You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While using INSTREAM we noticed that the speed to scan a file is the same or slower if you just used SCAN and point to a file. We thought the whole idea of INSTREAM is so that it would scan the file while its being read. Could you please help us diagnose the problem or did we miss understood INSTREAM.
How to reproduce the problem
put your files in a dir and run to get the baseline of SCAN:
sudo chmod 777 *
chgrp clamav *
echo "SCAN /yourDir" | nc localhost 3310
For INSTREAM we used java and we send 1k chunks, here is a snippet:
`public String scan(InputStream inputStream) throws IOException {
try (Socket socket = new Socket(CLAMAV_HOST, CLAMAV_PORT);
OutputStream out = socket.getOutputStream();
InputStream in = socket.getInputStream()) {
ClamAV need the whole file to do a scan. Many file formats put important structural bits at the end, such as the file entry directory of a ZIP. Some file formats like DMG can't even be identified without seeking to the end of the file.
The INSTREAM feature copies a file over a TCP stream to ClamD . ClamD writes the streamed bytes to a temp file on disk and then scans the temp file. It is going to be slower than scanning a file directly.
The purpose of INSTREAM is make a file available to ClamD that it would not normally have access to. E.g.
if the scan client (your program, clamdscan, clamonacc, etc) is on a different computer than ClamD , or
if the ClamD process does not have read-permissions to the file.
The second case may also be solved on unix / linux systems using the FILEDES (file descriptor passing) feature. In this mode, the scan client would open the file and then transfer the open file descriptor to ClamD over a UNIX socket. The unix or linux kernel translates the file descriptor from one process to the other, giving ClamD the ability to read from the open file even though it would not have permission to open the file itself.
File descriptor passing would be the same speed as having ClamD scan a file directly. But it requires using the UNIX socket (clamd.conf "LocalSocket" option) and not the TCP socket. It is a bit more complicated. You can see how we do it in C, here: https://github.com/Cisco-Talos/clamav/blob/main/common/clamdcom.c#L175-L216
I don't know how to do it in Java.
Describe the bug
While using INSTREAM we noticed that the speed to scan a file is the same or slower if you just used SCAN and point to a file. We thought the whole idea of INSTREAM is so that it would scan the file while its being read. Could you please help us diagnose the problem or did we miss understood INSTREAM.
How to reproduce the problem
put your files in a dir and run to get the baseline of SCAN:
sudo chmod 777 *
chgrp clamav *
echo "SCAN /yourDir" | nc localhost 3310
For INSTREAM we used java and we send 1k chunks, here is a snippet:
`public String scan(InputStream inputStream) throws IOException {
try (Socket socket = new Socket(CLAMAV_HOST, CLAMAV_PORT);
OutputStream out = socket.getOutputStream();
InputStream in = socket.getInputStream()) {
The text was updated successfully, but these errors were encountered: