Community Discussions and Support
ClamAV - 98% CPU Resources

I emailed the author of the clamav version I'm running.
He suggested trying the SVN version.

I've tried that and now it launches in a couple of seconds with NO event log errors.

Thanks :)


Just installed ClamAV from http://hideout.ath.cx/clamav/

Started it using a batch file:
cd\
cd clamav\
cd bin
clamd.exe

Clamd.exe is using about 98% CPU Resources.. The machine goes very slow and the clamd crashes.
I've had this running on a test PC without issue.

Config Details:
C:/clamav/etc/clamd.conf: clamd directives
-----------------
LogFile not set
LogFileUnlock = no
LogFileMaxSize = 1048576
LogTime = no
LogClean = no
LogVerbose = no
LogSyslog = no
LogFacility = "LOG_LOCAL6"
PidFile not set
TemporaryDirectory not set
ScanPE = yes
ScanELF = yes
DetectBrokenExecutables = no
ScanMail = yes
MailFollowURLs = no
MailMaxRecursion = 64
PhishingSignatures = yes
AlgorithmicDetection = yes
ScanHTML = yes
ScanOLE2 = yes
ScanPDF = no
ScanArchive = yes
ArchiveMaxFileSize = 10485760
ArchiveMaxRecursion = 8
ArchiveMaxFiles = 1000
ArchiveMaxCompressionRatio = 250
ArchiveLimitMemoryUsage = no
ArchiveBlockEncrypted = no
ArchiveBlockMax = no
DatabaseDirectory = "C:/clamav/share/clamav"
TCPAddr = "127.0.0.1"
TCPSocket = 3310
LocalSocket not set
MaxConnectionQueueLength = 15
StreamMaxLength = 26214400
StreamMinPort = 1024
StreamMaxPort = 2048
MaxThreads = 10
ReadTimeout = 120
IdleTimeout = 300
MaxDirectoryRecursion = 15
FollowDirectorySymlinks = no
FollowFileSymlinks = no
ExitOnOOM = no
Foreground = no
Debug = no
LeaveTemporaryFiles = no
FixStaleSocket = no
User not set
AllowSupplementaryGroups = no
SelfCheck = 1800
VirusEvent not set
NodalCoreAcceleration = no
ClamukoScanOnAccess not set
ClamukoScanOnOpen not set
ClamukoScanOnClose not set
ClamukoScanOnExec not set
ClamukoIncludePath not set
ClamukoExcludePath not set
ClamukoMaxFileSize = 5242880

C:/clamav/etc/freshclam.conf: freshclam directives
-----------------
LogVerbose = no
LogSyslog = no
LogFacility = "LOG_LOCAL6"
PidFile not set
DatabaseDirectory = "C:/clamav/share/clamav"
Foreground = no
Debug = no
AllowSupplementaryGroups = no
DatabaseOwner = "clamav"
Checks = 12
UpdateLogFile = "c:\mercury\logs\clamav\freshclam.log"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "database.clamav.net"
MaxAttempts = 3
ScriptedUpdates = yes
HTTPProxyServer not set
HTTPProxyPort not set
HTTPProxyUsername not set
HTTPProxyPassword not set
HTTPUserAgent not set
NotifyClamd not set
OnUpdateExecute not set
OnErrorExecute not set
OnOutdatedExecute not set
LocalIPAddress not set
ConnectTimeout = 30
ReceiveTimeout = 30

Clamwall.ini:
[ClamWall]
AdminMail=admin
LogFile=C:\MERCURY\LOGS\Clamav\cw~Y~W.log
TagName=X-CLAMWALL
BanExtension=PIF,LNK,SCR,VBS,SHS,BAT,COM,EXE,CMD,EML,CPL,VBE,WBT,WSH
Debug=1
ReportSender=0
ClearPostPart=1
ClearPrePart=1
UUKill=1
SaveDir=C:\MERCURY\virus\
ScanTimeout=120000
NoLocal=0
NoScanLocal=0
Enabled=0
Scratch=C:\MERCURY\Scratch
Queue=
NoLocalScan=0

[ClamAV]
ClamIP=127.0.0.1
ClamPort=3310
ClamSelf=1
ClamDir=C:\clamav\bin
ClamHide=0

Machine Details:
Windows 2003 Server, 1GB Ram

Any ideas ??


[quote user="tomt"]

Just installed ClamAV from http://hideout.ath.cx/clamav/

Started it using a batch file:
cd\
cd clamav\
cd bin
clamd.exe

Clamd.exe is using about 98% CPU Resources.. The machine goes very slow and the clamd crashes.
I've had this running on a test PC without issue.


Any ideas ??

[/quote]

 

First thing to do is to set up clamd.exe logging and see what the clamd log says when you run clamd.exe manually.

I just noticed that when I start clamd it takes about 5 minutes to load with the CPU @ 98%.
Once it's loaded, CPU drops back to normal.

Here's the log. Any way to get it to load up faster ??

+++ Started at Sun Jul  8 18:20:47 2007
clamd daemon 0.90.3 (OS: cygwin, ARCH: i386, CPU: i686)
Log file size limited to 1048576 bytes.
Reading databases from C:\clamav\share\clamav
Loaded 134556 signatures.
Bound to address 127.0.0.1 on tcp port 3310
Setting connection queue length to 15
Archive: Archived file size limit set to 10485760 bytes.
Archive: Recursion level limit set to 8.
Archive: Files limit set to 1000.
Archive: Compression ratio limit set to 250.
Archive support enabled.
Algorithmic detection enabled.
Portable Executable support enabled.
ELF support enabled.
Mail files support enabled.
Mail: Recursion level limit set to 64.
OLE2 support enabled.
PDF support disabled.
HTML support enabled.
Self checking every 1800 seconds.
Set stacksize to 1048576
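
Added example (editor's code, not part of the original thread or of ClamAV): in the log above clamd binds 127.0.0.1:3310 only after the signatures are loaded, so timing how long it takes to answer the clamd PING command measures the database load. The function names and the 600-second deadline are assumptions; the newline-terminated PING form is assumed to be accepted by the installed clamd.

```python
import socket
import time


def clamd_ping(host="127.0.0.1", port=3310, timeout=5.0):
    """Return True if a clamd listener answers PING with PONG."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"PING\n")
            reply = s.recv(16)
    except OSError:
        # Refused or timed out: clamd has not bound the port yet
        # (it is still loading signatures) or it has crashed.
        return False
    return reply.strip(b"\r\n\0 ") == b"PONG"


def wait_until_ready(host="127.0.0.1", port=3310, deadline=600.0,
                     interval=2.0, ping=clamd_ping):
    """Poll clamd until it answers PING.

    Returns the seconds waited, or None if `deadline` seconds pass
    without a PONG (hypothetical default of 10 minutes).
    """
    start = time.monotonic()
    while True:
        if ping(host, port):
            return time.monotonic() - start
        if time.monotonic() - start + interval > deadline:
            return None
        time.sleep(interval)


if __name__ == "__main__":
    # Run this right after launching clamd.exe from the batch file.
    waited = wait_until_ready()
    if waited is None:
        print("clamd did not answer PING before the deadline")
    else:
        print("clamd ready after %.1f seconds" % waited)
```

Running it on both the slow server and the test PC gives a number to compare before and after a change such as a different build or an antivirus exclusion.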


[quote user="tomt"]

I just noticed that when I start clamd it takes about 5 minutes to load with the CPU @ 98%.
Once it's loaded, CPU drops back to normal.

Here's the log. Any way to get it to load up faster ??

+++ Started at Sun Jul  8 18:20:47 2007
clamd daemon 0.90.3 (OS: cygwin, ARCH: i386, CPU: i686)
Log file size limited to 1048576 bytes.
Reading databases from C:\clamav\share\clamav
Loaded 134556 signatures.
Bound to address 127.0.0.1 on tcp port 3310
Setting connection queue length to 15
Archive: Archived file size limit set to 10485760 bytes.
Archive: Recursion level limit set to 8.
Archive: Files limit set to 1000.
Archive: Compression ratio limit set to 250.
Archive support enabled.
Algorithmic detection enabled.
Portable Executable support enabled.
ELF support enabled.
Mail files support enabled.
Mail: Recursion level limit set to 64.
OLE2 support enabled.
PDF support disabled.
HTML support enabled.
Self checking every 1800 seconds.
Set stacksize to 1048576

[/quote]

 

Your startup log is very similar to mine and I do not know what is causing yours to take 5 minutes to start.  I suspect that there is some function calling a directory that does not exist.  In my case though I have clamd.exe and freshclam running as daemons and starting via a batch file so Clamwall only passes the message to clamd via port 3310 and never sees freshclam.  Here's my basic stuff.

---------------------------------- clamav.bat ---------------------------------------------------------- 

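@echo off
rem Switch to drive C: and the ClamAV bin directory
c:
cd \clamav\bin
rem Start the scanner daemon, then freshclam in daemon mode
clamd.exe
freshclam.exe -d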

 

------------------------------------------------------- clamwall.ini ------------------------------------------------------------------ 

[ClamWall]
AdminMail=maiser
LogFile=C:\MERCURY\LOGS\clamwall\cw~Y~M.log
TagName=X-CLAMWALL
BanExtension=PIF,LNK,SCR,VBS,SHS,BAT,COM,EXE,CMD,EML,CPL,VBE,WBT,WSH
Debug=0
ReportSender=0
ClearPostPart=1
ClearPrePart=1
UUKill=0
SaveDir=C:\MERCURY\LOGS\clamwall\
ScanTimeout=120000
NoLocal=1
NoScanLocal=0
Enabled=1
Scratch=C:\MERCURY\Scratch
Queue=
NoLocalScan=0

[ClamAV]
ClamIP=127.0.0.1
ClamPort=3310
ClamSelf=0
ClamDir=C:\MERCURY\clamav
ClamHide=0


Thanks Thomas.
I'm starting via a batch file, but it is so slow !!

Anyone think of anything I've missed ??

What happens when you run freshclam?

IIRC, when you use clamself mode, it will try to do an update upon startup.

Are there any other processes running on this machine that might interfere with Clamd?

 /Rolf
 


It's on a Windows 2003 server, so there's quite a lot running.
But nothing conflicting, that I can see?

I'll check the event log and see if that gives any clues!

Event Log shows 2 errors several times, all relating to ClamAV.

Event ID: 32 & Event ID: 59

Something to do with dependent assembly Microsoft v80.crt

Could this be causing the speed issue?

I found this that might or might not be related: http://www.computerhelparticles.com/windows-xp-perform-maintain/9077-new-problem-arising-after-win-update.html . Wouldn't hurt to try it, I suppose.

Other than that, do you have any real time virus scanning on the server that might want to check the ClamAV virus definitions file before ClamAV can load it?

/Rolf