Which antivirus to use?

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
Post Reply
nschoot
New user
New user
Posts: 14
Joined: 2014-02-26 22:07

Which antivirus to use?

Post by nschoot » 2018-12-27 14:59

Hi,

I am long time HMailserver user and all this time I've been using ClamAV as my virus scanner. However, the amount of memory that ClamAV needs is getting rediculous. Right now it's jusing 575MB of RAM.

I'm also running ClamWin, which could also be used for mail scanning, however, it takes 10+ seconds to perform the ClamWin Test in the HmailServer Administrator tool, so I'm not going to enable this as an alternative.

There are only two other options:

1. Disable AV (which does not seem a gigantic risk, since the Virus detected counter generally does not show a lot of viruses detected
2. Find an "external" antivirus tool which performs well and probably is not open source.

What's your experience? Any advice?

Note that this is a VPS, so adding RAM is not that trivial (= more costly than an AV subscription)

User avatar
jimimaseye
Moderator
Moderator
Posts: 8170
Joined: 2011-09-08 17:48

Re: Which antivirus to use?

Post by jimimaseye » 2018-12-27 15:29

HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
RvdH
Senior user
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Which antivirus to use?

Post by RvdH » 2018-12-28 00:56

jimimaseye wrote:
2018-12-27 15:29
viewtopic.php?f=21&t=26829
How should that help him? He likes to ditch Clam as you can read

@nschoot, the amount of RAM used by ClamAV is outrageous, i agree...but there are very few (working) alternatives
Some people tried Windows Defender/MSE, but in my experience this is'nt very reliable (false virus triggering when an attachment/file can't be read properly)
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
jimimaseye
Moderator
Moderator
Posts: 8170
Joined: 2011-09-08 17:48

Re: Which antivirus to use?

Post by jimimaseye » 2018-12-28 01:41

RvdH wrote:
2018-12-28 00:56
jimimaseye wrote:
2018-12-27 15:29
viewtopic.php?f=21&t=26829
How should that help him? He likes to ditch Clam as you can read
Thats what comes with reading on a tiny phone screen and not seeing the total detail (i missed him referencing clamav already)
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

nschoot
New user
New user
Posts: 14
Joined: 2014-02-26 22:07

Re: Which antivirus to use?

Post by nschoot » 2018-12-31 14:29

Thanks for the replies. I am indeed using ClamAV as a service and ClamWin as "desktop protection".

Just thinking out loud a bit:

- I'm using ESET nod32 on other computers as desktop protection, but I'm not sure whether it would install on Windows Server. If it would it would be worth figuring whether it could work as an e-mail scanner...
- Any idea to what extent "on access" scanning would also catch viruses embedded in e-mail? Probably not as the mails are stored in "raw" format on disk, including the encoded attachments... Right?

User avatar
mattg
Moderator
Moderator
Posts: 20290
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Which antivirus to use?

Post by mattg » 2019-01-01 02:42

Read the 'incompatible software' here >> https://www.hmailserver.com/documentati ... quirements

That speaks about a specific component of NOD32, not all of NOD32

on access scanners are the real problem
You need to exclude the data directory.

How are you using ClamWIN?
Can you run this and post the detail please >> http://www.hmailserver.com/forum/viewto ... 20&t=30914
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Senior user
Posts: 1277
Joined: 2017-09-12 17:57

Re: Which antivirus to use?

Post by palinka » 2019-01-01 16:00

nschoot wrote:
2018-12-27 14:59
I'm also running ClamWin, which could also be used for mail scanning, however, it takes 10+ seconds to perform the ClamWin Test in the HmailServer Administrator tool, so I'm not going to enable this as an alternative.
That's a crazy long time. I can tell you that implementing Jimi's strategy of running clamwin/clamav as a service will bring the CPU overhead down substantially. Of course that won't solve your memory issues, but it's a good start.

viewtopic.php?f=21&t=26829

User avatar
mattg
Moderator
Moderator
Posts: 20290
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Which antivirus to use?

Post by mattg » 2019-01-02 02:15

Depending on how the OP is using ClamWIN. If ClamWIN is used by the hmailserver builtin connector for ClamWIN, hmailserver will actually use MUCH more memory, as ClamWIN by itself is not multithreading.

That why the tutorial you mention was created. It creates a multi threading service from ClamWIN, like the way that ClamAV works on Linux.

Most scans on my system are 2-3 seconds. I connect to my Ubuntu server on my LAN. I also include Clam scans in my SpamAssassin set up.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
jimimaseye
Moderator
Moderator
Posts: 8170
Joined: 2011-09-08 17:48

Re: Which antivirus to use?

