On Wed, Jun 20, 2007 at 03:24:14PM +0100, Jenny Hopkins wrote:
On 20/06/07, Brett Parker iDunno@sommitrealweird.co.uk wrote:
On Wed, Jun 20, 2007 at 02:22:57PM +0100, Jenny Hopkins wrote:
Hullo there,
Our server is running nearly constantly at 100% cpu usage, the culprit being clamscan.
Server is running debian stable, so clamav version is 0.90.1-2
I see a bug reported here http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=425661
which seems to be for a later version so there's not much point in upgrading clamav.
Are you running clamav as a daemon? How are things getting passed to clamscan? Is this part of mailserver setup? What are you running as the mail server? If it is part of the mailserver - where is it putting the files before scanning them?
Brett, thanks. Yes, clamav is running as a daemon. I'm running exim4, which passes things from 'incoming' to Mailscanner, which in turn pushes them through first clamav and then Spamassassin before sending them back to exim4 for delivery to local mailboxes.
Ahh, hmm - for virus scanning I can best suggest using exim4-daemon-heavy, and then using the data acl to scan for viruses (config snippet to follow in a bit ;)
I think they go to /var/spool/exim4_incoming/ - I can ferret around if it's significant?
The actual process running is /usr/bin/clamscan --unzip --jar --tar --tgz --deb --max-ratio=500 --tempdir=/tmp/clamav.13537 -r --disable-summary --stdout --unrar=/usr/bin/unrar .
See, now *that* isn't using the daemon! Lalala. Ooops.
So, rather than passing it on to "Mailscanner" (whatever that might be!), what you'll be wanting is:
--->8-- Begin Snippets --8<---
### In the beginning of the file near the top, somewhere around
### trusted_groups

# Our clamav server
av_scanner = clamd:/var/run/clamav/clamd.ctl

acl_smtp_data = acl_check_data

### Under ACL CONFIGURATION after the begin acl

acl_check_data:
  warn  message = X-Virus-Details: This message contains malware ($malware_name)\n\
                  X-Virus-Found: YES
        demime  = *
        malware = *
--->8-- End Snippets --8<---
What that'll do is, at SMTP time, run the mail through the clamav daemon and add a header (well, actually 2 - X-Virus-Details and X-Virus-Found) to the mail so you can later process it in the routers.
Hope that all makes sense young sysadmin!
Cheers,
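
The ACL in the snippet above only tags mail with X-Virus-Found and X-Virus-Details; something after SMTP time has to act on those tags. The following is an added example, not part of the original thread and not Exim code: a Python check that a delivery-side filter could run on each message. The function names, the quarantine/deliver labels and the sample messages are assumptions made for illustration.

```python
import email
from email import policy

# Text the ACL places in front of $malware_name in X-Virus-Details.
DETAILS_PREFIX = "This message contains malware ("

# Constructed sample messages (not real mail).
CLEAN = (b"From: a@example.org\r\nTo: b@example.org\r\n"
         b"Subject: hello\r\n\r\nbody\r\n")
FLAGGED = (b"From: a@example.org\r\n"
           b"X-Virus-Found: NO\r\n"  # copy already present in the incoming mail
           b"Subject: invoice\r\n"
           b"X-Virus-Details: This message contains malware"
           b" (Eicar-Test-Signature)\r\n"
           b"X-Virus-Found: YES\r\n\r\nbody\r\n")


def virus_verdict(raw_message: bytes):
    """Return (infected, malware_names) from the headers the ACL adds."""
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    # get_all() matches names case-insensitively and returns every instance,
    # so a header supplied by the sender cannot mask the one added by the ACL.
    found = [str(v).strip().upper() for v in msg.get_all("X-Virus-Found", [])]
    infected = "YES" in found
    names = []
    for value in msg.get_all("X-Virus-Details", []):
        text = " ".join(str(value).split())  # unfold continuation lines
        if text.startswith(DETAILS_PREFIX) and text.endswith(")"):
            names.append(text[len(DETAILS_PREFIX):-1])
    return infected, names


def route(raw_message: bytes) -> str:
    """Pick a destination label; either tag is enough to quarantine."""
    infected, names = virus_verdict(raw_message)
    return "quarantine" if infected or names else "deliver"


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("flagged", FLAGGED)):
        print(label, route(raw), virus_verdict(raw))
```
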