Hullo there,
Our server is running nearly constantly at 100% cpu usage, the culprit being clamscan.
Server is running debian stable, so clamav version is 0.90.1-2
I see a bug reported here http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=425661
which seems to be for a later version so there's not much point in upgrading clamav.
Has anyone else had similar? Should I 'downgrade'?
Thanks, Jenny
On Wed, Jun 20, 2007 at 02:22:57PM +0100, Jenny Hopkins wrote:
Hullo there,
Our server is running nearly constantly at 100% cpu usage, the culprit being clamscan.
Server is running debian stable, so clamav version is 0.90.1-2
I see a bug reported here http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=425661
which seems to be for a later version so there's not much point in upgrading clamav.
Are you running clamav as a daemon? How are things getting passed to clamscan? Is this part of a mailserver setup? What are you running as the mail server? If it is part of the mailserver - where is it putting the files before scanning them?
As far as I can tell from that bug report, that's only saying that it will use 100% CPU at startup.
Cheers,
On 20/06/07, Brett Parker iDunno@sommitrealweird.co.uk wrote:
On Wed, Jun 20, 2007 at 02:22:57PM +0100, Jenny Hopkins wrote:
Hullo there,
Our server is running nearly constantly at 100% cpu usage, the culprit being clamscan.
Server is running debian stable, so clamav version is 0.90.1-2
I see a bug reported here http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=425661
which seems to be for a later version so there's not much point in upgrading clamav.
Are you running clamav as a daemon? How are things getting passed to clamscan? Is this part of a mailserver setup? What are you running as the mail server? If it is part of the mailserver - where is it putting the files before scanning them?
Brett, thanks. Yes, clamav is running as a daemon. I'm running exim4, which passes things from 'incoming' to Mailscanner, which in turn pushes them through first clamav and then Spamassassin before sending them back to exim4 for delivery to local mailboxes.
I think they go to /var/spool/exim4_incoming/ - I can ferret around if it's significant?
The actual process running is /usr/bin/clamscan --unzip --jar --tar --tgz --deb --max-ratio=500 --tempdir=/tmp/clamav.13537 -r --disable-summary --stdout --unrar=/usr/bin/unrar .
As far as I can tell from that bug report, that's only saying that it will use 100% CPU at startup.
Oh, ok, beg pudding.
Thanks,
Jenny
On Wed, Jun 20, 2007 at 03:24:14PM +0100, Jenny Hopkins wrote:
On 20/06/07, Brett Parker iDunno@sommitrealweird.co.uk wrote:
On Wed, Jun 20, 2007 at 02:22:57PM +0100, Jenny Hopkins wrote:
Hullo there,
Our server is running nearly constantly at 100% cpu usage, the culprit being clamscan.
Server is running debian stable, so clamav version is 0.90.1-2
I see a bug reported here http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=425661
which seems to be for a later version so there's not much point in upgrading clamav.
Are you running clamav as a daemon? How are things getting passed to clamscan? Is this part of a mailserver setup? What are you running as the mail server? If it is part of the mailserver - where is it putting the files before scanning them?
Brett, thanks. Yes, clamav is running as a daemon. I'm running exim4, which passes things from 'incoming' to Mailscanner, which in turn pushes them through first clamav and then Spamassassin before sending them back to exim4 for delivery to local mailboxes.
Ahh, hmm - for virus scanning I can best suggest using exim4-daemon-heavy, and then using the data acl to scan for viruses (config snippet to follow in a bit ;)
I think they go to /var/spool/exim4_incoming/ - I can ferret around if it's significant?
The actual process running is /usr/bin/clamscan --unzip --jar --tar --tgz --deb --max-ratio=500 --tempdir=/tmp/clamav.13537 -r --disable-summary --stdout --unrar=/usr/bin/unrar .
See, now *that* isn't using the daemon! Lalala. Ooops.
So, rather than passing it on to "Mailscanner" (whatever that might be!), what you'll be wanting is:
--->8-- Begin Snippets --8<---
### In the beginning of the file near the top, somewhere around
### trusted_groups

# Our clamav server
av_scanner = clamd:/var/run/clamav/clamd.ctl
acl_smtp_data = acl_check_data

### Under ACL CONFIGURATION after the begin acl
acl_check_data:
  warn message = X-Virus-Details: This message contains malware ($malware_name)\n\
                 X-Virus-Found: YES
       demime  = *
       malware = *
--->8-- End Snippets --8<---
What that'll do is, at SMTP time, run the mail through the clamav daemon and add a header (well, actually 2 - X-Virus-Details and X-Virus-Found) to the mail so you can later process it in the routers.
Hope that all makes sense young sysadmin!
Cheers,
On 20/06/07, Brett Parker iDunno@sommitrealweird.co.uk wrote:
On Wed, Jun 20, 2007 at 03:24:14PM +0100, Jenny Hopkins wrote:
On 20/06/07, Brett Parker iDunno@sommitrealweird.co.uk wrote:
On Wed, Jun 20, 2007 at 02:22:57PM +0100, Jenny Hopkins wrote:
Hullo there,
Our server is running nearly constantly at 100% cpu usage, the culprit being clamscan.
Server is running debian stable, so clamav version is 0.90.1-2
I see a bug reported here http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=425661
which seems to be for a later version so there's not much point in upgrading clamav.
Are you running clamav as a daemon? How are things getting passed to clamscan? Is this part of a mailserver setup? What are you running as the mail server? If it is part of the mailserver - where is it putting the files before scanning them?
Brett, thanks. Yes, clamav is running as a daemon. I'm running exim4, which passes things from 'incoming' to Mailscanner, which in turn pushes them through first clamav and then Spamassassin before sending them back to exim4 for delivery to local mailboxes.
Ahh, hmm - for virus scanning I can best suggest using exim4-daemon-heavy, and then using the data acl to scan for viruses (config snippet to follow in a bit ;)
I think they go to /var/spool/exim4_incoming/ - I can ferret around if it's significant?
The actual process running is /usr/bin/clamscan --unzip --jar --tar --tgz --deb --max-ratio=500 --tempdir=/tmp/clamav.13537 -r --disable-summary --stdout --unrar=/usr/bin/unrar .
See, now *that* isn't using the daemon! Lalala. Ooops.
So, rather than passing it on to "Mailscanner" (whatever that might be!), what you'll be wanting is:
--->8-- Begin Snippets --8<---
### In the beginning of the file near the top, somewhere around
### trusted_groups

# Our clamav server
av_scanner = clamd:/var/run/clamav/clamd.ctl
acl_smtp_data = acl_check_data

### Under ACL CONFIGURATION after the begin acl
acl_check_data:
  warn message = X-Virus-Details: This message contains malware ($malware_name)\n\
                 X-Virus-Found: YES
       demime  = *
       malware = *
--->8-- End Snippets --8<---
What that'll do is, at SMTP time, run the mail through the clamav daemon and add a header (well, actually 2 - X-Virus-Details and X-Virus-Found) to the mail so you can later process it in the routers.
Hope that all makes sense young sysadmin!
I *think* so (cautiously). The acl says it uses clamav for virus scanning, but the actual call for /usr/bin/clamscan I found in /etc/Mailscanner/wrappers/clamav-wrapper, where I changed the line ClamScan=$1/bin/clamscan to ClamScan=$1/bin/clamdscan
I restarted Mailscanner and htop showed /usr/sbin/clamd (I suppose the daemon knows all the options?) It ran at 100% and now cpu usage has dropped to between 1% and 20% with the odd spike.
I'm really nervous in case it isn't actually working anymore though - shame I can't send myself a virus to check :-) I don't know why we use Mailscanner - haven't really sussed what it is, although it is on my list somewhere of ToFindOuts.
Thanks, Brett. Can you hear the server sighing with gratitude from there?
Jenny
On Wed, 2007-06-20 at 17:49 +0100, Jenny Hopkins wrote:
I'm really nervous in case it isn't actually working anymore though - shame I can't send myself a virus to check :-) I don't know why we use Mailscanner - haven't really sussed what it is, although it is on my list somewhere of ToFindOuts.
http://www.eicar.org/anti_virus_test_file.htm
is your friend; it is a tiny file that is registered by most (if not all) anti-virus scanners as a virus but poses no actual threat.
It doesn't test the effectiveness of your scanner's detection patterns, but it does at least prove that the scanner is working.
I also believe that clamav has its own similar test file which is not necessarily detected by other scanners (handy when you are trying to download eicar through a filtering proxy).
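As an added example that is not part of this thread: a Python implementation of the INSTREAM exchange that exim's `av_scanner = clamd:` setting (and clamdscan) performs against the daemon, covering both Brett's ACL explanation and Wayne's EICAR check. It runs against a constructed in-process stand-in for clamd over a socketpair, so no live daemon is needed; the EICAR bytes are the public test string Wayne links to, while the signature name and the size limit the stand-in enforces are constructed.

```python
import socket
import struct
import threading
# Constructed sample marker: the public EICAR test string (harmless; flagged by scanners).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def instream_frames(data, chunk=2048):
    """Encode a zINSTREAM request: command, 4-byte big-endian length-prefixed chunks, zero-length end."""
    parts = [data[i:i + chunk] for i in range(0, len(data), chunk)] + [b""]  # b"" packs as the terminator
    return b"zINSTREAM\0" + b"".join(struct.pack("!I", len(p)) + p for p in parts)

def parse_reply(reply):
    """Map the NUL-terminated 'stream: <sig> FOUND' / 'stream: OK' / '<msg> ERROR' to (verdict, detail)."""
    text = reply.rstrip(b"\0").decode("ascii", "replace").partition(": ")[2]
    if text == "OK":
        return ("OK", None)
    if text.endswith(" FOUND"):
        return ("FOUND", text[:-len(" FOUND")])
    return ("ERROR", text)  # size limit hit, daemon gone, etc.: 'not scanned', never 'clean'

def _fake_clamd(conn, max_len):
    """Constructed stand-in for clamd: reads INSTREAM frames and enforces a StreamMaxLength."""
    f, body = conn.makefile("rb"), b""
    while f.read(1) != b"\0":  # consume the 'zINSTREAM' command up to its NUL
        pass
    while (n := struct.unpack("!I", f.read(4))[0]) != 0:
        body += f.read(n)
        if len(body) > max_len:
            conn.sendall(b"stream: INSTREAM size limit exceeded. ERROR\0")
            return
    verdict = b"Eicar-Test-Signature FOUND" if EICAR in body else b"OK"  # signature name constructed
    conn.sendall(b"stream: " + verdict + b"\0")

def scan_stream(sock, data):
    """Client side (what exim/clamdscan do): send the frames, read up to the NUL ending the verdict."""
    sock.sendall(instream_frames(data))
    reply = b""
    while not reply.endswith(b"\0") and (part := sock.recv(4096)):
        reply += part
    return parse_reply(reply)

def scan_with_fake_clamd(data, max_len=1024 * 1024):
    """One complete exchange against the stand-in over a socketpair, so no live clamd is needed."""
    client, server = socket.socketpair()
    threading.Thread(target=_fake_clamd, args=(server, max_len), daemon=True).start()
    try:
        return scan_stream(client, data)
    finally:
        client.close()
        server.close()
```

To check the real daemon from the thread, connect an `AF_UNIX` socket to /var/run/clamav/clamd.ctl and pass it to `scan_stream` with a message body containing the EICAR string; anything other than a FOUND verdict there means the scanning path is not working, and an ERROR reply should be treated as unscanned rather than clean.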
On Wed, Jun 20, 2007 at 05:49:50PM +0100, Jenny Hopkins wrote:
I *think* so (cautiously). The acl says it uses clamav for virus scanning, but the actual call for /usr/bin/clamscan I found in /etc/Mailscanner/wrappers/clamav-wrapper, where I changed the line ClamScan=$1/bin/clamscan to ClamScan=$1/bin/clamdscan
I restarted Mailscanner and htop showed /usr/sbin/clamd (I suppose the daemon knows all the options?) It ran at 100% and now cpu usage has dropped to between 1% and 20% with the odd spike.
That's much better :)
I'm really nervous in case it isn't actually working anymore though - shame I can't send myself a virus to check :-)
Course you can - eicar is everyone's friend (as Wayne said ;)
I don't know why we use Mailscanner - haven't really sussed what it is, although it is on my list somewhere of ToFindOuts.
Potentially the exim4 config was built from an exim3 one; exim3 didn't have shiny acls of doom, which are a major part of exim4 (and very very very useful :)
Thanks, Brett. Can you hear the server sighing with gratitude from there?
No problem - we loikes mail we do! (Now, if you can just find me enough time to shift our mailserver from exim3 to exim4, that'd be grand :)
Cheers,