Mailing List Archive

[clamav-users] clamonacc loop
LS,

I noticed a significant degradation of the performance on my systems,
which ended when I stopped clamonacc.

As I looked further, it seems that clamonacc is constantly looping
around the same file. As far as I can tell, the last file it scanned -
but not sure about that. I can easily reproduce that by using .bash_history.
After a command, say top, I stopped that and clamonacc keeps on
displaying 'performing scan....'.

As another process is also running and updating a file - which I have
excluded but is not (.BOINC Manager) - it displays the scanning of that
other file, and resumes by scanning .bash_history over and over again.

This happens also with any other file.

Remedy: disable clamonacc or go back to 0.101.5.

Regards, Frans.


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] clamonacc loop
On 23-11-2019 13:04, Frans de Boer wrote:
> LS,
>
> I noticed a significant degradation of the performance on my systems,
> which ended when I stopped clamonacc.
>
> As I looked further, it seems that clamonacc is constantly looping
> around the same file. As far as I can tell, the last file it scanned -
> but not sure about that. I can easily reproduce that by using
> .bash_history.
> After a command, say top, I stopped that and clamonacc keeps on
> displaying 'performing scan....'.
>
> As another process is also running and updating a file - which I have
> excluded but is not (.BOINC Manager) - it displays the scanning of
> that other file, and resumes by scanning .bash_history over and over
> again.
>
> This happens also with any other file.
>
> Remedy: disable clamonacc or go back to 0.101.5.
>
> Regards, Frans.

Hm, no single reaction. Am I the only one?

---Frans.


Re: [clamav-users] clamonacc loop
Hi there,

On Tue, 10 Dec 2019, Frans de Boer wrote:
> On 23-11-2019 13:04, Frans de Boer wrote:
>
>> I noticed a significant degradation of the performance on my systems, which
>> ended when I stopped clamonacc.
>>
>> As I looked further, it seems that clamonacc is constantly looping around
>> the same file. As far as I can tell, the last file it scanned - but not
>> sure about that. I can easily reproduce that by using .bash_history.
>> After a command, say top, I stopped that and clamonacc keeps on displaying
>> 'performing scan....'.
>>
>> As another process is also running and updating a file - which I have
>> excluded but is not (.BOINC Manager) - it displays the scanning of that
>> other file, and resumes by scanning .bash_history over and over again.
>>
>> This happens also with any other file.
>>
>> Remedy: disable clamonacc or go back to 0.101.5.

Or don't do pointless scans. Do you really expect that some malicious
actor is going to try to subvert your bash history?! In a multi-user,
multi-tasking operating system, operating normally, there must be
thousands of examples of files and other resources which are accessed
repeatedly by the operating system and/or user processes, perhaps in
the background. If you tell clamonacc to scan them every time they're
accessed, then that's what it's going to try to do. Perhaps what you
see is not something which 0.102 does wrong, but what earlier versions
weren't doing right. I've never used clamonacc, and have no intention
of doing so, so I'm afraid I can't say.

> Hm, no single reaction. Am I the only one?

If you really are the only one suffering from this issue, perhaps a
very clean install is called for. Remove all old libraries, binaries,
configuration files etc. before doing a clean install from source, and
see what happens.

--

73,
Ged.

Re: [clamav-users] clamonacc loop
On 11-12-2019 11:37, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Tue, 10 Dec 2019, Frans de Boer wrote:
>> On 23-11-2019 13:04, Frans de Boer wrote:
>>
>>> I noticed a significant degradation of the performance on my
>>> systems, which ended when I stopped clamonacc.
>>>
>>> As I looked further, it seems that clamonacc is constantly looping
>>> around the same file. As far as I can tell, the last file it scanned
>>> - but not sure about that. I can easily reproduce that by using
>>> .bash_history.
>>> After a command, say top, I stopped that and clamonacc keeps on
>>> displaying 'performing scan....'.
>>>
>>> As another process is also running and updating a file - which I
>>> have excluded but is not (.BOINC Manager) - it displays the scanning
>>> of that other file, and resumes by scanning .bash_history over and
>>> over again.
>>>
>>> This happens also with any other file.
>>>
>>> Remedy: disable clamonacc or go back to 0.101.5.
>
> Or don't do pointless scans.  Do you really expect that some malicious
> actor is going to try to subvert your bash history?!  In a multi-user,
> multi-tasking operating system, operating normally, there must be
> thousands of examples of files and other resources which are accessed
> repeatedly by the operating system and/or user processes, perhaps in
> the background.  If you tell clamonacc to scan them every time they're
> accessed, then that's what it's going to try to do.  Perhaps what you
> see is not something which 0.102 does wrong, but what earlier versions
> weren't doing right.  I've never used clamonacc, and have no intention
> of doing so, so I'm afraid I can't say.
>
>> Hm, no single reaction. Am I the only one?
>
> If you really are the only one suffering from this issue, perhaps a
> very clean install is called for.  Remove all old libraries, binaries,
> configuration files etc. before doing a clean install from source, and
> see what happens.
>
- I did already (many times, I may add) remove all associated files, to
no avail.
- I did exclude the whole boinc directory, but still it gets scanned by
clamonacc.
- Every 4-6 hours I scan if there are new files in various repositories
and one machine is used as a NAS, to serve all kinds of devices,
including Windows systems. I have thus also the obligation to protect
those users from malware, using an online malware scanner.

The 0.101 series and before had extrascanning enabled - it worked in the
past, at some memory cost. Now, I can't even have onAccess only without
a great loss of performance. Leaving systems vulnerable.

So, yes, every time a file is accessed it should check if it is only
accessing (opening) a file, or that a write/modify is in place. In the
latter case, it should scan the contents afterwards. If only opening, or
subsequent reads without prior writes, it can check the hash only. Ok,
there is a little more to it, but above is simplified.

I now can only scan twice a day: during lunch break a short scan and
after business hours, a long scan.

--- Frans.
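
The policy described in the message above (full scan after a write, hash comparison on a plain open), sketched as an added example that is not part of the original post and is not ClamAV code. The event names, the `OnAccessPolicy` class and the marker-based toy scanner are assumptions made for illustration.

```python
import hashlib

# Constructed marker standing in for a real signature database.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"

def toy_scan(data):
    """Stand-in for the expensive engine scan (hypothetical)."""
    return "FOUND" if MARKER in data else "OK"

class OnAccessPolicy:
    """Full scan after a write; hash comparison only on a plain open."""

    def __init__(self, scan=toy_scan):
        self.scan = scan
        self.cache = {}        # path -> (sha256 hex digest, verdict)
        self.full_scans = 0    # how often the engine really ran

    def _full_scan(self, path, data, digest):
        self.full_scans += 1
        verdict = self.scan(data)
        self.cache[path] = (digest, verdict)
        return verdict

    def handle(self, event, path, data):
        # Hashing still reads the whole file: this saves engine time, not I/O.
        digest = hashlib.sha256(data).hexdigest()
        if event == "close_write":
            # Content may have changed: rescan and refresh the cache.
            return self._full_scan(path, data, digest)
        if event == "open":
            cached = self.cache.get(path)
            if cached and cached[0] == digest:
                return cached[1]          # unchanged since the last scan
            # Never scanned, or changed without a write event being seen.
            return self._full_scan(path, data, digest)
        raise ValueError("unknown event: " + event)

def replay(events):
    """Run constructed (event, path, data) tuples; return verdicts and scan count."""
    policy = OnAccessPolicy()
    verdicts = [policy.handle(*e) for e in events]
    return verdicts, policy.full_scans

# Constructed event stream: repeated opens, one write, one unobserved change.
HIST = "/home/user/.bash_history"
SAMPLE_EVENTS = [
    ("open", HIST, b"top\n"), ("open", HIST, b"top\n"), ("open", HIST, b"top\n"),
    ("close_write", HIST, b"top\nls\n"), ("open", HIST, b"top\nls\n"),
    ("open", HIST, b"top\nls\n" + MARKER),
]
```

Replaying `SAMPLE_EVENTS` runs the engine three times for six events; the repeated opens of an unchanged file are answered from the cache.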


Re: [clamav-users] clamonacc loop
Hi there,

On Wed, 11 Dec 2019, Frans de Boer wrote:

> - I did exclude the whole boinc directory, but still it gets scanned by
> clamonacc.

I think I remember that there was an issue with unwanted scans which
was mentioned in posts on this list very recently, have you searched
the archives for other posts about on-access scanning?

> - Every 4-6 hours I scan if there are new files in various repositories
> and one machine is used as a NAS, to serve all kinds of devices,
> including Windows systems. I have thus also the obligation to protect
> those users from malware, using an online malware scanner.

In my opinion, in that sort of situation simply scanning with ClamAV
is not adequate. You need more than one form of malware protection.

> The 0.101 series and before had extrascanning enabled - it worked in the
> past ...

I agree that for NAS applications it seems better to scan on writing
the files to the storage rather than just when reading them. Do you
mean that the OnAccessExtraScanning option no longer works? Do you
have Dynamic Directory Determination enabled (OnAccessDisableDDD=no)?
Perhaps you should post your full clamd.conf file.

> ... at some memory cost.

What was the memory cost? Do you have measurements of the various
contributions to memory consumption from the ClamAV utilities? Do
you monitor memory consumption in some way, such as Nagios/Icinga?

--

73,
Ged.
