[Mimedefang] Perl Mail::ClamAV

John Rudd john at rudd.cc
Tue Sep 20 12:27:52 EDT 2005


On Sep 20, 2005, at 7:53 AM, David F. Skoll wrote:

> John Rudd wrote:
>
>> Output from using Mail::ClamAV :
>> delta = 667
>
>> Output from using clamd:
>> delta = 65
>
> Is your Mail::ClamAV code reloading the signature database for each
> message?

Nope.  Mail::ClamAV has a function which tests to see if there's new 
signatures, and only reloads them if there is.  I suppose that check 
might also be somewhat expensive though.  I guess I could try again 
with it not checking at all during the test.

> That's probably what's killing the performance.  If you somehow
> rework your code to load the signatures once when the filter starts up,
> you might see better performance.

Except as above, that's pretty much what I do.

> However, I still doubt that you'll beat clamd.  It's written in
> multithreaded C, and the IPC overhead between the Perl filter and
> clamd is minimal.

My current hypothesis is that because MailScanner does scans on huge 
(100ish) batches of messages all at once, it gets an economy of scale 
from Mail::ClamAV's archive mode that mimedefang just can't get 
(because it's a milter and must do one message at a time).  Similarly, 
I don't know how they would invoke clamd on an archive without using 
clamdscan (which may just be my own ignorance about clamav), where 
clamdscan has to deal with fork and exec overhead, etc.  And I think 
Julian has a bias against socket approaches (ex: spamc/spamd sends the 
message through a socket, which means you have to deal with extra 
overhead there, which makes it much slower than mailscanner's direct 
calling of the spam assassin libraries), and I don't know if that bias 
holds true for clamd or not.  Anyway, my point is, at their economy of 
scale, clamd might not be a win for them.

The end result being, no shoe fits both feet.  My starting point in 
this question was to try to use 1 method for both cases ... and I don't 
think that's going to hold up.  Meanwhile, I want to at least be moving 
virus scanning to mimedefang, so it looks like clamd is going to be 
where I end up.  I just wanted to be sure.




More information about the MIMEDefang mailing list