HELP: clamav causing cpu overload

[Snowman30]

Im having a lot of trouble with clamav on a hyperthreaded 3Ghz server unning RH9 and the latest R of CPanel

every day the highest loads on the server are:

mailnull 64.10 3.46 0.0
Top Process %CPU 99.9 /usr/bin/clamscan --unzip -r --disable-summary --stdout .
Top Process %CPU 97.6 /usr/bin/clamscan --unzip -r --disable-summary --stdout .
Top Process %CPU 94.0 /usr/bin/clamscan --unzip -r --disable-summary --stdout .

im also getitng a lot of high loads like:

mailnull 0 99.9 0.0 /usr/sbin/exim-bd-q60m


anyideas what the cause could be or know of a way to fix it?

any advice would be most appreciated.

 

[chirpy]

Presumably, you are running MailScanner with the virus scanner set to clamav?

If so, you can greatly improve upon its performance by upgrading it to use the clamavmodule option:

/scripts/perlinstaller Mail::ClamAV

Then edit your MailScanner.conf, probably in:

/usr/mailscanner/etc/MailScanner.conf

and look for:

Virus Scanners = clamav

change it to:

Virus Scanners = clamavmodule

Then:

killall MailScanner

Wait a few seconds and make sure they're all stopped, then:

/usr/mailscanner/bin/check_mailscanner

 

[Snowman30]

hmm its stopped one error and created another

i now get lots ofhighloads on:

mailnull 0 99.9 0.0 /usr/sbin/exim-bd-q60m
mailnull 0 32.2 0.0 0 MailScanner <

and high loads like:

mailnull 0 99.9 0.0 /usr/sbin/exim-bd-q60m
mailnull 0 99.9 0.5 /usr/bin/perl-I/usr/mailscanner/lib/usr/mailscanner/bin/MailScanner/usr/mailscanner/etc/MailScanner.conf


and also a lot of MailScanner <defunct> as well

any ideas?

 

[synax]

I run a couple of 5000-10000 user mailinglists and Mailscanner and ClamAV cause the server to reboot or come close to it daily now.

I have tried changing to clamavmodule in MailScanner.conf, once I do this emails are not processed and I see a lot of "MailScanner <defunct>" showing up.


Any ideas are appreciated.

If I need to purchase some sort of mail scanning utility, I can do that. I just don't know what to do.

 

[chirpy]

The MailScanner <defunt> processes are perfectly normal for the app and can be safely ignored.

For the ClamAV module, have you installed the latest Mail::ClamAV and the latest (v.70) of the ClamAV software?

 

[casey]

Hey chirpy,

I get this every time I try to install it on an RH9 machine (tried 3 so far):

Starting "make" Stage
make[1]: Entering directory `/home/.cpan/build/Mail-ClamAV-0.08/_Inline/build/Mail/ClamAV'
/usr/bin/perl /usr/lib/perl5/5.8.1/ExtUtils/xsubpp -typemap /usr/lib/perl5/5.8.1/ExtUtils/typemap ClamAV.xs > ClamAV.xsc && mv ClamAV.xsc ClamAV.c
cc -c -I/home/.cpan/build/Mail-ClamAV-0.08 -I/usr/include -fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O3 -DVERSION=\"0.08\" -DXS_VERSION=\"0.08\" -fpic "-I/usr/lib/perl5/5.8.1/i686-linux/CORE" ClamAV.c
ClamAV.xs: In function `clamav_perl__scanbuff':
ClamAV.xs:140: warning: passing arg 3 of `cl_scanbuff' from incompatible pointer type
ClamAV.xs: In function `clamav_perl__scanfd':
ClamAV.xs:180: warning: passing arg 2 of `cl_scandesc' from incompatible pointer type
ClamAV.xs: In function `clamav_perl__scanfile':
ClamAV.xs:216: warning: passing arg 2 of `cl_scanfile' from incompatible pointer type
ClamAV.xs: In function `clamav_perl_constant':
ClamAV.xs:274: `CL_OLE2' undeclared (first use in this function)
ClamAV.xs:274: (Each undeclared identifier is reported only once
ClamAV.xs:274: for each function it appears in.)
ClamAV.xs:275: `CL_ENCRYPTED' undeclared (first use in this function)
make[1]: *** [ClamAV.o] Error 1
make[1]: Leaving directory `/home/.cpan/build/Mail-ClamAV-0.08/_Inline/build/Mail/ClamAV'

I'm making do with an older version of mail::clamav for now, but do you know why I get this error?

 

[chirpy]

I'll do some digging.

I've seen this mentioned several times for RH9 servers. I've installed without problems (that couldn't be easily fixed, anyway) on RH7.3, RHE3 and Fedora. Unfortunately, I don't have access to an RH9 box.

I'll let you know what I find.

 

[chirpy]

Since it seems to be failing when linking with the gdbm libraries, do you have both gdbm and gdbm_devel rpms installed?

rpm -qa | grep gdbm

should give you something like:

gdbm-1.8.0-20
gdbm-devel-1.8.0-20

If you don't have gdbm-devel installed, usually this will do it for you:

up2date -i gdbm-devel

Then try Mail::ClamAV again. Let me know if this helps, or not.

 

[synax]

Everything is up to date.

/scripts/perlinstaller Mail::ClamAV
Testing connection speed...(this could take a while)....Done
Five usable mirrors located
CPAN: Storable loaded ok
Going to read /home/.cpan/Metadata
Database was generated on Tue, 04 May 2004 22:33:39 GMT
Mail::ClamAV is up to date.
perlmod--Install done


clamscan -V
clamscan / ClamAV version 0.70-rc


But if I change the mailscanner.conf to clamavmodule the emails do not get sent out and you cannot receive anything.

