[ALUG] clamav on etch and cpu usage

Jenny Hopkins hopkins.jenny at gmail.com
Wed Jun 20 17:49:50 BST 2007


On 20/06/07, Brett Parker <iDunno at sommitrealweird.co.uk> wrote:
> On Wed, Jun 20, 2007 at 03:24:14PM +0100, Jenny Hopkins wrote:
> > On 20/06/07, Brett Parker <iDunno at sommitrealweird.co.uk> wrote:
> > >On Wed, Jun 20, 2007 at 02:22:57PM +0100, Jenny Hopkins wrote:
> > >> Hullo there,
> > >>
> > >> Our server is running nearly constantly at 100% cpu usage, the culprit
> > >> being clamscan.
> > >>
> > >> Server is running debian stable, so clamav version is 0.90.1-2
> > >>
> > >> I see a bug reported here
> > >> http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=425661
> > >>
> > >> which seems to be for a later version so there's not much point in
> > >> upgrading clamav.
> > >
> > >Are you running clamav as a daemon? How are things getting passed to
> > >clamscan? Is this part of mailserver setup? What are you running as the
> > >mail server? If it is part of the mailserver - where is it putting the
> > >files before scanning them?
> > >
> >
> > Brett, thanks.
> > Yes, clamav is running as a daemon.  I'm running exim4, which passes
> > things from 'incoming' to Mailscanner, which in turn pushes them
> > through first clamav and then Spamassassin before sending them back to
> > exim4 for delivery to local mailboxes.
>
> Ahh, hmm - for virus scanning I can best suggest using
> exim4-daemon-heavy, and then using the data acl to scan for viruses
> (config snippet to follow in a bit ;)
>
> > I think they go to /var/spool/exim4_incoming/ - I can ferret around if
> > it's significant?
> >
> > The actual process running is
> > /usr/bin/clamscan --unzip --jar --tar --tgz --deb --max-ratio=500
> > --tempdir=/tmp/clamav.13537 -r --disable-summary --stdout
> > --unrar=/usr/bin/unrar .
>
> See, now *that* isn't using the daemon! Lalala. Ooops.
>
> So, rather than passing it on to "Mailscanner" (whatever that might
> be!), what you'll be wanting is:
>
> --->8-- Begin Snippets --8<---
>
> ### In the beginning of the file near the top, somewhere around
> ### trusted_groups
>
> # Our clamav server
> av_scanner = clamd:/var/run/clamav/clamd.ctl
>
> acl_smtp_data = acl_check_data
>
> ### Under ACL CONFIGURATION after the begin acl
>
> acl_check_data:
>
>         warn message = X-Virus-Details: This message contains malware ($malware_name)\n\
> X-Virus-Found: YES
>         demime = *
>         malware = *
>
> --->8--  End Snippets  --8<---
>
> What that'll do is, at SMTP time, run the mail through the clamav daemon
> and add a header (well, actually 2 - X-Virus-Details and X-Virus-Found)
> to the mail so you can later process it in the routers.
>
> Hope that all makes sense young sysadmin!
>
I *think* so (cautiously).
The acl says it uses clamav for virus scanning, but the actual call
for /usr/bin/clamscan I found in
/etc/Mailscanner/wrappers/clamav-wrapper, where I changed the line
ClamScan=$1/bin/clamscan
to
ClamScan=$1/bin/clamdscan

I restarted Mailscanner and htop showed
/usr/sbin/clamd (I suppose the daemon knows all the options?)
It ran at 100% and now cpu usage has dropped to between 1% and 20%
with the odd spike.

I'm really nervous in case it isn't actually working anymore though -
shame I can't send myself a virus to check :-)
I don't know why we use Mailscanner - haven't really sussed what it
is, although it is on my list somewhere of ToFindOuts.

Thanks, Brett,
Can you hear the server sighing with gratitude from there?

Jenny
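
The worry in the message above, whether clamd is still detecting anything after the wrapper change, can be checked with the harmless EICAR antivirus test file. This is an added example, not part of the original message: the function names are hypothetical, it assumes `clamdscan` is on the PATH, and it tests the daemon directly rather than the full MailScanner path.

```shell
#!/bin/sh
# Added example: confirm the clamd path still detects malware after the
# wrapper was switched from clamscan to clamdscan. Function names are hypothetical.

# Print the 68-byte EICAR test string (a harmless, standard AV test pattern).
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD' \
                  '-ANTIVIRUS-TEST-FILE!$H+H*'
}

# Map a clamscan/clamdscan exit status to a verdict:
# 0 = nothing found, 1 = virus found, anything else = scan error.
verdict() {
    case "$1" in
        0) echo "NOT-DETECTED" ;;
        1) echo "DETECTED" ;;
        *) echo "SCAN-ERROR" ;;
    esac
}

# Write the test file, scan it with the named scanner, print the verdict.
check_scanner() {
    scanner="${1:-clamdscan}"
    command -v "$scanner" >/dev/null 2>&1 || { echo "SCANNER-MISSING"; return 3; }
    dir=$(mktemp -d) || return 3
    # clamdscan hands the path to clamd, which runs as its own user and
    # must be able to enter the directory and read the file.
    chmod 755 "$dir"
    eicar_string > "$dir/eicar.com"
    rc=0
    "$scanner" "$dir/eicar.com" >/dev/null 2>&1 || rc=$?
    rm -rf "$dir"
    verdict "$rc"
}

# Default run: DETECTED means the daemon is scanning and matching signatures.
check_scanner "${1:-clamdscan}" || true
```

A result of `SCAN-ERROR` usually means clamd is not running or cannot read the file, which is worth ruling out before trusting the lower CPU figures.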



