[Mimedefang] ClamAv Perl Module

John Rudd john at rudd.cc
Thu Sep 15 02:30:09 EDT 2005


On Sep 14, 2005, at 7:02 PM, John Nemeth wrote:

> On Feb 4,  1:43am, "David F. Skoll" wrote:
> } John Rudd wrote:
> }
> } > Does mimedefang support calling clamav via the clamav perl module?  I
> } > have heard that that is much faster than both clamscan and clamd.
> }
> } No, but MIMEDefang "talks" the clamd protocol directly, so it is faster
> } than clamscan.
> }
> } I doubt anything could possibly be faster than clamd.
>
>      I believe the Perl module loads libclamav and calls it directly.
> In that sense it would be faster than clamd.  However, having multiple
> copies of libclamav in memory could cause problems due to excessive
> memory usage.

MailScanner's default number of children is 10.  So, while it does 
impose some extra memory footprint, we're not talking about tons of 
dynamic invocations of libclamav in memory.  And MailScanner's memory 
requirements are fairly modest (I haven't seen any of my mailscanner 
boxes spill over 512MB of memory in use; and they all have about 1.5MB 
to play with).  If mimedefang had an option for the same, it wouldn't 
be much different (similar numbers of children).

And, the way it does virus scanning is to set aside, in a work 
directory, around 100 messages (configurable), scan all of them in one 
pass, and then look at the results.

They claim that both of these things (calling libclamav directly, and 
not feeding messages to clamd one at a time) make mailscanner's method 
faster than using clamd.


I suppose that, once Sept. is over (school starts this weekend, so I 
can't do any real messing with the servers for a week or two), and once 
we get our new hardware into the racks, I can try loading the clamav 
perl module directly in mimedefang-filter, and see how the results go, 
and compare them.  If/when I get around to that, I'll post results 
here.


> There is also the issue of having to periodically check
> to see if the signature files have been updated (freshclam has a
> mechanism to inform clamd).

Yeah, I don't know how exactly they deal with that.  Probably at the 
start of each group-scan they do some form of check, and then do the 
group scan.




