1

Problem background:

  • I am contractually bound to install a system Anti Virus solution on every host.
  • For this product I am running Linux (Red hat derived).
  • These instances are hosting Apache/PHP with Wordpress sites sitting on them (the database is a separate instance).
  • I have performance issues where the AV is scanning the Wordpress site's files on demand, but due to demand for the website this is a lot of repetitive scanning which causes massive CPU spikes and occasionally hangs the system.

Question:

I want to know if there is a standard AV exclusions list for Wordpress (or a best practice). I have tried to search online but can't find anything useful (A Wordpress AV plugin is not a system AV so will not pass with my contractual auditors)

Are there an other alternatives than giving the machine more CPU capacity and reducing IO latency?

** Edit **

We are bound by the contract to use one of the big vendors; for security reasons I am not allowed to name which one. It does on access based scanning and has a kernel plugin that enables this. Messages log gets written to on every file scanned. This is a significant number of files due to the sites usage. (60K hits a week on one site that causes the most trouble)

Sam
  • 617
  • 1
  • 6
  • 14
  • Where is the slowdown coming from? File locks? Check with files are being locked while the AV runs. I would start with excluding the mariadb/mysql/... Data files. Locks on those tend to cause performance issues on my servers with AV as well. – Bart De Vos Oct 24 '15 at 11:03
  • 2
    Before giving it more CPU, I'd give it more memory. The would allow more files to be cached in RAM, which would significantly reduce disk IO. – EEAA Oct 24 '15 at 13:41
  • 1
    which AV that you ran clamAV? – Aizuddin Zali Oct 24 '15 at 13:45
  • I have already added more RAM to the system but this didn't help much. The cache doesn't seem to be used by the AV. I have edited question regarding which AV. – Sam Oct 25 '15 at 21:25

1 Answers1

1

Your ultimate question is about an exclusion list, though your key problem seems to be CPU spikes. As an answer to that problem, did you instruct the kernel which processes you want to prioritise? With 'nice' you can give preference to the webserver, keep the AV CPU utilisation within reason.

https://unix.stackexchange.com/questions/151883/limiting-processes-to-not-exceed-more-than-10-of-cpu-usage

Good software that writes many log entries should have a buffer function (like Nginx has) so it doesn't do disk writes on every line, but only after it has N number of lines to write. Check your AV software to see whether it can do log write buffering.

Community
  • 1
JayMcTee
  • 3,923
  • 1
  • 13
  • 22
  • I'll check to see if the AV package can do log write buffering, thats a great idea. I reference spikes but it is actually an accumulation as far as I can tell. CPU utilisation rises over time until it consumes 100% CPU and the system becomes unresponsive. The logs show the same files being re checked repeatedly. – Sam Oct 26 '15 at 22:40