[ALUG] clamav on etch and cpu usage

Brett Parker iDunno at sommitrealweird.co.uk
Wed Jun 20 15:41:07 BST 2007


On Wed, Jun 20, 2007 at 03:24:14PM +0100, Jenny Hopkins wrote:
> On 20/06/07, Brett Parker <iDunno at sommitrealweird.co.uk> wrote:
> >On Wed, Jun 20, 2007 at 02:22:57PM +0100, Jenny Hopkins wrote:
> >> Hullo there,
> >>
> >> Our server is running nearly constantly at 100% cpu usage, the culprit
> >> being clamscan.
> >>
> >> Server is running debian stable, so clamav version is 0.90.1-2
> >>
> >> I see a bug reported here
> >> http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=425661
> >>
> >> which seems to be for a later version so there's not much point in
> >> upgrading clamav.
> >
> >Are you running clamav as a daemon? How are things getting passed to
> >clamscan? Is this part of mailserver setup? What are you running as the
> >mail server? If it is part of the mailserver - where is it putting the
> >files before scanning them?
> >
> 
> Brett, thanks.
> Yes, clamav is running as a daemon.  I'm running exim4, which passes
> things from 'incoming' to Mailscanner, which in turn pushes them
> through first clamav and then Spamassassin before sending them back to
> exim4 for delivery to local mailboxes.

Ahh, hmm - for virus scanning I can best suggest using
exim4-daemon-heavy, and then using the data acl to scan for viruses
(config snippet to follow in a bit ;)

> I think they go to /var/spool/exim4_incoming/ - I can ferret around if
> it's significant?
> 
> The actual process running is
> /usr/bin/clamscan --unzip --jar --tar --tgz --deb --max-ratio=500
> --tempdir=/tmp/clamav.13537 -r --disable-summary --stdout
> --unrar=/usr/bin/unrar .

See, now *that* isn't using the daemon! Lalala. Ooops.

So, rather than passing it on to "Mailscanner" (whatever that might
be!), what you'll be wanting is:

--->8-- Begin Snippets --8<---

### In the beginning of the file near the top, somewhere around
### trusted_groups

# Our clamav server
av_scanner = clamd:/var/run/clamav/clamd.ctl

acl_smtp_data = acl_check_data

### Under ACL CONFIGURATION after the begin acl

acl_check_data:

        warn message = X-Virus-Details: This message contains malware ($malware_name)\n\
X-Virus-Found: YES
        demime = *
        malware = *
 
--->8--  End Snippets  --8<---

What that'll do is, at SMTP time, run the mail through the clamav daemon
and add a header (well, actually 2 - X-Virus-Details and X-Virus-Found)
to the mail so you can later process it in the routers.

Hope that all makes sense young sysadmin!

Cheers,
-- 
Brett Parker
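The snippet above makes Exim hand each message to the already running clamd over /var/run/clamav/clamd.ctl, rather than forking clamscan, which loads the whole signature database on every invocation (the cause of the 100% CPU). As an added example, not part of Brett's mail nor code from the Exim or ClamAV projects, here is a minimal Python client for the clamd INSTREAM protocol that Exim's clamd scanner speaks over that socket, handy for checking that the daemon answers before switching the ACL on. The socket path is the one from the snippet; fake_clamd and scan_with_fake_daemon are a constructed stand-in so the block runs offline without a daemon.

```python
"""Minimal clamd INSTREAM client: the same kind of exchange Exim performs
when av_scanner = clamd:/var/run/clamav/clamd.ctl is set."""
import socket
import struct
import threading

# Socket path taken from the exim4 snippet above (Debian's clamav-daemon default).
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"

# The EICAR test string: a harmless 68-byte file every scanner must detect.
# Written as two raw byte literals so this page is not itself flagged.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         rb"ANTIVIRUS-TEST-FILE!$H+H*")


def recv_exact(sock, n):
    """Read exactly n bytes, or raise if the peer hangs up early."""
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed the connection early")
        buf += part
    return buf


def clamd_instream(sock, data, chunk_size=8192):
    """Scan `data` over an already connected clamd socket.

    Wire protocol: "zINSTREAM\\0", then chunks of <4-byte big-endian length>
    <bytes>, ended by a zero-length chunk. clamd answers "stream: OK\\0" or
    "stream: <signature> FOUND\\0". Returns (infected, signature_name).
    """
    sock.sendall(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        sock.sendall(struct.pack(">I", len(chunk)) + chunk)
    sock.sendall(struct.pack(">I", 0))          # end-of-stream marker

    reply = b""
    while not reply.endswith(b"\0"):             # z-commands get NUL-terminated replies
        part = sock.recv(4096)
        if not part:
            raise ConnectionError("clamd closed the connection without replying")
        reply += part
    text = reply[:-1].decode("ascii", "replace")
    if text == "stream: OK":
        return False, None
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return True, text[len("stream: "):-len(" FOUND")]
    raise RuntimeError("unexpected clamd reply: %r" % text)


def scan_bytes(data, socket_path=CLAMD_SOCKET):
    """Connect to the real daemon over its UNIX socket and scan `data`."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(60)
        sock.connect(socket_path)
        return clamd_instream(sock, data)


def fake_clamd(conn):
    """Constructed stand-in for clamd's INSTREAM handling so the example runs
    offline. It only knows the EICAR string; the real daemon does the work."""
    cmd = b""
    while not cmd.endswith(b"\0"):
        cmd += recv_exact(conn, 1)
    if cmd == b"zINSTREAM\0":
        body = b""
        while True:
            (length,) = struct.unpack(">I", recv_exact(conn, 4))
            if length == 0:
                break
            body += recv_exact(conn, length)
        verdict = (b"stream: Eicar-Test-Signature FOUND\0" if EICAR in body
                   else b"stream: OK\0")
    else:
        verdict = b"UNKNOWN COMMAND\0"
    conn.sendall(verdict)
    conn.close()


def scan_with_fake_daemon(data):
    """Run the client against fake_clamd over a socketpair (offline test setup)."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_clamd, args=(server,))
    worker.start()
    try:
        return clamd_instream(client, data)
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    print(scan_with_fake_daemon(b"Hullo there, a clean message body"))
    print(scan_with_fake_daemon(b"A" * 20000 + EICAR))
```

On the real box, scan_bytes(EICAR) against the socket from the snippet should come back infected (ClamAV of that era names the hit Eicar-Test-Signature; newer releases use a different name), and a clean body should come back (False, None). If connect() fails, clamd is not listening where av_scanner points and the ACL will defer every message.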
