[Mimedefang] ClamAv Perl Module
John Rudd
john at rudd.cc
Thu Sep 15 02:30:09 EDT 2005
On Sep 14, 2005, at 7:02 PM, John Nemeth wrote:
> On Feb 4, 1:43am, "David F. Skoll" wrote:
> } John Rudd wrote:
> }
> } > Does mimedefang support calling clamav via the clamav perl module?
> I
> } > have heard that that is much faster than both clamscan and clamd.
> }
> } No, but MIMEDefang "talks" the clamd protocol directly, so it is
> faster
> } than clamscan.
> }
> } I doubt anything could possibly be faster than clamd.
>
> I believe the Perl module loads libclamav and calls it directly.
> In that sense it would be faster then clamd. However, having multiple
> copies of libclamav in memory could cause problems due to excessive
> memory usage.
MailScanner's default number of children is 10. So, while it does
impose some extra memory footprint, we're not talking about tons of
dynamic invokations of libclamav in memory. And MailScanner's memory
requirements are fairly modest (I haven't seen any of my mailscanner
boxes spill over 512MB of memory in use; and they all have about 1.5MB
to play with). If mimedefang had an option for the same, it wouldn't
be much different (similar numbers of children).
And, the way it does virus scanning is to set aside, in a work
directory, around 100 messages (configurable), scan all of them in one
pass, and then look at the results.
They claim that both of these things (calling libclamav directly, and
not feeding messages to clamd one at a time) make mailscanner's method
faster than using clamd.
I suppose that, once Sept. is over (school starts this weekend, so I
can't do any real messing with the servers for a week or two), and once
we get our new hardware into the racks, I can try loading the clamav
perl module directly in mimedefang-filter, and see how the results go,
and compare them. If/when I get around to that, I'll post results
here.
> There is also the issue of having to periodically check
> to see if the signature files have been updated (freshclam has a
> mechanism to inform clamd).
Yeah, I don't know how exactly they deal with that. Probably at the
start of each group-scan they do some form of check, and then do the
group scan.
More information about the MIMEDefang
mailing list