[clamav-users] Clamd no stop scan

jmedard at amv-sa.fr jmedard at amv-sa.fr
Mon Apr 8 17:03:37 UTC 2019 

Thanks,

I send you an example of a live mail.

 

On the other hand, I am surprised that clamd does not stop the analysis if ReadTimeout is exceeded and if there is no more "contact" with clamdscan! What is this Timout for otherwise?

 

It's a pity that clamd is using resources unnecessarily in this case.

 

JME

 

 

De : Micah Snyder (micasnyd) <micasnyd at cisco.com> 
Envoyé : lundi 8 avril 2019 18:26
À : ClamAV users ML <clamav-users at lists.clamav.net>
Cc : jmedard at amv-sa.fr
Objet : Re: [clamav-users] Clamd no stop scan

 

G’day,

 

Based on your clamdtop screenshot, it looks like your signature database is up to date with today’s update.  Friday’s daily update included a large number of signatures that slowed everything down, but they were dropped on Saturday so I don’t _think_ that should be the reason why you’re seeing slow scans now.  Would you be able to share the eml (or just attachment) with the long scan time directly with me?  I am curious what is taking so long.  I understand if it’s confidential and may not be shared. 

 

Clamdscan is simply a client to submit scans to clamd and return the results of the scan.  Once clamd begins scanning a file, it will run until completion.  Interrupting the clamdscan process will not interrupt the clamd thread performing the scan. 

 

-Micah

 

 

From: clamav-users <clamav-users-bounces at lists.clamav.net <mailto:clamav-users-bounces at lists.clamav.net> > on behalf of JME via clamav-users <clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net> >
Reply-To: ClamAV users ML <clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net> >
Date: Monday, April 8, 2019 at 11:22 AM
To: "clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net> " <clamav-users at lists.clamav.net <mailto:clamav-users at lists.clamav.net> >
Cc: "jmedard at amv-sa.fr <mailto:jmedard at amv-sa.fr> " <jmedard at amv-sa.fr <mailto:jmedard at amv-sa.fr> >
Subject: [clamav-users] Clamd no stop scan

 

Morning,

 

Some email scan are very slow. This is happening more and more often, and seems more related to Clamd's demime problems than real email attachments concerns.

Here is an example of an email that takes several minutes to analyze:

 

# time clamdscan 1hDTxy-0002Dk-Lc.eml

/tmp/eml/1hDTxy-0002Dk-Lc.eml: OK

 

----------- SCAN SUMMARY -----------

Infected files: 0

Time: 199.716 sec (3 m 19 s)

 

real    3m19,720s

user    0m0,004s

sys     0m0,000s

 

 

Regardless of this, regardless of the file transmitted to clamd by clamdscan, if the analysis is interrupted (for example after 5 seconds of analysis), the analysis of it continues, even after the ReadTimeout or any other TimeOut. Attached is a copy of clamdtop after making a CTRL + C clamdscan. It lasts until complete analysis (more than 5 minutes).

 

Do you find normal that the clamd process continues its analysis despite the end of the clamdscan call process and even after exceeding the various TimeOut?

Regards

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20190408/3a6331f6/attachment.htm>

More information about the clamav-users mailing list