On 20/06/07, Brett Parker iDunno@sommitrealweird.co.uk wrote:
On Wed, Jun 20, 2007 at 03:24:14PM +0100, Jenny Hopkins wrote:
On 20/06/07, Brett Parker iDunno@sommitrealweird.co.uk wrote:
On Wed, Jun 20, 2007 at 02:22:57PM +0100, Jenny Hopkins wrote:
Hullo there,
Our server is running nearly constantly at 100% cpu usage, the culprit being clamscan.
Server is running debian stable, so clamav version is 0.90.1-2
I see a bug reported here http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=425661
which seems to be for a later version so there's not much point in upgrading clamav.
Are you running clamav as a daemon? How are things getting passed to clamscan? Is this part of mailserver setup? What are you running as the mail server? If it is part of the mailserver - where is it putting the files before scanning them?
Brett, thanks. Yes, clamav is running as a daemon. I'm running exim4, which passes things from 'incoming' to Mailscanner, which in turn pushes them through first clamav and then Spamassassin before sending them back to exim4 for delivery to local mailboxes.
Ahh, hmm - for virus scanning I can best suggest using exim4-daemon-heavy, and then using the data acl to scan for viruses (config snippet to follow in a bit ;)
I think they go to /var/spool/exim4_incoming/ - I can ferret around if it's significant?
The actual process running is /usr/bin/clamscan --unzip --jar --tar --tgz --deb --max-ratio=500 --tempdir=/tmp/clamav.13537 -r --disable-summary --stdout --unrar=/usr/bin/unrar .
See, now *that* isn't using the daemon! Lalala. Ooops.
So, rather than passing it on to "Mailscanner" (whatever that might be!), what you'll be wanting is:
--->8-- Begin Snippets --8<---
### In the beginning of the file near the top, somewhere around
### trusted_groups

# Our clamav server
av_scanner = clamd:/var/run/clamav/clamd.ctl

acl_smtp_data = acl_check_data

### Under ACL CONFIGURATION after the begin acl

acl_check_data:
  warn message = X-Virus-Details: This message contains malware ($malware_name)\n\
                 X-Virus-Found: YES
       demime = *
       malware = *
--->8-- End Snippets --8<---
What that'll do is, at SMTP time, run the mail through the clamav daemon and add a header (well, actually 2 - X-Virus-Details and X-Virus-Found) to the mail so you can later process it in the routers.
Hope that all makes sense young sysadmin!
I *think* so (cautiously). The acl says it uses clamav for virus scanning, but the actual call for /usr/bin/clamscan I found in /etc/Mailscanner/wrappers/clamav-wrapper, where I changed the line ClamScan=$1/bin/clamscan to ClamScan=$1/bin/clamdscan
I restarted Mailscanner and htop showed /usr/sbin/clamd (I suppose the daemon knows all the options?) It ran at 100% and now cpu usage has dropped to between 1% and 20% with the odd spike.
I'm really nervous in case it isn't actually working anymore though - shame I can't send myself a virus to check :-) I don't know why we use Mailscanner - haven't really sussed what it is, although it is on my list somewhere of ToFindOuts.
Thanks, Brett. Can you hear the server sighing with gratitude from there?
Jenny
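
Added example (not part of the original thread, and not MailScanner's or ClamAV's own code): one way to confirm that scanning still works after a wrapper has been switched to clamdscan, using the harmless standard EICAR test string rather than real malware. It assumes a clamdscan that accepts --no-summary and a clamd running as a separate user; the function name check_clamd is made up here.

```shell
#!/bin/sh
# Assumption: clamd runs as its own user (e.g. clamav), so the files it is
# asked to scan must be readable by that user.

# Standard EICAR anti-virus test string, split in two so that AV scanners
# do not flag this script itself.
EICAR_A='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-'
EICAR_B='STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# check_clamd [scanner]
# Returns 0 if the scanner passes a clean file AND flags the EICAR file,
# 1 if EICAR is missed, 2 if even the clean scan fails, 3 on setup failure.
check_clamd() {
    scanner="${1:-clamdscan}"
    dir=$(mktemp -d) || return 3
    chmod 755 "$dir"                        # let the clamd user traverse it
    printf '%s%s' "$EICAR_A" "$EICAR_B" > "$dir/eicar.com"
    printf 'plain text, nothing to find\n' > "$dir/clean.txt"
    chmod 644 "$dir/eicar.com" "$dir/clean.txt"

    # clamdscan exit codes: 0 = clean, 1 = virus found, 2 = error
    # (for example clamd not running or the file not readable by it).
    "$scanner" --no-summary "$dir/clean.txt" >/dev/null 2>&1 \
        && clean_rc=0 || clean_rc=$?
    out=$("$scanner" --no-summary "$dir/eicar.com" 2>&1) \
        && eicar_rc=0 || eicar_rc=$?
    rm -rf "$dir"

    if [ "$clean_rc" -ne 0 ]; then
        echo "FAIL: clean file gave exit $clean_rc (daemon down or file unreadable?)"
        return 2
    fi
    if [ "$eicar_rc" -ne 1 ]; then
        echo "FAIL: EICAR not detected (exit $eicar_rc): $out"
        return 1
    fi
    case "$out" in
        *FOUND*) echo "OK: $out"; return 0 ;;
        *)       echo "FAIL: exit 1 but no FOUND line: $out"; return 1 ;;
    esac
}
```

Run `check_clamd` as the user the mail scanner runs as; a result of 2 usually points at the daemon socket or file permissions rather than at missing signatures.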