SOLVED clamscan High CPU Usage

osirion

Well-Known Member
Jan 16, 2007
54
4
158
Hey guys,
I have an issue where clamscan is using a bunch of CPU most of the day, e.g.:
13487 root 30 10 422m 333m 8640 D 78.2 8.7 2:15.63 clamscan


Checking out: vim /etc/cron.daily/manual_clamscan shows >
for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /root/infections&

(which is the same as the recommended: Configure ClamAV Scanner - Documentation - cPanel Documentation)
for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /root/infections&


Also, checked exim advanced editor and av_scanner is set to clamd:/var/clamd


I do the check to see if clamd is installed:
# whereis clamd
clamd:

So:
1) To my understanding, clamd isn't even installed though clamav is?
2) How do I change from clamav/clamscan to clamd so that I lower my CPU usage?

Thanks in advance :)
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,254
463
I do the check to see if clamd is installed:
# whereis clamd
clamd:
Hello :)

Per our documentation, if you use scripts that expect ClamAV binaries in the /usr/local/bin directory, create symbolic links with the following commands:

Code:
ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/local/bin/clamscan
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/local/bin/freshclam
The "clamd" binary is located at:

/usr/local/cpanel/3rdparty/bin/clamd

To lower CPU usage, I suggest simply disabling the "clamscan" cron job you have configured.

Thank you.
 

osirion

Thanks cPanelMichael.
I am not looking to disable the clamscan cronjob because this is what scans my server daily for viruses and I don't want to leave my server at risk.

How do I change from 'clamscan' (which loads the 'virus db' each time) to 'clamd' which loads it once and hence lowers CPU/memory usage?
 

cPanelMichael

How do I change from 'clamscan' (which loads the 'virus db' each time) to 'clamd' which loads it once and hence lowers CPU/memory usage?
Hello :)

I believe you may have misinterpreted some documentation. These are not two separate applications, but rather "clamscan" is part of ClamAV, as mentioned in the previous post.

Thank you.
 

TechWS

Registered
Dec 18, 2016
2
0
1
United States
cPanel Access Level
Root Administrator
But the problem the OP was confronted with was not answered. I'm having the same problem. I followed the documentation on enabling ClamAV and set up a cron job for 1am in the morning. It ran and immediately took up all of the system resources. Our site monitoring was showing sites down but I figured I would let it run and get the scan done. I awoke to the system still scanning and sites sporadically responding. I killed the scan but now need to figure out how to scan the whole system without putting sites at risk.
 

cPanelMichael

But the problem the OP was confronted with was not answered. I'm having the same problem. I followed the documentation on enabling ClamAV and set up a cron job for 1am in the morning. It ran and immediately took up all of the system resources. Our site monitoring was showing sites down but I figured I would let it run and get the scan done. I awoke to the system still scanning and sites sporadically responding. I killed the scan but now need to figure out how to scan the whole system without putting sites at risk.
Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

cPanelMichael

Hello,

To update, it looks like the support ticket was closed due to unsuccessful attempts to access the server. Feel free to reply to the support ticket if you'd like to open it back up so we can proceed to investigate further.

Thank you.
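
One way to keep the daily scan from the first post while lowering its impact, as an added example that is not part of the thread or of cPanel's documentation: a single low-priority clamscan run over all account home directories, so the signature database is loaded once instead of once per account. The clamscan, /etc/userdomains and /root/infections paths are the ones quoted above; the lock path, the account-name filter and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: low-priority, single-invocation variant of the daily scan.
# CLAMSCAN, USERDOMAINS and REPORT are the paths quoted in the thread;
# LOCK, HOME_ROOT and the function names are assumptions of this example.
CLAMSCAN=${CLAMSCAN:-/usr/local/cpanel/3rdparty/bin/clamscan}
USERDOMAINS=${USERDOMAINS:-/etc/userdomains}
HOME_ROOT=${HOME_ROOT:-/home}
REPORT=${REPORT:-/root/infections}
LOCK=${LOCK:-/var/run/manual_clamscan.lock}

# Print each account name once, skipping the "nobody" entries. Names with
# characters outside [A-Za-z0-9_-] are dropped so they cannot alter the path.
list_accounts() {
    awk '!/nobody/ && $2 ~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/ { print $2 }' "$1" | sort -u
}

# Write one existing home directory per line into the list file $2.
write_targets() {
    : > "$2"
    list_accounts "$1" | while read -r user; do
        if [ -d "$HOME_ROOT/$user" ]; then
            echo "$HOME_ROOT/$user" >> "$2"
        fi
    done
}

# One clamscan process for all accounts: the signature database is loaded
# once, and nice/ionice keep the scan behind web and mail traffic.
run_scan() {
    targets=$(mktemp) || return 1
    write_targets "$USERDOMAINS" "$targets"
    rc=0
    if [ -s "$targets" ]; then
        nice -n 19 ionice -c 3 "$CLAMSCAN" -i -r --file-list="$targets" \
            >> "$REPORT" 2>/dev/null || rc=$?
    fi
    rm -f "$targets"
    return "$rc"   # clamscan: 0 = clean, 1 = infected file found, 2 = error
}

# Only scan when asked to, and never start a second scan while one runs.
if [ "${1:-}" = "--run" ]; then
    exec 9> "$LOCK"
    flock -n 9 || { echo "scan already running" >&2; exit 0; }
    run_scan
fi
```

Called from cron with the `--run` argument; without it the script only defines its functions.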