amavis clamscan

Discussion in 'Server Operation' started by olaulau, Dec 13, 2024.

  1. olaulau

    olaulau New Member

    Hi ;

    On my ispconfig host, I'm nearly constantly cpu flooded by clamscan processes, each eating 100% cpu, run by amavis.
    I know it's related to email filtering, but I don't know what are the rules, the configuration for all of that.
    In ISPConfig panel, my domains are configured with specific strategy that like viruses, and bypass virus checking.
    All mail boxes are configured to inherit strategy from their domain.
    But the server is often running clamscan processes from amavis !
    I know I can disable clamav globally but that's not my point, I want to control on which cases (domain / mailbox) I want to run virus scanning, and for the moment I am not able to disable it everywhere from the panel.

    Any tip ?
    Thanks.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This is an indication that the ClamD service is not running, which makes amavis fall back to clamscan. Start the clamav daemon.
     
  3. olaulau

    olaulau New Member

    sorry I forgot to give my conf :
    ubuntu server 22.04 up to date
    ispconfig latest version
    postfix / dovecot / amavis

    I also have those lines in amavis journal :
    Code:
    (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.ctl: No such file or directory
    I tried some things found on internet but nothing changed :
    -
    Code:
    Bytecode off
    for freshclam
    -
    Code:
    LocalSocket /var/run/clamav/clamd.ctl
    for clamd

    here is the status :
    Code:
    # systemctl restart clamav-daemon.service
    # systemctl status clamav-daemon.service
    ● clamav-daemon.service - LSB: ClamAV daemon
         Loaded: loaded (/etc/init.d/clamav-daemon; generated)
        Drop-In: /etc/systemd/system/clamav-daemon.service.d
                 └─extend.conf
         Active: active (exited) since Fri 2024-12-13 12:14:57 CET; 4s ago
           Docs: man:systemd-sysv-generator(8)
        Process: 2967885 ExecStartPre=/bin/mkdir -p /run/clamav (code=exited, status=0/SUCCESS)
        Process: 2967886 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
        Process: 2967887 ExecStart=/etc/init.d/clamav-daemon start (code=exited, status=0/SUCCESS)
            CPU: 8ms
    Dec 13 12:14:57 vm-ispconfig-01.d-l.fr systemd[1]: Starting LSB: ClamAV daemon...
    Dec 13 12:14:57 vm-ispconfig-01.d-l.fr systemd[1]: Started LSB: ClamAV daemon.
    # ps -Af | grep clamd
    root     2969426 2227951  0 12:19 pts/1    00:00:00 grep --color=auto clamd
    
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You must configure ClamAV and Amavis to use the same socket file path and then restart clamd and amavisd.
     
  5. olaulau

    olaulau New Member

    by the way, why would it try to scan for viruses (through the daemon or with a new process) if it should bypass virus scan ?
    are there virus scan for outgoing emails too ?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    If virus scan is done or not is defined in the spamfilter policy that is applied to the account. And yes, amavisd is used for incoming and outgoing emails. But when you fix your clamav/amavis socket issue, then there will be nearly no load from the antivirus scan anyway.
     
  7. olaulau

    olaulau New Member

    Code:
    # grep ctl /etc/clamav/
    clamd.conf         freshclam.conf     onerrorexecute.d/  onupdateexecute.d/
    [email protected]:/etc/amavis# grep ctl /etc/clamav/clamd.conf
    LocalSocket /var/run/clamav/clamd.ctl
    
    Code:
    # systemctl restart clamav-daemon.service clamav-freshclam.service amavis.service amavis-mc.service amavisd-snmp-subagent.service 
    Code:
    # systemctl status clamav-daemon.service
    ● clamav-daemon.service - LSB: ClamAV daemon
         Loaded: loaded (/etc/init.d/clamav-daemon; generated)
        Drop-In: /etc/systemd/system/clamav-daemon.service.d
                 └─extend.conf
         Active: active (exited) since Fri 2024-12-13 12:26:51 CET; 1min 0s ago
           Docs: man:systemd-sysv-generator(8)
        Process: 2972415 ExecStartPre=/bin/mkdir -p /run/clamav (code=exited, status=0/SUCCESS)
        Process: 2972416 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
        Process: 2972418 ExecStart=/etc/init.d/clamav-daemon start (code=exited, status=0/SUCCESS)
            CPU: 12ms
    
    Dec 13 12:26:51 vm-ispconfig-01.d-l.fr systemd[1]: Starting LSB: ClamAV daemon...
    Dec 13 12:26:51 vm-ispconfig-01.d-l.fr systemd[1]: Started LSB: ClamAV daemon.
    Code:
    # ll /var/run/clamav/clamd.ctl
    ls: cannot access '/var/run/clamav/clamd.ctl': No such file or directory
    still having some warnings in amavis journal about the unix socket and some clamscan processes appearing.

    how is the outgoing virus scan working ? is there a global configuration, or set from the panel by domains / mailboxes like incoming emails ?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    For outgoing, it uses amavis defaults. But this is nothing you should really worry about as your whole problem is the missing ClamD socket.

    You must check why ClamD is not opening the socket, see e.g. ClamD log files and syslog. Amavis will of course complain if you tell it to use a non existing socket. Therefore you must fix this in ClamD. E.g. have you checked that there is a directory V at all and that ClamD is able to write there to create the socket?
     
  9. olaulau

    olaulau New Member

    Hi ;
    so I decided to completely remove and reinstall clamav stuff :

    Code:
    apt autoremove --purge clamav*
    apt install clamav-daemon
    after that, it didn't seem to change anything (the socket file was still not present).
    today, it seems the socket is present, and I don't see any clamscan process anymore. the load average also seems to be way more stable (I had a burst of CPU for each email with attachment).

    but ... i sometimes get this :
    which leads again to a clamscan process.
    fixed by :
    Code:
    adduser clamav amavis
    (and restarting the services).

    hope this will be fine now, and that it can help someone.
     
    Last edited: Dec 18, 2024
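
The checks discussed in this thread (the same socket path in the clamd and amavis configs, the socket actually existing, and the `clamav` user being in the `amavis` group), as an added shell example that is not part of any post. The amavis config file name in the comment is an assumption based on the Debian/Ubuntu layout, and the configs written by `demo` are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Usage (amavis path is an assumption):
#   sh check.sh /etc/clamav/clamd.conf /etc/amavis/conf.d/15-av_scanners

# LocalSocket path from a clamd.conf (LocalSocketGroup etc. do not match).
clamd_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# First clamd socket path in an amavis config: the quoted string that follows
# the "CONTSCAN {}\n" command in @av_scanners. Commented-out lines are skipped.
amavis_socket() {
    sed -n -e '/^[[:space:]]*#/d' \
        -e 's/.*CONTSCAN[^,]*,[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# True if user $1 is a member of group $2.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Print one finding per problem; return 0 only if both configs name the same
# path and that path currently exists as a UNIX socket.
check_clamd_socket() {
    c=$(clamd_socket "$1"); a=$(amavis_socket "$2"); rc=0
    [ -n "$c" ] || { echo "NOCONF: no LocalSocket in $1"; return 2; }
    [ -n "$a" ] || { echo "NOCONF: no clamd socket in $2"; return 2; }
    [ "$c" = "$a" ] || { echo "MISMATCH: clamd=$c amavis=$a"; rc=1; }
    [ -S "$c" ] || { echo "MISSING: $c is not a socket"; rc=1; }
    return $rc
}

# Constructed sample configs (not the poster's files): amavis points at a
# different path than clamd, and neither socket exists.
demo() {
    d=$(mktemp -d)
    printf 'LocalSocket %s/clamd.ctl\n' "$d" > "$d/clamd.conf"
    cat > "$d/av_scanners" <<EOF
# ['ClamAV-old', \&ask_daemon, ["CONTSCAN {}\n", "/old/commented.sock"],
['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "$d/clamd.sock"],
EOF
    check_clamd_socket "$d/clamd.conf" "$d/av_scanners"; rc=$?
    rm -rf "$d"; return $rc
}

if [ "$#" -eq 2 ]; then
    check_clamd_socket "$1" "$2"
    user_in_group clamav amavis || echo "clamav is not in group amavis"
else demo || true; fi
```

A `MISSING` finding with matching paths corresponds to the state shown in the thread, where the service reports `active (exited)` but no `clamd` process or socket exists.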
  10. olaulau

    olaulau New Member

    thanks for the help !
     
