CLAMSCAN taking up 100% of our CPU

First off, I know pretty much nothing about Linux, so please take that into consideration. (any proposal or requests for information must come with step-by-step on how to get them):

We have an SMTP gateway server that is set up to receive all of our internet email & then scan it, then forward it on to our Exchange server. Recently emails have been taking longer & longer to arrive until all of a sudden yesterday, they just stopped arriving.

Some information about our setup:

The SMTP gateway is a Linux box that has CLAMSCAN (AV I think) & SpamAssassin installed on it.  I am not sure what else it has installed & what it does with our email (it was set up by an ex-sys admin that is no longer with the company).  When I run the TOP command, I find that CLAMSCAN has a lot of instances running & they top out the CPU at 100+% most of the time.  I have found that if I kill the PIDs related to that, that email slowly begins to trickle in, but then it locks up again until I kill more PIDs.  That being said, I really need to find a way to fix this problem so that our email gets through faster than that (under 2 minutes ideally).  We are getting ready to replace the box with a Windows based gateway, however, for the time being, we need to free up all the pending emails & get this box performing well enough to make us feel comfortable.

Thanks for all your help
rustyrpage asked:
 
grblades commented:
If that does not work then you could disable virus scanning by editing MailScanner.conf and changing :-
Virus Scanning = yes
to
Virus Scanning = no
and then restarting mailscanner.

Obviously this is not the ideal method.
 
Jan Springer commented:
clamscan is the most CPU intensive out of clamscan, clamav module, clamd.

Are you by chance also running mailscanner?
 
rustyrpage (author) commented:
It would appear so as mailscanner shows on the top list.  
 
rustyrpage (author) commented:
By the way, if I just sit here Putty'ed in, I can kill all CLAMSCAN processes & my emails come in immediately (well, within 30-60 seconds)
 
Jan Springer commented:
go to www.mailscanner.info.  read all of the documents.  recommended is updating mailscanner+spamassas+clam (to clamd or clamavmodule).

make sure that you are not using dead RBLs.  verify that DNS is working correctly.  verify that your clam updates are working properly.

what versions of mailscanner, spamassassin and clam are you using?  maybe there is a workaround with your existing implementation.
 
rustyrpage (author) commented:
As I said, any questions or information you need have to come with directions on how to get you that.  I literally have never used Linux.  I am a Windows guy
 
Rance_Hall commented:
one other problem that you may or may not be having, clamav comes with TWO AV scanners.

one called clamscan

and the other called clamdscan

the reason for the difference is:

clamd is a server instance that loads all the virus defs in memory ONCE.

clamdscan asks the server clamd instance to scan the file and return a result.

clamscan loads the virus defs EACH time it's called.

At least one doc I read suggested NOT using clamdscan as there was some problem with clamd.

that problem is LONG since fixed and you should be running clamdscan to scan the files.

if you aren't, that could be your problem by itself.

exactly what does top say?

is it possible that the user permissions are such that clamd can not read the files that the mailer is generating and therefore getting "STUCK" on them instead of skipping them?
 
rustyrpage (author) commented:
Any of that is possible, but I have no idea how to verify etc.  All I know is that it was working fine & then stopped....nothing could have changed since no one ever touches that box.

As far as upgrading goes, I would really prefer not do any upgrades since we are going to be replacing this box anyway & don't feel comfortable doing an upgrade.

Is there any way to get CLAMSCAN to stop running at all?  Right now I am killing over 50 PIDs of it a minute just to keep email flowing.
 
grblades commented:
_jesper_ is correct. I run MailScanner myself as well.

I think you will find that Mailscanner is capable of working better than any Windows based system but I can understand you wanting to switch if you are not very familiar with Linux. The most important thing is that you can support it after all.

Have a look in /etc/MailScanner/MailScanner.conf and there will be a line listing which virus scanners should be used. Can you post the line here.
The line probably lists 'clamav' as an option which means it uses clamscan. You could try changing the option to 'clamavmodule' and then restarting mailscanner (/etc/init.d/MailScanner restart) and seeing if that works. If you have a late enough version which supports clamavmodule then it should start working a bit quicker and at least be in a state where you can continue to use it until you get your replacement.
0
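The check grblades asks for above, as an added example that is not part of the original thread: a small shell script that reads a MailScanner.conf-style file and reports whether scanning is off, runs the `clamscan` binary, or uses one of the in-memory options named in the thread (`clamavmodule`, `clamd`). It assumes the scanner list is the `Virus Scanners` line; the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report how a MailScanner.conf-style
# file configures virus scanning. Key names are matched case-insensitively,
# which is this script's choice, not a statement about MailScanner's parser.

# ms_setting FILE KEY -> print the last uncommented "KEY = value" value
ms_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }' "$1"
}

# ms_clam_mode FILE -> disabled | clamscan | in-memory | other
ms_clam_mode() {
    scanning=$(ms_setting "$1" "Virus Scanning" | tr 'A-Z' 'a-z')
    [ "$scanning" = "no" ] && { echo "disabled"; return 0; }
    mode="other"
    for s in $(ms_setting "$1" "Virus Scanners"); do
        case "$s" in
            clamav) mode="clamscan"; break ;;       # runs the clamscan binary
            clamavmodule|clamd) mode="in-memory" ;; # signatures kept in memory
        esac
    done
    echo "$mode"
}

# Constructed sample input, not the poster's real file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# MailScanner.conf excerpt (constructed)
Virus Scanning = yes
#Virus Scanners = clamavmodule
Virus Scanners = clamav
EOF
echo "Virus Scanners = $(ms_setting "$sample" "Virus Scanners")"
echo "ClamAV mode    = $(ms_clam_mode "$sample")"
```

On the gateway itself the same function would be pointed at the real file: `ms_clam_mode /etc/MailScanner/MailScanner.conf`.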
 
rustyrpage (author) commented:
When I try CD /mailscanner, it says that there is no such file or directory.  But, if I do an LS, it lists it there.  Any ideas?  (once again, I am dumb)
 
Jan Springer commented:
Linux is case sensitive ->

# cd /etc/MailScanner

Note the uppercase 'M' and 'S'
 
Jan Springer commented:
And while we're here:

# cp MailScanner.conf MailScanner.conf.20071009
# nano MailScanner.conf

when open, use <ctrl><w> to search for a string, i.e., virus scanning or clam.  The search is case insensitive.

make your changes and <ctrl><x> to save and <enter>
 
rustyrpage (author) commented:
It was set at ClamAV, I am trying to change it to Module to see what happens...what will the result be?
 
rustyrpage (author) commented:
Now it just has /usr/bin/clamscan taking up 100% of the CPU
 
Jan Springer commented:
You have three choices for immediate action:

1) don't do virus scanning
2) turn off MailScanner, spamassassin and clam completely and turn sendmail/postfix/qmail on
3) upgrade MailScanner, spamassassin and clam

To find out what version of MailScanner you are running:

# MailScanner --lint
 
rustyrpage (author) commented:
Okay, so I put the CLAMAV back (since all emails stopped when I made that change) & then I put in the Antivirus = no to test that.

Do I just type in the # MailScanner --lint on any line?
 
rustyrpage (author) commented:
As an FYI, disabling anti-virus scanning now has me with 20-30 second send/receives.

However, the downside is that we are not running Antivirus on the server.  Are the extensions etc still being blocked?  (granted, my Exchange server can handle some of that)
 
Jan Springer commented:
MailScanner.conf has the extensions listed that it blocks.  Stopping the anti-virus scanner is a separate function.
 
rustyrpage (author) commented:
Thanks for sticking with us on this...it worked fine!  We are in the process of moving all of our mail processing to MX Logic so that we don't have to worry about this issue.

Thanks a bunch!
Question has a verified solution.
