Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 1 subscriber
  • Views 1833 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Long execution time for "savscan" on Linux

rvandolson

We're attempting to troubleshoot long execution times of the savscan binary under Linux.  The binary gives a version number of 4.57.0 [Linux/Intel].

On a 32-bit RHEL4 machine, when we run the command standalone, with no files passed, it takes ~15s for the "help" message to show up.  strace tells us the majority of this time is spend opening and seeking through various *.ide files.

If I run readahead on these *.ide files first, the execution time trops to ~5s.

I've also noticed that on some clients, there are no *.ide files at all -- and the savscan binary only has to process through approximately 77 *.vdb files before loading up.

Right now I'm only trying to troubleshoot the slow execution of this binary and am not familiar with the internals of the Sophos client.

  • Are the *.ide files updated signatures?  Why do some clients not have any?
  • Is there a more efficient way to read the files of significance in /opt/sophos-av/lib/sav than how it's being done now?  I assume the long-running daemon (savscand) caches this information somehow?  Why couldn't savscan talk to savscand?

Thanks,

Ray

:5191


This thread was automatically locked due to age.
  • 0

    Correction, it looks like both systems are reading the IDE files.

    Ran an ltrace and seeing the following output:

    % time     seconds  usecs/call     calls      function
------ ----------- ----------- --------- --------------------
 54.11  270.284763       36843      7336 fgetc
 19.52   97.533668         399    244087 __ctype_get_mb_cur_max
 16.74   83.642919         453    184538 mblen
  3.22   16.107644         357     45094 mbtowc

     270 seconds spent making calls to fgetc() ???  This seems to be a little inaccurate, as the command doesn't take 4 minutes to run under ltrace, but clearly this is a bottleneck.

    :5192
  • 0

    1) .ide files are virus data updates. If you don't have any you should check your update settings are working. e.g. Run savupdate directly and see what it reports.

    2) The only way for performance improvements like that to get into the product is if enough customers call in and request them.

    :5200
Unfiltered HTML