# ClamAV is killing my Samba [solved]

## crxchaos

I hoped it would not come to this as I tend to be a lurker but I am at a loss as to resolving the matter. And so I bare my soul unto the Gentoo clan in seek of redemption.

I have set up a PIII 450 with a shade over 400MB RAM. It is currently running as a domain controller, file server and email server for a network of three clients (2x WinXP Pro, 1x Win2K Pro). When I first configured Samba I followed the Gentoo Samba3/CUPS/ClamAV HOWTO excluding the CUPS sections since I have no use for them (printers = legacy device imho  :Wink: ).

This set up was working all well and good and my various tests with Eicar proved a great success so I went to bed for the night. A few days later the problems occurred, access to the Samba shares was extremely slow. When I ran 'top' on the server it showed lots (>10) smbd processes all fighting over the CPU time. When I disable ClamAV/OAV Samba operates perfectly again (I have to 'kill -9' the rogue smbd processes).

I have been over the howto several times since, re-emerged packages and searched both Google and Gentoo but find no problem in my configuration, perhaps I simply can not see the wood for the trees!?

Here is my 'testparm', I will gladly post any other configs/info that may help somebody to help me:

```
3psilon ~ # testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[homes]"
Processing section "[public]"
Processing section "[www]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global parameters
[global]
        unix charset = ISO8859-1
        workgroup = CRXCHAOS
        server string = Primary Domain Controller
        interfaces = lo, eth0
        smb passwd file = /etc/samba/private/smbpasswd
        passwd program = /usr/bin/passwd %u
        passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \ "*Password changed*"
        unix password sync = Yes
        lanman auth = No
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log file = /var/log/samba/log.%m
        max log size = 50
        name resolve order = wins lmhosts hosts bcast
        time server = Yes
        unix extensions = No
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        add user script = /usr/sbin/useradd -m %u
        delete user script = /usr/sbin/userdel -r %u
        add group script = /usr/sbin/groupadd %g
        delete group script = /usr/sbin/groupdel %g
        add user to group script = /usr/sbin/usermod -G %g %u
        add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
        logon script = %U.bat
        logon drive = H:
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        vscan-clamav:config-file = /etc/samba/vscan-clamav.conf
        hosts allow = 127.0.0.1, 192.168.0.0/24
        hosts deny = 0.0.0.0/0
        csc policy = disable
        vfs objects = vscan-clamav

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        browseable = No

[profiles]
        comment = User Profiles
        path = /var/lib/samba/profiles
        read only = No
        browseable = No

[homes]
        comment = Home directory for %u
        path = /home/%u
        valid users = %S
        read only = No
        inherit permissions = Yes
        browseable = No

[public]
        comment = Public Files
        path = /home/public
        valid users = @users
        write list = @users
        read only = No
        create mask = 0766
        guest ok = Yes

[www]
        comment = Web Server Files
        path = /var/www/localhost/htdocs
        valid users = @apache
        write list = @apache
        force group = apache
        read only = No
```

Last edited by crxchaos on Mon Sep 29, 2008 3:53 pm; edited 2 times in total

----------

## crxchaos

For the benefit of anyone quietly sharing this problem I now have an update. I have just been watching a little program about Mozart and the snippets of his music they subjected me to have clearly worked wonders as my system is working once again  :Cool: 

Here's what I did:

```
emerge -C clamav
USE="-mysql -xml -xml2 oav libclamav" emerge samba
USE="-crypt" emerge clamav
```

I can only assume a random use flag in earlier compilations was causing the problem.

/me pats self on back for reaching another personal gentoo milestone

----------

## tnt

Does it now work good?

----------

## tnt

Huh... ClamAV killed my Athlon64 3000+ samba server, too. At this moment, my share is about 500GB.

It's just no good for big shares, although I've selected not to scan files bigger than 10MB.

Here's my CPU usage... RRDs even managed to skip update because of ClamAV:

http://www.aaen.edu.yu/~tnt/forums/titan.cpu0-day.png

Here's my average load (5min):

http://www.aaen.edu.yu/~tnt/forums/titan.load-day.png

And this is RAM and swap usage:

http://www.aaen.edu.yu/~tnt/forums/titan.mem-day.png

http://www.aaen.edu.yu/~tnt/forums/titan.swap-day.png

I guess ClamAV is only usable for mail or maybe proxy-traffic scanning... At least while it has no database to store mtimes of objects it already scanned and not to scan it all over again if mtime is the same.

 :Sad: 

----------

## jonnevers

 *tnt wrote:*   

> I guess ClamAV is only usable for mail or maybe proxy-traffic scanning... At least while it has no database to store mtimes of objects it already scanned and not to scan it all over again if mtime is the same.

 

I wouldn't say "clamav" is useless because you scan a 500GB directory with it. Something like that simply takes time and then add to it that it is a remote mount. I ran into the same situation but I found it more reasonable to umount the samba shares before clamav was set to kick off. Yes, it is an extra step. But I don't think there is another way to exclude a particular directory from clamav...

I also found that my remote shares, which have a lot of files that came from some old windows machines would be full of viruses and malware and would fill up clamav's output.

Then again there is the argument that I have been running clamav for about 2 years now, everyday it updates its virii db at 2am and everyday at 3am it starts off a full scan. I've never found a single virus..

----------

## tnt

Share is local mount (partitions of 4 SATA drives) and it is spread among many directories. 

I thought that the only directory that will be scanned on the fly is the one that is accessed by the user at that moment.

And, again, there's many, many movies (files of 700MB) that shouldn't be scanned as I set 10MB file size limit...

 :Sad: 

----------

## tnt

 *tnt wrote:*   

> And, again, there's many, many movies (files of 700MB) that shouldn't be scanned as I set 10MB file size limit...

 

I was wrong - file size limit is set for archives and not for files. So, ClamAV scans every .avi file of 700MB!

Is there any directive to set ClamAV not to scan any file larger than 10MB (or any other size)?

 :Rolling Eyes: 

----------

## crxchaos

 *tnt wrote:*   

> Does it now work good?

 

It did after I posted my 'fix' above. However, just about a week ago I had to bring the server down so I took the opportunity to compile the latest kernel and upgrade most of the major packages on it (samba, postfix, clamav, etc).

After recompiling samba and clamav I had the exact same problem as I described in the OP. I haven't had much time to fix it yet so I have just disabled the vscan module in my smb.conf for the time being.

 *tnt wrote:*   

> It's just no good for big shares, although I've selected not to scan files bigger than 10MB.

 

The way it is configured to scan works perfectly on my lowly P3 450MHz. Originally, I set it up only to scan when writing to the share but I since discovered it could cope with scanning up to 10MB files on read and write access. So that's the way I had it operating.

 *tnt wrote:*   

> Is there any directive to set ClamAV not to scan any file larger than 10MB (or any other size)?

 

Yes, in /etc/samba/vscan-oav.conf with the line

```
max file size = 10485760
```

But this is all assuming you are using the samba-vscan bits which I get the funny feeling you might not be?

----------
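
tnt's idea above of remembering mtimes so unchanged files are not rescanned, combined with the 10485760-byte cap from crxchaos's reply, as an added example for a scheduled scan (not code from this thread, samba-vscan or ClamAV). The `scan` callable, the cache file and the signature-version string are assumptions; the cache also keys on ctime and signature version so a reset mtime or a signature update forces a rescan.

```python
import json
import os
import stat

MAX_FILE_SIZE = 10485760  # bytes; same value as the "max file size" line above


def fingerprint(path, sig_version):
    """Size, mtime, ctime and signature version; None if not a regular file."""
    try:
        st = os.stat(path, follow_symlinks=False)
    except OSError:
        return None  # vanished or unreadable while walking
    if not stat.S_ISREG(st.st_mode):
        return None  # symlinks, sockets and devices are skipped
    # ctime is included because mtime alone can be reset by whoever wrote the file.
    return [st.st_size, st.st_mtime_ns, st.st_ctime_ns, sig_version]


def files_to_scan(root, cache, sig_version, max_size=MAX_FILE_SIZE):
    """Map path -> fingerprint for files within the cap that are not cached."""
    todo = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            fp = fingerprint(path, sig_version)
            if fp is not None and fp[0] <= max_size and cache.get(path) != fp:
                todo[path] = fp
    return todo


def scan_share(root, cache_file, sig_version, scan):
    """Scan only new or changed files and remember the ones that were clean."""
    # `scan` is hypothetical: takes a list of paths, returns the infected ones.
    try:
        with open(cache_file) as fh:
            cache = json.load(fh)
    except (OSError, ValueError):
        cache = {}  # missing or corrupt cache means everything is rescanned
    todo = files_to_scan(root, cache, sig_version)
    infected = set(scan(sorted(todo))) if todo else set()
    for path, fp in todo.items():
        if path in infected:
            cache.pop(path, None)  # never record a detection as clean
        else:
            cache[path] = fp  # pre-scan fingerprint: a mid-scan change rescans
    with open(cache_file, "w") as fh:
        json.dump(cache, fh)
    return sorted(todo), infected
```

Files above the cap are never scanned by this routine, which is the same coverage trade-off as the size limit discussed in the thread; keep the cache file outside the share and writable only by the scanning user.

----------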

## crxchaos

For the sake of documenting this quirk I have fixed it once again by doing the unmerge/emerge noted above. I can only assume there is something quirky about my USE flag settings. Either that or the samba-vscan module will only compile correctly if clamav is not installed  :Confused: 

I'll pop back again later and post the output of:

```
equery uses samba
equery uses clamav
```

...for my own benefit, if no one else's, when I come to upgrade in future  :Wink: 

Edit: Added working Samba and ClamAV USE flags

Samba installed with:

```
- acl
- cups
- doc
- kerberos
- ldap
- mysql
+ pam
- postgres
- python
- quotas
+ readline
- winbind
- xml
- xml2
+ libclamav
+ oav
- selinux
```

ClamAV installed with:

```
- crypt
- milter
- selinux
- debug
```

----------

## Midnight Dream

I believe it to be MySQL, as I did not have an issue with this until just yesterday, when I installed my Apache-PHP-Mysql combo.  I also noted that both of your solutions included the -mysql flag, which leads my conclusion to go farther in the same thinking.

----------

## crxchaos

Well spotted, Midnight Dream.

I might test this out later by enabling the mysql flag to see what happens (depends how bored I get, tbh.).

The good thing that came out of this for me was it taught me to be very mindful of the USE flags. I now check everything I compile and have started making liberal use of the '/etc/portage/package.use' file.

Gentoo teaches me with a stick, not a carrot  :Evil or Very Mad: 

----------

