ClamAV and ClamScan taking forever to complete

ghostwolf59

Contributor
Joined
Mar 2, 2013
Messages
165
Hi,
I just installed ClamAV in its own jail (pretty much following https://www.ixsystems.com/community/resources/how-to-install-clamav-on-freenas-v11.66/ but on a FreeNAS 11.3 installation).

All works, but nominating large volumes to scan takes forever (manually kicked off one of my cron jobs scanning one of my targets, about 200GB of data stored, today and 8 hours later it's still running) - that doesn't come across as right.

I also noticed some memory issues spat back from clamscan (old box with only 8GB RAM installed).

Would have thought a simple scan of data should be pretty quick as well as not too memory hungry

The script kicking off the scan executes this to perform the scan on my target *parameter based*
Code:
clamscan -i -r -l /var/log/clamav/clamscan.log "${scanlocation}"


Running the same cron and scripts runs fine on smaller targets, but pointing to a large pool containing a fair amount of data it seems to struggle.

Anyone with suggestions please let me know

The complete scripts I run are these:

NOTE!!! I updated these scripts to allow for concurrent processes (so if one cron scheduled to run clashes with the current job, it will work for both).
Also only updates the virus db once every 24 hour cycle (or when it's missing).
No real need to update the virus db for every run ;)
Final tweak was to mod the script to handle folder names containing spaces when passing in the target path as a parameter (the entire parameter needs to be surrounded by quotes though, i.e. "").


run_clamav_scan.sh:
Code:
#!/bin/sh

### Execute a shell script on the ClamAV jail, which updates the anti-virus definitions and then runs a scan ###
## iocage = FreeNAS v11.1 and above (yes FreeNAS v11.1 supports both warden and iocage [via CLI]) ##

## Define the location where the "avscan.sh" shell script is located on the jail:
scriptlocation="/script/"

# Grab the PID of this script; it is passed to the jail script so each run gets unique log and temp file names

pid=$$
#echo "pid id ${pid}"

# Grab target directory parameter (all arguments joined into one string)
scantarget="$*"


## Execute the script passing pid and target path ##
iocage exec clamav "$scriptlocation"avscan.sh "${pid}" "${scantarget}"

## email the log ##
sendmail -t < /mnt/JailSSD/iocage/jails/clamav/root/tmp/clamavemail${pid}.tmp

## Delete the log file ##
rm /mnt/JailSSD/iocage/jails/clamav/root/tmp/clamavemail${pid}.tmp




avscan.sh:

Code:
#!/bin/sh

### Notes ###
## Shell script to update the ClamAV definitions, then run a scan and prepare an email template ##
## This script is called from a master script running as a cron job on the FreeNAS server ##
## Master script is: run_clamav_scan.sh  ##
##
## Instructions: ##
## 1) To use this you need to create a Jail called "ClamAV" ##
## 2) Open a shell to the jail and then run: "pkg update" ##
## 3) Then run: "pkg install clamav" ##
## 4) You can then "exit" the Jail ##
## 5) Add the windows shares you wish to scan by using the Jail Add Storage feature ##
## 5a) Add the shares to same location you use in the variable: "scanlocation" ##
## 6) Set up a cronjob on the FreeNAS server to run a shell script on the FreeNAS server: "run_clamav_scan.sh" ##
## 7) The shell script "run_clamav_scan.sh" then connects to the Jail and runs this script. ##
## 8) Once finished, the "run_clamav_scan.sh" script emails a log to the email entered in the variable: "to_email" ##
##
## https://www.clamav.net/ ##
## ClamAV® is an open source (GPL) anti-virus engine used in a variety of situations including email scanning, web scanning, ##
## and end point security. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command ##
## line scanner and an advanced tool for automatic database updates. ##

pid=${1}
#echo "pid argument ${pid}"

targetdir=${2}
#targetdir=${@}
#echo "targetdir ${targetdir}"

## Top directory of the files/directories you wish to scan, i.e. the "Jail Add Storage" locations ##
scanlocation="/scantarget/${targetdir}"

### Parameters ###
## email address ##
to_email="your_email@address"

NOW=$(date "+%Y%m%d")
### Only update anti-virus definitions once per day, identified by date ###
## Look for an existing freshclam log for today's date - if found, skip updating the virus definitions
## If NOT found, clean up any old freshclam*.log files stored on the system and re-create it along with fresh virus definitions
file="/var/log/clamav/freshclam-${NOW}.log"
if [ ! -f "$file" ]
then
    echo "$0: File '${file}' not found."
    ## Clean up old clam files and create a fresh up to date version
    f=0
    for file in /var/log/clamav/freshclam*.log
    do
        if [ -f "$file" ]
        then
            rm -f "$file"
            f=$((f + 1))  # POSIX arithmetic; ((f++)) is a bashism that fails under /bin/sh
        fi
    done
    echo "number of files removed: $f"
    echo "creating a new freshclam"
    freshclam -l /var/log/clamav/freshclam-${NOW}.log
fi   
#freshclam -l /var/log/clamav/freshclam${pid}.log
### End ###

echo "scan starting targeting ${scanlocation}"

### Run the anti-virus scan uniquely identified by pid ###
started=$(date "+ClamAV Scan started at: %Y-%m-%d %H:%M:%S")
clamscan -i -r -l /var/log/clamav/clamscan${pid}.log "${scanlocation}"
finished=$(date "+ClamAV Scan finished at: %Y-%m-%d %H:%M:%S")
### End ###

### prepare the email - pid makes the file unique ###
## Set email headers ##
(
    echo "To: ${to_email}"
    echo "Subject: ${started}"
    echo "MIME-Version: 1.0"
#    echo "Content-Type: text/html" ## does not work with 11.3 for now
    echo -e "\\r\\n"
) >> /tmp/clamavemail${pid}.tmp

## Set email body ##
(
    echo "<pre style=\"font-size:14px\">"
    echo ""
    echo "scantarget ${scanlocation}"
    echo ""
    echo "${started}"
    echo ""
    echo "${finished}"
    echo ""
    echo "--------------------------------------"
    echo "ClamAV Scan Summary pid ${pid}"
    echo "--------------------------------------"
    tail -n 8 /var/log/clamav/clamscan${pid}.log
    echo ""
    echo ""
    echo "--------------------------------------"
    echo "freshclam log file"
    echo "--------------------------------------"
    tail -n +2 /var/log/clamav/freshclam-${NOW}.log
    echo ""
    echo ""
    echo "--------------------------------------"
    echo "clamav log file"
    echo "--------------------------------------"
    tail -n +4 /var/log/clamav/clamscan${pid}.log | sed -e :a -e '$d;N;2,10ba' -e 'P;D'
    echo "</pre>"
) >> /tmp/clamavemail${pid}.tmp

### Tidy Up ###
## Delete the freshclam log in preparation of a new log ##
#rm /var/log/clamav/freshclam-${NOW}.log ## Not required since file is created once per day i.e no need to refresh clam virus def for every run

## Delete the clamscan log in preparation of a new log ##
rm /var/log/clamav/clamscan${pid}.log
### End ###



parameter controlled scheduled cron task:
Code:
/mnt/JailSSD/apps/clamav/run_clamav_scan.sh "Software/some folder name"


FreeNAS running processes:
clamscan.jpg
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
I'm curious if you ever solved this problem. I found the same problem as you. I was running clamav in a jail. It literally would take several days to scan the system and the CPU use was crazy. I eventually just deactivated the jail -- I couldn't take it any longer.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
First I would try enabling clamd and replacing clamscan with clamdscan.
 

ghostwolf59

> I'm curious if you ever solved this problem. I found the same problem as you. I was running clamav in a jail. It literally would take several days to scan the system and the CPU use was crazy. I eventually just deactivated the jail -- I couldn't take it any longer.

Nope - Run this when no one is using the system and even though it spits the dummy now and then it seems to work (but that's when splitting up scans across drives and folders) - so a few scheduled processes as a result.
 

Patrick M. Hausen

Anyone using ClamAV still interested in a solution? Then please enable clamd and replace clamscan in your scripts with clamdscan. That should improve execution time and CPU load significantly.
 

ghostwolf59

> Anyone using ClamAV still interested in a solution? Then please enable clamd and replace clamscan in your scripts with clamdscan. That should improve execution time and CPU load significantly.

Haven't tested clamd and clamdscan, but didn't like what I read here

 

Patrick M. Hausen

1 second instead of 8 seconds? Sounds good to me ;) The rest is a configuration issue, probably. I never used the command line scanners, honestly, but run clamd for email, and according to my experience and the docs one should really use that.
 

ghostwolf59

> 1 second instead of 8 seconds? Sounds good to me ;) The rest is a configuration issue, probably. I never used the command line scanners, honestly, but run clamd for email, and according to my experience and the docs one should really use that.

Agree, but what I was picking up on is that clamdscan fails to pick up and report threats - which makes it rather useless - Check the link where identical scans between clamscan and clamdscan are compared - that level of differences does not make me comfortable
 

Patrick M. Hausen

In that particular case - I read the linked discussion - the details and probably the reason for the difference are in clamd's logs. clamdscan hands the real scanning to clamd, so it cannot log e.g. AV database version and all the other info like clamscan. clamd simply returns "infected" or not. All details are logged by clamd.
 

ghostwolf59

> In that particular case - I read the linked discussion - the details and probably the reason for the difference are in clamd's logs. clamdscan hands the real scanning to clamd, so it cannot log e.g. AV database version and all the other info like clamscan. clamd simply returns "infected" or not. All details are logged by clamd.

So what you effectively suggest is to run clamdscan and if(!) it picks up an infection, then(!) run clamscan - hmm....

Also, not sure I fully agree with your statements - when I read up on clamd and its scan, it accepts all clamscan flags, but ignores most - It also won't pick up a fresh db over known viruses as clam does.
Again, just a reflection on what I read on the Linux site explaining the two and also no personal experience of running it - but the link points to a few potential issues and if I only receive a log (at best) informing me about an infection, then I would be forced to run another scan using a different process - doesn't sit right with me
 

Patrick M. Hausen

The ignored flags have to go into your clamd config, because the actual scanning is done by clamd. Likewise you need to run a freshclam cronjob to update the database - which clamd will pick up just fine. You will have to dig into the clamd documentation.
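
The switch to clamd discussed above, as an added example that is not part of any post in this thread: a replacement for the clamscan line in avscan.sh that scans through a running clamd, tells "infected" apart from "error" by exit status, and pulls the detections out of the log. The log paths, the function names and the sample log lines are assumptions made for the example; scan limits and exclusions are set in clamd.conf rather than on the command line.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and function names are assumptions.
CLAMD_LOG="${CLAMD_LOG:-/var/log/clamav/clamd.log}"  # assumed LogFile in clamd.conf

# Constructed sample of clamd log lines (LogTime enabled), for an offline dry run.
SAMPLE_LOG='Tue Jan  7 03:12:44 2020 -> SelfCheck: Database status OK.
Tue Jan  7 03:12:45 2020 -> /scantarget/Software/eicar.com: Win.Test.EICAR_HDB-1 FOUND'

# clamscan and clamdscan exit codes: 0 = no virus, 1 = virus found, 2 = error.
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Read clamd or clamdscan log lines on stdin; print "path: signature" per hit.
# The first expression drops the "<timestamp> -> " prefix when it is present.
found_lines() {
    sed -n -e 's/^.* -> //' -e 's/ FOUND$//p'
}

# Scan one target through the running clamd daemon.
#   --multiscan  let clamd scan the tree in parallel with its thread pool
#   --fdpass     pass open file descriptors, so clamd's user needs no read access
scan_with_clamd() {
    target=$1
    log=$2
    clamdscan --multiscan --fdpass --infected --log="$log" "$target"
    rc=$?
    status=$(scan_status "$rc")
    echo "clamdscan result for ${target}: ${status}"
    if [ "$status" = infected ]; then
        found_lines < "$log"
    elif [ "$status" = error ]; then
        # clamd down or path not visible: never report this as a clean scan
        tail -n 20 "$CLAMD_LOG"
    fi
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    scan_with_clamd "$1" "$2"       # e.g. /scantarget/Software /tmp/clamdscan.log
else
    printf '%s\n' "$SAMPLE_LOG" | found_lines   # dry run on the sample
fi
```

Run with a target and a log path it performs the scan; run without arguments it only parses the constructed sample, so the parsing can be checked on a machine without ClamAV installed.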
 