[Mimedefang] clamd memory leak?
Kelsey Cummings
kgc at sonic.net
Fri Apr 16 13:45:17 EDT 2004
On Thu, Apr 15, 2004 at 11:00:46PM -0700, Jeffrey Goldberg wrote:
> On Thu, 15 Apr 2004 WBrown at e1b.org wrote:
>
> > We limit messages to 10 MB.
>
> We use 20 MB. I wanted 10, my boss wanted 20, so we compromised on 20.
<g>
> But we still haven't clarified (or maybe I missed it) whether there is
> a memory leak in clamav or whether the huge file caused the problems
> leaklessly. I should note that the example/default mimedefang-filter has
> a condition on it to not run spamassassin on very large messages. It
> might be safe to do the same with virus scanning. A worm so large that
> most mail hubs would reject on size is not really going to propogate very
> far.
There are some outside cases where a 4mb message can make some versions of
clamd consume >gigs< of RAM. It's also decompressing files into RAM so a
50 MB message that's compressed 2:1 will take at least 100MB of RAM. Add
to this the overhead for the scanner's structures and recursion it could
take a great deal more. Clamd can be DoS'd pretty easily right now. You
may want to consider tuning it, running something later than .70rc, running
it under ulimits and adding as much RAM to the server as you can afford or
will fit.
An alternate choice is to use clamscan which appears to do a better job
with it's memory management but has the expense of reading the sigs for
every check along with the process startup costs.
Disabling archive scanning can also help.
--
Kelsey Cummings - kgc at sonic.net sonic.net, inc.
System Administrator 2260 Apollo Way
707.522.1000 (Voice) Santa Rosa, CA 95407
707.547.2199 (Fax) http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79 8DB7 2B42 86B6 4E2C 3896
More information about the MIMEDefang
mailing list