How can I check the status of ClamAV and fix any problems?

Check the Status of the ClamAV Daemon

You can check the ClamAV daemon status on the Anti-virus line of the Services dashboard widget. It should be green and show Active. Click Active or Inactive in the status column for more information.

Clamd status

Check the Status of the ClamAV Daemon From the Command Line

AlmaLinux/CentOS/RockyLinux/RHEL/CloudLinux

systemctl status clamd@scan 

Debian/Ubuntu

systemctl status clamav-daemon

Viewing the ClamAV Daemon Logs

You can view the ClamAV daemon logs in Warden under Logs -> Anti-virus Logs. To view the logs on the command line:

AlmaLinux/CentOS/RockyLinux/RHEL/CloudLinux

tail -f /var/log/clamd.scan

Debian/Ubuntu

tail -f /var/log/clamav/clamav.log

High Server Load / CPU Usage Problems

High server load is normally caused by the clamscan binary running while the ClamAV daemon is down. By default, Amavis falls back to the secondary clamscan binary when the ClamAV daemon is down or having problems. Note that the clamscan binary is NOT the same as clamd: clamd is the highly efficient daemon version of ClamAV, while clamscan is the inefficient non-daemonized version. Clamscan is not suitable for scanning large amounts of mail because the ClamAV signatures have to be loaded into memory for every scan, which is what causes the high load on the server. If you don't want Amavis to fall back to clamscan, disable the secondary fallback scanner as described below.

How to Disable the Clamscan Fallback Scanner

On AlmaLinux/RockyLinux/RHEL/CloudLinux, edit the file /etc/amavisd/warden.conf.

On Debian/Ubuntu, edit the file /etc/amavis/conf.d/99-warden.

Under the @av_scanners line, add the line:

@av_scanners_backup = ();

Restart Amavis

// AlmaLinux/RockyLinux/CloudLinux/RHEL
systemctl restart amavisd

// Debian/Ubuntu
systemctl restart amavis

ClamAV Memory Problems

The most common problem is not enough free memory for the ClamAV daemon. You can check the free memory of the server with the command free -m:

# free -m
              total        used        free      shared  buff/cache   available
Mem:          64049       30895       15313        3113       17840       29387
Swap:         15259        4333       10926

If the server is running low on free memory, the out-of-memory killer (OOM Killer) will sometimes kill the ClamAV daemon. We recommend a minimum of 4 GB of server memory (sometimes more, depending on how much you have running). To check whether the OOM Killer has killed clamd, search the system log:

// AlmaLinux/CentOS/RockyLinux/CloudLinux/RHEL
zgrep "Out of memory" /var/log/messages*  

// Debian/Ubuntu
zgrep "Out of memory" /var/log/syslog* 

Jun 19 19:35:21 el8p18 kernel: Out of memory: Killed process 1650121 (clamd) total-vm:3118856kB, anon-rss:2262988kB, file-rss:0kB, shmem-rss:0kB, UID:981 pgtables:5888kB oom_score_adj:0
Jun 19 20:30:33 el8p18 kernel: Out of memory: Killed process 1992340 (clamd) total-vm:3072516kB, anon-rss:1895824kB, file-rss:0kB, shmem-rss:0kB, UID:981 pgtables:5792kB oom_score_adj:0
Jun 19 21:22:52 el8p18 kernel: Out of memory: Killed process 2007089 (clamd) total-vm:3093760kB, anon-rss:1779240kB, file-rss:0kB, shmem-rss:0kB, UID:981 pgtables:5816kB oom_score_adj:0
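
The zgrep output above can be condensed into a kill count and the peak memory clamd held when it was killed, which helps when sizing RAM or swap. This is an added example, not part of the original article; the function names and the mysqld log line are constructed for illustration, while the three clamd lines are the ones shown above.

```shell
#!/bin/sh
# Added example: summarise OOM-killer events that hit clamd.
# Reads kernel log lines on stdin and prints one line:
#   kills=<count> peak_anon_rss_mb=<MB> last=<timestamp of the last kill in the input>
clamd_oom_summary() {
    awk '
        /Out of memory: Killed process [0-9]+ \(clamd\)/ {
            kills++
            last = $1 " " $2 " " $3
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^anon-rss:[0-9]+kB,?$/) {
                    kb = $i
                    gsub(/[^0-9]/, "", kb)      # keep only the number of kB
                    if (kb + 0 > peak) peak = kb + 0
                }
            }
        }
        END {
            printf "kills=%d peak_anon_rss_mb=%d last=%s\n", kills, peak / 1024, (kills ? last : "none")
        }
    '
}

# Sample input: the three clamd lines are from the article; the mysqld line
# is constructed to show that kills of other processes are ignored.
sample_log() {
    cat <<'EOF'
Jun 19 19:35:21 el8p18 kernel: Out of memory: Killed process 1650121 (clamd) total-vm:3118856kB, anon-rss:2262988kB, file-rss:0kB, shmem-rss:0kB, UID:981 pgtables:5888kB oom_score_adj:0
Jun 19 20:30:33 el8p18 kernel: Out of memory: Killed process 1992340 (clamd) total-vm:3072516kB, anon-rss:1895824kB, file-rss:0kB, shmem-rss:0kB, UID:981 pgtables:5792kB oom_score_adj:0
Jun 19 21:22:52 el8p18 kernel: Out of memory: Killed process 2007089 (clamd) total-vm:3093760kB, anon-rss:1779240kB, file-rss:0kB, shmem-rss:0kB, UID:981 pgtables:5816kB oom_score_adj:0
Jun 19 22:01:07 examplehost kernel: Out of memory: Killed process 2010001 (mysqld) total-vm:4000000kB, anon-rss:3000000kB, file-rss:0kB, shmem-rss:0kB, UID:27 pgtables:6000kB oom_score_adj:0
EOF
}

sample_log | clamd_oom_summary
# On a live server (-h drops the file-name prefix added when several files match):
#   zgrep -h "Out of memory" /var/log/messages* | clamd_oom_summary
```

A peak of roughly 2.2 GB resident for clamd alone, as in these lines, shows why the 4 GB minimum leaves little room for anything else on the server.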

Create a Swap File if your VM Doesn't Have One

Sometimes service providers create a virtual machine without any swap file. If your virtual machine doesn't have a swap file, you should create one. You can check whether your VM has a swap file using the command:

# cat /proc/swaps 
Filename                                Type            Size            Used            Priority
/dev/dm-1                               partition       2097148         735832          -2

Instructions for creating a swap file can be found here.

Disable the Out of Memory Killer for ClamAV

Edit the ClamAV service file:

// RHEL/CloudLinux/AlmaLinux/RockyLinux
systemctl edit --full clamd@scan

// Debian/Ubuntu
systemctl edit --full clamav-daemon

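Add the option OOMScoreAdjust=-1000 to the [Service] section. This value exempts clamd from the OOM killer entirely, so under memory pressure the kernel will pick another process to kill instead.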

Example (taken from Ubuntu 22.04):

[Unit]
Description=Clam AntiVirus userspace daemon
Documentation=man:clamd(8) man:clamd.conf(5) https://docs.clamav.net/
# Check for database existence
ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}

[Service]
ExecStart=/usr/sbin/clamd --foreground=true
# Reload the database
ExecReload=/bin/kill -USR2 $MAINPID
StandardOutput=syslog
TimeoutStartSec=420
OOMScoreAdjust=-1000

[Install]
WantedBy=multi-user.target

Restart ClamAV

// RHEL/CloudLinux/AlmaLinux/RockyLinux
systemctl restart clamd@scan

// Debian/Ubuntu
systemctl restart clamav-daemon

Disable Concurrent Database Reloads to Free Up Memory

If the option ConcurrentDatabaseReload is enabled in ClamAV, then during a database reload clamd loads the new database first and only then drops the old one. This concurrent reload strategy allows it to keep scanning files while the new database loads. The drawback is that a reload requires twice as much memory as normal operation, and as a result the clamd process can keep getting killed. For servers with under 8 GB of memory we recommend that you disable this option. You can disable this under Warden -> Settings -> Anti-virus Settings -> Concurrent database reload (make sure it is unchecked).
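
To see whether a concurrent reload would fit on a given server, the check below compares clamd's current resident memory with the memory the kernel reports as available. It is an added example, not Warden's or ClamAV's own code; the function names are hypothetical, the sample files are constructed, and the rule "a reload needs about one more copy of clamd's resident memory" is a heuristic derived from the paragraph above.

```shell
#!/bin/sh
# Added example. Heuristic taken from the text above: a concurrent reload
# needs about one more copy of clamd's resident memory.

# Print "yes" or "no" for ConcurrentDatabaseReload in a clamd config file.
# An absent option counts as "yes", which is clamd's documented default.
concurrent_reload_enabled() {
    awk '
        $1 == "ConcurrentDatabaseReload" { v = tolower($2); found = 1; exit }
        END {
            if (!found || v == "yes" || v == "true" || v == "1") print "yes"
            else print "no"
        }
    ' "$1"
}

# Print the kB value of a "Key:  <n> kB" line from a /proc-style file.
proc_kb() {
    awk -v key="$1:" '$1 == key { print $2; exit }' "$2"
}

# Usage: reload_check <clamd config> <clamd /proc/PID/status> [meminfo]
reload_check() {
    if [ "$(concurrent_reload_enabled "$1")" = "no" ]; then
        echo "n/a concurrent reload disabled"
        return 0
    fi
    rss=$(proc_kb VmRSS "$2")
    avail=$(proc_kb MemAvailable "${3:-/proc/meminfo}")
    if [ "$avail" -lt "$rss" ]; then
        echo "risk rss_kb=$rss available_kb=$avail"
    else
        echo "ok rss_kb=$rss available_kb=$avail"
    fi
}

# Constructed sample input so the script runs offline.
demo_dir=$(mktemp -d)
printf 'LogSyslog yes\n#ConcurrentDatabaseReload no\n' > "$demo_dir/clamd.conf"
printf 'Name:\tclamd\nVmRSS:\t 1895824 kB\n' > "$demo_dir/status"
printf 'MemTotal:  3880000 kB\nMemAvailable:  1200000 kB\n' > "$demo_dir/meminfo"
reload_check "$demo_dir/clamd.conf" "$demo_dir/status" "$demo_dir/meminfo"
```

On a live server, pass the clamd configuration file and the status file of the running daemon, for example /proc/$(pidof clamd)/status; the usual package locations for the configuration are /etc/clamd.d/scan.conf on RHEL-family systems and /etc/clamav/clamd.conf on Debian/Ubuntu.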
