How much CPU resource takes ClamAV ?

I deal with an interesting issue on a newly set up xServe G5 2.0 GHz, 1 GB RAM:

When enabling virus filtering, the CPU performance goes down, or should I better say "up" to a usage rate between typically 70 % and 90+%.

Running the command "top" in the terminal reveals that it is the ClamAV process taking all those resources.

I cannot imagine that this is normal behavior. So maybe someone has advice on how I can keep virus checking enabled without having to deal with performance issues (there is currently just one single testing website and low web traffic only).

My first idea was that unless SpamAssassin filters mails more accurately (it is currently learning - we have been running it effectively for about one day now), all incoming mail gets checked against viruses.

But in my mind even this should not take over 80% of the CPU. On our old server we had around 500 incoming mails per day, where 90 % were considered spam.

Mac OS X (10.4.8)

Posted on Oct 31, 2006 2:03 PM

13 replies

Nov 1, 2006 12:50 AM in response to tobias Eichner

ClamAV is resource intensive on a standard Mac OS X install, because it is configured to use clamscan rather than clamd.

Having said that, 500 mails per day is close to nothing for the kind of machine you have and it shouldn't matter whether you use clamscan or clamd. So maybe you should look at your logs and processes for other clues. clamscan alone cannot be the culprit. Also, clamscan is only invoked when checking mail, so you should only see spikes, but not continuously high CPU usage.

Nov 1, 2006 6:53 AM in response to pterobyte

Well, does ClamAV differ between these kinds of mail:

(1) "mails intended for one of our domains we host"
(2) "mails that are going to one of our domains, but to a non-existing inbox"
(3) "mail abusers trying to use the SMTP as an open relay"

I sometimes feel that the virus checks are done for each mail type, also for (2) and (3).

So for example my mail queue is full of entries that have recipients never on my server (domains/e-mail addresses).

However, the "open-smtp-relay" tests I performed on various websites found on the Web lead me to believe that my server isn't an open SMTP relay. You may try it for yourself - send mails via starenterprise.com or its IP 194.77.100.91 - it hopefully should decline 🙂

In this way I consider the content of my mail queue as being correct, is it ?

So to come back to the topic, ClamAV should only check mails that are intended for an existing user on my server - not for everyone trying to send something or that goes to a non-existing inbox.

What are your experiences ? How does ClamAV perform ?

I'll also look around for clamd and how to use it. Maybe I'm able to manage it in this way. Thanks for the hint 🙂

Nov 1, 2006 7:20 AM in response to tobias Eichner

(1) "mails intended for one of our domains we host"
(2) "mails that are going to one of our domains, but to a non-existing inbox"
(3) "mail abusers trying to use the SMTP as an open relay"
I sometimes feel that the virus checks are done for each mail type, also for (2) and (3).

You are correct. On a default installation all mail will be checked.
This can be optimized, but requires command line interaction.
For example:
(2) can be avoided by using postfix style virtual aliases and following my tutorial about rejecting mail for unknown users before the content filter (http://osx.topicdesk.com/downloads/)
(3) can be optimized by adding better smtpd_client_restrictions and smtpd_recipient_restrictions (see: http://www.postfix.org/postconf.5.html)

So for example my mail queue is full of entries that have recipients never on my server (domains/e-mail addresses).

If these are in your queue and you are not an open relay then your server or a client have been compromised from the inside. Either by a script or code injection or whatever... Could even have happened before you "locked down" your server. If you delete your queue and it happens again, you have an "internal" problem.

However, the "open-smtp-relay" tests I performed on various websites found on the Web lead me to believe that my server isn't an open SMTP relay. You may try it for yourself - send mails via starenterprise.com or its IP 194.77.100.91 - it hopefully should decline 🙂

Yes, your server is not an open relay. Which still doesn't mean that a script or compromised client from inside your network can't send rogue mail.

What are your experiences ? How does ClamAV perform ?

ClamAV performs very well. On a high volume system I'd use clamd, otherwise clamscan is fine.

To give you an idea. One of my clients runs a mail server on a PowerMac G4 500MHz DP with 1GB of RAM. Not particularly fancy software. Today it processed 18'000 emails, rejected 7000 spam mails, rejected 1000 virus mails, and about 1000 unknown recipients. Once a week they send a newsletter to their subscribers, where the server averages about 3000 messages/minute. Still, the CPU is bored stiff.

As a general word of advice and no offense meant: You seem to be tackling too many things at once. Try and solve your issues step by step. Next think about your priorities and do one change after the other.

HTH,
Alex
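
To find out which local account or script is behind queue entries addressed to domains the server does not host, the queue listing can be grouped by sender. The following is an added example, not part of the original post; the hosted domain and the queue listing are constructed placeholders in Postfix's `mailq` layout.

```python
import re
from collections import Counter

# Assumption: the domains this server accepts mail for (placeholder value).
HOSTED = {"example.org"}

# Constructed `mailq` output in Postfix's layout; not taken from the thread.
MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A1B7C9D     2301 Wed Nov  1 06:12:44  www@mail.example.org
(connect to mx.example.net[192.0.2.10]: Connection refused)
                                         a@example.net

4A5B6C7D8E     2290 Wed Nov  1 06:12:51  www@mail.example.org
                                         b@example.com

7B1C2D3E4F*     812 Wed Nov  1 06:40:02  alice@example.net
                                         bob@example.org

-- 5 Kbytes in 3 Requests.
"""

# Queue ID (optionally flagged * or !), size, arrival time, sender.
HEAD = re.compile(r"^([0-9A-F]+)[*!]?\s+\d+\s+\w{3}\s+\w{3}\s+\d+\s+[\d:]+\s+(\S+)$")

def parse_mailq(text):
    """Return a list of (queue_id, sender, [recipients]) tuples."""
    entries = []
    for line in text.splitlines():
        head = HEAD.match(line)
        if head:
            entries.append((head.group(1), head.group(2), []))
        elif (entries and line.startswith(" ") and "@" in line
              and not line.lstrip().startswith("(")):
            entries[-1][2].append(line.strip())  # indented recipient line
        # column header, "(reason)" lines and the summary line are ignored
    return entries

def foreign_by_sender(text, hosted):
    """Count queued messages per sender that have a non-hosted recipient."""
    counts = Counter()
    for _qid, sender, rcpts in parse_mailq(text):
        if any(r.rsplit("@", 1)[-1].lower() not in hosted for r in rcpts):
            counts[sender] += 1
    return counts

if __name__ == "__main__":
    for sender, n in foreign_by_sender(MAILQ, HOSTED).most_common():
        print(f"{n:4d} queued message(s) to outside domains from {sender}")
```

Ordinary outbound mail from local users also goes to outside domains, so the counts are a starting point for reading the logs, not a verdict.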

Jan 18, 2007 9:59 AM in response to tobias Eichner

Found this thread after suffering high CPU loads on our xserve lately. Is it normal for clamscan (sometimes multiple instances) to occupy so much of the system resources (see graphic below)?

User uploaded file

Also, I sometimes see multiple instances of clamscan:

User uploaded file

This just doesn't seem normal.

Pterobyte, your 'front-line' spam defense article is great. Thanks for providing that. Is there a similar method to optimize ClamAV?

Thanks all.

Xserve G4 Mac OS X (10.3.8)

Jan 18, 2007 10:13 AM in response to Jeff Panis

Jeff,

this obviously depends on the number of messages going through your system.

However, unless you have very little mail, your graph doesn't surprise me at all. Multiple instances are common.

If you have implemented my "Frontline Defenses", you should see a substantial reduction in mails being passed on to the content filter.

If you should happen to use virtual domains as well, consider using postfix style virtual aliases.

No tutorial on ClamAV (yet). Your best bet is to use clamd instead of clamscan. Much more efficient. Since this is tricky, I'd only implement it if you can't reduce load through postfix optimization.

Jan 18, 2007 11:31 AM in response to pterobyte

We should also mention that ClamAV scans all incoming mails, also those that are going to be rejected later. At least without further modification of the default installation.

When you follow pterobyte's advice you can surely reduce CPU load, but also need to say goodbye to Server Admin and Workgroup Manager, at least regarding mail configuration. Therefore you should be quite Unix savvy.

The easiest solution in my mind is to simply turn off ClamAV. While it is good to have a server-side scan before mail is delivered to a user, personally I find it is not worth the effort (it surely does not save you from running your own AV scanner on your computer).

Jan 18, 2007 12:10 PM in response to Simeon Miller1

So where do I find out about switching from clamscan to clamd? I've installed clamav before on linux boxes and have always set up using clamd. Is the Apple Server any different?

Simeon,

if you've done this before you shouldn't have too much trouble.
You will need to uncomment a few lines in amavisd.conf to tell amavisd to use clamd as its primary. You also will need to create a launchd item for clamd. And ideally make a copy of the clamav.conf file. Rename it to clamd.conf and adjust to your liking. Make sure clamd.conf and amavisd.conf point to the same socket.

Apple compiles clamd with an extra option, so if you have or intend to manually update ClamAV, things become a bit more complicated. If you are happy with the Apple supplied version just do what I mentioned.

Alex

P.S. This is what the launchd item should look like.
Call it org.clamav.clamd.plist for consistency.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Iterations</key>
    <integer>3</integer>
    <key>Label</key>
    <string>org.clamav.clamd</string>
    <key>LowPriorityIO</key>
    <true/>
    <key>Nice</key>
    <integer>1</integer>
    <key>OnDemand</key>
    <false/>
    <key>Program</key>
    <string>/usr/sbin/clamd</string>
    <key>ProgramArguments</key>
    <array>
        <string>clamd</string>
        <string>-D</string>
        <string>-c</string>
        <string>/etc/clamd.conf</string>
    </array>
    <key>ServiceIPC</key>
    <false/>
    <key>UserName</key>
    <string>clamav</string>
</dict>
</plist>
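
The two steps above that are easiest to get wrong are uncommenting the clamd entry in amavisd.conf and keeping its socket identical to the one in clamd.conf. The following check is an added example, not part of the original post or of either project; the sample file contents and socket paths are constructed, with the amavisd.conf entry modeled on the stock amavisd-new layout.

```python
import re

# Constructed sample files; the socket paths are assumptions, not from the thread.
CLAMD_CONF = "LocalSocket /var/amavis/clamd\nUser clamav\n"

# Modeled on the stock amavisd-new @av_scanners layout, entry still commented out.
AMAVISD_CONF = r"""
@av_scanners = (
# ['ClamAV-clamd',
#   \&ask_daemon, ["CONTSCAN {}\n", "/var/clamav/clamd"],
#   qr/\bOK$/, qr/\bFOUND$/,
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
"""

def clamd_socket(conf_text):
    """Return the LocalSocket path set in clamd.conf, or None."""
    m = re.search(r"^\s*LocalSocket\s+(\S+)", conf_text, re.M)
    return m.group(1) if m else None

def amavis_clamd_entry(conf_text):
    """Return (socket, active) for the ClamAV-clamd entry, or None if absent."""
    lines = conf_text.splitlines()
    for i, line in enumerate(lines):
        if "'ClamAV-clamd'" in line:
            active = not line.lstrip().startswith("#")
            m = re.search(r'CONTSCAN \{\}\\n",\s*"([^"]+)"', "\n".join(lines[i:i + 4]))
            return (m.group(1) if m else None, active)
    return None

def check(clamd_text, amavis_text):
    """List the problems that would stop amavisd from reaching clamd."""
    problems = []
    sock, entry = clamd_socket(clamd_text), amavis_clamd_entry(amavis_text)
    if sock is None:
        problems.append("clamd.conf sets no LocalSocket")
    if entry is None:
        problems.append("amavisd.conf has no ClamAV-clamd entry")
    else:
        if not entry[1]:
            problems.append("ClamAV-clamd entry is still commented out")
        if entry[0] != sock:
            problems.append(f"socket mismatch: clamd={sock} amavisd={entry[0]}")
    return problems

if __name__ == "__main__":
    print("\n".join(check(CLAMD_CONF, AMAVISD_CONF)) or "OK")
```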
