[clamav-users] How to boost clamav? Reloading database results in a talking timeout?

G.W. Haywood clamav at jubileegroup.co.uk
Thu Sep 5 09:35:04 UTC 2019 

Hi there,

On Thu, 5 Sep 2019, Thomas Barth via clamav-users wrote:

> freshclam just downloads the standard databases to keep them fresh.
>
> In /etc/clamav/freshclam.conf you can set the check interval. That s ok.
> # Check for new database 24 times a day
> Checks 24

Good so far.

> But it s /usr/sbin/clamd who loads the databases into memory.

Yes.

> In /etc/clamav/clamd.conf there should be a value of 12 for an every
> two hour load, right?

No.

> It seems that the two hour loading is hardcoded in the daemon.

No.  There are two ways to trigger reloading the databases.

One is to set the 'SelfCheck' interval.  The other is to send a
'RELOAD' command on the port or socket on which the daemon is
listening.  For example if the daemon is listening on TCP port
127.0.0.1:3311 manually I might do this at a shell prompt:

$ /bin/echo 'RELOAD' | /bin/nc localhost 3311 | /usr/bin/logger -p mail.debug 2>&1

The 'SelfCheck' interval tells the daemon to reload the databases only
if something has changed:

mail6:~$ >>> grep 'SelfCheck' /var/log/mail.debug ...
Sep  4 02:15:12 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep  4 03:37:14 mail6 clamd[7689]: SelfCheck: Database status OK.
Sep  4 05:02:02 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep  4 06:24:14 mail6 clamd[7689]: SelfCheck: Database status OK.
Sep  4 07:49:13 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep  4 09:11:11 mail6 clamd[7689]: SelfCheck: Database modification detected. Forcing reload.
Sep  4 10:36:12 mail6 clamd[5479]: SelfCheck: Database modification detected. Forcing reload.
Sep  4 12:03:14 mail6 clamd[7689]: SelfCheck: Database modification detected. Forcing reload.
Sep  4 13:27:12 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep  4 14:54:15 mail6 clamd[7689]: SelfCheck: Database status OK.
Sep  4 16:14:12 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep  4 17:41:14 mail6 clamd[7689]: SelfCheck: Database status OK.
Sep  4 19:01:12 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep  4 20:28:14 mail6 clamd[7689]: SelfCheck: Database status OK.
Sep  4 21:48:12 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep  4 23:15:14 mail6 clamd[7689]: SelfCheck: Database modification detected. Forcing reload.
Sep  5 00:35:12 mail6 clamd[5479]: SelfCheck: Database modification detected. Forcing reload.
Sep  5 02:07:14 mail6 clamd[7689]: SelfCheck: Database modification detected. Forcing reload.
Sep  5 03:26:12 mail6 clamd[5479]: SelfCheck: Database modification detected. Forcing reload.
Sep  5 04:59:14 mail6 clamd[7689]: SelfCheck: Database status OK.
Sep  5 06:17:12 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep  5 07:46:14 mail6 clamd[7689]: SelfCheck: Database status OK.
Sep  5 09:04:12 mail6 clamd[5479]: SelfCheck: Database modification detected. Forcing reload.

I PING the daemons every minute.  I've patched the, er, patched daemon
also to reply in lower case to PING commands, so that I can see which
one replies when.

Here's my *unpatched* daemon reloading this morning:

Sep  5 09:02:12 mail6 root: PONG
Sep  5 09:02:14 mail6 root: pong
Sep  5 09:03:12 mail6 root: PONG
Sep  5 09:03:14 mail6 root: pong
Sep  5 09:04:12 mail6 clamd[5479]: SelfCheck: Database modification detected. Forcing reload.
Sep  5 09:04:14 mail6 clamd[5479]: Reading databases from /etc/mail/clamav
Sep  5 09:04:14 mail6 root: pong
Sep  5 09:05:14 mail6 root: pong
Sep  5 09:06:14 mail6 root: pong
Sep  5 09:07:14 mail6 root: pong
Sep  5 09:07:59 mail6 clamd[5479]: Database correctly reloaded (8869225 signatures)
Sep  5 09:05:12 mail6 root: PONG
Sep  5 09:06:12 mail6 root: PONG
Sep  5 09:04:12 mail6 root: PONG
Sep  5 09:07:12 mail6 root: PONG
Sep  5 09:08:12 mail6 root: PONG
Sep  5 09:08:14 mail6 root: pong
Sep  5 09:09:12 mail6 root: PONG
Sep  5 09:09:14 mail6 root: pong
Sep  5 09:10:12 mail6 root: PONG

Here's the *patched daemon reloading:

Sep  5 02:06:12 mail6 root: PONG
Sep  5 02:06:14 mail6 root: pong
Sep  5 02:07:12 mail6 root: PONG
Sep  5 02:07:14 mail6 clamd[7689]: SelfCheck: Database modification detected. Forcing reload.
Sep  5 02:07:14 mail6 clamd[7689]: Reading databases from /etc/mail/clamav
Sep  5 02:07:14 mail6 root: pong
Sep  5 02:08:12 mail6 root: PONG
Sep  5 02:08:14 mail6 root: pong
Sep  5 02:09:12 mail6 root: PONG
Sep  5 02:09:14 mail6 root: pong
Sep  5 02:10:12 mail6 root: PONG
Sep  5 02:10:14 mail6 root: pong
Sep  5 02:11:12 mail6 root: PONG
Sep  5 02:11:14 mail6 root: pong
Sep  5 02:11:35 mail6 clamd[7689]: Database correctly reloaded (8871522 signatures)
Sep  5 02:12:12 mail6 root: PONG
Sep  5 02:12:14 mail6 root: pong
Sep  5 02:13:12 mail6 root: PONG
Sep  5 02:13:14 mail6 root: pong
Sep  5 02:14:12 mail6 root: PONG
Sep  5 02:14:14 mail6 root: pong

See the difference?

The patched daemon does what you want.  The unpatched one doesn't.

-- 

73,
Ged.

More information about the clamav-users mailing list