I'm trying to scan a 120 kB file - I think it's taking way too long.
clamdscan needs 34 seconds to scan this 120 kB file; clamscan only needs
5 seconds more.

# clamdscan explore.exe
/tmp/explore.exe: Trojan.Agent-40281 FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 34.554 sec (0 m 34 s)
explore.exe: Trojan.Agent-40281 FOUND
# clamscan explore.exe
----------- SCAN SUMMARY -----------
Known viruses: 486990
Engine version: 0.94.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 62.26 MB
Time: 39.074 sec (0 m 39 s)

On the other hand, scanning non-infected files is almost instantaneous.
This is using version 0.94.2; I'm pretty sure earlier versions didn't have
such problems, although I'm not sure when it degraded so much.
Anyone else seeing this?

When I strace the clamd process, I can see it being "stuck" at repeating
these "\0\0\0\0\0\0\0\0" reads:
[pid 7569] lseek(8, 208, SEEK_SET) = 208
[pid 7569] read(8, "PE\0\0L\1\6\0CLAM\0>\3\0\352\5\0\0\340\0\7\3", 24) = 24
[pid 7569] read(8, "\v\1\0028\0\236\0\0\0:\3\0\0z...@\22\0\0\0\20\0\0\0\260\0\0\0\0@\0"..., 224) = 224
[pid 7569] read(8, ".text\0\0\0\0\240\0\0\0\20\0\0\0\240\0\0\0\20\0\0\0\0\0\0\0\0\0\0"..., 240) = 240
[pid 7569] lseek(8, 262144, SEEK_SET) = 262144
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 131072) = 131072
(...)
--
Tomasz Chmielewski
http://wpkg.org
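
An added example, not part of the original post: a small Python summarizer for strace output like the excerpt above, totalling the bytes each descriptor read and how many of those reads showed a NUL-only buffer preview. The sample trace is constructed, and the names summarize and amplification and the 120 * 1024 file size are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the strace excerpt above, including
# one read() wrapped over three lines the way the mail client wrapped it.
SAMPLE = r'''[pid 7569] lseek(8, 208, SEEK_SET) = 208
[pid 7569] read(8, "PE\0\0L\1\6\0", 24) = 24
[pid 7569] lseek(8, 262144, SEEK_SET) = 262144
[pid 7569] read(8,
"\0\0\0\0\0\0\0\0"..., 131072)
= 131072
[pid 7569] read(8, "\0\0\0\0\0\0\0\0"..., 131072) = 131072
'''

# A completed read() as printed by `strace -f`; re.S lets a call span lines.
READ = re.compile(r'\[pid\s+(\d+)\]\s+read\((\d+),\s*(.*?)\)\s*=\s*(-?\d+)', re.S)
BUF = re.compile(r'"((?:\\.|[^"\\])*)"')   # the quoted buffer preview
ALL_NUL = re.compile(r'(?:\\0)+')          # preview made only of \0 escapes


def summarize(trace):
    """Per (pid, fd): read count, bytes returned, and NUL-only reads."""
    stats = defaultdict(lambda: {"reads": 0, "bytes": 0,
                                 "zero_reads": 0, "zero_bytes": 0})
    for pid, fd, args, ret in READ.findall(trace):
        n = int(ret)
        if n <= 0:                      # EOF or error: nothing was read
            continue
        s = stats[(int(pid), int(fd))]
        s["reads"] += 1
        s["bytes"] += n
        buf = BUF.match(args)
        # strace shows only the first bytes of the buffer, so this is a
        # heuristic: the visible preview contains nothing but NUL bytes.
        if buf and ALL_NUL.fullmatch(buf.group(1)):
            s["zero_reads"] += 1
            s["zero_bytes"] += n
    return dict(stats)


def amplification(stats, file_size):
    """Bytes read on each descriptor divided by the scanned file's size."""
    return {key: s["bytes"] / file_size for key, s in stats.items()}


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for key, ratio in amplification(result, 120 * 1024).items():
        print(key, result[key], f"{ratio:.1f}x file size")
```

Run against a full `strace -f` capture of clamd, a descriptor whose byte total is many times the size of the scanned file and whose reads are almost all NUL-only points at the stage where the scan time is going.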