Re: [Clamav-users] PhishingScanURLs is dreadfully slow/CPU-intensive

John Rudd wrote:

> http://people.ucsc.edu/~jrudd/ClamAV/318642.mbox
> http://people.ucsc.edu/~jrudd/ClamAV/318715.mbox

Those scanned pretty quickly for me. I don't believe I'm seeing really bad behaviour on any particular message; I just see way more overhead on all messages.

On my customer's system, the heuristic caught about 30 e-mails out of a daily volume over 2 million (and they most likely would have been caught anyway by the anti-spam filter.) So I don't know what the Clam guys are doing wrong, but the huge overhead simply isn't worth the benefit IMO. Once again, I ask the developers to reconsider this feature, or at least make it off-by-default.

Just for kicks, I scanned John Rudd's files with and without phishing URLs:

With phishing URLS:

real    0m1.925s
user    0m1.820s
sys     0m0.100s

Without phishing URLS:

real    0m1.761s
user    0m1.630s
sys     0m0.140s

Since most of that time is probably to load signatures, it's a fairly significant overhead. Repeated runs show a consistent 200ms user-time overhead for doing the phishing URL scans. An "strace" reveals that indeed most of the time is spent loading signatures, so the actual impact on scanning time is huge.

Do you need help?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.clamav.net Links clamav-users Request more information about Pantek

Regards,

David.