[Avcheck] avcheck+drweb over NFS

adi adi@acme.com
Sun, 28 Jul 2002 01:45:22 +0700 (JAVT)


On Sat, Jul 27, 2002 at 03:34:54PM +0400, Michael Tokarev wrote:
> So now what drweb can't read?  A message or a command?  I
> suspect it's a message.

Yes, the message. I think I should clarify that without
calling fsync() and close() (I think fsync() alone is enough),
drwebd never detects eicar.msg. There is no information that
I can get from the log. If I send the message (using avcheck
from the command line) repeatedly, say tens or hundreds of times,
I see several lines in the drwebd log saying that drwebd
cannot read the message (bad file descriptor etc.).

> So does it works now?  If it is, I think there may be an option
> added for this (to sync a file before calling a virusscanner).

Hmm.. almost.. not so good. Here is the drwebd log:
Fri Jul 26 05:58:49 2002 Error reading input (Bad file descriptor)
Fri Jul 26 05:58:49 2002 Error reading input (Bad file descriptor)
Fri Jul 26 05:58:49 2002 Error reading input (Bad file descriptor)
Fri Jul 26 05:58:49 2002 Error reading input (Bad file descriptor)
Fri Jul 26 05:58:49 2002 Error reading input (Bad file descriptor)
Fri Jul 26 05:58:49 2002 Error reading input (Bad file descriptor)
Fri Jul 26 05:58:49 2002 Error reading input (Bad file descriptor)
Fri Jul 26 05:58:49 2002 Error reading input (Bad file descriptor)
Fri Jul 26 05:58:49 2002 Error reading input (Bad file descriptor)
Sat Jul 27 16:06:30 2002 /tst/19132.mail.satunet.com/untitled-2 infected with Win32.HLLM.Klez

This happened recently. I already use fsync(), mount the NFS partition
using the sync option, and export the NFS partition using the sync option. Crazy
enough, huh? :-)))

On an unrelated issue, please note that the message infected
with Win32.HLLM.Klez is a base64-crafted message. I only use a trial
license key for drwebd. Nice, huh! :-)

> But I'm afraid this will be even slower on nfs compared to
> local disk, since fsync() should return only after the *remote*
> system committed a file to disk, not after the local system sent a
> file over the network.

Not in my case, even though I use the sync option for all operations.
I think it's because the machine where drwebd runs is idle.

> Concerning using another machine for virusscanning - there are several
> questions.  First of all, this is - *why* ;).  I just don't know a
> reason why this may be needed (not to say there is no such reason,
> but that just *I* don't know it yet).  If this question popped up,
> there should be some reason...

It's possible to use multiple MTAs but still only use one drwebd license <g>.
Just kidding. I separated drweb from postfix without any 'good' reason.
Some weeks ago, my mail machine ran very, very slowly. This is an unusual case.
There was no info/warning message I could get from the log. The primary factor was mostly
I/O.  Note that, I repeat, this is an unusual case.

I don't blame drweb for this, but I think moving several services
to another machine could help. In my case, it is a lot easier to
move drwebd.

I am considering moving drwebd back to the postfix machine, as the NFS
operation isn't safe.

FYI, I use NFS over TCP/IP with the sync option enabled (client & server).
On average, the mail traffic is about 15,000 msgs/day. On a busy day,
it could reach 25,000 msgs/day.

Regards,

P.Y. Adi Prasaja
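The write-then-fsync()-then-close() sequence discussed in this thread, as an added example that is neither avcheck's nor drweb's own code: the spool file is pushed to stable storage before a scanner on another NFS client is told about it, and the directory is synced as well so the new name is durable. Function names, the spool path and the message are my own constructions.

```c
/* Added example (not avcheck's or drweb's code): spool a message so that a
 * scanner on another NFS client sees complete data. Sequence: write, fsync(),
 * close(), then fsync() the directory. All names here are constructed. */
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <string.h>
#include <unistd.h>

/* Write all of buf, retrying on partial writes and EINTR; 0 or -1. */
static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Create path (must not already exist), write msg, force it to the server's
 * disk, close it, then sync the containing directory (Linux supports fsync()
 * on a directory fd). Returns 0, or -1 with errno set and no partial file. */
int spool_message_synced(const char *path, const char *msg, size_t len) {
    char dir[4096];
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    /* NFS may only report a write error at fsync()/close(), so check both. */
    if (write_all(fd, msg, len) < 0 || fsync(fd) < 0) {
        int e = errno; close(fd); unlink(path); errno = e; return -1;
    }
    if (close(fd) < 0) { int e = errno; unlink(path); errno = e; return -1; }
    strncpy(dir, path, sizeof dir - 1);
    dir[sizeof dir - 1] = '\0';
    int dfd = open(dirname(dir), O_RDONLY);
    if (dfd < 0) return -1;            /* file itself is already complete */
    int rc = fsync(dfd);
    close(dfd);
    return rc;
}
```

Only after spool_message_synced() returns 0 should the scanner be handed the path; the O_EXCL flag also means a second call for the same name fails instead of overwriting a file the scanner may be reading.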