ClamAV Upgrade Causing RAM / CPU Usage spike

Hi, I'm not sure if the very recent ClamAV upgrade via yum was through your repository or not, but it seems to have spiked my RAM / CPU usage to the point of crashing my system within a few minutes after reboot. My system barely used any RAM before hand, and now it is using all of it and all the swap too. -Mk

Status: 
Active

Comments

3704 mike.xxxxxxxxxxxx 226312 kB /usr/bin/clamscan - 3373 mike.xxxxxxxxxxxx 153860 kB /usr/bin/clamscan - 3717 root 152072 kB clamscan -

Joe's picture
Submitted by Joe on Tue, 05/11/2010 - 21:02 Pro Licensee

ClamAV is an absolute hog. I wouldn't be surprised if restarting it requires significant resources, and the update does trigger a restart. I've done a couple of updates without incident, but it was on quite large machines. I just looked and 0.96 does, unfortunately, seem to be even bigger than 0.95.x, though the change notes claim it is more efficient.

Unfortunately, there really isn't anything we can do about it, as it's not our code.

There are a few mentions of increased memory usage in the clamav forums, as well as other projects that package clamav. But, I'm not seeing any mention of patches or fixes to reduce memory usage. I think we're stuck with it.

You could force a downgrade to the previous version, and add an exclude to your yum configuration to prevent if from being upgraded in the future.

I can't really win here. We're getting yelled at constantly for the old version warnings in the 0.95.3 version, and the 0.96 version has higher memory requirements.

Ok, thanks for the input...I'll fiddle around with the new version some and post any significant news back here that you may be able to pass on in the future to others with the same issue. Sounds like murphy's law is alive and well regarding clamAV and VPS servers.

Joe's picture
Submitted by Joe on Tue, 05/11/2010 - 21:09 Pro Licensee

Oh, I just noticed you're running clamscan rather than the daemonized version...this would lead to memory thrashing, if you get more than one mail every few minutes.

You should try switching to the clamd mode.

Found a possible bug just now, on the 'Spam and Virus Scanning' page when I hit the 'Enable ClamAV Server' button:

============================================================================
Configuring and enabling the ClamAV scanning server ..

Creating ClamAV configuration file /etc/clamd.d/virtualmin.conf ..
.. done

Fixing ClamAV bootup action /etc/rc.d/init.d/clamd-virtualmin ..
.. already done

Linking ClamAV server to /usr/sbin/clamd.virtualmin ..
.. done

Starting ClamAV server and enabling at boot ..
.. failed to start : Starting clamd.virtualmin: ERROR: Please define server type (local and/or TCP). [FAILED]

.. all done
=========================================================================

Cool, thanks for the info on using the daemon instead...any ideas on how to workaround the above error when I try using the daemon?

Joe's picture
Submitted by Joe on Tue, 05/11/2010 - 21:19 Pro Licensee

Looks like they may have changed the configuration for the daemon. I've assigned this to Jamie. We probably need some slight changes to Virtualmin to make things work (oddly, I didn't see any errors when my daemons restarted...I'm going to check the logs...).

Jamie: srv2 has been upgraded, if you want to see a system running the new version. It's only in the repos for CentOS5/i386, as I mentioned on the phone earlier today if you want to see it on one of your test systems.

I'm disabling virus scanning for now...but when I go to "Features and Plugins" an uncheck 'virus filtering', I get this error, even after editing 'owner limits' for each server to disable virus filtering:

===========================================================
Failed to save enabled features : The feature Virus filtering cannot be disabled, as it is used by the following virtual servers : xxxxxxx.net xxxxxxx.com xxxxxxxx.com
===============================================================

Disabling virus / spam scanning per-email account as a temp. workaround...if I notice anything else I'll let you all know about it. I think I'm set for now until there is a patch. Thanks v. much for your time. :o)