Environment: CentOS 6, cPanel, 32GB RAM, 512GB SSD drive (about half used)

Took on managing a server and installed ClamAV. Used cron to schedule a scan at 1am. I noticed that sites on the host stopped responding, with symptoms ranging from slow response to no database connection. I checked htop and saw high resource usage. Since it was so late I decided to let it run, anticipating it would be done soon enough. I came to find it still running at 9am and causing sporadic outages.

Looking for suggestions on a solution: either a way to limit resource usage or an alternative to ClamAV.

I'll elaborate in that this is a cPanel server. The threat model is hacked WordPress sites, and scanning .php files for infections, which makes scanning worthwhile, I'd think.

for i in $(awk '$2 != "nobody" {print $2}' /etc/userdomains | sort -u); do /usr/local/cpanel/3rdparty/bin/clamscan -i -r "/home/$i" 2>/dev/null; done >> /root/infections &

This is the cron job created to run ClamD. At first I realized that I had backups and clamd scheduled at the same time. However, after changing the time I get the same result.

Looking at htop there are several clamd processes running and it again maxes the server out.

cPanel support suggested removing the cron job. There is lots of talk about using the service instead, but after reading everything I was confused even more.

techpad

1 Answer

You've told us nothing about how you are scanning the files. That you are running a "scheduled" scan rather implies you are running clamscan or clamdscan, but you've not shown us the code you are using. There are many, many bad ways to implement this and only a few good ones. Even with the good ones it can be rather resource-heavy (appropriate use of ionice and nice may help).

If you run your virus scanner on a single file, it will spend a huge amount of time and disk bandwidth loading the fingerprint data (then a very short time checking the file). If you are using clamscan, then switch to clamd + clamdscan.

Switching to a different AV isn't going to solve a problem with your implementation. IME Sophos is slightly than clamscan, although Sophos can also be configured to run as a daemon and an agent can feed it files for checking, but the API is not published and Sophos doesn't ship a client.

Also, there are very few viruses for Linux (and none in active circulation). There is no threat model sensibly addressed by scheduled scans.

symcbean
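The following is an added example, not the asker's cron job and not code from cPanel or the ClamAV project, implementing the answer's advice: clamdscan against an already-running clamd so the signature database is loaded once rather than per invocation, nice/ionice so the scan yields CPU and disk to the web and database processes, and a lock so overlapping cron runs cannot pile up the way the asker saw in htop. The lock file path, report path and the assumption that clamd is running and clamdscan is in $PATH are all this example's own.

```bash
#!/bin/bash
# Added example: per-account home directory scan for a cPanel host, using
# clamdscan (talks to the clamd daemon) instead of clamscan (reloads the
# whole signature database on every start).
# Assumed paths (not from the original post): lock file and report file below.
LOCK=${LOCK:-/var/run/clamav-home-scan.lock}
REPORT=${REPORT:-/root/infections}

# Print the unique cPanel usernames from a userdomains file ("domain: user"
# per line), skipping the "*: nobody" catch-all entry.
cpanel_users() {
    awk '$2 != "nobody" { print $2 }' "$1" | sort -u
}

# Scan every account's home directory at the lowest CPU and I/O priority.
# --fdpass   : pass open file descriptors so clamd can read files it does
#              not own (clamd usually runs as an unprivileged user)
# --infected : report only files that match a signature
# --multiscan: let clamd use its worker threads on the directory tree
scan_homes() {
    local userdomains="$1" u
    for u in $(cpanel_users "$userdomains"); do
        [ -d "/home/$u" ] || continue
        nice -n 19 ionice -c 3 \
            clamdscan --fdpass --infected --multiscan "/home/$u" 2>/dev/null
    done
}

# Entry point for cron. Holding the lock on fd 9 means a run that is still
# going at the next scheduled time makes the new instance exit immediately
# instead of starting a second scanner over the same directories.
run_scan() {
    exec 9>"$LOCK"
    if ! flock -n 9; then
        echo "previous scan still running, skipping this run" >&2
        return 0
    fi
    scan_homes /etc/userdomains >>"$REPORT"
}

# Example crontab line (1am daily):
#   0 1 * * * /usr/local/sbin/clamav-home-scan.sh
# where the script ends with:  run_scan
```

Because clamd holds the signatures in memory, the cost per invocation is only the socket round trip, so the same loop that took the asker from 1am past 9am with clamscan no longer pays the database load once per account.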