Post by jimimaseye » 2019-01-02 09:56

From reading the opening post it would seem the OP is using Clamav in the same way: Clamav for HMS email scanning and he has Clamwin as an option but doesnt use it. Effectively he has already converted to Clamd. His problem is that he doesnt like the amount of memory Clamd uses (and I concur that it sits around using 575MB of RAM. This is something that some users of Clamav argue is not acceptable compared to other products and he is looking for an alternative (eg, Avira free edition on my laptop is running at about 200MB).

Personally, being a server, one should expect to have a lot of RAM be required by running services and software and given the effectiveness of the Sane definitions its worth trying to adapt to it by installing more if necessary. (If he isnt using the Sane or Securiteinfo definitions then yes it really not worth the memory footprint).
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

nschoot
New user
New user
Posts: 14
Joined: 2014-02-26 22:07

Re: Which antivirus to use?

Post by nschoot » 2019-01-04 00:35

I appreciate all the ideas and suggestions ... But using ClamWin would only make sense when it would be without ClamAV... Because my main motivation to do this would be to get rid of the ClamAV memory usage (by getting rid of ClamAV). In the mean time I learnt that the time ClamWin is taking is to load the AV signatures. While doing this, the RAM usage increases to the size of ClamAV, so this is a dead end for me. (It's not even considering the problem that HMailserver would potentially fire up multiple instances when mail would be received in parallel).

So, back to the drawing board...

(btw, I totally missed that remark about Eset in the system requirements. Thanks for pointing that out. In the mean time I also found that Nod32 won't install on Windows Server, so it's a dead in multiple ways).

nschoot
New user
New user
Posts: 14
Joined: 2014-02-26 22:07

Re: Which antivirus to use?

Post by nschoot » 2019-01-04 00:55

Btw, thanks for the sanesecurity hint... I wasn't aware of those definitions. :shock: Now I obviously have no other choice to add those to ClamAV as well :cry: :lol: ... So my ClamAV memory usage is now 625MB...

Note that for normal operation, the available RAM kind of suffices. I just started noticing that my server didn't update anymore because of lack of RAM during the update process. I enabled a pagefile now - which is not ideal - but works for now.

insomniac2k2
Normal user
Normal user
Posts: 84
Joined: 2016-08-09 19:47

Re: Which antivirus to use?

Post by insomniac2k2 » 2019-01-04 03:16

Well at least you now have a working antivirus solution instead of just a memory hog. ClamAV alone is just bad! :)
nschoot wrote:
2019-01-04 00:55
Btw, thanks for the sanesecurity hint... I wasn't aware of those definitions. :shock: Now I obviously have no other choice to add those to ClamAV as well :cry: :lol: ... So my ClamAV memory usage is now 625MB...

Note that for normal operation, the available RAM kind of suffices. I just started noticing that my server didn't update anymore because of lack of RAM during the update process. I enabled a pagefile now - which is not ideal - but works for now.

agatha
Normal user
Normal user
Posts: 46
Joined: 2015-10-30 11:13

Re: Which antivirus to use?

Post by agatha » 2019-07-29 14:07

ClamAV works quite good. And yes, it needs some RAM as it loads the signatures into the RAM. So it is fast, when Mails are scanned.

In my setting, it uses about 1,2 GB RAM. But so what? RAM is cheap and for little money you buy a lot of performance.

paultilley100
Normal user
Normal user
Posts: 72
Joined: 2017-01-05 23:48

Re: Which antivirus to use?

Post by paultilley100 » 2019-08-02 15:56

nschoot wrote:
2019-01-04 00:35


(In the mean time I also found that Nod32 won't install on Windows Server, so it's a dead in multiple ways).
Definately not dead.... just the wrong version. Im using ESET File Security (For MS Windows Server) on Server 2012.
Works great!

nschoot
New user
New user
Posts: 14
Joined: 2014-02-26 22:07

Re: Which antivirus to use?

Post by nschoot » 2019-11-12 11:24

agatha wrote:
2019-07-29 14:07
ClamAV works quite good. And yes, it needs some RAM as it loads the signatures into the RAM. So it is fast, when Mails are scanned.

In my setting, it uses about 1,2 GB RAM. But so what? RAM is cheap and for little money you buy a lot of performance.
It's not that cheap... with servers running as VPS-es nowadays... Every GB of RAM adds to the monthly bill. But besides that, it's also a bit of principle to me. It's a virus scanner for pete's sake, it's supposed to be a helper service running next to the main services. But instead it's almost (if not) the heaviest application that runs on this server. Back in the Exchange days, I was running 3 or 4 scanning engines and it wasn't that heavy.

I guess you get what you pay for...

Post Reply