[clamav-users] clamav-milter feature request

Reindl Harald h.reindl at thelounge.net
Thu Aug 4 15:25:09 EDT 2016



On 04.08.2016 at 21:18, Matus UHLAR - fantomas wrote:
>> On 04.08.2016 at 19:47, Benny Pedersen wrote:
>>> reason for this is that make this clamav signature is that it's more ram
>>> effective than make native spamassassin rules
>
> On 04.08.16 19:50, Reindl Harald wrote:
>> different signatures for different clamd are your friend
>>
>> [root at testserver:/etc/mail/spamassassin]$ cat clamav.cf
>> loadplugin ClamAV clamav.pm
>>
>> full      CLAMAV_JNK  eval:check_clamav('/run/clamd/clamd-sa.sock')
>> describe  CLAMAV_JNK  ClamAV detected malware/phishing/junk
>> score     CLAMAV_JNK  6.0
>>
>> full      CLAMAV_MLW  eval:check_clamav('/run/clamd/clamd.sock')
>> describe  CLAMAV_MLW  ClamAV detected malware/phishing
>> score     CLAMAV_MLW  9.9
>
> I'm afraid that running multiple clamd (that's what clamav-milter uses)
> instances is the least memory effective possibility

nope

one clamd with all signatures here has a memory usage of 800 MB, both
together have around the same, each of them a part of it depending on
what signatures they have loaded

"clamd is more RAM effective than a spamassassin rule" is just wrong,
that's it - clamd is and never was RAM effective and its memory usage
is related to the amount and size of signatures

what Benny wants is that he can control the type of answers depending
on signatures (as far as it's understandable what he really talks about,
which isn't easy usually) and that's exactly what you get by splitting your
signatures to multiple instances and scoring them differently depending on
the signature types

the clamav-milter should be *the very last* instance with only 100%
sure signatures to bypass any shortcircuit and other whitelistings and
catch *real malware* at the end of the chain even from normally
whitelisted people if their machines got infected

the *real underlying* problem is that there is no chance to get rid of
20 years old samples without a massive amount of work and that it's time
that the main/daily signatures are split and conditionally loadable
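
The clamd side of the setup described in this message, as an added example that is not part of the original post: two clamd instances, each loading its own signature directory, behind the two sockets named in the quoted clamav.cf, with clamav-milter attached only to the malware instance. The database directories, config file names and milter socket path are assumptions; only the two clamd socket paths come from the post.

```conf
# --- /etc/clamd.d/clamd.conf (assumed file name): malware instance ---
# Holds only the high-confidence signatures; this is the instance that
# clamav-milter and the CLAMAV_MLW rule (score 9.9) talk to.
DatabaseDirectory /var/lib/clamav          # assumed path
LocalSocket /run/clamd/clamd.sock          # socket path from the post
LocalSocketMode 660
PidFile /run/clamd/clamd.pid               # assumed path
LogSyslog yes

# --- /etc/clamd.d/clamd-sa.conf (assumed file name): junk instance ---
# Loads the broader junk/phishing signature sets; queried only by the
# SpamAssassin CLAMAV_JNK rule (score 6.0), never by the milter.
DatabaseDirectory /var/lib/clamav-sa       # assumed path
LocalSocket /run/clamd/clamd-sa.sock       # socket path from the post
LocalSocketMode 660
PidFile /run/clamd/clamd-sa.pid            # assumed path
LogSyslog yes

# --- /etc/mail/clamav-milter.conf (assumed file name) ---
# Last stage of the chain: hard reject, backed only by the malware
# instance so whitelisting earlier in the chain cannot bypass it.
MilterSocket unix:/run/clamav-milter/clamav-milter.sock   # assumed path
ClamdSocket unix:/run/clamd/clamd.sock
OnInfected Reject
OnClean Accept
OnFail Defer
```

Each instance's memory footprint follows the contents of its own DatabaseDirectory, which is why the two together use about as much RAM as a single clamd loading everything.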
