Posted to server-user@james.apache.org by Vincenzo Gianferrari Pini <vi...@praxis.it> on 2003/05/22 00:20:08 UTC

[no virus] RE: Virus scanning

I don't have statistics now on the overhead of my antivirus approach. But before implementing the matcher I did a simulation, and it turned out that the overhead of starting a new Windows XP process running McAfee's antivirus from a Java VM was very low (see attachment).
Watching the behaviour of the matcher in the real environment, I saw the simulation (qualitatively) confirmed: there is instead some overhead involved in the matcher dumping the files to a working directory, before the scan.

Taking into account that the matcher optionally can check only messages with attachments (the way I use it), the overhead could be very low, depending on the incoming message throughput, and the ratio of messages with attachments to total messages. The point is: what does *real* high volume use mean? Some statistics from James users would be interesting for everyone, independently from the virus scanning issue. Let's open a thread about that in this list!

The only way to judge things requires collecting statistics. I will implement the antivirus matcher to do that and will (hopefully around the end of next week) publish them in this thread.

As I'm talking about the matcher, I think that in the future I will change the matcher to a mailet writing an "X-IsInfected: true" header (the matcher already does it) to be checked by a HasHeader matcher: it would allow for a cleaner way of passing config parameters (it's just an aesthetic enhancement).

Vincenzo

> -----Original Message-----
> From: Steve Brewin [mailto:sbrewin@synsys.com]
> Sent: Wednesday 21 May 2003 22.42
> To: 'James Users List'
> Subject: RE: Virus scanning
> 
> 
> >Vincenzo,
> >
> >First, thanks for contributing this to the community.
> >
> >Since you've been using the matcher for several months,
> >I was wondering how it scales.
> 
> Just the question I was asking myself, which is why I ended up looking at
> ICAP (http://www.i-cap.org) today. Icap seems to be supported by the major
> anti-virus vendors and others.
> 
> The basic deal is that you can open a connection, stream your contents over
> to an anti-virus service on a local or remote server and get an OK
> acknowledgement, cleaned up stream, or vetoing acknowledgement back. As many
> connections can be opened as the target server can support and I can see
> no reason why multiple servers cannot be run in a load-balanced environment.
> 
> This was just a quick look. I intend to do more digging around. Haven't found
> a Java wrapper for the services, though if pushed could use JNI to the C/C++
> wrappers. Perhaps overkill for some James users.
> 
> I guess this is just telling us that a definitive anti-virus mailet in James
> should be configurable to support a variety of means to invoke the
> anti-virus checking service.
> 
> The overhead of invoking a new process from the command line for each
> message is way too expensive for high volume use. No criticism of Vincenzo's
> implementation intended, for low volume users it gets the job done and sure
> is better than nothing.
> 
> Steve
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: james-user-help@jakarta.apache.org
> 

Re: [no virus] RE: Virus scanning

Posted by Cesar Bonadio <bo...@picture.com.br>.
Here is some information.

I have developed the first version of the matcher antivirus and Vincenzo made several improvements based on that. We run the matcher on a DELL PIII 800 MHz server with 512 MB of RAM and RAID 1 for 2 9GB disks.

I found that the real problem is not related to opening every message on the disk. The biggest problem is running several instances of the AV: if you configure your James to run 10 threads for checking the spool, you will end up with up to 10 AV running at the same time. This can produce a load of 7.0-8.0 on this server, real bad. We configure 4 threads and we have 1500 users; the average load is 2.0 and we have an average of 70 simultaneous connections.

I was trying to find a way to keep the AV on memory but could not find any.

[]s
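
The load problem described in the message above comes from one scanner process per spool thread. As an added illustration (not code from this thread or from the James project), the Java sketch below caps the number of concurrent scanner processes with a semaphore, independently of the spool thread count. The class name `BoundedScanner`, the scanner command line passed in, the limit of 4, the 60 second timeout and the "exit code 0 means clean" convention are all assumptions to adapt to the scanner actually used.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;

public class BoundedScanner {
    private final Semaphore permits;
    private final List<String> scannerCommand; // assumption: site-specific scanner command line
    private final long timeoutSeconds;

    public BoundedScanner(int maxScans, List<String> scannerCommand, long timeoutSeconds) {
        this.permits = new Semaphore(maxScans, true); // fair: waiting spool threads queue in order
        this.scannerCommand = new ArrayList<>(scannerCommand);
        this.timeoutSeconds = timeoutSeconds;
    }

    /** Returns true when the message must be treated as infected, including failed scans. */
    public boolean isInfected(Path dumpDir) throws InterruptedException {
        permits.acquire(); // a busy spool thread waits here instead of starting another scanner
        try {
            List<String> cmd = new ArrayList<>(scannerCommand);
            cmd.add(dumpDir.toAbsolutePath().toString()); // single argv entry, no shell parsing
            Process p = new ProcessBuilder(cmd).inheritIO().start();
            try {
                // Fail closed: a scan that does not finish in time is not a clean result.
                if (!p.waitFor(timeoutSeconds, TimeUnit.SECONDS)) return true;
                return p.exitValue() != 0; // assumption: exit code 0 means "clean"
            } finally {
                p.destroyForcibly(); // no-op after normal exit; kills hung or interrupted scans
            }
        } catch (IOException e) {
            return true; // scanner could not be started: fail closed
        } finally {
            permits.release();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        if (args.length < 2) {
            System.err.println("usage: BoundedScanner <dump-dir> <scanner> [scanner-args...]");
            return;
        }
        List<String> scanner = List.of(args).subList(1, args.length);
        BoundedScanner bounded = new BoundedScanner(4, scanner, 60); // 4 and 60 s are examples
        System.out.println("infected=" + bounded.isInfected(Path.of(args[0])));
    }
}
```

With a shared instance, the spool can keep more worker threads for non-scanning work while at most four scanner processes run at once; a timeout or a scanner that fails to start is reported as infected rather than passed as clean.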


