see a
difference.  If you're talking about something like an ISP mail server
(who will be bombarded with viruses and bad extensions 24/7), your load
will go noticeably higher.

The added i/o activity required for virus scanning is what will make it
worse.  If your spool dir is a ramdisk, that will lessen the hit.  If your
virus scanner(s) is File::Scan or a daemon (clamd, sophie, trophie,
etc.), that will help too, vs. using a regular command-line scanner
(because perl won't have to exec it for each e-mail processed; it will
already be running).

  Jason

-- 
Jason Englander <jason at englanders.cc>
394F 7E02 C105 7268 777A  3F5A 0AC0 C618 0675 80CA
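
An added example (not part of the original post and not MIMEDefang's own code) that models the ordering trade-off discussed above: a name check ahead of the scanner, with a Sobig.F-specific note for the one file name the post mentions. `triage`, `scan_is_infected`, the extension list and the sample batch are hypothetical stand-ins; in a real filter the name check is filter_bad_filename() and the scan is whatever scanner the filter calls.

```perl
use strict;
use warnings;

# Extensions rejected on name alone (short constructed list for this example).
my $BAD_EXT_RE = qr/\.(?:pif|scr|bat|exe)\.*$/i;

# File names tied to a specific worm; only the name quoted in the post is listed.
my %WORM_NAMES = ('your_details.pif' => 'Sobig.F');

my $scans = 0;    # how many times the expensive scanner was invoked

# Stand-in for the virus scanner: the real cost is spool I/O plus, for a
# command-line scanner, an exec per message.
sub scan_is_infected {
    my ($att) = @_;
    $scans++;
    return $att->{infected};
}

# Returns the notification text for a removed attachment, or undef to keep it.
sub triage {
    my ($att, $name_check_first) = @_;
    my $name    = $att->{name};
    my $bad_ext = $name =~ $BAD_EXT_RE;
    if ($name_check_first && $bad_ext) {
        my $worm = $WORM_NAMES{ lc $name };
        return $worm
            ? "$name removed: file name matches the $worm worm"
            : "$name removed: attachment type not allowed";
    }
    return "$name removed: virus found by scanner" if scan_is_infected($att);
    return "$name removed: attachment type not allowed" if $bad_ext;
    return undef;
}

# Constructed sample batch: two worm copies, one other bad extension, two clean.
my @batch = (
    { name => 'your_details.pif', infected => 1 },
    { name => 'YOUR_DETAILS.PIF', infected => 1 },
    { name => 'setup.exe',        infected => 0 },
    { name => 'report.pdf',       infected => 0 },
    { name => 'notes.txt',        infected => 0 },
);

for my $first (1, 0) {
    $scans = 0;
    my @notes = grep { defined } map { triage($_, $first) } @batch;
    printf "%s: %d scans, %d removed\n", ($first ? 'name check first' : 'scan first'), $scans, scalar @notes;
    print "  $_\n" for @notes;
}
```

Both orderings remove the same attachments; only the number of scanner invocations and the wording of the notification differ.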
