Good evening everyone, I have a small VPS server with ISPconfig3 with a total of 4 GB of RAM. My VPS gets stuck when RAM is at the edge - clamscan does this when scanning mails. When no e-mails are in the queue, I have on average 1 GB/4 GB RAM used, but when I have some incoming or outgoing e-mail, RAM is at the maximum and the VPS is stuck for a few minutes. It's very annoying. I read some articles on the internet and tried a few tips on what to do. But nothing works how I want. Do you have some idea how to configure clamav to use less memory? My e-mail flow isn't high - it's a few tens of mails per hour. Thank you for your help.

My actual /etc/clamav/clamd.conf:

Code:
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 10 #120
MaxThreads 3 # 20
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 120000
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OnAccessMaxFileSize 5M
ConcurrentDatabaseReload no
My understanding is clamav cannot be made to use less memory. The only way it uses less memory is to use a smaller database of virus signatures, but then it will not recognise all malware. I am surprised 4 GB is not enough to run clamav. Have you modified clamav settings, maybe it uses more memory than usual? Or do you mean the system just gets slow when clamav is running? You do not mention how much swap that host has. If it does not have swap, add 4 GB swap so the system can free some RAM when needed.
4GB is plenty of RAM, I run several (smaller) systems with all services that have just 2GB and also use ClamAV and they run perfectly fine. How many websites do you run and have you analyzed which services use the RAM? Did you consider to add a swap partition or drive?
Hello, thank you for your fast reply. I modified the settings only like this, the other lines are original:

Code:
ReadTimeout 10
MaxThreads 3
ConcurrentDatabaseReload no

I have no swap on my VPS, because my provider doesn't support it. He can only give me swap to install an Oracle database and only during the installation process. I have a few tens of websites, every one has a database. I analyzed the behaviour and it is: When there is no e-mail in the queue, and it's normal website activity: RAM is about 1 GB (sometimes 800 MB, sometimes 1,2 GB), no more. Only when clamav starts, I can see RAM slowly increase to its maximum. When at the maximum, the VPS is completely stuck - can't load websites, can't use SSH, can't use the provider terminal to restore the server, can't do anything. Only ping works fine without changed latency.
I say this would improve with added swap. Can you not add swapfile? It should be possible on any Linux. If your service provider is bad, find a better provider and send your money there.
Thank you for your answer. I tried to add swap space, but it's not working "swapon: /swapfile: skipping - it appears to have holes.". My VPS provider says this on his website: At this moment, we are not using OpenVZ, but ourself virtualization system. But it's provider works. Do I have any chance to solve this problem myself another way? I don't want to migrate to another provider, because I have a big music for a little money. I can double resources (RAM up to 8 GB/12GB) for double/triple money, but I want this will be a border solve. Is there any way to reconfigure clamscan to use a set maximum of RAM/disk space?
did you allocate the size to the swapfile first? https://www.digitalocean.com/community/tutorials/how-to-add-swap-space-on-ubuntu-20-04
The point of swap has nothing to do with speed, it is because applications do not use all the memory they reserve, and using swap space allows you to overcommit the physical ram so you can safely run a lot more applications at once. If you are swapping pages for actively running processes, your performance is going to suffer (unless I suppose those are swapped to a ram-backed disk). Maybe you contact them and see if you have such a "justified case" that they mention?
Hello all, thank you for your answer. I tried to install a swapfile following several tutorials, like that one on digitalocean - it was the first try. I get an error on it.

Code:
sudo swapon /swapfile
swapon: /swapfile: skipping - it appears to have holes.

I temporarily upgraded the VPS up to 8 GB RAM, and the problem still exists. The case rate keeps. "Justified case" - this rule has every VPS. Only Oracle database has exceptions and only during install.
I just reread your initial post and there you say that clamscan is used on your system, but ISPConfig normally uses clamdscan. That's different and makes a huge difference in resource usage, clamscan is only used when clamdscan fails, so your whole issue might just be a problem in your clamd configuration so that it can't start.

Ensure that clamd (the clamav daemon) is really started as this uses a lot less resources than clamscan. If clamd is started and working, then check the mail.log to see if you find any lines that show that amavis is doing a fallback to clamscan because connections to clamd failed.

And one more thing, that all RAM is used on a Linux server is normal, so I hope that you did not just look at how much RAM is free, as an efficient Linux system always uses all RAM (unless it's a huge amount of too much RAM). So please don't look at the amount of free RAM only. See also here: https://www.linuxatemyram.com/

You say your system got stuck, this might be because of CPU usage and not RAM and if you really use clamscan instead of clamd, then it is to be expected that CPU usage rises a lot as clamscan starts one clamav process per mail while clamd starts just one clamav daemon process to scan all emails.
Ah, you are right. Clamscan got my VPS stuck a few times, many times clamav did it - by logs from my OOM provider report. I checked /etc/init.d/clamav-daemon status and see an error here (ExecStartPre=/bin/mkdir /run/clamav (code=exited, status=1/FAILURE)):

Code:
clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/clamav-daemon.service.d
           └─extend.conf
   Active: active (running) since Tue 2022-05-31 08:03:10 CEST; 3s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://docs.clamav.net/
  Process: 5332 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
  Process: 5331 ExecStartPre=/bin/mkdir /run/clamav (code=exited, status=1/FAILURE)
 Main PID: 5333 (clamd)
    Tasks: 1 (limit: 629145)
   Memory: 146.5M (limit: 256.0M)
      CPU: 906ms
   CGroup: /system.slice/clamav-daemon.service
           └─5333 /usr/sbin/clamd --foreground=true

May 31 08:03:10 email systemd[1]: Starting Clam AntiVirus userspace daemon...
May 31 08:03:10 email mkdir[5331]: /bin/mkdir: cannot create directory ‘/run/clamav’: File exists
May 31 08:03:10 email systemd[1]: Started Clam AntiVirus userspace daemon.

And /var/log/mail.log

Code:
amavis[995217]: (995217-06) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.ctl: No such file or directory

My folder /run/clamav exists, but with clamav:root and nothing is in it. When I remove it, it's automatically recreated with this chown. I don't know how to fix it. :/
Which Linux distribution and version do you use? The message "May 31 08:03:10 email mkdir[5331]: /bin/mkdir: cannot create directory ‘/run/clamav’: File exists" might just be a warning as clamd stated it started anyway. But amavis tries to connect to a different directory /run/clamav/ vs. /var/run/clamav/, so maybe the socket path in amavis does not match with the one used by clamd.
lsb_release -a

Code:
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.13 (stretch)
Release: 9.13
Codename: stretch

"/run/clamav/" exists, empty
"/var/run/clamav/" exists, empty
ON "/var/lib/clamav" exists
bytecode.cld (1438720)
clamd.sock (0)
daily.cld (180502K)
freshclam.dat (69)
mail.cld (453177k)
mirrors.dat (208)

/var/log/clamav/clamav.log

Code:
Tue May 31 08:32:41 2022 -> +++ Started at Tue May 31 08:32:41 2022
Tue May 31 08:32:41 2022 -> Received 0 file descriptor(s) from systemd.
Tue May 31 08:32:41 2022 -> clamd daemon 0.103.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Tue May 31 08:32:41 2022 -> Log file size limited to 4294967295 bytes.
Tue May 31 08:32:41 2022 -> Reading databases from /var/lib/clamav
Tue May 31 08:32:41 2022 -> Not loading PUA signatures.
Tue May 31 08:32:41 2022 -> Bytecode: Security mode set to "TrustSigned".
Tue May 31 08:32:42 2022 -> +++ Started at Tue May 31 08:32:42 2022
Tue May 31 08:32:42 2022 -> Received 0 file descriptor(s) from systemd.
Tue May 31 08:32:42 2022 -> clamd daemon 0.103.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Tue May 31 08:32:42 2022 -> Log file size limited to 4294967295 bytes.
Tue May 31 08:32:42 2022 -> Reading databases from /var/lib/clamav
Tue May 31 08:32:42 2022 -> Not loading PUA signatures.
Tue May 31 08:32:42 2022 -> Bytecode: Security mode set to "TrustSigned".
Try this: Find the place where the amavis socket is configured, e.g. with the command:

grep -R -n /var/run/clamav/clamd.ctl /etc/amavis

Then edit that file and change the path to:

/var/lib/clamav/clamd.sock

and then restart amavis.
Thank you, but I don't understand.

grep -R -n /var/run/clamav/clamd.ctl /etc/amavis

Code:
/etc/amavis/conf.d/15-av_scanners:20: \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
The grep command shows the searched-for string "/var/run/clamav/clamd.ctl" is found in file /etc/amavis/conf.d/15-av_scanners on line 20. @till asked you to edit that file and change the pathname from /var/run/clamav/clamd.ctl to /var/lib/clamav/clamd.sock. By the way, this problem would have been easier to solve if you had started with this: https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
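The check discussed in the posts above (does amavis point at the socket clamd is configured to use, does that socket exist, and does mail.log show the failed connects that precede a fallback to clamscan), as an added example that is not part of the original thread. The function names and the sample files under a temporary directory are constructed; on a real host the three arguments would be /etc/clamav/clamd.conf, /etc/amavis/conf.d/15-av_scanners and /var/log/mail.log.

```shell
#!/bin/sh
# Added example: compare the clamd socket configured in clamd.conf with the
# one amavis connects to, and count failed connects logged by amavis.

# LocalSocket value from a clamd.conf-style file
clamd_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# Socket path from the CONTSCAN entry of an amavis av_scanners file
amavis_socket() {
    sed -n 's/.*CONTSCAN[^,]*,[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Number of "(!)connect to ... failed" lines in the mail log
connect_failures() {
    grep -c '(!)connect to .* failed' "$1" || true
}

# Verdict (MISMATCH, NO_SOCKET or OK) followed by the details
check_clamd_path() {   # $1 clamd.conf  $2 av_scanners  $3 mail.log
    c=$(clamd_socket "$1"); a=$(amavis_socket "$2"); n=$(connect_failures "$3")
    if [ "$c" != "$a" ]; then
        echo "MISMATCH clamd=$c amavis=$a failures=$n"
    elif [ ! -S "$a" ]; then
        echo "NO_SOCKET path=$a failures=$n"
    else
        echo "OK path=$a failures=$n"
    fi
}

# Constructed sample files: both configs name the same path, but no socket
# exists there and amavis has logged one failed connect.
demo=$(mktemp -d)
printf 'LocalSocket %s/clamd.ctl\nUser clamav\n' "$demo" > "$demo/clamd.conf"
printf ' \\&ask_daemon, ["CONTSCAN {}\\n", "%s/clamd.ctl"],\n' "$demo" > "$demo/av_scanners"
printf '%s\n' "amavis[1]: (1-01) (!)connect to $demo/clamd.ctl failed, attempt #1: No such file or directory" > "$demo/mail.log"

check_clamd_path "$demo/clamd.conf" "$demo/av_scanners" "$demo/mail.log"
```

NO_SOCKET with a non-zero failure count is the state in which amavis cannot reach clamd at the configured path.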
Thank you for your reply all. I'm happy you want to help me. I edited 15-av_scanners and changed /var/run/clamav/clamd.ctl to /var/lib/clamav/clamd.sock (/var/lib/clamav/clamd.sock exists with 0 bytes - it's empty). I tried "service amavis restart" and "/etc/init.d/clamav-daemon restart" and the problem still exists:

Code:
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/clamav-daemon.service.d
           └─extend.conf
   Active: active (running) since Tue 2022-05-31 09:46:01 CEST; 3s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://docs.clamav.net/
  Process: 38673 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
  Process: 38671 ExecStartPre=/bin/mkdir /run/clamav (code=exited, status=1/FAILURE)
 Main PID: 38675 (clamd)
    Tasks: 1 (limit: 629145)
   Memory: 166.3M (limit: 256.0M)
      CPU: 1.123s
   CGroup: /system.slice/clamav-daemon.service
           └─38675 /usr/sbin/clamd --foreground=true

May 31 09:46:01 email systemd[1]: clamav-daemon.service: Service hold-off time over, scheduling restart.
May 31 09:46:01 email systemd[1]: Stopped Clam AntiVirus userspace daemon.
May 31 09:46:01 email systemd[1]: clamav-daemon.service: Failed to reset devices.list: Operation not permitted
May 31 09:46:01 email systemd[1]: Starting Clam AntiVirus userspace daemon...
May 31 09:46:01 email mkdir[38671]: /bin/mkdir: cannot create directory ‘/run/clamav’: File exists
May 31 09:46:01 email systemd[1]: Started Clam AntiVirus userspace daemon.

E-mails still work fine.

Edit: I tried "ispconfig_update.sh --force" and an amavis-daemon reinstall but the problem still exists.
It's a socket, it must be empty. The " /bin/mkdir: cannot create directory ‘/run/clamav’" is just a notice and not your problem, ignore that. The question is whether your system still gets stalled when mail arrives.
Aha, thank you for your answer. I'll ignore the warning "(code=exited, status=1/FAILURE)". I thought everything highlighted in red is bad. E-mails at this moment look good, but about the VPS getting stuck I'm able to get this information during my one/two days of normal work. For now, thank you very much for your patience and help.
The failure is from a program run before the start, that's not a failure of the ClamAV daemon itself. That ClamAV is running can be seen in these lines:

Active: active (running) since Tue 2022-05-31 09:46:01 CEST; 3s ago

and also in the logged message:

May 31 09:46:01 email systemd[1]: Started Clam AntiVirus userspace daemon