[Avcheck] Re: avcheck support for Sophie?

Michael Tokarev mjt@tls.msk.ru
Fri, 26 Apr 2002 15:05:03 +0400


Orlando Andico wrote:
> 
> On Fri, 26 Apr 2002, Michael Tokarev wrote:
> ..
> > Umm.  Don't do that.  At least directly in /tmp.  Avcheck isn't
> > prepared, and in fact shouldn't, to work with world-writable directories.
> > It will create files with fixed names, something like "tmp-$PID", and
> ..
> 
> I'm using a /tmp/avcheck which is writable by "sweep" only.

Yes, that's ok.

[]
> I have done some changes to avcheck. I notice that it often gets a -1
> error from Sophie (e.g. "file is corrupted, cannot scan" or "cannot scan
> multi-volume archive"). I did something weird. If Sophie returns a -1 to
> Avcheck, Avcheck returns 0!! This is so that the queue doesn't get too
> large. With my 55k mail users, a growing queue is a big pain.
> 
> So basically in my installation, only a "1" return from Sophie will
> trigger the infected script. All other returns will pass-through the mail.

This is their MIME/email format handling -- just as I said before.
It seems email support in sweep is either incomplete or for marketing
purposes only.

> But I don't have enough CPU power. I had to disable avcheck for a while.
> Maybe when I have another 2 UltraSPARC CPUs or maybe buy a dual-Athlon
> machine.

How many mails should this system handle (55k users doesn't tell me
anything; while that number is relatively big, it says nothing about email
volume)?  And note that most virus scanners were written/optimized for
i386 machines -- e.g. avp runs very slowly on sparcs compared to i386.
I don't know about sweep/sophos, but virus signatures are the same
for all architectures anyway.

You may try to measure the performance (in kb/sec) of your system's ability
to scan mails.  There is a file, ftp://ftp.corpit.ru/pub/avcheck/avclient.c,
that may be used for that -- set up sophie (as you did already), grab
several hundred emails, place those emails into a separate directory (you
may use postfix's queues, but don't forget to process the postfix files with
postcat, or some user's maildirs), and run avclient on that directory.
The time spent by avclient and the number of files will give you some numbers.
You may also run several avclients in parallel, and may give the same
directory several times to each -- a good test, but w/o any additional
forks, queue management etc. overhead.

Regards,
 Michael.
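The throughput measurement described in the mail above, as an added example that is not avcheck's own code: a POSIX sh harness that times a scanner over a directory of messages, optionally runs several instances in parallel on the same directory, and reports KB/s and files/s. It assumes the scanner command takes the directory as its only argument; avclient's real invocation is not shown on this page, so check it before relying on the numbers.

```shell
#!/bin/sh
# Added example (not avcheck's own code): time a scanner over a directory of
# messages and report KB/s and files/s, optionally with several scanners run
# in parallel on the same directory, as the mail above suggests.
# ASSUMPTION: the scanner command takes a directory as its only argument,
# e.g. "avclient /var/tmp/mails"; adjust bench() if yours differs.

make_sample_dir() {
  # Constructed sample input: $2 small RFC 822-style messages under $1.
  mkdir -p "$1"
  i=1
  while [ "$i" -le "$2" ]; do
    printf 'From: a@example.org\nTo: b@example.org\nSubject: msg %s\n\nbody %s\n' \
      "$i" "$i" > "$1/msg$i"
    i=$((i + 1))
  done
}

dir_bytes() { find "$1" -type f -exec cat {} + | wc -c | tr -d ' '; }
dir_files() { find "$1" -type f | wc -l | tr -d ' '; }

per_sec() {
  # $1 = amount, $2 = elapsed whole seconds; integer rate, never divides by 0
  secs=$2
  [ "$secs" -gt 0 ] || secs=1
  echo $(( $1 / secs ))
}

bench() {
  # $1 = scanner command, $2 = directory, $3 = parallel instances (default 1).
  # Prints "<files> <bytes> <seconds> <KB/s> <files/s>".  Run it once with a
  # no-op command (e.g. "ls") to see the harness overhead by itself.
  cmd=$1; dir=$2; par=${3:-1}
  files=$(dir_files "$dir"); bytes=$(dir_bytes "$dir")
  start=$(date +%s)
  n=1
  while [ "$n" -le "$par" ]; do
    $cmd "$dir" > /dev/null &
    n=$((n + 1))
  done
  wait
  secs=$(( $(date +%s) - start ))
  # each parallel instance scans the whole directory once
  echo "$((files * par)) $((bytes * par)) $secs" \
       "$(per_sec $(( bytes * par / 1024 )) "$secs")" \
       "$(per_sec $(( files * par )) "$secs")"
}

if [ $# -ge 2 ]; then bench "$@"; fi
```

Whole-second timing is coarse, so use a few hundred messages (or several parallel instances) so the run lasts well beyond a second.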