[clamav-users] Clamd no stop scan

Micah Snyder (micasnyd) micasnyd at cisco.com
Mon Apr 8 16:26:28 UTC 2019 

G’day,

Based on your clamdtop screenshot, it looks like your signature database is up to date with today’s update.  Friday’s daily update included a large number of signatures that slowed everything down, but they were dropped on Saturday so I don’t _think_ that should be the reason why you’re seeing slow scans now.  Would you be able to share the eml (or just attachment) with the long scan time directly with me?  I am curious what is taking so long.  I understand if it’s confidential and may not be shared.

Clamdscan is simply a client to submit scans to clamd and return the results of the scan.  Once clamd begins scanning a file, it will run until completion.  Interrupting the clamdscan process will not interrupt the clamd thread performing the scan.

-Micah


From: clamav-users <clamav-users-bounces at lists.clamav.net> on behalf of JME via clamav-users <clamav-users at lists.clamav.net>
Reply-To: ClamAV users ML <clamav-users at lists.clamav.net>
Date: Monday, April 8, 2019 at 11:22 AM
To: "clamav-users at lists.clamav.net" <clamav-users at lists.clamav.net>
Cc: "jmedard at amv-sa.fr" <jmedard at amv-sa.fr>
Subject: [clamav-users] Clamd no stop scan

Morning,

Some email scan are very slow. This is happening more and more often, and seems more related to Clamd's demime problems than real email attachments concerns.
Here is an example of an email that takes several minutes to analyze:

# time clamdscan 1hDTxy-0002Dk-Lc.eml
/tmp/eml/1hDTxy-0002Dk-Lc.eml: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 199.716 sec (3 m 19 s)

real    3m19,720s
user    0m0,004s
sys     0m0,000s


Regardless of this, regardless of the file transmitted to clamd by clamdscan, if the analysis is interrupted (for example after 5 seconds of analysis), the analysis of it continues, even after the ReadTimeout or any other TimeOut. Attached is a copy of clamdtop after making a CTRL + C clamdscan. It lasts until complete analysis (more than 5 minutes).

Do you find normal that the clamd process continues its analysis despite the end of the clamdscan call process and even after exceeding the various TimeOut?
Regards


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20190408/16612823/attachment.htm>

More information about the clamav-users mailing list