Solved

CLAMSCAN taking up 100% of our CPU

Posted on 2007-10-09
Last Modified: 2013-12-18
First off, I know pretty much nothing about Linux, so please take that into consideration. (any proposal or requests for information must come with step-by-step on how to get them):

We have an SMTP gateway server that is set up to receive all of our internet email & then scan it, then forward it on to our Exchange server.  Recently emails have been taking longer & longer to arrive until all of a sudden yesterday, they just stopped arriving.

Some information about our setup:

The SMTP gateway is a Linux box that has CLAMSCAN (AV I think) & SpamAssassin installed on it.  I am not sure what else it has installed & what it does with our email (it was set up by an ex-sys admin that is no longer with the company).  When I run the TOP command, I find that CLAMSCAN has a lot of instances running & they top out the CPU at 100+% most of the time.  I have found that if I kill the PIDs related to that, that email slowly begins to trickle in, but then it locks up again until I kill more PIDs.  That being said, I really need to find a way to fix this problem so that our email gets through faster than that (under 2 minutes ideally).  We are getting ready to replace the box with a Windows based gateway, however, for the time being, we need to free up all the pending emails & get this box performing well enough to make us feel comfortable.

Thanks for all your help
0
Comment
Question by:rustyrpage
19 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 20043854
clamscan is the most CPU intensive out of clamscan, clamav module, clamd.

Are you by chance also running mailscanner?
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 20043875
It would appear so as mailscanner shows on the top list.  
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 20043879
By the way, if I just sit here Putty'ed in, I can kill all CLAMSCAN processes & my emails come in immediately (well, within 30-60 seconds)
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 20043984
go to www.mailscanner.info.  read all of the documents.  recommended is updating mailscanner+spamassassin+clam (to clamd or clamavmodule).

make sure that you are not using dead RBLs.  verify that DNS is working correctly.  verify that your clam updates are working properly.

what versions of mailscanner, spamassassin and clam are you using?  maybe there is a workaround with your existing implementation.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 20044015
As I said, any questions or information you need have to come with directions on how to get you that.  I literally have never used Linux.  I am a Windows guy
0
 
LVL 8

Expert Comment

by:Rance_Hall
ID: 20044125
one other problem that you may or may not be having, clamav comes with TWO AV scanners.

one called clamscan

and the other called clamdscan

the reason for the difference is:

clamd is a server instance that loads all the virus defs in memory ONCE.

clamdscan asks the server clamd instance to scan the file and return a result.

clamscan loads the virus defs EACH time it's called.

At least one doc I read suggested NOT using clamdscan as there was some problem with clamd.

that problem is LONG since fixed and you should be running clamdscan to scan the files.

if you aren't, that could be your problem by itself.

exactly what does top say?

is it possible that the user permissions are such that clamd can not read the files that the mailer is generating and therefore getting "STUCK" on them instead of skipping them?
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 20044198
Any of that is possible, but I have no idea how to verify etc.  All I know is that it was working fine & then stopped....nothing could have changed since no one ever touches that box.

As far as upgrading goes, I would really prefer not do any upgrades since we are going to be replacing this box anyway & don't feel comfortable doing an upgrade.

Is there any way to get CLAMSCAN to stop running at all?  Right now I am killing over 50 PIDs of it a minute just to keep email flowing.
0
 
LVL 36

Expert Comment

by:grblades
ID: 20044211
_jesper_ is correct. I run MailScanner myself as well.

I think you will find that Mailscanner is capable of working better than any Windows based system but I can understand you wanting to switch if you are not very familiar with Linux. The most important thing is that you can support it after all.

Have a look in /etc/MailScanner/MailScanner.conf and there will be a line listing which virus scanners should be used. Can you post the line here.
The line probably lists 'clamav' as an option which means it uses clamscan. You could try changing the option to 'clamavmodule' and then restarting mailscanner (/etc/init.d/MailScanner restart) and seeing if that works. If you have a late enough version which supports clamavmodule then it should start working a bit quicker and at least be in a state where you can continue to use it until you get your replacement.
0
 
LVL 36

Accepted Solution

by:
grblades earned 2000 total points
ID: 20044238
If that does not work then you could disable virus scanning by editing MailScanner.conf and changing :-
Virus Scanning = yes
to
Virus Scanning = no
and then restarting mailscanner.

Obviously this is not the ideal method.
0
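The checks suggested in the two answers above (which scanner MailScanner.conf selects, and whether virus scanning is switched off) can be done without editing anything. The script below is an added example, not code from any poster in this thread; the function names are hypothetical, `Virus Scanners` is assumed to be the name of the "line listing which virus scanners should be used", and the sample config and process list are constructed.

```shell
#!/bin/sh
# Added example: read-only triage of the MailScanner settings named in the thread.

# Print the value of a "Key = value" setting, skipping comment lines.
# $1 = config file, $2 = setting name; the last occurrence is printed.
ms_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Classify the anti-virus setup: disabled, clamscan (signatures reloaded on
# every run), in-memory (clamavmodule or clamd), unset, or other.
ms_av_mode() {
    scanning=$(ms_setting "$1" "Virus Scanning" | tr '[:upper:]' '[:lower:]')
    scanners=$(ms_setting "$1" "Virus Scanners" | tr '[:upper:]' '[:lower:]')
    if [ "$scanning" = "no" ]; then echo "disabled"; return 0; fi
    case " $scanners " in
        *" clamav "*)                   echo "clamscan" ;;
        *" clamavmodule "*|*" clamd "*) echo "in-memory" ;;
        "  ")                           echo "unset" ;;
        *)                              echo "other" ;;
    esac
}

# Count clamscan processes in `ps -eo comm=` output read from stdin.
count_clamscan() {
    awk '$1 == "clamscan" { n++ } END { print n + 0 }'
}

# Constructed sample input (not taken from the poster's server).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'Virus Scanning = yes' \
    'Virus Scanners = clamav' > "$sample"
echo "AV mode: $(ms_av_mode "$sample")"
echo "clamscan processes: $(printf 'clamscan\nclamscan\nclamd\n' | count_clamscan)"
rm -f "$sample"
```

On the gateway itself the same functions would be pointed at the real inputs: `ms_av_mode /etc/MailScanner/MailScanner.conf` and `ps -eo comm= | count_clamscan`. A result of `disabled` means attachments reach the Exchange server without gateway virus scanning.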
 
LVL 6

Author Comment

by:rustyrpage
ID: 20044266
When I try CD /mailscanner, it says that there is no such file or directory.  But, if I do an LS, it lists it there.  Any ideas?  (once again, I am dumb)
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 20044286
Linux is case sensitive ->

# cd /etc/MailScanner

Note the uppercase 'M' and 'S'
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 20044297
And while we're here:

# cp MailScanner.conf MailScanner.conf.20071009
# nano MailScanner.conf

when open, use <ctrl><w> to search for a string, i.e., virus scanning or clam.  The search is case insensitive.

make your changes and <ctrl><x> to save and <enter>
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 20044313
It was set at ClamAV, I am trying to change it to Module to see what happens...what will the result be?
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 20044328
Now it just has /usr/bin/clamscan taking up 100% of the CPU
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 20044355
You have three choices for immediate action:

1) don't do virus scanning
2) turn off MailScanner, spamassassin and clam completely and turn sendmail/postfix/qmail on
3) upgrade MailScanner, spamassassin and clam

To find out what version of MailScanner you are running:

# MailScanner --lint
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 20044402
Okay, so I put the CLAMAV back (since all emails stopped when I made that change) & then I put in the Antivirus = no to test that.

Do I just type in the # MailScanner --lint on any line?
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 20044501
As an FYI, disabling anti-virus scanning now has me with 20-30 second send/receives.

However, the downside is that we are not running Antivirus on the server.  Are the extensions etc still being blocked?  (granted, my Exchange server can handle some of that)
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 20044577
MailScanner.conf has the extensions listed that it blocks.  Stopping the anti-virus scanner is a separate function.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 20051819
Thanks for sticking with us on this...it worked fine!  We are in the process of moving all of our mail processing to MX Logic so that we don't have to worry about this issue.

Thanks a bunch!
0
