Mailing List Archive

[clamav-users] clamav overload ec2 instances
Hi, I use clamav in AWS ec2 instances c5.large. When I run the clamscan
command /home/user/testfile the CPU usage is triggered and the instance
stops responding.

Here is my config:

clamd --version
ClamAV 0.103.6/26606/Tue Jul 19 04:57:30 2022


LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 30
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 120000
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OnAccessMaxFileSize 5M

Any ideas??
Re: [clamav-users] clamav overload ec2 instances
Hi there,

On Tue, 19 Jul 2022, Emanuel Gonzalez wrote:

> Hi, I use clamav in AWS ec2 instances c5.large. When I run the clamscan
> command /home/user/testfile the CPU usage is triggered and the instance stops
> responding.
>
> Here is my config:
>
> clamd --version
> ClamAV 0.103.6/26606/Tue Jul 19 04:57:30 2022
> ...

It would help if you were clearer about exactly what you are doing.

How much RAM do you have available? If you are using the 'official'
signature database you probably need at least 3, preferably 4 GBytes,
as loading ten million signatures will use about a gigabyte of RAM.

Loading ten million signatures takes a while. The 'clamd' daemon does
that when it starts and when the signatures are updated (about daily
for the 'official' signature database). The 'clamscan' utility does
it every time you run it. The 'clamdscan' utility never does it.

The 'clamdscan' utility uses 'clamd', but 'clamscan' does not.

Please show us the exact command which you use when the problem appears.

If you are running a clamd daemon *and* if you are really running
'clamscan' and not 'clamdscan' then you are probably using twice as
much memory as you need to - not to mention having to wait for the
clamscan process to read ten million signatures every time it runs.

--

73,
Ged.
Re: [clamav-users] clamav overload ec2 instances
Hi Emanuel,

I see you mention clamd and provide a clamd.conf file. But then you say you're running clamscan, which doesn't require clamd and loads the databases itself. So, if you have clamd running (uses a bunch of RAM to load databases) and then use clamscan (also uses a bunch of RAM to load the databases) instead of clamDscan (which would just send scan requests to clamd) -- yeah, I could see that running your container out of memory.

Try using clamdscan instead of clamscan -- or shut down clamd and only use clamscan.

Cheers,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
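
Added example, not part of the original thread and not ClamAV project code: a small shell wrapper that applies the advice in the replies above by sending scans to clamd through clamdscan when the daemon is up, and falling back to clamscan only when there is room for a private copy of the signature database. The clamd.conf path, the function names and the use of the thread's "about a gigabyte" figure as a threshold are assumptions.

```shell
#!/bin/sh
# Added example: load the signature database only once per host.
CLAMD_CONF="${CLAMD_CONF:-/etc/clamav/clamd.conf}"  # assumed path
DB_RAM_KB=1048576  # ~1 GiB per loaded database copy (figure quoted in the thread)

# Print the LocalSocket path from a clamd.conf-style file.
local_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# Print MemAvailable in kB from a /proc/meminfo-style file.
mem_available_kb() {
    awk '$1 == "MemAvailable:" { print $2; exit }' "${1:-/proc/meminfo}"
}

# Heuristic: clamd counts as running when its configured socket exists.
# A stale socket left by a crashed daemon would fool this check.
clamd_running() {
    sock=$(local_socket "$CLAMD_CONF" 2>/dev/null) || sock=""
    if [ -n "$sock" ] && [ -S "$sock" ]; then echo yes; else echo no; fi
}

# choose_scanner <clamd running: yes|no> <available kB>
choose_scanner() {
    if [ "$1" = yes ]; then
        echo clamdscan   # clamd already holds the database in RAM
    elif [ "${2:-0}" -ge "$DB_RAM_KB" ]; then
        echo clamscan    # no daemon, and room for one private copy
    else
        echo none        # a second copy would exhaust memory
    fi
}

# scan <file>...: run whichever front end avoids a duplicate database load.
scan() {
    tool=$(choose_scanner "$(clamd_running)" "$(mem_available_kb)")
    case $tool in
        clamdscan) clamdscan --fdpass "$@" ;;  # pass the fd: clamd runs as User clamav
        clamscan)  clamscan "$@" ;;
        *) echo "not enough free RAM to load the signature database" >&2
           return 3 ;;
    esac
}
```

Source the file and call `scan /home/user/testfile`; the `--fdpass` option lets clamd, which runs as the clamav user in the posted config, read a file it could not otherwise open.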
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Emanuel Gonzalez <emanuel.gonzalez@donweb.com>
Sent: Tuesday, July 19, 2022 10:29 AM
To: clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>
Subject: [clamav-users] clamav overload ec2 instances