[clamav-users] clamonacc loop

Frans de Boer frans at fransdb.nl
Wed Dec 11 13:45:33 UTC 2019


On 11-12-2019 11:37, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Tue, 10 Dec 2019, Frans de Boer wrote:
>> On 23-11-2019 13:04, Frans de Boer wrote:
>>
>>> I noticed a significant degradation of the performance on my 
>>> systems, which ended when I stopped clamonacc.
>>>
>>> As I looked further, it seems that clamonacc is constantly looping 
>>> around the same file. As far as I can tell, the last file it scanned 
>>> - but not sure about that. I can easily reproduce that by using 
>>> .bash_history.
>>> After a command, say top, I stopped that and clamonacc keeps on 
>>> displaying 'performing scan....'.
>>>
>>> As another process is also running and updating a file - which I 
>>> have excluded but is not (.BOINC Manager) - it displays the scanning 
>>> of that other file, and resumes by scanning .bash_history over and 
>>> over again.
>>>
>>> This happens also with any other file.
>>>
>>> Remedy: disable clamonacc or go back to 0.101.5.
>
> Or don't do pointless scans.  Do you really expect that some malicious
> actor is going to try to subvert your bash history?!  In a multi-user,
> multi-tasking operating system, operating normally, there must be
> thousands of examples of files and other resources which are accessed
> repeatedly by the operating system and/or user processes, perhaps in
> the background.  If you tell clamonacc to scan them every time they're
> accessed, then that's what it's going to try to do.  Perhaps what you
> see is not something which 0.102 does wrong, but what earlier versions
> weren't doing right.  I've never used clamonacc, and have no intention
> of doing so, so I'm afraid I can't say.
>
>> Hm, no single reaction. Am I the only one?
>
> If you really are the only one suffering from this issue, perhaps a
> very clean install is called for.  Remove all old libraries, binaries,
> configuration files etc. before doing a clean install from source, and
> see what happens.
>
- I did already (many times I may add) remove all associated files, to 
no avail.
- I did exclude the whole boinc directory, but still it gets scanned by 
clamonacc.
- Every 4-6 hours I scan if there are new files in various repositories 
and one machine is used as a NAS, to serve all kinds of devices, 
including Windows systems. I have thus also the obligation to protect 
those users from malware, using an online malware scanner.

The 0.101 series and before had extrascanning enabled - it worked in the 
past, at some memory cost. Now, I can't even have onAccess only without 
a great loss of performance. Leaving systems vulnerable.

So, yes, every time a file is accessed it should check if it is only 
accessing (opening) a file, or that a write/modify is in place. In the 
latter case, it should scan the contents afterwards. If only opening, or 
subsequent reads without prior writes, it can check the hash only. Ok, 
there is a little more to it, but above is simplified.

I now can only scan twice a day: during lunch break a short scan and 
after business hours, a long scan.

--- Frans.
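
The access policy sketched in the message above (rescan after a write, hash check otherwise), as an added example that is not part of the original post and is not clamonacc's implementation. `OnAccessCache`, its event method names, the toy scanner and the marker string are hypothetical and constructed for illustration.

```python
import hashlib
import os
import tempfile

class OnAccessCache:
    """Reuses a verdict while content is unchanged; rescans after a write."""

    def __init__(self, scan):
        self.scan = scan      # callable(bytes) -> bool, True = clean (stand-in engine)
        self.verdicts = {}    # sha256 hex digest -> verdict of that exact content
        self.dirty = set()    # paths written since their last scan

    def _load(self, path):
        with open(path, "rb") as fh:
            data = fh.read()
        return data, hashlib.sha256(data).hexdigest()

    def _full_scan(self, path, data, digest):
        self.verdicts[digest] = self.scan(data)
        self.dirty.discard(path)
        return "scanned", self.verdicts[digest]

    def on_modify(self, path):
        # A write was seen: the cached verdict must not be trusted for this path.
        self.dirty.add(path)

    def on_close_write(self, path):
        # Writer is done: scan the new contents once.
        return self._full_scan(path, *self._load(path))

    def on_open(self, path):
        data, digest = self._load(path)
        if path not in self.dirty and digest in self.verdicts:
            return "hash-only", self.verdicts[digest]   # no engine call
        return self._full_scan(path, data, digest)

def demo():
    calls = []
    def toy_scan(data):       # constructed stand-in for the scan engine
        calls.append(len(data))
        return b"CONSTRUCTED-BAD-MARKER" not in data
    cache = OnAccessCache(toy_scan)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "history")     # constructed sample file
        with open(path, "wb") as fh:
            fh.write(b"top\n")
        actions = [cache.on_open(path)[0] for _ in range(3)]   # repeated opens
        with open(path, "ab") as fh:
            fh.write(b"ls\n")
        cache.on_modify(path)
        actions.append(cache.on_close_write(path)[0])
        actions.append(cache.on_open(path)[0])
    return actions, len(calls)

if __name__ == "__main__":
    print(demo())
```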
