Hi there,
On Thu, 17 Mar 2022, An Schall via clamav-users wrote:
> we have a server operating RHEL 6.x and which is using GPFS as a file
> system. We process high volume data on this server and are evaluating
> whether clamAV / clamd is a feasible solution to run AV scans against
> the processed data.
Perhaps you can be a little more forthcoming about the data?
> As I could not find an official page that lists features / supported
> platforms, etc.
If what you need to know can not be found at
https://docs.clamav.net/ please feel free to list the deficiencies here, or perhaps better
raise an issue on Github:
https://github.com/Cisco-Talos/clamav/issues/ > I would like to ask the community:
>
> - Does clamAV / clamd support GPFS as a filesystem?
ClamAV does not care what filesystem you use to store data - it can be
used to scan directly a stream of data which is not in any filesystem.
Most filesystems thesedays support multi-user, multi-tasking operating
systems and you might need to quarantine incoming data so that it can
be scanned before you permit access to it by a potentially vulnerable
application, but that's up to you and how you arrange things. There's
a daemon called 'clamonacc' which can use operating system features to
prevent access to suspect files 'on the fly' but, if I understand your
requirements at all, the performance might be an issue.
> - Is it feasible to enable real-time antivirus checks / monitoring
You need to define the terms which you are using. I do not know what
"real-time" means in that sentence. If it means can you scan data as
it arrives somewhere on a wire then as per the previous paragraph the
answer is yes. If it means can you run a daemon which prevents access
to suspect files by scanning them when some other process attempts to
read them, the answer is also yes with the above performance caveat.
In both cases you should consider the *detection* performance too, see
my final comment below.
I think most people use ClamAV without thinking very much about it to
scan a filesystem every once in a while. But ClamAV is more a toolkit
than it is an application and you can use it in many ways. I use it
only to scan electronic mail, primarily to stop spam and other junk.
> - Do you believe that clamAV / clamd is suitable to scan high volume data?
Again please define your terms, and in this case suggest what hardware
you might be planning to use. Obviously you can scale the capacity of
your scanning system to suit the volumes of data to be scanned simply
by applying more hardware (money) to the problem. Whatever you do, if
you are going to scan petabytes of unknown data for many millions of
disparate threats it's going to take some effort (and probably time).
> - Are there any upper limits on the size of the volume to be scanned
> (besides the 4GB max. file size)
Although the documentation might state otherwise in places, unless I
have missed something (since the move to Github I haven't been able to
make head nor tail of the ClamAV changes) the maximum is 2GB, not 4GB.
The limit is on the size of a single file (or - I believe - the length
of a data stream) and not the size of a volume in the filesystem. The
sizes of filesystems and volumes are irrelevant to ClamAV as it simply
uses the operating system facilities to access the scanned data, just
like any other application. Typically a ClamAV process while scanning
will use about 1GByte of RAM. This can be a single-use process which
loads its signature database on demand (the database can take a little
time to load, as it usually contains of the order of ten million sigs)
or it can be a long-lived daemon - 'clamd'. In either case there are
numerous configuration options which can set limits, including but not
limited to the size of individual files. You can, and I occasionally
do, run multiple clamd daemons. In my case this is usually about test
and experiment but you could do the same for parallel processing if it
appears to you to be necessary. A clamd daemon can take advantage of
multi-cored hardware, and, given enough RAM, you can run more than one
instance of clamd on a system. The 'clamonacc' utility itself uses a
'clamd' daemon to do its actual scanning.
Finally please consider the probability that ClamAV will find what you
think you are looking for. In my experience the people who ask the
sorts of questions which you are asking never seem to consider that a
threat might evade detection, and there's a somewhat depressingly good
chance that it will do just that - no matter what scanner you use. If
you search the archives of this mailing list you'll find some numbers,
but on a *very* good day one in five will get through. On a bad day,
just one of those will compromise your entire network.
HTH.
--
73,
Ged.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml