High CPU when scanning email
langenet


Joined: 03 Sep 2010
Posts: 19
I have set up ClamWin to scan my email. Today, I tried to send a fairly large email and ClamWin wants to sit at 35-40%. I can kill the process, but it restarts and doesn't seem to go down. The mail queue is empty... How can I correct this?

Thanks,

Robert
GuitarBob


Joined: 09 Jul 2006
Posts: 4540
Location: USA
How long have you been using ClamWin to scan your email? Have you had this problem ever since you have been scanning email?

How do you scan email--with a manual scan or a scheduled scan?

What sort of computer are you using?

Have you made any recent changes in your equipment--hardware, RAM?

Are you using another antivirus along with ClamWin? If so, how does the other AV act during a ClamWin scan? Is it busy also?

Regards,
langenet


Joined: 03 Sep 2010
Posts: 19
Thanks GuitarBob for responding so quickly.

I've been using command line scanning with my email server (Desknow) for about 10 years.

The command which gets invoked by Desknow is:

C:\Progra~2\ClamWin\bin\clamscan.exe --database=C:\Docume~1\AllUse~1\.clamwin\db --log=C:\Mgnt\ClamScanLog.txt %FILE%

I actually performed a complete system restore from a week ago. There were only hits on CPU when the scan took place. However, I just updated the virus db and tested with eicar and no virus is getting detected. Troublesome to say the least...

I'm running Win2k16 server and disabled Defender scanning on my email folders.

The command line scanner seems to take an awful long time to scan as the log shows ... It just repeats as if it is stuck. But at 0.01MB size makes me wonder why.
I sure wish there was a date timestamp in the log. I tried to amend this with a java app I wrote, but it wasn't reliably noting the file change in the log file.



----------- SCAN SUMMARY -----------
Known viruses: 6309062
Engine version: 0.99.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.00:1)
Time: 104.144 sec (1 m 44 s)

-------------------------------------------------------------------------------


----------- SCAN SUMMARY -----------
Known viruses: 6309062
Engine version: 0.99.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 94.225 sec (1 m 34 s)

-------------------------------------------------------------------------------
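The log above has no timestamps, but each SCAN SUMMARY block does record how long the scan took and how much data it covered. The following is an added example, not code from the thread or from ClamWin: it parses the summary blocks out of a clamscan --log file and flags scans of a single tiny file that still took longer than a threshold, which is the signature of time spent loading the signature database rather than scanning content. The log text is a constructed sample shaped like the two summaries posted above.

```python
import re

# Constructed sample: two summaries in the shape clamscan 0.99.4 writes them.
SAMPLE_LOG = """\
----------- SCAN SUMMARY -----------
Known viruses: 6309062
Engine version: 0.99.4
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
Time: 104.144 sec (1 m 44 s)

-------------------------------------------------------------------------------

----------- SCAN SUMMARY -----------
Known viruses: 6309062
Engine version: 0.99.4
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 94.225 sec (1 m 34 s)
"""

# Summary fields we keep, mapped to short record keys.
WANTED = {"Scanned files": "files", "Infected files": "infected",
          "Data scanned": "mb", "Time": "seconds"}
# "Key: <number>" at the start of a line; trailing units are ignored.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<num>\d+(?:\.\d+)?)", re.M)


def parse_summaries(log_text):
    """Return one record per SCAN SUMMARY block, in log order."""
    summaries = []
    for block in log_text.split("SCAN SUMMARY")[1:]:   # text after each header
        rec = {name: 0.0 for name in WANTED.values()}
        for m in FIELD_RE.finditer(block):
            if m.group("key") in WANTED:               # skips Known viruses, Engine version
                rec[WANTED[m.group("key")]] = float(m.group("num"))
        summaries.append(rec)
    return summaries


def fixed_cost_scans(summaries, threshold_s=30.0):
    """Scans of at most one file that still exceeded threshold_s: the time is
    per-invocation overhead (database load), not proportional to data scanned."""
    return [s for s in summaries if s["files"] <= 1 and s["seconds"] > threshold_s]


if __name__ == "__main__":
    for s in fixed_cost_scans(parse_summaries(SAMPLE_LOG)):
        print(f"{s['seconds']:.1f}s for {s['mb']} MB in {int(s['files'])} file")
```

Run it against the real ClamScanLog.txt to see how many of the repeated scans per message are pure database-load time.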
GuitarBob


Joined: 09 Jul 2006
Posts: 4540
Location: USA
Robert, I informed the ClamWin developers about your problem. I think one of them will join in here to help in a day or so.

Regards,
langenet


Joined: 03 Sep 2010
Posts: 19
Thanks again for your help. With further analysis, it appears that the scan process runs numerous times for the same message with attachment. Not sure why, as I have tested this before in the past. Still waiting for the eicar test to pass. The log is showing at least a dozen scans so far, each taking about 73 seconds or so - still not done yet. Furthermore, and more troubling, is that the eicar test isn't even caught, and I know I've tested this in the past and it has always worked.

Robert
GuitarBob


Joined: 09 Jul 2006
Posts: 4540
Location: USA
Are you using the same EICAR that you have used in the past? Some forms of EICAR are sometimes not detected--for instance those that are nested in a large (unreasonable) number of zips and similar tricks that would probably not be used by malware authors. Some AV sites use that as a test to tell you that you need another AV.

Regards,
langenet


Joined: 03 Sep 2010
Posts: 19
Sure have. I tested with another site and ClamWin only caught one virus. Others passed no problem.
As per the email test:

You receive this email because you registered for the Byteplant Email Security Check.

This mail contains a harmless executable attachment named "attached.bat".

Even though it is harmless, it should have been removed (or replaced) by your attachment blocker.
Find out more here on how to protect yourself against unwanted email attachments:
http://www.byteplant.com/cleanmail

Within the attachment - echo Your system is vulnerable
pause

I just don't understand this failure and the fact that according to the log, it appears to scan each attachment a number of times each taking 72 seconds or so...

Robert
GuitarBob


Joined: 09 Jul 2006
Posts: 4540
Location: USA
Until we hear from a developer regarding your actual problem, is ClamWin the only AV that you are using on the PC/server that handles the email? Clam AV does not have anyone working on it full-time, and they do not prepare enough virus signatures in my opinion. I think you need another AV--and a real-time one at that. I think that either Windows Defender (Security Essentials for older computers) or Fortinet's Forticlient would suit you. They are both free and available for both businesses and individuals.

Regards,
langenet


Joined: 03 Sep 2010
Posts: 19
Thanks for that GuitarBob. I appreciate that full time development with the signatures doesn't happen.

I noticed that if I just pick one file to scan via the task tray, it literally takes about a minute just to load the virus DB before it scans. I think this is the problem actually... Not sure why it takes so long to load a 300kb db file. Another thing I just noticed is that I had "exclude *.dat files" specified in the app - my bad for sure with that one....

One last thing I also noticed was the e-mail notification when in the app to test never has worked from the beginning. It just spins there now and is reported as not responding.

Thanks so much for sticking with me on this... Again, I think the issue is the db load time.

Robert
GuitarBob


Joined: 09 Jul 2006
Posts: 4540
Location: USA
The Clam AV code used by ClamWin has always taken a long time to load the virus signature database, but it seems to have gotten much longer lately (I noticed this a few weeks ago on my scans). There is no permanent database cache--the signatures need to be loaded before each scan--even when only 1 file is scanned. When the original code was written, there were not really many viruses compared to now, so speed wasn't a problem then, and it has not been changed!

The daily database has also gotten larger than the main database, so Clam AV needs to compact its database to increase scanning efficiency. They used to do it several times a year, but I think it hasn't been done in a year now at least.

I may be able to offer a few suggestions that might help things speed up scans a bit. If you are not using any custom extensions to scan, set up 20 to 30 extensions commonly used by malware to scan. That number seems to work best for me. Below is the configuration for extensions to scan that I use in my ClamWin.conf file:

includepatterns = *.bat|CLAMWIN_SEP|*.cmd|CLAMWIN_SEP|*.cpl|CLAMWIN_SEP|*.dll|CLAMWIN_SEP|*.doc|CLAMWIN_SEP|*.docx|CLAMWIN_SEP|*.exe|CLAMWIN_SEP|*.inf|CLAMWIN_SEP|*.js|CLAMWIN_SEP|*.lnk|CLAMWIN_SEP|*.ocx|CLAMWIN_SEP|*.pdf|CLAMWIN_SEP|*.pif|CLAMWIN_SEP|*.ps1|CLAMWIN_SEP|*.swf|CLAMWIN_SEP|*.sys|CLAMWIN_SEP|*.tmp|CLAMWIN_SEP|*.vbs|CLAMWIN_SEP|*.xls|CLAMWIN_SEP|*.xlsx|CLAMWIN_SEP|*.zip

You will not see many viruses in .dat files. In fact, note that .dat is one of the extensions to exclude from scanning that ClamWin uses as a default.

I also do not scan my entire computer during scheduled scans. Most Windows 10 viruses will be found in the %AppData, System32, and SysWOW64 folders, or the equivalent in older versions of Windows.

I hope this helps. Let us know how it goes.

Regards,
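The includepatterns and excludepatterns lines in ClamWin.conf share one format: glob patterns joined by the literal separator CLAMWIN_SEP. The following is an added example, not code from the thread or from ClamWin, that parses such a line and decides whether a given file name would be selected for scanning. The decision rule is an assumption made here, not verified against ClamWin's source: exclude patterns win, a non-empty include list restricts scanning to matching names, and matching is case-insensitive as Windows file names are. The pattern lists are subsets of the two lines posted in this thread.

```python
import fnmatch
import ntpath

SEP = "|CLAMWIN_SEP|"

# Constructed config lines: subsets of the include list suggested above and of
# the default exclude list quoted later in the thread.
INCLUDE_LINE = "includepatterns = *.bat|CLAMWIN_SEP|*.cmd|CLAMWIN_SEP|*.exe|CLAMWIN_SEP|*.pdf|CLAMWIN_SEP|*.zip"
EXCLUDE_LINE = "excludepatterns = *.dbx|CLAMWIN_SEP|*.pst|CLAMWIN_SEP|*.dat|CLAMWIN_SEP|*.log"


def parse_patterns(line):
    """Split a 'key = a|CLAMWIN_SEP|b|...' line into its glob patterns."""
    _, _, value = line.partition("=")
    return [p.strip() for p in value.strip().split(SEP) if p.strip()]


def would_scan(path, include, exclude):
    """True if the file name passes the exclude list and, when an include list
    is present, matches at least one include pattern (assumed rule, see above)."""
    name = ntpath.basename(path).lower()          # handles Windows backslash paths
    if any(fnmatch.fnmatchcase(name, p.lower()) for p in exclude):
        return False
    if include:
        return any(fnmatch.fnmatchcase(name, p.lower()) for p in include)
    return True


if __name__ == "__main__":
    inc, exc = parse_patterns(INCLUDE_LINE), parse_patterns(EXCLUDE_LINE)
    for f in (r"C:\mail\queue\attached.bat", r"C:\mail\queue\index.dat", "notes.txt"):
        print(f, "->", "scan" if would_scan(f, inc, exc) else "skip")
```

Note that the Byteplant test attachment attached.bat is selected under either the default exclude list or the suggested include list, so the undetected test message is not explained by pattern filtering.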
langenet


Joined: 03 Sep 2010
Posts: 19
Thanks again.

So instead of the default exclude pattern line:
excludepatterns = *.dbx|CLAMWIN_SEP|*.tbb|CLAMWIN_SEP|*.pst|CLAMWIN_SEP|*.dat|CLAMWIN_SEP|*.log|CLAMWIN_SEP|*.evt|CLAMWIN_SEP|*.nsf|CLAMWIN_SEP|*.ntf|CLAMWIN_SEP|*.chm

I should remove that, and instead add your suggested includepatterns? - this is what I just did...

Looking further at the conf file, I added my particulars for e-mail notification, however if I open the clamtray app, I don't see the new filters or my specified e-mail notification entries.
I would have thought this would read in the conf file. When is the conf file read then?

Robert
GuitarBob


Joined: 09 Jul 2006
Posts: 4540
Location: USA
I'm not sure when the config file is read. I assume that it would either be prior to a scan or perhaps upon startup.

Look at the config file and see if it has the changes you made. If it doesn't, then exit ClamWin, make the changes, save the config file, and then restart the computer. I've had to do this on occasion with some security software.

Sometimes I wish I were a programmer instead of an ex-sigmaker! I might be of more help.

Regards,
langenet


Joined: 03 Sep 2010
Posts: 19
Believe it or not, after a reboot the clamtray app does not contain the data in the conf file. Now I'm totally confused... I wish this could be confirmed by a developer.... Too bad that this is creating the problems now. It used to work very well for so long.

Are you sure Fortinet's Forticlient still provides this free? I looked and can't see anything on this. I desperately need a decent command-line scanner which has some logging...

In the meantime, I've had to configure Defender to do file scans, but now I'm not even sure if it works. Clamwin was eating too much cpu and I was getting DB issues with my email server.
GuitarBob


Joined: 09 Jul 2006
Posts: 4540
Location: USA
Yes, Fortinet's Forticlient is still free. You can get it at https://forticlient.com/downloads on the web. I have Windows 10, but I get the version for Windows 7--the very first download. I don't like to mess with Microsoft's online store. This version works fine for me.

The problems you have, combined with ClamWin not detecting EICAR makes me wonder if you have some malware that stops ClamWin. See if you can get into Safe Mode and do a scan while there with Windows Defender and ClamWin. Windows Defender is really a good scanner--even if the tests of AV Comparatives all result in a large amount of false positives, with which I have never had any problem when using it.

Forticlient will do a brief scan before it installs. To configure it, you have to Unlock--select the last option and you can then configure things via the little wheel at the top. I use the antivirus screen as my default screen. Forticlient is very underrated, and its web scanner is the best that I know of--and it is free. It has some unadvertised behavior blocking, and Fortinet tracks a very large number of malware files via its hardware/user base.

If you need some extra protection, two of the free malware tools I use are Kaspersky's TDSSKiller and Eset's Online Scanner. I run them from a USB because neither one needs to be installed. Eset's full scan takes a long time, so I usually use the Quick Scan, but it has found some obscure malware for me several times.

Regards,
langenet


Joined: 03 Sep 2010
Posts: 19
Thanks again GuitarBob. You have been most helpful.

Perhaps I might not have been the most clear with my use of Clamwin. The software has been used for a very long time running e-mail scans on my DeskNow e-mail server. This is hosted on a Windows 2016 Server with the latest MS patches applied. The server is never used to browse the internet either. The problem with Clamwin is that it literally takes over a minute just to load the signature database. Once loaded it scans fine. Using the clamtray application, I can direct CW to a specific file and then watch it wait to load the signature database. This causes the CPU to peak at about 35% per core. Since the server is running my home automation software as well as a PostgreSQL database, this has major impact since it does this for a long time. The server also is equipped with MS Defender which works fine. In fact, I had to set up my mail server to use the command line API of Defender. The downside of Defender is logging - something I liked about Clamwin.

Scan times of Clamwin are about 73 seconds per e-mail ( or file for that matter) now but haven't been like this all along. I will recover some of the older logs just to review to be sure.
EDIT: Scan times in Feb 2019 were 18 seconds..
Typically, about 5 seconds per scan was usual. Others on here have also complained about the signature load and scan time. I still have a test EICAR file with a virus that clamwin does pick up, so I know it works.

As the server runs Win2k16, I also wonder if the clamwin.conf is in fact used. Any changes I manually made in it, aren't reflected when I bring up the Clamwin app. The use of a .conf file is typical of a UNIX environment, but not sure about a Windows host.

I even deleted all the clamwin db files and reloaded from scratch. The file sizes are smaller, but it doesn't seem to help. Clamwin hasn't been updated for a long time - perhaps it's time for a review...

So you're using V6 of the forticlient then? Signatures can be updated daily? Does it provide logging?

Thanks so much for your help...