Topic: Clam Antivirus taking a long time and seems to be doing a lot of double work

[Marco Hess]

Below is the result of a Clam Scan on my system that just came in. Note the time taken is just under 7 days, so tomorrow it starts all over again .

Also note the data scanned as 888047.47 MB. This is a bit much as my system has (only) about 513G in use.

So my question is: What are typical scan times for Clam AntiVirus. My system is an older machine (dual Celeron 1GHz with two 750G PATA drives). Is it normal to expect a scan to take a whole week?

Also, I am utilising the shadow copy features on this system. Could it be that Clam Antivirus is not taking the hardlinks into account and simply scans the same file multiple times as per its number of shadow copy entries?

Regards,

Marco

[bars.through-ip.com] Clam Antivirus Scan Results - Sat Mar 14 21:52:42 2009
----------- SCAN SUMMARY -----------
Known viruses: 514256
Engine version: 0.94.2
Scanned directories: 590572
Scanned files: 5749088
Infected files: 0
Data scanned: 888047.47 MB
Time: 595000.448 sec (9916 m 40 s)

# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/main-root
                      686G  513G  138G  79% /
/dev/md1               99M   35M   60M  37% /boot

[cactus]

Also, I am utilising the shadow copy features on this system. Could it be that Clam Antivirus is not taking the hardlinks into account and simply scans the same file multiple times as per its number of shadow copy entries?

What hardlinks? Are they really related to the Shadow copy feature?

[Marco Hess]

I don't know. From what I understand, both the Shadow Copy feature and Affa Backup create 'difference' copies in such a way that each different backup shows you a full directory view of that backup tree but if the files exist unchanged in previous backups, the directory entry is merrily a link to the same physical file. Isn't this the case?

That is really the only explanation I can think of with regard to Clam AV scanning some 888G with the drive physically only holding 513G. So am thinking that Clam AV may simply traversing directories and scanning files without regard to the fact that the physical file may have been previously scanned through another directory entry.

Am I barking up the wrong tree?

Also what are other peoples experience with ClamAV scan times? They way it is on my system it is virtually under load ALL THE TIME due to the scanning taking almost a week (typical load as reported by 'top' under scan is 1.5 and 0.3 when not) and a few hours later it goes again.

Marco

Marco

[jokiin]

Also what are other peoples experience with ClamAV scan times?

----------- SCAN SUMMARY -----------
Known viruses: 519955
Engine version: 0.94.2
Scanned directories: 4900
Scanned files: 93096
Infected files: 6
Data scanned: 33239.17 MB
Time: 14165.836 sec (236 m 5 s)

P4 1.7GHz with 1G RAM

[Craig Cabrey]

----------- SCAN SUMMARY -----------
Known viruses: 519964
Engine version: 0.94.2
Scanned directories: 25643
Scanned files: 174160
Infected files: 3
Data scanned: 23723.84 MB
Time: 10630.372 sec (177 m 10 s)

[/]P4 1.6GHz 768MB[/]

[warren]

----------- SCAN SUMMARY -----------
Known viruses: 519962
Engine version: 0.94.2
Scanned directories: 3525
Scanned files: 143674
Infected files: 0
Data scanned: 26725.22 MB
Time: 5413.464 sec (90 m 13 s)


P4 3.2GHz  500MB

[CharlieBrady]

Is it normal to expect a scan to take a whole week?

Don't report problems here - Please report bugs and potential bugs in the bug tracker

[larieu]

first of all I see that your system scan 888047M approx 800G and your hdd contain "only" 140G
I compared with mine

Known viruses: 519962
Engine version: 0.94.2
Scanned directories: 31680
Scanned files: 475992
Infected files: 9
Data scanned: 93588.33 MB
Time: 26746.608 sec (445 m 46 s)

and df reports around 65 G
(there you must understand that it exist a time difference between the clamav report and when I checked that server hdd -  but from systemmonitor I see that no any dramatic change on HDD occurred)

my ratio is 1.43 (93G/65G)
your is bigger than 5

and my average speed to check the data is 93G*1000/445m/60 ( to convert in M/s) approx 3.4 M/s
your is 800G *1000 /9900/60 approx 1.3 M/s

my system is an dualcore P4 3G with SATA-II hdd with 16M cache and 2 G of RAM
probably yours is a little old - and the HDD is not so speedy which lead me to think that the problem is only from the "amount" of date data you need to check
for me, your system if has an SATA-I or IDE HDD and CPU around 2G, work OK
then you should look:

why the difference is so big between 800G reported as scanned and 140G real?

hope this will save some workaround