 

[chirpy]

Have you checked your /var/log/maillog to make sure that MailScanner is not throwing up errors?

 

[synax]

I don't see any errors. I found this a couple of times, looks to be happening reguarly though.


May 2 11:06:44 mind MailScanner[28501]: Virus and Content Scanning: Starting
May 2 11:06:45 mind MailScanner[28501]: Uninfected: Delivered 1 messages
May 2 11:06:54 mind MailScanner[20014]: New Batch: Scanning 1 messages, 11897 bytes
May 2 11:06:55 mind MailScanner[20014]: Virus and Content Scanning: Starting
May 2 11:06:55 mind MailScanner[20014]: Uninfected: Delivered 1 messages
May 2 11:06:55 mind MailScanner[20014]: MailScanner child dying of old age
May 2 11:06:55 mind MailScanner[29700]: MailScanner E-Mail Virus Scanner version 4.22-5 starting...
May 2 11:06:55 mind MailScanner[29700]: Using locktype = posix
May 2 11:06:55 mind MailScanner[29700]: Creating hardcoded struct_flock subroutine for linux (Linux-type)

 

[chirpy]

That's a normal log for a normally running installation of MailScanner

 

[synax]

Is there a way to test clamavmodule like you would clamscan?

 

[casey]

Originally posted by chirpy
Since it seems to be failing when linking with the gdbm libraries, do you have both gdbm and gdbm_devel rpms installed?

rpm -qa | grep gdbm

should give you something like:

gdbm-1.8.0-20
gdbm-devel-1.8.0-20

If you don't have gdbm-devel installed, usually this will do it for you:

up2date -i gdbm-devel

Then try Mail::ClamAV again. Let me know if this helps, or not.

Thanks for trying, but I've got both of those installed already. I've also tried forcing a reinstall of Inline, ExtUtils, and anything else I could think of.

 

[chirpy]

Casey,

I can only think to email the chap who wrote it:

http://search.cpan.org/~sabeck/

 

[casey]

Originally posted by chirpy
Casey,

I can only think to email the chap who wrote it:

http://search.cpan.org/~sabeck/

Thanks Jonathan,

I just did. I'll let you know what he says...

 

[casey]

For Jonathan and anyone else having problems, I found out the cause...by accident. I had one of my servers set to upgrade perl. I got a perl update last night, and all of a sudden I was able to install mail::clamav on it. So the problem is an outdated perl.
-------------
[edit]
It looks like that was not the problem. That worked for one server, but not the others. The others already had the latest perl...I have no idea now. The developer insists it's an old libclamav, but I have uninstalled previous versions and reinstalled the latest over and over again. I don't know why it would be old.

 

[casey]

I did a complete reinstall of perl on my test server, and mail::clamav still errors out with the same error. I have no idea. Obviously perl has nothing to do with it, so that was just a coincidence.

 

[chirpy]

casey,

I wonder if you have libclamav in more than one location. Here's what I get on a RHE installation:

locate libclamav | xargs ls -la
-rw-r--r--    1 root     root       344714 Apr 17 11:55 /usr/local/lib/libclamav.a
-rwxr-xr-x    1 root     root          746 Apr 17 11:55 /usr/local/lib/libclamav.la
lrwxrwxrwx    1 root     root           18 Apr 17 11:55 /usr/local/lib/libclamav.so -> libclamav.so.1.0.4
lrwxrwxrwx    1 root     root           18 Apr 17 11:55 /usr/local/lib/libclamav.so.1 -> libclamav.so.1.0.4
-rwxr-xr-x    1 root     root       237775 Mar 15 23:24 /usr/local/lib/libclamav.so.1.0.3
-rwxr-xr-x    1 root     root       241594 Apr 17 11:55 /usr/local/lib/libclamav.so.1.0.4

But on a Fedora installation (which admittedly does work OK):

locate libclamav | xargs ls -la
-rw-r--r--  1 root root 572058 Apr 27 09:59 /usr/lib/libclamav.a
-rwxr-xr-x  1 root root    734 Apr 27 09:59 /usr/lib/libclamav.la
lrwxrwxrwx  1 root root     18 Apr 27 09:59 /usr/lib/libclamav.so -> libclamav.so.1.0.3
lrwxrwxrwx  1 root root     18 Apr 27 09:59 /usr/lib/libclamav.so.1 -> libclamav.so.1.0.3
-rwxr-xr-x  1 root root 301959 Apr 27 09:59 /usr/lib/libclamav.so.1.0.3
-rw-r--r--  1 root root 751898 Apr 27 10:05 /usr/local/lib/libclamav.a
-rwxr-xr-x  1 root root    746 Apr 27 10:05 /usr/local/lib/libclamav.la
lrwxrwxrwx  1 root root     18 Apr 27 10:05 /usr/local/lib/libclamav.so -> libclamav.so.1.0.4
lrwxrwxrwx  1 root root     18 Apr 27 10:05 /usr/local/lib/libclamav.so.1 -> libclamav.so.1.0.4
-rwxr-xr-x  1 root root 389697 Mar 18 15:05 /usr/local/lib/libclamav.so.1.0.3
-rwxr-xr-x  1 root root 395735 Apr 27 10:05 /usr/local/lib/libclamav.so.1.0.4

It might be work considering removing clamav the libraries from /usr/lib/ (if you have duplicates as above and they're the older ones) and try Mail::ClamAV again.

 

[chirpy]

In fact, it does appear that with a normal upgrade install of clamav it does install into /usr/local/* instead of /usr/*, so you might want to (be v.careful!):

rm /usr/lib/*clamav*
rm -R /usr/share/clamav/
rm /usr/include/clamav.h

(you can always re-install clamav if this causes any problems)