[Avcheck] I guess we need faster disk channel, huh?

Michael Tokarev mjt@tls.msk.ru
Fri, 14 Dec 2001 16:44:46 +0300


Ralf Hildebrandt wrote:
> 
> On Fri, Dec 14, 2001 at 12:48:21PM +0000, Len Conrad wrote:
> > This is a dedicated, FreeBSD avcheck relay-only machine.  sometimes, mail
> > can spend up to 22 minutes in the machine.
> 
> Question: Could /var/spool/avcheck/tst reside on a RAM disk?!

Yes, this is pretty safe: avcheck does not rely on the permanent "nature"
of its temp directory; it will not return to the calling process
(postfix's pipe daemon) until it ensures that an MTA has accepted the
(reinjected) mail.

But instead of using a RAM disk, is it better to use in-memory checking?
Avp "can" use shared memory for this sort of task (there are some defects
in the shm usage in avp, making it almost unusable with this scheme,
but I think someone may try to convince the Kaspersky folks to actually
correct the problem).

The problem with both in-memory scanning and using the RAM disk (both
are pretty much the same in this respect) is that memory is far more limited
than disk storage.  I intentionally used on-disk temporary storage
in avcheck in order to be able to deal with large messages without big
memory pressure.

Well, and I know only one virus scanner that at least attempts to work
with in-memory scanning (avp).  I talked with the DrWeb folks about this
issue and sent them example code for shm, but they have not used/implemented
this feature so far.  (I don't know *all* virus scanners around, but
only one I have seen "claims" to work with shmem.)

BTW, adding some more on this issue, avp is CPU bound, not (disk) I/O
bound, or at least it should be.  The stats provided by Len show that the disk,
while being used, is not *heavily* used (if I interpreted the stats correctly) --
at least the da0 Mb/s column has pretty low values (7 Mb/s max, >>1 most of the
time).  The long delay (22 min) -- it isn't clear where it really comes
from.

And another note.  For a *dedicated* virus-scanning machine, it may be useful
to forward mail to a sending machine right from avcheck.  If the picture
is "postfix (machine1) -> postfix (machine2) -> avcheck -> postfix (machine2)
-> out (machine3)", then the second-to-last step can safely be omitted.  To continue
this, there is no *real* need for postfix on machine2 at all.  For example
(hypothetical):

      +-- machine1 --+    +--- machine2 ---+
in -> | postfix smtp | -> | avcheck "smtpd"|
out <-| postfix smtpd| <- | avcheck smtp   |
      +--------------+    +----------------+

will be far better in this situation.  Hmmm....

DrWeb can work via TCP/IP.  There are a few mods to avcheck required for this
picture:

|---------machine1--------|    |-machine2-|
 in -> postfix -> avcheck ->tcp-> drweb
                   |
 out<- postfix <---+

(postfix->out might be on another machine too, even with dns loadbalancing).

Interesting... ;)

Regards,
 Michael.
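The safety argument in the message above (a RAM disk is fine for the temp directory because the filter does not acknowledge to postfix's pipe daemon until the next MTA has accepted the reinjected copy, and spooling to disk keeps memory use bounded for large messages) as an added Python sketch. This is not avcheck's code and not the API of avp, DrWeb or any real scanner: `spool_to_disk`, `scan_file`, `relay`, the `reinject` callback and the sysexits-style return codes are the example's own, the scanner is a stand-in that only looks for the EICAR test string, and the sample messages are constructed here.

```python
"""Content-filter skeleton: never return success before reinjection succeeds.

Hypothetical stand-in for an avcheck-like filter invoked by a pipe(8)-style
delivery agent: message on stdin -> spool file (possibly on tmpfs/RAM disk)
-> scanner -> reinject to the next MTA -> only then EX_OK.
"""
import io
import os
import shutil
import tempfile

# sysexits.h values that Postfix's pipe(8) delivery agent interprets.
EX_OK = 0            # delivered: the MTA may delete its own queue copy
EX_UNAVAILABLE = 69  # permanent failure: the MTA bounces the message
EX_TEMPFAIL = 75     # temporary failure: the MTA keeps the message and retries

# Public EICAR test string; the stand-in scanner below detects only this.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed sample message (not real traffic).
CLEAN_MESSAGE = (b"From: a@example.com\r\nTo: b@example.com\r\n"
                 b"Subject: hi\r\n\r\nhello\r\n")


def spool_to_disk(src, spool_dir, chunk=64 * 1024):
    """Stream the message from src into a fresh file under spool_dir.

    Fixed-size chunks keep memory use independent of message size, which is
    the point of on-disk rather than in-memory temporary storage.
    """
    fd, path = tempfile.mkstemp(prefix="msg.", dir=spool_dir)  # O_EXCL, mode 0600
    with os.fdopen(fd, "wb") as out:
        shutil.copyfileobj(src, out, chunk)
    return path


def scan_file(path, chunk=64 * 1024):
    """Hypothetical scanner: returns a signature name or None.

    Reads in chunks and keeps a len(sig)-1 tail so a signature straddling a
    chunk boundary is still found.
    """
    sig = EICAR.encode()
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return None
            if sig in tail + block:
                return "EICAR-Test-File"
            tail = block[-(len(sig) - 1):]


def relay(src, spool_root, reinject, scan=scan_file):
    """Filter one message; return the exit status for the calling pipe daemon.

    reinject(path) hands the scanned file to the next MTA hop and returns True
    only if that MTA accepted it.  EX_OK is returned only after that, so losing
    spool_root (e.g. a RAM disk at reboot) cannot lose mail: until EX_OK the
    calling MTA still holds its own copy.
    """
    # mkdtemp creates a private (0700) directory: no symlink races in a shared spool.
    workdir = tempfile.mkdtemp(prefix="avfilter.", dir=spool_root)
    try:
        try:
            path = spool_to_disk(src, workdir)
        except OSError:
            return EX_TEMPFAIL  # e.g. RAM disk full: let the MTA retry later
        try:
            hit = scan(path)
        except Exception:  # scanner down/crashed: retry later, never lose the message
            return EX_TEMPFAIL
        if hit is not None:
            return EX_UNAVAILABLE  # example's policy for infected mail: reject
        return EX_OK if reinject(path) else EX_TEMPFAIL
    finally:
        shutil.rmtree(workdir, ignore_errors=True)  # the temp copy never outlives the call


def demo(spool_root=None):
    """Run the three outcomes on constructed messages; return a result dict."""
    spool_root = spool_root or tempfile.mkdtemp(prefix="spool.")
    infected = CLEAN_MESSAGE + EICAR.encode() + b"\r\n"
    accepted = []

    def good_mta(path):           # next hop accepts the reinjected message
        accepted.append(os.path.getsize(path))
        return True

    def down_mta(path):           # next hop refuses/unreachable
        return False

    results = {
        "clean": relay(io.BytesIO(CLEAN_MESSAGE), spool_root, good_mta),
        "infected": relay(io.BytesIO(infected), spool_root, good_mta),
        "mta_down": relay(io.BytesIO(CLEAN_MESSAGE), spool_root, down_mta),
    }
    results["spool_left_empty"] = os.listdir(spool_root) == []
    results["bytes_reinjected"] = accepted
    shutil.rmtree(spool_root, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(demo())
```

Pass a tmpfs mount as `spool_root` to model the RAM-disk setup; the only case where the mount's volatility would matter is a crash between `reinject` returning True and the process exiting, and even then the message has already been accepted by the next hop.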