[ALUG] clamav on etch and cpu usage
hopkins.jenny at gmail.com
Wed Jun 20 17:49:50 BST 2007
On 20/06/07, Brett Parker <iDunno at sommitrealweird.co.uk> wrote:
> On Wed, Jun 20, 2007 at 03:24:14PM +0100, Jenny Hopkins wrote:
> > On 20/06/07, Brett Parker <iDunno at sommitrealweird.co.uk> wrote:
> > >On Wed, Jun 20, 2007 at 02:22:57PM +0100, Jenny Hopkins wrote:
> > >> Hullo there,
> > >>
> > >> Our server is running nearly constantly at 100% cpu usage, the culprit
> > >> being clamscan.
> > >>
> > >> Server is running debian stable, so clamav version is 0.90.1-2
> > >>
> > >> I see a bug reported here
> > >> http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=425661
> > >>
> > >> which seems to be for a later version so there's not much point in
> > >> upgrading clamav.
> > >
> > >Are you running clamav as a daemon? How are things getting passed to
> > >clamscan? Is this part of mailserver setup? What are you running as the
> > >mail server? If it is part of the mailserver - where is it putting the
> > >files before scanning them?
> > >
> > Brett, thanks.
> > Yes, clamav is running as a daemon. I'm running exim4, which passes
> > things from 'incoming' to Mailscanner, which in turn pushes them
> > through first clamav and then Spamassassin before sending them back to
> > exim4 for delivery to local mailboxes.
> Ahh, hmm - for virus scanning I can best suggest using
> exim4-daemon-heavy, and then using the data acl to scan for viruses
> (config snippet to follow in a bit ;)
> > I think they go to /var/spool/exim4_incoming/ - I can ferret around if
> > it's significant?
> > The actual process running is
> > /usr/bin/clamscan --unzip --jar --tar --tgz --deb --max-ratio=500
> > --tempdir=/tmp/clamav.13537 -r --disable-summary --stdout
> > --unrar=/usr/bin/unrar .
> See, now *that* isn't using the daemon! Lalala. Ooops.
> So, rather than passing it on to "Mailscanner" (whatever that might
> be!), what you'll be wanting is:
> --->8-- Begin Snippets --8<---
> ### In the beginning of the file near the top, somewhere around
> ### trusted_groups
> # Our clamav server
> av_scanner = clamd:/var/run/clamav/clamd.ctl
> acl_smtp_data = acl_check_data
> ### Under ACL CONFIGURATION after the begin acl
> warn message = X-Virus-Details: This message contains malware ($malware_name)\n\
>                X-Virus-Found: YES
>      demime = *
>      malware = *
> --->8-- End Snippets --8<---
> What that'll do is, at SMTP time, run the mail through the clamav daemon
> and add a header (well, actually 2 - X-Virus-Details and X-Virus-Found)
> to the mail so you can later process it in the routers.
> Hope that all makes sense young sysadmin!
I *think* so (cautiously).
The acl says it uses clamav for virus scanning, but the actual call
for /usr/bin/clamscan I found in
/etc/Mailscanner/wrappers/clamav-wrapper, where I changed the line
I restarted Mailscanner and htop showed
/usr/sbin/clamd (I suppose the daemon knows all the options?)
It ran at 100% and now cpu usage has dropped to between 1% and 20%
with the odd spike.
I'm really nervous in case it isn't actually working anymore though -
shame I can't send myself a virus to check :-)
I don't know why we use Mailscanner - haven't really sussed what it
is, although it is on my list somewhere of ToFindOuts.
Can you hear the server sighing with gratitude from there?
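
Added example (not part of the original posts): one way to confirm that clamd is still scanning, by sending it the harmless EICAR anti-virus test string over the socket named in the av_scanner line above. It assumes a clamd that supports the INSTREAM command (ClamAV 0.95 or later, so newer than the 0.90.1 mentioned in the thread); the function names are made up for this illustration.

```python
import socket
import struct

# Socket path taken from the av_scanner line in the snippet above.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"
# EICAR standard test string: harmless, but scanners report it as a virus.
# Kept in two halves so this script is not itself flagged on disk.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR" + rb"-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_request(data, chunk_size=4096):
    """Frame data for INSTREAM: command, <4-byte length><chunk>..., zero length."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out.append(struct.pack("!I", len(chunk)) + chunk)
    out.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(out)


def parse_reply(reply):
    """Turn b'stream: NAME FOUND\\0' or b'stream: OK\\0' into (verdict, detail)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    result = text.partition(": ")[2]
    if result.endswith(" FOUND"):
        return "FOUND", result[:-len(" FOUND")]
    if result == "OK":
        return "OK", ""
    return "ERROR", result or text  # e.g. size limit exceeded, unknown command


def scan(data, path=CLAMD_SOCKET):
    """Send data to the running clamd over its unix socket and return the verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(30)
        s.connect(path)
        s.sendall(instream_request(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    # Healthy daemon: the test string is FOUND and a clean buffer is OK.
    print("test string :", scan(EICAR))
    print("clean buffer:", scan(b"just some text"))
```

Run it as a user allowed to open the clamd socket; it exercises clamd directly, not the Mailscanner wrapper path.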