Mailing List Archive

[clamav-users] Clamd no stop scan
Morning,

Some email scans are very slow. This is happening more and more often, and
seems more related to Clamd's demime problems than to real email attachment
concerns.

Here is an example of an email that takes several minutes to analyze:

# time clamdscan 1hDTxy-0002Dk-Lc.eml
/tmp/eml/1hDTxy-0002Dk-Lc.eml: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 199.716 sec (3 m 19 s)

real 3m19,720s
user 0m0,004s
sys 0m0,000s

Regardless of this, regardless of the file transmitted to clamd by
clamdscan, if the analysis is interrupted (for example after 5 seconds of
analysis), the analysis of it continues, even after the ReadTimeout or any
other TimeOut. Attached is a copy of clamdtop after doing a CTRL + C on
clamdscan. It lasts until the analysis is complete (more than 5 minutes).

Do you find it normal that the clamd process continues its analysis despite the
end of the clamdscan call process and even after exceeding the various
TimeOut?

Regards
Re: [clamav-users] Clamd no stop scan
G’day,

Based on your clamdtop screenshot, it looks like your signature database is up to date with today’s update. Friday’s daily update included a large number of signatures that slowed everything down, but they were dropped on Saturday so I don’t _think_ that should be the reason why you’re seeing slow scans now. Would you be able to share the eml (or just attachment) with the long scan time directly with me? I am curious what is taking so long. I understand if it’s confidential and may not be shared.

Clamdscan is simply a client to submit scans to clamd and return the results of the scan. Once clamd begins scanning a file, it will run until completion. Interrupting the clamdscan process will not interrupt the clamd thread performing the scan.

-Micah


From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of JME via clamav-users <clamav-users@lists.clamav.net>
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
Date: Monday, April 8, 2019 at 11:22 AM
To: "clamav-users@lists.clamav.net" <clamav-users@lists.clamav.net>
Cc: "jmedard@amv-sa.fr" <jmedard@amv-sa.fr>
Subject: [clamav-users] Clamd no stop scan

Re: [clamav-users] Clamd no stop scan
Thanks,

I send you an example of a live mail.

On the other hand, I am surprised that clamd does not stop the analysis if ReadTimeout is exceeded and if there is no more "contact" with clamdscan! What is this Timeout for otherwise?

It's a pity that clamd is using resources unnecessarily in this case.

JME

From: Micah Snyder (micasnyd) <micasnyd@cisco.com>
Sent: Monday, April 8, 2019 18:26
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: jmedard@amv-sa.fr
Subject: Re: [clamav-users] Clamd no stop scan



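
Added example (not part of the thread, and not ClamAV's code): a toy Python model of the client/daemon split discussed above. In this model the read timeout bounds only the wait for the client's request, so the scan runs to completion after the client disconnects. The `deadline` parameter is a hypothetical per-scan limit checked inside the scan loop; all names, timings and the sample request are constructed.

```python
import socket
import threading
import time

READ_TIMEOUT = 0.5  # models clamd's ReadTimeout: bounds waiting for client data
SCAN_COST = 0.3     # constructed: duration of the simulated slow scan, seconds


def worker(listener, log, deadline):
    conn, _ = listener.accept()
    conn.settimeout(READ_TIMEOUT)
    try:
        conn.recv(1024)  # read the scan request; only this wait can time out
    except socket.timeout:
        log.append("read-timeout")
        conn.close()
        return
    start = time.monotonic()
    for _ in range(30):  # the scan loop never looks at the client socket
        time.sleep(SCAN_COST / 30)
        if deadline is not None and time.monotonic() - start > deadline:
            log.append("aborted")
            break
    else:
        log.append("completed")
    try:
        conn.sendall(b"/tmp/sample.eml: OK\0")  # the client may already be gone
    except OSError:
        log.append("reply-undeliverable")
    conn.close()


def client_aborts_early(deadline=None):
    """Send a scan request, then disconnect immediately (the CTRL + C case)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    log = []
    t = threading.Thread(target=worker, args=(listener, log, deadline))
    t.start()
    client = socket.create_connection(listener.getsockname())
    client.sendall(b"zSCAN /tmp/sample.eml\0")  # constructed request
    client.close()
    t.join()
    listener.close()
    return log


if __name__ == "__main__":
    print(client_aborts_early())               # scan runs to completion
    print(client_aborts_early(deadline=0.05))  # hypothetical per-scan deadline
```
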