[clamav-users] clamd using up all cpu on certain hosts

Micah Snyder (micasnyd) micasnyd at cisco.com
Tue Nov 20 15:06:11 UTC 2018


lukn,

Sorry about all the trouble.  I wish I knew more about what was happening.  I hope it's not a legitimate bug slipping by.  Let us know if you end up finding anything else.

Regards,
Micah


On Nov 20, 2018, at 2:40 AM, lukn <lukn555 at gmail.com> wrote:

Hi Micah and Henrik

I'm slowly getting to the conclusion that the old hosts are reaching EOL
which would explain the misbehaviour (just got a few inexplicable SSH
connection losses...).

grep -v '^$' clamd.conf | grep -v '^#'
LogSyslog yes
LogFacility LOG_MAIL
LogVerbose yes
TCPSocket 3310
TCPAddr 127.0.0.1
User clamav

As to Henrik's suggestion to use strace - now it gets really spooky.
Once executed under strace it took less than 2mins for clamd to start
up normally and then run as expected without hogging the CPU. Of course :-/

I'd say: never mind those old boxes, gotta replace them anyway
eventually...

thx
lukn

On 16.11.18 20:45, Micah Snyder (micasnyd) wrote:
That is... bizarre. What does your clamd configuration look like?  Specifically, do you have `ScanOnAccess` enabled and set to watch specific mount or directory paths?

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Nov 16, 2018, at 9:52 AM, lukn <lukn555 at gmail.com> wrote:

Hello list

I'm having a weird CPU hogging issue here. I'm running some servers as
VM hosts based on CentOS7 with qemu/kvm. On these I'm running various
VMs with CentOS 7 and legacy CentOS 6 (all have latest updates
installed). All of them are running clamd 0.100.2 which got installed
from a self compiled RPM (built from official source, no patches), so
software on all hosts and VMs should be identical.

However, in VMs on one host machine, clamd is idling, on the other it's
running at 200-350% CPU (4 vcores) according to top - even when there is
nothing to be scanned.

If I migrate a VM from the "idle" to the "busy" host, their clamd starts
to spin too. If I migrate a VM from the "busy" to the "idle" host, clamd
remains quiet.

The only noticeable difference between clamd going nuts and clamd
staying calm is the CPU of the host system:

busy:
model name      : Intel(R) Xeon(R) CPU           E5645  @ 2.40GHz

idle:
model name      : Intel(R) Xeon(R) CPU E5-2650 v3 @ 2.30GHz


As mentioned, clamd is installed from a self compiled rpm, this is the
%build section of the spec file, nothing fancy in there:

%build
./configure --prefix=%{_prefix} --enable-milter
make check
make

The issue only occurred recently... maybe some borked signature?
Any ideas?

regards
lukn
_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


