ClamAV uses up 99.9% CPU

Discussion in 'General' started by andypl, May 22, 2007.

  1. andypl

    andypl New Member

    Hi
    I have a problem with ClamAV on ISPConfig.
    ClamAV uses up 99.9% CPU; I am considering switching to clamd/clamdscan.
    My question is: how do I disable clamscan and enable clamd on ISPConfig?
    Sorry for my poor English.
    Best regards
     
  2. till

    till Super Moderator

    To enable clamd instead of clamav, you must first install the clamd daemon of your Linux distribution. Then edit the file /home/admispconfig/ispconfig/tools/clamav/bin/clamassassin and reconfigure clamassassin to use your distribution's clamd instead of the clamav that comes with ISPConfig.
     
  3. andypl

    andypl New Member

    Found this solution on the web.

    I modified antivirus.rc.master.
    Maybe it helps some users :)
    Now I have a fresh ClamAV version.

    Code:
    # Rules for running ClamAV

    CLAMSCAN=/usr/bin/clamdscan
    VIRUSTARGET=/dev/null

    :0
    * > 10000
    * multipart
    {
    # Okay, large multipart message: run it through clamdscan
    VIRUS=`$CLAMSCAN --mbox --disable-summary --stdout -`

    # Deliver to $VIRUSTARGET (/dev/null) if the scanner reported FOUND
    :0 Di
    * VIRUS ?? FOUND
    $VIRUSTARGET
    }
     
  4. till

    till Super Moderator

    I still recommend modifying the clamassassin script instead of modifying the antivirus.rc.master.

    Your solution might work for you, but be aware that e.g. the --mbox option is not supported anymore in the latest clamav versions.
     
  5. Davide

    Davide HowtoForge Supporter

    After doing this on Debian 3.1, mail is being scanned by clamd and deleted if it contains a virus (tried with EICAR), but the warning mail is not sent to the "antivirus admin", nor to the sender.

    Is it necessary to change something more to make the warning mails work?

    Thank you very much
     
  6. till

    till Super Moderator

    Which clamd / clamav version do you have installed? You need a 0.90.x version for the clamassassin script that is used in ISPConfig.
     
  7. Davide

    Davide HowtoForge Supporter

    I have installed 0.90.3 from debian-volatile:

    Code:
    dpkg --get-selections |grep clam |awk {'print $1'}|while read pkg
    > do
    > apt-cache policy $pkg
    > done
    clamav-base:
      Installed: 0.90.3-0volatile1
      Candidate: 0.90.3-0volatile1
      Version Table:
     *** 0.90.3-0volatile1 0
            500 http://volatile.debian.org sarge/volatile/main Packages
            100 /var/lib/dpkg/status
         0.90.2-1~bpo.1 0
              1 http://www.backports.org sarge-backports/main Packages
         0.84-2.sarge.16 0
            500 http://security.debian.org sarge/updates/main Packages
         0.84-2.sarge.15 0
            500 http://ftp.fi.debian.org sarge/main Packages
    clamav-daemon:
      Installed: 0.90.3-0volatile1
      Candidate: 0.90.3-0volatile1
      Version Table:
     *** 0.90.3-0volatile1 0
            500 http://volatile.debian.org sarge/volatile/main Packages
            100 /var/lib/dpkg/status
         0.90.2-1~bpo.1 0
              1 http://www.backports.org sarge-backports/main Packages
         0.84-2.sarge.16 0
            500 http://security.debian.org sarge/updates/main Packages
         0.84-2.sarge.15 0
            500 http://ftp.fi.debian.org sarge/main Packages
    clamav-freshclam:
      Installed: 0.90.3-0volatile1
      Candidate: 0.90.3-0volatile1
      Version Table:
     *** 0.90.3-0volatile1 0
            500 http://volatile.debian.org sarge/volatile/main Packages
            100 /var/lib/dpkg/status
         0.90.2-1~bpo.1 0
              1 http://www.backports.org sarge-backports/main Packages
         0.84-2.sarge.16 0
            500 http://security.debian.org sarge/updates/main Packages
         0.84-2.sarge.15 0
            500 http://ftp.fi.debian.org sarge/main Packages
    libclamav2:
      Installed: 0.90.3-0volatile1
      Candidate: 0.90.3-0volatile1
      Version Table:
     *** 0.90.3-0volatile1 0
            500 http://volatile.debian.org sarge/volatile/main Packages
            100 /var/lib/dpkg/status
         0.90.2-1~bpo.1 0
              1 http://www.backports.org sarge-backports/main Packages
    
     
  8. till

    till Super Moderator

  9. Davide

    Davide HowtoForge Supporter

    I've used the modification you recommend:

    Code:
    # grep "CLAMSCAN=" /home/admispconfig/ispconfig/tools/clamav/bin/clamassassin
    #CLAMSCAN=/home/admispconfig/ispconfig/tools/clamav/bin/clamscan
    CLAMSCAN=/usr/bin/clamdscan
      SHORTCLAMSCAN=`${ECHO} ${CLAMSCAN} | ${SED} -e "s/.*\///"`
    
    Code:
    # grep "ScanMail" /etc/clamav/clamd.conf
    ScanMail true
    Code:
    # grep "NotifyClamd" /etc/clamav/freshclam.conf
    NotifyClamd /etc/clamav/clamd.conf
    
    Code:
    # grep "NotifyClamd" /home/admispconfig/ispconfig/tools/clamav/etc/freshclam.conf
    #NotifyClamd
    #NotifyClamd /config/file/path
    NotifyClamd /etc/clamav/clamd.conf
    I haven't changed anything else...
     
  10. till

    till Super Moderator

    The changes look OK. Then I have no idea why the notifications do not work. Have you checked in mail.log that really no email was sent by the clamassassin script?
     
  11. Davide

    Davide HowtoForge Supporter

    I can't see any mail being sent in mail.log, and I can't see *where* mail is sent inside clamassassin.

    If a virus is detected, the headers are rewritten and the "bailiferr" function is called:
    Code:
    else
      # If the result is 1, then a virus was detected
      if [ ${RESULT} = 1 ]
      then
        # Chop off the tempfile name off the virus message
        # This is a bit complex because there may be multiple status lines
        REASON=`${SED} -e 's/[^:]*: //' -e '/ FOUND$/!d' \
          -e 's/ FOUND$/ FOUND /' < ${LOGTMP} | ${SED} -n -e 'H;${x;s/\n//g;p;}'`
        # Extract the subject so it can be modified if SUBJECTHEAD is set
        # Note that some versions of formail will add a leading space to the
        # subject line, so we strip off one leading space if present.
        SUBJECT=`${FORMAIL} -c -x "Subject:" < ${MSGTMP} | ${SED} -e "s/^ //"`
        # Spit out the message with the headers showing it is infected and how
        ${FORMAIL} -f -I "Subject: ${SUBJECTHEAD}${SUBJECT}" \
          -I "X-Virus-Status: Yes" -I "X-Virus-Report: ${REASON}" \
          -I "X-Virus-Checker-Version: ${VERSION}" < ${MSGTMP}
        bailiferr $?
      else
    
    That function deletes the message, but no mail is sent:

    Code:
    bail()
    {
      ${RM} -f ${MSGTMP} ${LOGTMP}
      exit ${1}
    }
    
    # Routine to bail if error code is passed
    bailiferr()
    {
      if [ ${1} != 0 ]
      then
        bail ${1}
      fi
    }
    
    Am I not seeing something?
    Where is mail sent inside the spamassassin script?

    Thank you!
     
  12. nerbas

    nerbas New Member

    clamd helped my cpu a LOT (see attachment and guess when I changed :) - thanks for the howto!
     

    Attached Files:

  13. erebus

    erebus New Member

    If clamd saves so much CPU, why isn't it the default option in the ISPConfig package?

    Also, why is it necessary to install the distro's specific clamd? I see a clamdscan binary inside ISPConfig...

    Please enlighten us.
     
  14. nerbas

    nerbas New Member

    Well, as I'm not developing ISPConfig, I can't really tell you... :)

    I guess it's simpler to provide the clamscan package with ISPConfig so that you'll have a working environment from the start. You can always tweak the settings to your liking (one thing I like a lot about ISPConfig). Setting up a daemon (clamd) requires some privileges - maybe that is why ISPConfig gets delivered with its own package. ...but I'm only guessing, let's see what a developer has to say :)
     
  15. erebus

    erebus New Member

    Anyone? I am interested in using clamd on CentOS 4.5...
     
  16. jonwatson

    jonwatson New Member

    Hi,

    This change has been made on a system I have, but the individual user .antivirus.rc files still have this in them:

    Code:
    :0fw
    | /home/admispconfig/ispconfig/tools/clamav/bin/clamassassin
    
    :0:
    * ^X-Virus-Status: Yes
    /dev/null
    
    Should this line also be changed to point to clamd for all users, or is it now ignored since the main config file has been changed?

    Thanks
     
  17. jonwatson

    jonwatson New Member

    Anyone....?

    Thanks
     
  18. till

    till Super Moderator

    This file should not be changed.
     
  19. jonwatson

    jonwatson New Member

    OK, thanks Till.

    How can I verify that incoming emails are being scanned, then? I ask because we were getting errors in the X-AntiVirus header prior to switching to clamd, but now we get no anti-virus headers at all. I'm not sure if the anti-virus header only shows up in emails with positive virus signatures in them or if it should show up in all emails when scanned.

    Any guidance would be helpful.

    Thanks,

    Jon
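The following POSIX shell script is an added example, not code from this thread or from ISPConfig. It puts into one place the checks the posts above ask for: whether the active CLAMSCAN= line in clamassassin points at clamdscan and whether clamd.conf has ScanMail on (the grep checks from post 9), and, for the question in post 19, whether a message piped through the filter the way the per-user .antivirus.rc does comes back with an X-Virus-Status header. It assumes the paths quoted in the thread, that clamassassin adds "X-Virus-Status: Yes" on infected mail (as in the excerpt in post 11) and, an assumption not shown on this page, "X-Virus-Status: No" on clean mail; the function names and the constructed EICAR test message are mine.

```shell
#!/bin/sh
# check_clamd_switch.sh (added example, not part of ISPConfig or this thread)
#
# Audits the clamscan -> clamdscan switch described in the thread and checks
# whether a message piped through the clamassassin filter comes back with an
# X-Virus-Status header, which is what the per-user .antivirus.rc recipe
# (":0:  * ^X-Virus-Status: Yes  /dev/null") keys on.
#
# Default paths are the ones quoted in the thread; override via environment.
CLAMASSASSIN=${CLAMASSASSIN:-/home/admispconfig/ispconfig/tools/clamav/bin/clamassassin}
CLAMD_CONF=${CLAMD_CONF:-/etc/clamav/clamd.conf}

# Returns 0 if the last active (uncommented) CLAMSCAN= assignment in the
# clamassassin script names clamdscan, 1 if it still points at the bundled
# clamscan or is missing. "#CLAMSCAN=" and "SHORTCLAMSCAN=" lines are ignored.
uses_clamdscan() {
    script=${1:-$CLAMASSASSIN}
    active=$(grep -E '^[[:space:]]*CLAMSCAN=' "$script" 2>/dev/null | tail -n 1)
    case $active in
        *clamdscan*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Returns 0 if clamd.conf has an uncommented "ScanMail true" (or yes); clamd
# needs it to unpack MIME parts instead of scanning the message as one blob.
scanmail_enabled() {
    conf=${1:-$CLAMD_CONF}
    grep -Eiq '^[[:space:]]*ScanMail[[:space:]]+(true|yes)' "$conf" 2>/dev/null
}

# Constructed test message whose body is the EICAR test string, assembled from
# two halves so that this script is not itself flagged by a scanner.
eicar_message() {
    p1='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-'
    p2='TEST-FILE!$H+H*'
    printf 'From: sender@example.invalid\nTo: postmaster@example.invalid\nSubject: clamd test\n\n%s%s\n' "$p1" "$p2"
}

# Pipe the message on stdin through the filter, as procmail's
# ":0fw | clamassassin" does, and print one word:
#   infected  - filter added "X-Virus-Status: Yes" (the :0: recipe would drop it)
#   clean     - filter added "X-Virus-Status: No"
#   unscanned - no X-Virus-Status header at all, i.e. nothing was scanned
# Exit status is 1 for "unscanned" so the function is usable in scripts.
# Assumption: clamassassin adds "X-Virus-Status: No" on clean mail, as it adds
# "X-Virus-Status: Yes" on infected mail in the excerpt quoted in this thread.
scan_verdict() {
    filter=${1:-$CLAMASSASSIN}
    headers=$("$filter" | sed '/^$/q')          # header block only
    status=$(printf '%s\n' "$headers" | grep -i '^X-Virus-Status:' | head -n 1 \
             | sed 's/^[^:]*:[[:space:]]*//')
    case $status in
        [Yy]es) echo infected ;;
        [Nn]o)  echo clean ;;
        *)      echo unscanned; return 1 ;;
    esac
}

main() {
    if uses_clamdscan; then echo "clamassassin: CLAMSCAN points at clamdscan"
    else echo "clamassassin: CLAMSCAN still points at the bundled clamscan (or is missing)"; fi
    if scanmail_enabled; then echo "clamd.conf: ScanMail is on"
    else echo "clamd.conf: ScanMail is off, clamd will not unpack mail"; fi
    echo "EICAR message through $CLAMASSASSIN: $(eicar_message | scan_verdict)"
}

# Run the live checks only when invoked with --run, so the functions can be
# sourced or tested on a box without clamd installed.
case ${1:-} in --run) main ;; esac
```

Run it as `sh check_clamd_switch.sh --run` on the mail server; the last line answers post 19 directly: "infected" means the filter is working and the :0: recipe will drop the message, "clean" means the scan ran but did not match, and "unscanned" means the message passed through without any X-Virus-Status header, so either clamdscan could not reach the clamd socket or the CLAMSCAN= edit did not take effect.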
     
  20. till

    till Super Moderator
