[Avcheck] Re: text message shouldn't be scanned?

Michael Tokarev mjt@tls.msk.ru
Wed, 02 Jan 2002 15:42:32 +0300 

adi wrote:
> 
> On Tue, Jan 01, 2002 at 11:12:21PM +0300, Michael Tokarev wrote:
> > Interesting results.  The bottom line should be the same, and 14sec
> > with Avp should be greather than 15sec avnull...  Anyway, the difference
> > between Avp and DrWeb is significant.
> 
> Ups.. forgot to mention that I set DRWEB_HEURISTIC_ON command flag,
> while testing drwebd yesterday. Sorry ;-(
> 
> README.AVP mention about using avp with heuristic scanning on though.
> 
> Here is the result if I don't use DRWEB_HERURISTIC_ON (as avcheck
> default will do):

In avcheck, DRWEB_HEURISTIC_ON is commented out.  I intentionally not
used any compiled-in settings in avcheck in order to be able to control
settings in a virusscanner's config file.

[16 sec time]

> Looks pretty fast, doesn't it? :-)

Yes.  BTW, why you use dietlibc and static linking for this?  Just curious.

Well ok.  I did some preliminary meashurements here yesterday and found
that avp is faster than drweb.  On a 6000+ messages maildir consisting
of postfix's postmaster notifications and a few (~20) admin virus alerts
(this is my postmaster maildir folder), 12Mb total size, with modified
"avcheck" that only passes files to a virusscanner (pretty like drwebdc
in drweb distro, there is no equivalent in avp), on Athlon 1.4Mhz machine
with 512Mb ram and 10Krpm scsi disks, the results was:

          HeuristicOff  HeuristicOn
AvpDaemon 1m18s         1m20s
DrWeb     1m57s         1m57s

I used AvpDaemon 3.0 build 135.3 (old) and DrWeb 4.27 (just released).
Unfortunately the key for Avp I used so far for testing (thank you Ralf
for this) was expired so I can't test never avp version (but I don't
expect a big difference).  HeuristicOff for avp was set up as
CodeAnalyser=No and RedundantScan=No in defUnix.prf (and Yes for On),
and for DrWeb this was HeuristicAnalysis = (No|Yes).  It's interesting
that DrWeb does not depend on Heuristic settings.  Note also that
avp can't handle filenames with colons (:), so it isn't possible to
check maildirs directly with it (daemon only).

Well, DrWeb is definitely *slower* than Avp in this test -- unlike I said
earlier.  Interesting.

Regards,
 Michael.