Stream-mode scanner for the free ClamAV anti-virus


New virus analysis method!

In an article published in The Journal of Systems and Software No. 81, four researchers discuss the benefits of building a stream-mode anti-virus scanner on top of the free ClamAV anti-virus software.

Traditionally, in a professional environment, anti-virus scanning of e-mail does not take place on the user's workstation, since a user may forget to update the program and so endanger the whole system. Such a deployment also raises the question of maintenance costs. The preferred solution is to install the anti-virus software on the mail server, which acts as the gateway and entry point for e-mail arriving from the Internet.

Whether you choose a free or a paid anti-virus, it works in one of two possible ways: storage mode or stream mode. In storage mode, all of the content is received and stored before it is scanned, whereas in stream mode only a portion of the content is scanned at a time and released immediately afterwards, without being stored. Storage mode requires enough storage space to hold all of the content awaiting a scan, and it also costs processing time, since disk reads and writes are obviously slower than memory reads and writes.

Most commercial anti-virus products use storage mode, while the inner workings of the few stream-mode solutions, such as ZyXEL's ZyWall UTM, are little known because of commercial secrecy. The authors therefore set out to design a stream scanner based entirely on open-source components: the free ClamAV anti-virus and the Zlib and Compress::Zlib libraries. They then compared its performance with that of another free anti-virus.

The system is designed to satisfy a number of constraints, including: the buffer space required, which must be easy to reduce so that a large number of connections can be handled; interleaving decompression and anti-virus scanning on segments of the file, without ever storing the entire file; and a platform malleable enough that new protocols can be added alongside the existing ones, SMTP and POP3. The system was implemented in Perl and run on a Linux machine (kernel 2.6.10) with Postfix as the MTA. Two kinds of e-mail were used for the test: the first with a 1 MB executable attachment, the second with the same executable compressed to 37% of its size.

The results show that stream mode on the free ClamAV anti-virus delivers better performance: lower latency and higher throughput. For scanning alone, the stream-mode proxy reaches a throughput of 21.79 Mbps, against 6.9 Mbps for the free storage-mode anti-virus. For scanning plus decompression the figures are 8.05 Mbps against 3.82 Mbps. In terms of memory, the ClamAV stream proxy uses 176 Kb per client, while its competitor uses 7350 Kb per client. What's more, stream mode uses no temporary files on disk, whereas storage mode consumes more disk space as more clients connect and more e-mails are sent. Because stream mode runs entirely in memory, it can also be used on systems without a hard disk, such as embedded systems. Finally, each approach has its own bottleneck: mail transfer for storage mode and the anti-virus scan itself for stream mode.
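The segment-by-segment design described above (inflating and scanning pieces of the attachment without storing the whole file, with a bounded buffer per client) as an added Python illustration written for this summary, not the authors' Perl code: a gzip member is inflated piece by piece, each piece is matched against a constructed signature set, and only the last few bytes of the previous piece are carried over so that a signature straddling two segments is still caught. The signature patterns, segment size and helper names are assumptions.

```python
import zlib
from typing import Iterable, Iterator, Optional, Tuple

# Constructed demo signatures (pattern -> name); not real ClamAV signatures.
SIGNATURES = {
    b"BADPAYLOAD-ALPHA": "Demo.Alpha",
    b"BADPAYLOAD-BETA": "Demo.Beta",
}
# Bytes kept from the previous segment so a straddling signature is not missed.
CARRY = max(len(s) for s in SIGNATURES) - 1


class StreamScanner:
    """Scans a byte stream one segment at a time with a bounded buffer.

    Memory stays O(segment + longest signature) whatever the message size,
    which is the property behind the small per-client footprint of stream mode.
    """

    def __init__(self, compressed: bool = False):
        self._tail = b""
        # 16 + MAX_WBITS tells zlib to expect a gzip wrapper around the deflate data.
        self._inflater = zlib.decompressobj(16 + zlib.MAX_WBITS) if compressed else None
        self.max_buffer = 0  # largest window ever held, for the memory argument

    def feed(self, segment: bytes) -> Optional[str]:
        """Scan one segment; return a signature name on a hit, else None."""
        if self._inflater is not None:
            segment = self._inflater.decompress(segment)  # inflate just this piece
        window = self._tail + segment
        self.max_buffer = max(self.max_buffer, len(window))
        for pattern, name in SIGNATURES.items():
            if pattern in window:
                return name
        self._tail = window[-CARRY:] if CARRY else b""  # keep only the boundary bytes
        return None


def scan_stream(segments: Iterable[bytes], compressed: bool = False) -> Tuple[Optional[str], int]:
    """Proxy loop: each clean segment would be released downstream at once;
    returns (verdict, peak buffer size) and stops at the first hit."""
    scanner = StreamScanner(compressed)
    for seg in segments:
        hit = scanner.feed(seg)
        if hit:
            return hit, scanner.max_buffer
    return None, scanner.max_buffer


def chunks(data: bytes, size: int) -> Iterator[bytes]:
    """Split data into fixed-size segments, like pieces arriving on a socket."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def gzip_bytes(data: bytes) -> bytes:
    """Constructed test input: gzip-wrap data (stands in for the compressed attachment)."""
    c = zlib.compressobj(wbits=16 + zlib.MAX_WBITS)
    return c.compress(data) + c.flush()
```

The carried-over tail is what makes the segment size a free parameter: shrinking it lowers the per-connection buffer without opening a gap at segment boundaries.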

Stream scanning, hitherto the preserve of a few commercial anti-virus programs, is now proving its worth with free anti-virus products, and it would not be surprising if applications such as ClamAV were to incorporate this mode in the near future.
