
clamd CPU is at 100%

Posted: 24 Jul 2017 15:25
by curibe
Hello,

I hit an issue where CLAMD is hitting 100%. I have no idea why CLAMD is doing this. Is there a way to look at clamd logs?

Please let me know.

Re: clamd CPU is at 100%

Posted: 24 Jul 2017 15:52
by curibe
Guys, looks like I'm getting this error in the /var/logs/maillogs/


Jul 24 11:50:06 COSMTPAP01P MailScanner[3200]: Virus and Content Scanning: Starting
Jul 24 11:50:06 COSMTPAP01P MailScanner[3200]: Clamd::ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
Jul 24 11:50:07 COSMTPAP01P MailScanner[3200]: Virus Scanning: Clamd found 1 infections
Jul 24 11:50:07 COSMTPAP01P MailScanner[3200]: Virus Scanning: No virus scanners worked, so message batch was abandoned and retried!

I believe this is what is causing my CPU to go up.

Please HELP.

Re: clamd CPU is at 100%

Posted: 24 Jul 2017 16:16
by curibe
Not sure if this is related. I have 30+ processes containing the following:

etc/spamassassin/imageCerberus/imageCerberusEXE --textdetector /etc/spamassassin/imageCerberus/WholeWord.xml --load /etc/spamassassin/imageCerberus/data --classifyF /tmp/sa_imageCerberus_tmpImg.2500.png

What is this?

Re: clamd CPU is at 100%

Posted: 24 Jul 2017 17:35
by curibe
Attached is a screenshot of the error when I reboot the server.

Re: clamd CPU is at 100%

Posted: 25 Jul 2017 01:12
by curibe
Any update on this?

Re: clamd CPU is at 100%

Posted: 25 Jul 2017 01:27
by curibe
In processes I see like Image Cerberus taking all the CPU. Why is this happening? Screenshot is attached.

Re: clamd CPU is at 100%

Posted: 25 Jul 2017 05:11
by pdwalker
It sounds like you have some funny messages in your mail queue that are causing the scanners to go a bit nuts.

Is there a way you could forward one of those messages to me so I can check it on my own system?

Re: clamd CPU is at 100%

Posted: 25 Jul 2017 05:11
by pdwalker
curibe wrote: 24 Jul 2017 17:35
Attached is a screenshot of the error when I reboot the server.

Those errors are harmless and can safely be ignored.

Re: clamd CPU is at 100%

Posted: 25 Jul 2017 14:41
by curibe
I just got these emails.

Service clamd down and restarted ( 1 attempts in past day, max attempts is 3 )

Please examine your EFA logs on <Server Name> and resources to determine cause of failure

Is there such a thing as EFA Logs?

Let me know.

Re: clamd CPU is at 100%

Posted: 25 Jul 2017 15:46
by curibe
I notice that /imageCerberusEXE is taking all my CPU. What is /imageCerberusEXE? I just use EFA as an internal SMTP relay. Can I just disable it?

Re: clamd CPU is at 100%

Posted: 26 Jul 2017 11:13
by pdwalker
imageCerberusEXE is a program designed to "read" graphic images to determine if they are spam, as some spammers use gifs/pngs/jpegs to send spam messages to defeat spam detection software, so it is useful.

Turning it off may allow more spam to come in. I guess that editing /etc/mail/spamassassin/ImageCerberusPLG.cf and commenting out the following line with a "#" character will do the trick:

Code:

loadplugin ImageCerberusPLG /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/ImageCerberusPLG.pm

Unfortunately, in your case, you seem to have gotten a "special" message that blows up clamd and imageCerberus, so disabling imageCerberus will not stop your problem with ClamD. Or maybe it will if the imageCerberusEXE executable is not running.

Try it and let us know the results. It'll be interesting to find out what is in the message that is causing things to break.

Re: clamd CPU is at 100%

Posted: 26 Jul 2017 13:16
by curibe
pdwalker wrote: 26 Jul 2017 11:13
imageCerberusEXE is a program designed to "read" graphic images to determine if they are spam, as some spammers use gifs/pngs/jpegs to send spam messages to defeat spam detection software, so it is useful.

Turning it off may allow more spam to come in. I guess that editing /etc/mail/spamassassin/ImageCerberusPLG.cf and commenting out the following line with a "#" character will do the trick:

Code:

loadplugin ImageCerberusPLG /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/ImageCerberusPLG.pm

Unfortunately, in your case, you seem to have gotten a "special" message that blows up clamd and imageCerberus, so disabling imageCerberus will not stop your problem with ClamD. Or maybe it will if the imageCerberusEXE executable is not running.

Try it and let us know the results. It'll be interesting to find out what is in the message that is causing things to break.

I wish I would know how to check what message is doing this. But there is nothing stuck in the queue and CPU is at 100%. :(

Re: clamd CPU is at 100%

Posted: 26 Jul 2017 14:57
by pdwalker
Kill those imageCerberusEXE processes and see if the problem comes back.
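
Added example, not part of the original thread: before killing the imageCerberusEXE processes discussed above, this lists each one with its age in seconds, its CPU share and the temporary image passed to it via `--classifyF`, so the long-running ones can be recorded. The function name `stuck_cerberus`, the 300-second threshold and the sample `ps` output are assumptions constructed for illustration; the expected input format is that of `ps -eo pid,etime,pcpu,args`.

```shell
#!/bin/sh
# Added example: report long-running imageCerberusEXE processes.
# Reads "PID ETIME %CPU ARGS..." lines on stdin (ps -eo pid,etime,pcpu,args).
# $1 = minimum age in seconds (default 60). Output: PID AGE_SECONDS %CPU IMAGE
stuck_cerberus() {
    awk -v min="${1:-60}" '
    # Convert ps etime ([[dd-]hh:]mm:ss) to seconds.
    function secs(t,   d, i, n, p) {
        d = 0
        i = index(t, "-")
        if (i) { d = substr(t, 1, i - 1); t = substr(t, i + 1) }
        n = split(t, p, ":")
        if (n == 3) return d * 86400 + p[1] * 3600 + p[2] * 60 + p[3]
        return d * 86400 + p[1] * 60 + p[2]
    }
    # Match on the executable itself (field 4) so that other processes whose
    # arguments merely mention the name are not counted.
    $4 ~ /imageCerberusEXE$/ {
        age = secs($2)
        if (age < min) next
        img = "-"
        for (i = 4; i < NF; i++)
            if ($i == "--classifyF") img = $(i + 1)
        printf "%s %d %s %s\n", $1, age, $3, img
    }'
}

# Constructed sample input (PIDs, times and all but the first image path
# are made up for this example).
SAMPLE='  PID     ELAPSED %CPU COMMAND
 1840  2-03:10:00  0.4 clamd
 2511    01:12:40 98.7 /etc/spamassassin/imageCerberus/imageCerberusEXE --load /etc/spamassassin/imageCerberus/data --classifyF /tmp/sa_imageCerberus_tmpImg.2500.png
 2620       00:07  3.0 /etc/spamassassin/imageCerberus/imageCerberusEXE --classifyF /tmp/sa_imageCerberus_tmpImg.2610.png
 2703  1-00:00:05 97.2 /etc/spamassassin/imageCerberus/imageCerberusEXE --classifyF /tmp/sa_imageCerberus_tmpImg.2650.png'

# Demonstration on the sample; on a live system use:
#   ps -eo pid,etime,pcpu,args | stuck_cerberus 300
printf '%s\n' "$SAMPLE" | stuck_cerberus 300
```

Copying the listed image files somewhere safe before killing the processes keeps a record of what the scanner was working on.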