Hi, I have just done a new install of ispconfig, on a server running ubuntu 18.04. I have used this server for 10 years, but had to replace the hard disk, hence new install. Everything is working except that clamd is now scanning constantly - it never stops, thrashing HDD, and is always using around 50 to 100% cpu. I managed to stop it hogging CPU (see below), but it is not working like it used to. I also upgraded the RAM from 2GB to 4GB, as I had read that might help - 2GB was more than enough before. I have spent hours reading help forums, install/setup guides, etc, with no luck, so maybe someone here knows how to fix this. I am guessing clamd is a newer version to what I was using before as I didn't do any updates/upgrades on old system since it was installed in late 2018.

The only directory clamd needs to scan is /var/vmail.

current version: ClamAV 0.103.6

I have tried to exclude every other dir on the server with:

/etc/clamav/clamd.conf

Code:

    OnAccessIncludePath /var
    OnAccessExcludePath /var/backups
    OnAccessExcludePath /var/crash
    OnAccessExcludePath /var/lib
    OnAccessExcludePath /var/local
    OnAccessExcludePath /var/lock
    OnAccessExcludePath /var/opt
    OnAccessExcludePath /var/run
    OnAccessExcludePath /var/snap
    OnAccessExcludePath /var/spool
    OnAccessExcludePath /var/tmp
    OnAccessExcludeUname clamav
    ExcludePath ^/bin
    ExcludePath ^/boot
    ExcludePath ^/dev
    ExcludePath ^/etc
    ExcludePath ^/home
    ExcludePath ^/lib
    ExcludePath ^/lib64
    ExcludePath ^/lost+found
    ExcludePath ^/media
    ExcludePath ^/mnt
    ExcludePath ^/opt
    ExcludePath ^/proc
    ExcludePath ^/root
    ExcludePath ^/run
    ExcludePath ^/sbin
    ExcludePath ^/snap
    ExcludePath ^/srv
    ExcludePath ^/sys
    ExcludePath ^/tmp
    ExcludePath ^/usr
    ExcludePath ^/var

I have read that ExcludePath doesn't work in clamd.conf, it only works with clamscan as parameters, but then other info says to put in clamd.conf. Anyways it does not seem to work.

I ended up adding MemoryLimit=256M, CPUQuota=20%, Nice = 19 to the systemctl startup file for clamav, which has stopped it from hogging all the CPU.

/lib/systemd/system/clamav-daemon.service

Code:

    [Unit]
    Description=Clam AntiVirus userspace daemon
    Documentation=man:clamd(8) man:clamd.conf(5) https://docs.clamav.net/
    # Check for database existence
    ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
    ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}

    [Service]
    ExecStart=/usr/sbin/clamd --foreground=true
    # Reload the database
    ExecReload=/bin/kill -USR2 $MAINPID
    StandardOutput=syslog
    TimeoutStartSec=420
    MemoryLimit=256M
    CPUQuota=20%
    Nice = 19

    [Install]
    WantedBy=multi-user.target

I also tried not installing clamav, but then I get the error

Code:

    (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)"

in postfix. So I am wondering how I can stop it from trying to use clamav to fix this error. Thanks in advance for any help.
What does systemctl status say about the clamav processes? Examine logs, clamd should not use all cpu so maybe it logs errors? Attach strace to clamd process to see what it is doing?
Hi Taleman, thanks for the reply.. below is what you suggested, but I can't see errors etc..

Code:

    top - 19:45:48 up 9 min, 1 user, load average: 2.21, 1.23, 0.76
    Tasks: 120 total, 2 running, 81 sleeping, 0 stopped, 0 zombie
    %Cpu(s): 90.9 us, 8.8 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.3 si, 0.0 st
    KiB Mem : 1912268 total, 69124 free, 1701292 used, 141852 buff/cache
    KiB Swap: 2097148 total, 1168380 free, 928768 used. 61996 avail Mem

    PID  USER   PR NI VIRT    RES    SHR  S %CPU %MEM TIME+   COMMAND
    1576 amavis 20 0  1121332 958564 2072 R 93.5 50.1 0:55.90 clamscan

As you can see above clamscan is using 93% of cpu, and clamd does the same when it is running.

Code:

    root@kia:~# systemctl status clamav-daemon.service
    ● clamav-daemon.service - Clam AntiVirus userspace daemon
       Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
      Drop-In: /etc/systemd/system/clamav-daemon.service.d
               └─extend.conf
       Active: active (running) since Sun 2022-07-17 19:27:29 NZST; 1min 37s ago
         Docs: man:clamd(8)
               man:clamd.conf(5)
               https://docs.clamav.net/
      Process: 515 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
      Process: 443 ExecStartPre=/bin/mkdir -p /run/clamav (code=exited, status=0/SUCCESS)
     Main PID: 518 (clamd)
        Tasks: 1 (limit: 2163)
       CGroup: /system.slice/clamav-daemon.service
               └─518 /usr/sbin/clamd --foreground=true

    Jul 17 19:27:24 kia.xxxx.nz systemd[1]: Starting Clam AntiVirus userspace daemon...
    Jul 17 19:27:29 kia.xxxx.nz systemd[1]: Started Clam AntiVirus userspace daemon.

root@kia:~# cat /var/log/clamav/clamav.log

Code:

    Sun Jul 17 19:27:33 2022 -> +++ Started at Sun Jul 17 19:27:33 2022
    Sun Jul 17 19:27:33 2022 -> Received 0 file descriptor(s) from systemd.
    Sun Jul 17 19:27:33 2022 -> clamd daemon 0.103.6 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
    Sun Jul 17 19:27:33 2022 -> Log file size limited to 4294967295 bytes.
    Sun Jul 17 19:27:33 2022 -> Reading databases from /var/lib/clamav
    Sun Jul 17 19:27:33 2022 -> Not loading PUA signatures.
    Sun Jul 17 19:27:33 2022 -> Bytecode: Security mode set to "TrustSigned".
    Sun Jul 17 19:29:26 2022 -> Loaded 8622360 signatures.
    Sun Jul 17 19:29:44 2022 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
    Sun Jul 17 19:29:44 2022 -> LOCAL: Setting connection queue length to 15
    Sun Jul 17 19:29:44 2022 -> Limits: Global time limit set to 120000 milliseconds.
    Sun Jul 17 19:29:44 2022 -> Limits: Global size limit set to 104857600 bytes.
    Sun Jul 17 19:29:44 2022 -> Limits: File size limit set to 26214400 bytes.
    Sun Jul 17 19:29:44 2022 -> Limits: Recursion level limit set to 16.
    Sun Jul 17 19:29:44 2022 -> Limits: Files limit set to 10000.
    Sun Jul 17 19:29:44 2022 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
    Sun Jul 17 19:29:44 2022 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
    Sun Jul 17 19:29:44 2022 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
    Sun Jul 17 19:29:44 2022 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
    Sun Jul 17 19:29:44 2022 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
    Sun Jul 17 19:29:44 2022 -> Limits: MaxPartitions limit set to 50.
    Sun Jul 17 19:29:44 2022 -> Limits: MaxIconsPE limit set to 100.
    Sun Jul 17 19:29:44 2022 -> Limits: MaxRecHWP3 limit set to 16.
    Sun Jul 17 19:29:44 2022 -> Limits: PCREMatchLimit limit set to 10000.
    Sun Jul 17 19:29:44 2022 -> Limits: PCRERecMatchLimit limit set to 5000.
    Sun Jul 17 19:29:44 2022 -> Limits: PCREMaxFileSize limit set to 26214400.
    Sun Jul 17 19:29:44 2022 -> Archive support enabled.
    Sun Jul 17 19:29:44 2022 -> AlertExceedsMax heuristic detection disabled.
    Sun Jul 17 19:29:44 2022 -> Heuristic alerts enabled.
    Sun Jul 17 19:29:44 2022 -> Portable Executable support enabled.
    Sun Jul 17 19:29:44 2022 -> ELF support enabled.
    Sun Jul 17 19:29:44 2022 -> Mail files support enabled.
    Sun Jul 17 19:29:44 2022 -> OLE2 support enabled.
    Sun Jul 17 19:29:44 2022 -> PDF support enabled.
    Sun Jul 17 19:29:44 2022 -> SWF support enabled.
    Sun Jul 17 19:29:44 2022 -> HTML support enabled.
    Sun Jul 17 19:29:44 2022 -> XMLDOCS support enabled.
    Sun Jul 17 19:29:44 2022 -> HWP3 support enabled.
    Sun Jul 17 19:29:44 2022 -> Self checking every 3600 seconds.
Below is some of the output from strace -p <pid of clamd>, I don't really understand it.
If I stop and disable clamav the CPU usage goes back to normal - average around 2%. How can I remove clamd/amavis from the server so mail still gets received and delivered, and remove the mail filter from dovecot/postfix? I did try apt-get remove, but it still tries to use amavis. I get this error:

Code:

    Jul 17 08:45:56 tui amavis[2824]: (02824-02) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (All attempts (1) failed connecting to /var/run/clamav/clamd.ctl) at (eval 113) line 659.\n (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)

In /etc/postfix/main.cf I have commented out:

Code:

    #content_filter = lmtp:[127.0.0.1]:10024
    #smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf

And changed the above to:

Code:

    smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf

Is this all I need to do to disable amavis?
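Added example, not part of any post in this thread: a small parser for the clamav.log format posted above that measures how long each clamd start spends loading signatures before the log announces the Unix socket that amavis connects to. The sample lines are copied from that log; the function and field names are made up for this illustration.

```python
import re
from datetime import datetime

# Lines copied from the clamav.log posted above (only the relevant ones).
SAMPLE_LOG = """\
Sun Jul 17 19:27:33 2022 -> +++ Started at Sun Jul 17 19:27:33 2022
Sun Jul 17 19:27:33 2022 -> Reading databases from /var/lib/clamav
Sun Jul 17 19:29:26 2022 -> Loaded 8622360 signatures.
Sun Jul 17 19:29:44 2022 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
Sun Jul 17 19:29:44 2022 -> Self checking every 3600 seconds.
"""

LINE_RE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (.*)$")
LOADED_RE = re.compile(r"Loaded (\d+) signatures")


def startup_reports(log_text):
    """One dict per clamd start: signature count, seconds until the database
    was loaded, and seconds until the local socket was announced."""
    reports, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a timestamped clamd log line
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        if msg.startswith("+++ Started"):
            current = {"started": ts, "signatures": None,
                       "load_seconds": None, "socket_seconds": None}
            reports.append(current)
        elif current is not None:
            elapsed = int((ts - current["started"]).total_seconds())
            loaded = LOADED_RE.match(msg)
            if loaded:
                current["signatures"] = int(loaded.group(1))
                current["load_seconds"] = elapsed
            elif msg.startswith("LOCAL: Unix socket file"):
                current["socket_seconds"] = elapsed
    return reports


if __name__ == "__main__":
    for r in startup_reports(SAMPLE_LOG):
        print(f"{r['started']}: {r['signatures']} signatures, loaded after "
              f"{r['load_seconds']}s, socket after {r['socket_seconds']}s")
```

A start whose `socket_seconds` stays `None` never logged the socket line, which is what a daemon stopped or restarted during the signature load looks like in this log.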
What kind of setup does the server use? You posted in the forum for non ISPConfig systems, so you set up amavis and postfix manually? And you should check what the underlying issue is: if you receive a lot of emails, then it is normal that the scanner of the system uses some CPU power. But it can also be that e.g. signature files are broken and causing ClamAV to use a lot of CPU power. Removing Amavis will probably cause various issues: not only will spam and virus scanning stop, but DKIM signing might also not work anymore, which then may cause other systems to reject your emails.
Hi Till, I used the ispconfig setup - perfect server ubuntu 18.04. Apart from the clamd/amavis problem everything else works fine. Sorry, didn't realise I had posted in wrong place. I don't receive a lot of emails... maybe 10 to 20 a day. I used this exact same setup 4 years ago to do my server and it worked without this problem, so I am guessing the upgrades have caused the problem. I realise I won't have spam filtering and anti virus, but the clamd/clamscan is taking 90% plus CPU and continuously accessing HDD.
If you use ISPConfig, start with this: https://forum.howtoforge.com/threads/please-read-before-posting.58408/ From that learn at least to use CODE tags when posting listings and code.
Are clamscan and clamd running at the same time? I think only one of them should be running on an e-mail server. If amavis or whatever starts both, it may be because it tries to connect to clamd, fails and then starts clamscan. I think this is the cause:

Code:

    (!)ClamAV-clamd av-scanner FAILED: run_av error:

Try to figure out why that happens.
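Added example, not part of any post in this thread: a check that talks to clamd over the socket named in the amavis error, using clamd's `PING` command (clamd answers `PONG`), and separates the ways the connection can fail. The function name and the result wording are made up for this illustration; the socket path is the one from the error message.

```python
import socket

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # path taken from the amavis error above


def clamd_ping(path=CLAMD_SOCKET, timeout=5.0):
    """Send clamd's PING command over its Unix socket; return (ok, detail)."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)
        s.sendall(b"zPING\0")   # 'z' prefix: command and reply are NUL-terminated
        reply = s.recv(64)
    except FileNotFoundError:
        return False, "socket file missing: clamd is not running or has not finished loading"
    except ConnectionRefusedError:
        return False, "socket file exists but nothing is listening on it"
    except PermissionError:
        return False, "permission denied: this user may not use the socket"
    except socket.timeout:
        return False, "connected, but clamd did not answer within the timeout"
    except OSError as exc:
        return False, f"socket error: {exc}"
    finally:
        s.close()
    if reply.rstrip(b"\0\n") == b"PONG":
        return True, "clamd answered PONG"
    return False, f"unexpected reply: {reply!r}"


if __name__ == "__main__":
    ok, detail = clamd_ping()
    print("OK" if ok else "FAIL", "-", detail)
```

Run it as the user the scanner runs as (amavis in the `top` output above), since a socket that answers root can still be unreachable for that user.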
I did notice that clamscan was running too sometimes, but clamd was always running. If clamscan isn't supposed to be running when clamd is, this may be because of me. I have tried so many fixes suggested on websites - uninstalled, reinstalled, changing settings etc. I am going to try to set up one server without clamav running just so I have a stable system that works - at the moment everything is slow due to clamd, accessing webmail takes ages, and even sending emails between accounts on server. And then I will do a fresh install on another machine and try to fix the problems.