[Rspamd-Users] ClamAV and rspamd : log question

G.W. Haywood rspamd at jubileegroup.co.uk
Mon Feb 20 10:59:44 UTC 2023


Hi there,

On Mon, 20 Feb 2023, Mickaël Dequidt wrote:

>> If your guess is correct it seems in conflict with the documentation ...
>
> I would have interpreted that way as well, and that's the general way of 
> implementing greylisting, as I reckon. ...
> having activated debugging for this module, I can now confirm that
> greylisting is evaluated at the same time as other modules, during the
> actual and complete analysis of a message. Said analysis (clamav scanning
> in particular) being cached in redis ...
> ...
> I can only advise that this piece of information be added to the online doc, 
> if rspamd admins consider it to be noteworthy (I certainly do !)

Hmmmmmm.  My experience is that many malicious messages are fairly
new, and when a new campaign appears there's usually a lag of some
hours before the signature databases get updated to reflect that.

If negative results are cached, and the virus database is updated within
the greylisting time, then there's a potential for something which would
have been caught to get missed simply because the cached negative result
was provided by an out-of-date signature database.

In my view if you're going to cache scan results, the cache should be
invalidated if the signature database was changed after the caching.
I don't know if the Redis cache is invalidated on signature updates or
not but ClamAV does much of that itself, so I'm not sure how much will
be gained by caching the result in Redis as well.  Just the time taken
to send the data to the scanner and for it to calculate a hash I guess,
which I would expect usually to be much less than the scan time for a
typical database with something of the order of ten million signatures
although it could be significant in a high-traffic system.

Anyway I'm glad you're happy with what's happening now.

> Thanks all for your help.

You're very welcome. :)

-- 

73,
Ged.
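
The stale-negative concern raised in the message above, as an added example that is not part of the original post and is not rspamd or ClamAV code: a cached verdict keyed only on the message hash survives a signature update, while a key that also carries the signature database version forces a rescan on the greylist retry. `ToyScanner`, `ScanCache`, `greylist_retry` and the marker string are constructed for illustration, and a dict stands in for Redis.

```python
import hashlib


class ToyScanner:
    """Constructed stand-in for a signature scanner (not ClamAV's API)."""

    def __init__(self):
        self.db_version = 1
        self.signatures = set()
        self.scans = 0  # counts real scans, to show what the cache saved

    def update(self, new_signatures):
        # A signature update adds patterns and bumps the database version.
        self.signatures |= set(new_signatures)
        self.db_version += 1

    def scan(self, message):
        self.scans += 1
        hit = any(sig in message for sig in self.signatures)
        return "FOUND" if hit else "CLEAN"


class ScanCache:
    """Dict-backed verdict cache (assumption: stands in for Redis)."""

    def __init__(self, scanner, bind_to_db_version):
        self.scanner = scanner
        self.bind_to_db_version = bind_to_db_version
        self.store = {}

    def _key(self, message):
        digest = hashlib.sha256(message).hexdigest()
        # With the database version in the key, verdicts written under
        # older signatures become unreachable after an update.
        if self.bind_to_db_version:
            return (digest, self.scanner.db_version)
        return (digest,)

    def verdict(self, message):
        key = self._key(message)
        if key not in self.store:
            self.store[key] = self.scanner.scan(message)
        return self.store[key]


def greylist_retry(bind_to_db_version):
    """First attempt, signature update during the delay, then the retry."""
    scanner = ToyScanner()
    cache = ScanCache(scanner, bind_to_db_version)
    message = b"Subject: invoice\r\n\r\nCONSTRUCTED-NEW-CAMPAIGN-MARKER"
    first = cache.verdict(message)  # campaign not yet in the database
    scanner.update([b"CONSTRUCTED-NEW-CAMPAIGN-MARKER"])
    retry = cache.verdict(message)  # same message after the greylist delay
    return first, retry, scanner.scans
```

With the version in the key, entries from older database versions are never read again, so they need an expiry to keep the cache from growing.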

