Long execution time for "savscan" on Linux

We're attempting to troubleshoot long execution times of the savscan binary under Linux.  The binary gives a version number of 4.57.0 [Linux/Intel].

On a 32-bit RHEL4 machine, when we run the command standalone, with no files passed, it takes ~15s for the "help" message to show up.  strace tells us the majority of this time is spent opening and seeking through various *.ide files.

If I run readahead on these *.ide files first, the execution time drops to ~5s.

I've also noticed that on some clients, there are no *.ide files at all -- and the savscan binary only has to process through approximately 77 *.vdb files before loading up.

Right now I'm only trying to troubleshoot the slow execution of this binary and am not familiar with the internals of the Sophos client.

  • Are the *.ide files updated signatures?  Why do some clients not have any?
  • Is there a more efficient way to read the files of significance in /opt/sophos-av/lib/sav than how it's being done now?  I assume the long-running daemon (savscand) caches this information somehow?  Why couldn't savscan talk to savscand?

Thanks,

Ray

  • Correction, it looks like both systems are reading the IDE files.

    Ran an ltrace and am seeing the following output:

    % time     seconds  usecs/call     calls      function
    ------ ----------- ----------- --------- --------------------
     54.11  270.284763       36843      7336 fgetc
     19.52   97.533668         399    244087 __ctype_get_mb_cur_max
     16.74   83.642919         453    184538 mblen
      3.22   16.107644         357     45094 mbtowc

     270 seconds spent making calls to fgetc() ???  This seems to be a little inaccurate, as the command doesn't take 4 minutes to run under ltrace, but clearly this is a bottleneck.
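
An added example, not part of the posts above and not Sophos code: one way to turn a per-call timed trace (for instance from `strace -T -o trace.txt savscan`) into a per-extension total, so the cost of the *.ide files can be compared with the *.vdb files. The trace lines and file names in `SAMPLE` are constructed, and `time_by_extension` is a hypothetical helper name.

```python
import os
import re
from collections import defaultdict

# Constructed sample of `strace -T` output; the file names are made up.
SAMPLE = '''\
open("/opt/sophos-av/lib/sav/example-a.ide", O_RDONLY) = 3 <0.004000>
read(3, "IDE"..., 4096) = 4096 <0.006000>
_llseek(3, 0, [0], SEEK_SET) = 0 <0.001000>
read(3, "IDE"..., 4096) = 120 <0.002000>
close(3) = 0 <0.000500>
open("/opt/sophos-av/lib/sav/example01.vdb", O_RDONLY) = 3 <0.000200>
read(3, "VDB"..., 4096) = 4096 <0.000300>
close(3) = 0 <0.000100>
open("/opt/sophos-av/lib/sav/gone.ide", O_RDONLY) = -1 ENOENT (No such file or directory) <0.000050>
read(0, "", 1024) = 0 <0.100000>
'''

# name(args) = ret ... <seconds>, with an optional leading PID (strace -f)
CALL = re.compile(r'^(?:\d+\s+)?(\w+)\((.*)\)\s+= (-?\d+).*<(\d+\.\d+)>$')
OPENS = {"open", "open64", "openat"}
FD_CALLS = {"read", "lseek", "_llseek", "fstat", "fstat64", "close"}

def time_by_extension(trace):
    """Sum syscall wall time per file extension, following fds back to paths."""
    fd_ext = {}                    # currently open fd -> extension
    totals = defaultdict(float)    # extension -> seconds
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue               # signals, unfinished/resumed calls
        name, args, ret, secs = m[1], m[2], int(m[3]), float(m[4])
        if name in OPENS:
            path = re.search(r'"([^"]*)"', args)
            if path:
                ext = os.path.splitext(path[1])[1] or "(none)"
                totals[ext] += secs          # failed opens cost time too
                if ret >= 0:
                    fd_ext[ret] = ext
        elif name in FD_CALLS:
            fd = args.split(",")[0].strip()
            if fd.isdigit() and int(fd) in fd_ext:
                totals[fd_ext[int(fd)]] += secs
                if name == "close":
                    del fd_ext[int(fd)]
    return dict(totals)

if __name__ == "__main__":
    for ext, secs in sorted(time_by_extension(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{ext:8} {secs:.6f}s")
```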
