clamd CPu is at 100%

Report bugs and workarounds
Post Reply
curibe
Posts: 74
Joined: 26 Feb 2014 22:38

clamd CPu is at 100%

Post by curibe »

Hello,

I hit an issue where CLAMD is hitting 100%. i have no idea why CLAMD is doing this. is there a way to look at clamd logs?

please let me know.
curibe
Posts: 74
Joined: 26 Feb 2014 22:38

Re: clamd CPu is at 100%

Post by curibe »

guys looks like im getting this error in the /var/logs/maillogs/


Jul 24 11:50:06 COSMTPAP01P MailScanner[3200]: Virus and Content Scanning: Starting
Jul 24 11:50:06 COSMTPAP01P MailScanner[3200]: Clamd::ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
Jul 24 11:50:07 COSMTPAP01P MailScanner[3200]: Virus Scanning: Clamd found 1 infections
Jul 24 11:50:07 COSMTPAP01P MailScanner[3200]: Virus Scanning: No virus scanners worked, so message batch was abandoned and retried!

I believe this is what is causing my CPU to go up.

Please HELP.
curibe
Posts: 74
Joined: 26 Feb 2014 22:38

Re: clamd CPu is at 100%

Post by curibe »

not sure if this related. I have 30+ processes containing the following:

etc/spamassassin/imageCerberus/imageCerberusEXE --textdetector /etc/spamassassin/imageCerberus/WholeWord.xml --load /etc/spamassassin/imageCerberus/data --classifyF /tmp/sa_imageCerberus_tmpImg.2500.png

what is this?
curibe
Posts: 74
Joined: 26 Feb 2014 22:38

Re: clamd CPu is at 100%

Post by curibe »

attached is a screenshot of the error when i reboot the server.
Attachments
clamd.png
clamd.png (431.23 KiB) Viewed 8734 times
curibe
Posts: 74
Joined: 26 Feb 2014 22:38

Re: clamd CPu is at 100%

Post by curibe »

any update on this?
curibe
Posts: 74
Joined: 26 Feb 2014 22:38

Re: clamd CPu is at 100%

Post by curibe »

in processes i see like Image Cerberus taking all the CPU. why is this happening? Screenshot is attached.
Attachments
2017-07-24_21-25-25.png
2017-07-24_21-25-25.png (336.57 KiB) Viewed 8724 times
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: clamd CPu is at 100%

Post by pdwalker »

It sounds like you have some funny messages in your mail queue that are causing the scanners to go a bit nuts.

Is there a way you could forward one of those messages to me so I can check it on my own system?
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: clamd CPu is at 100%

Post by pdwalker »

curibe wrote: 24 Jul 2017 17:35 attached is a screenshot of the error when i reboot the server.
Those errors are harmless and can safely be ignored.
curibe
Posts: 74
Joined: 26 Feb 2014 22:38

Re: clamd CPu is at 100%

Post by curibe »

i just got these emails.

Service clamd down and restarted ( 1 attempts in past day, max attempts is 3 )

Please examine your EFA logs on <Server Name> and resources to determine cause of failure

Is there such thing as EFA Logs?

Let me know.
curibe
Posts: 74
Joined: 26 Feb 2014 22:38

Re: clamd CPu is at 100%

Post by curibe »

i notice that /imageCerberusEXE is taking all my CPU. What is /imageCerberusEXE? i just use EFA as an internal SMTP relay. Can i just disable it?
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: clamd CPu is at 100%

Post by pdwalker »

imageCerberusEXE is a program designed to "read" graphic images to determine if they are spam, as some spammers use gifs/pngs/jpegs to send spam messages to defeat spam detection software, so it is useful.

Turning it off may allow more spam to come in. I guess that editing /etc/mail/spamassassin/ImageCerberusPLG.cf and commenting out the following line with a "#" character will do the trick:

Code: Select all

loadplugin ImageCerberusPLG /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/ImageCerberusPLG.pm 
Unfortunately, in your case, you've seem to have gotten a "special" message that blows up clamd and imageCerberus, so disabling imageCerberus will not stop your problem with ClamD. Or maybe it will if the imageCerberusEXE executable is not running.

Try it and let us know the results. It'll be interesting to find out what is in the message that is causing things to break.
curibe
Posts: 74
Joined: 26 Feb 2014 22:38

Re: clamd CPu is at 100%

Post by curibe »

pdwalker wrote: 26 Jul 2017 11:13 imageCerberusEXE is a program designed to "read" graphic images to determine if they are spam, as some spammers use gifs/pngs/jpegs to send spam messages to defeat spam detection software, so it is useful.

Turning it off may allow more spam to come in. I guess that editing /etc/mail/spamassassin/ImageCerberusPLG.cf and commenting out the following line with a "#" character will do the trick:

Code: Select all

loadplugin ImageCerberusPLG /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/ImageCerberusPLG.pm 
Unfortunately, in your case, you've seem to have gotten a "special" message that blows up clamd and imageCerberus, so disabling imageCerberus will not stop your problem with ClamD. Or maybe it will if the imageCerberusEXE executable is not running.

Try it and let us know the results. It'll be interesting to find out what is in the message that is causing things to break.
I wish i would now how to check what message is doing this. but there is nothing stuck in the queue and CPU is at 100%. :(
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: clamd CPu is at 100%

Post by pdwalker »

kill those imageCerberusEXE processes and see if the problem comes back.
Post Reply