Re: [clamav-users] clamav overload ec2 instances
Hi Emanuel,

I see you mention clamd and provide a clamd.conf file. But then you say you're running clamscan, which doesn't require clamd and loads the databases itself.

So, if you have clamd running (uses a bunch of RAM to load databases) and then use clamscan (also uses a bunch of RAM to load the databases) instead of clamDscan (which would just send scan requests to clamd) -- yeah, I could see that running your container out of memory.

Try using clamdscan instead of clamscan -- or shut down clamd and only use clamscan.

Cheers,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users on behalf of Emanuel Gonzalez
Sent: Tuesday, July 19, 2022 10:29 AM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] clamav overload ec2 instances

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] clamav overload ec2 instances
Hi there,

On Tue, 19 Jul 2022, Emanuel Gonzalez wrote:

> Hi, I use clamav in AWS ec2 instances c5.large.
>
> When I run the clamscan command /home/user/testfile the CPU usage is
> triggered and the instance stops responding.
>
> Here is my config:
>
> clamd --version
> ClamAV 0.103.6/26606/Tue Jul 19 04:57:30 2022
> ...

It would help if you were clearer about exactly what you are doing.

How much RAM do you have available? If you are using the 'official' signature database you probably need at least 3, preferably 4 GBytes, as loading ten million signatures will use about a gigabyte of RAM.

Loading ten million signatures takes a while. The 'clamd' daemon does that when it starts and when the signatures are updated (about daily for the 'official' signature database). The 'clamscan' utility does it every time you run it. The 'clamdscan' utility never does it.

The 'clamdscan' utility uses 'clamd', but 'clamscan' does not.

Please show us the exact command which you use when the problem appears.

If you are running a clamd daemon *and* if you are really running 'clamscan' and not 'clamdscan' then you are probably using twice as much memory as you need to - not to mention having to wait for the clamscan process to read ten million signatures every time it runs.

--
73,
Ged.
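An added example, not from any poster in this thread or from the ClamAV project: a shell wrapper that applies the advice in the two replies above, sending the scan to clamd through clamdscan when the daemon is running and falling back to clamscan only when there is room for a private copy of the signatures. The 1024 MB figure is the thread's "about a gigabyte" estimate; the function names, the refuse policy and exit code 75 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not ClamAV project code). Function names, the "refuse"
# policy and exit code 75 are assumptions made for this illustration.

SIG_DB_MB=1024   # "about a gigabyte" per loaded signature set (thread's estimate)

# db_ram_mb CLAMD_RUNNING(yes|no) CLAMSCAN_PROCS
# Estimated RAM held by signature copies: one inside clamd plus one per
# concurrently running clamscan process.
db_ram_mb() {
    copies=$2
    if [ "$1" = yes ]; then copies=$((copies + 1)); fi
    echo $((copies * SIG_DB_MB))
}

# choose_scanner CLAMD_RUNNING(yes|no) MEM_AVAILABLE_MB
choose_scanner() {
    if [ "$1" = yes ]; then
        echo clamdscan    # reuse the signatures clamd already holds
    elif [ "$2" -ge "$SIG_DB_MB" ] 2>/dev/null; then
        echo clamscan     # no daemon, and room for one private copy
    else
        echo refuse       # loading another copy would exhaust memory
    fi
}

clamd_running() {
    # Assumes the daemon's process name is exactly "clamd".
    if pgrep -x clamd >/dev/null 2>&1; then echo yes; else echo no; fi
}

mem_available_mb() {
    # Linux: MemAvailable in /proc/meminfo is given in kB.
    awk '/^MemAvailable:/ { print int($2 / 1024) }' /proc/meminfo
}

# scan FILE...  : run whichever scanner fits the current state of the host
scan() {
    case $(choose_scanner "$(clamd_running)" "$(mem_available_mb)") in
        clamdscan) clamdscan --fdpass "$@" ;;   # clamd runs as another user
        clamscan)  clamscan "$@" ;;
        *) echo "refusing: clamd is down and free RAM < ${SIG_DB_MB} MB" >&2
           return 75 ;;
    esac
}
```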
[clamav-users] clamav overload ec2 instances
Hi, I use clamav in AWS ec2 instances c5.large.

When I run the clamscan command /home/user/testfile the CPU usage is triggered and the instance stops responding.

Here is my config:

clamd --version
ClamAV 0.103.6/26606/Tue Jul 19 04:57:30 2022

LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 30
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 12
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 1
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 1
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 6
OnAccessMaxFileSize 5M

Any ideas??