[clamav-users] clamscan suddenly taking 25 minutes for a single mail

Eddie stunnel at attglobal.net
Tue Apr 6 19:40:46 UTC 2021 

I can go back to bed and sleep.  :-)

The only thing that runs on this server is the POP3 proxy code, nothing 
else.  And freshclam didn't pull any new signatures until after the 
slowdown started.  And take this with the same grain of salt I used to, 
when I worked support:  No, nothing was changed and the VM is healthy.

Running --debug and tail'ing the output, these are the 2 points that 
seem to account for almost all the 25 minutes:

--- Big snip ---

LibClamAV debug: Matcher[13]: INTERNAL: AC sigs: 0 (reloff: 0, absoff: 
0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) 
maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[14]: OTHER: AC sigs: 0 (reloff: 0, absoff: 0) 
BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) 
maxpatlen 0 (ac_only mode)

---Very long wait here ---

LibClamAV debug: Building regex list
LibClamAV debug: Using filter for trie 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Building regex list
LibClamAV debug: Using filter for trie 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0

--- More big snip ---

LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: cli_magic_scandesc: returning 0  at line 3202
LibClamAV debug: cache_add: 2e27d1964afc50a27f3b833a85047d8f (level 0)
/root/test.msg: OK

---Very long wait here ---

LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up


Cheers.


On 4/6/2021 11:46 AM, Richard Graham wrote:
>
>     But I'd like to understand why, on Sunday morning, the scan time
>     which had been under a minute per mail, for over 4 months,
>     suddenly jumped to 25 minutes per mail and has remained at that.
>
>
> It's a good question.  Is there any way to reproduce what was 
> happening on Sunday morning?  ... and then compare it to what is 
> happening today?
>
> Has the size/location/access method to clamscan's signatures changed?  
> Is your system (drives, network, etc.) healthy?
>
> On Tue, Apr 6, 2021 at 8:31 PM Eddie <stunnel at attglobal.net 
> <mailto:stunnel at attglobal.net>> wrote:
>
>     Understood, which is why I'm looking to move to clamdscan.
>
>     But I'd like to understand why, on Sunday morning, the scan time
>     which had been under a minute per mail, for over 4 months,
>     suddenly jumped to 25 minutes per mail and has remained at that.
>
>     Cheers.
>
>     On 4/6/2021 10:39 AM, Richard Graham wrote:
>>     Clamscan can spend a looooong time loading signatures, etc.  If
>>     you run your command with strace (or monitor the process with
>>     lsof, etc.) you'll probably see clamscan is busy accessing
>>     signature files.
>>
>>     On Tue, Apr 6, 2021 at 5:44 PM Eddie via clamav-users
>>     <clamav-users at lists.clamav.net
>>     <mailto:clamav-users at lists.clamav.net>> wrote:
>>
>>         A POP3 proxy program I have running on a Debian 10.8 system,
>>         uses
>>         clamscan to check incoming e-mails.  At some point in the
>>         very early
>>         morning (US West Coast time) it suddenly started taking a
>>         very long time
>>         to scan each mail,  So much that the controlling process
>>         would time out
>>         before clamscan finished.  Up to this point it was running fine.
>>
>>         Running a test from the command line, on a very simple 1-line
>>         mail took
>>         around 25 minutes:
>>
>>         root at CleanMail:~# date ; clamscan test.msg -v --no-summary ; date
>>         Mon 05 Apr 2021 11:59:10 AM PDT
>>         Scanning /root/test.msg
>>         /root/test.msg: OK
>>         Mon 05 Apr 2021 12:24:06 PM PDT
>>         root at CleanMail:~#
>>
>>         Looking through the logs, I can't see anything happening in
>>         the period
>>         between the last good scan and the sloooooow ones.
>>
>>         Where should I be going next to track this down.
>>
>>         Cheers.
>>
>>         _______________________________________________
>>
>>         clamav-users mailing list
>>         clamav-users at lists.clamav.net
>>         <mailto:clamav-users at lists.clamav.net>
>>         https://lists.clamav.net/mailman/listinfo/clamav-users
>>         <https://lists.clamav.net/mailman/listinfo/clamav-users>
>>
>>
>>         Help us build a comprehensive ClamAV guide:
>>         https://github.com/vrtadmin/clamav-faq
>>         <https://github.com/vrtadmin/clamav-faq>
>>
>>         http://www.clamav.net/contact.html#ml
>>         <http://www.clamav.net/contact.html#ml>
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20210406/8d35ea0a/attachment.htm>

More information about the clamav-users mailing list