Hi all

Thanks for responding and looking into this.

The original test machine has 4GB of RAM. For the sake of testing I rolled out a new machine with 8GB of RAM. The new test machine has the exact same clamav configuration (the one I included in my original post) as the original machine. Unfortunately the increase in memory wasn't the solution; again machine lockups when /etc or /usr are included.

I forgot to mention that I'm testing with version 0.103.5 (included with RHEL8 EPEL). I've also tested with the latest stable version 0.104.2 from the ClamAV site but I get the same results.

It seems plausible, what Maarten suggests, that there is some kind of (dead)lock going on.

Cheers,
Roland

-----Original message-----
From: clamav-users <clamav-users-boun...@lists.clamav.net> On behalf of G.W. Haywood via clamav-users
Sent: Wednesday 13 April 2022 14:16
To: Oorschot, R. van (IVO Rechtspraak) via clamav-users <clamav-users@lists.clamav.net>
CC: G.W. Haywood <cla...@jubileegroup.co.uk>
Subject: Re: [clamav-users] On access scanning causes system lockup with certain directories

Hi there,

On Wed, 13 Apr 2022, Oorschot, R. van (IVO Rechtspraak) via clamav-users wrote:

> I'm setting up a test environment with ClamAV and on access scanning and came
> across some problems.
>
> When I add the directories /etc and /usr to the OnAccessIncludePath list, the
> machine totally locks up.
> ...
> Has somebody got an idea what could be the cause of these lockups?

You haven't talked about RAM. Be aware that if you're using on-access protection, the minimum amount of memory that you will need will be at least a gigabyte more (to run clamd) than you'd need without it.

Even if nothing is flagged as malicious, think about how many seconds it might take to scan a typical library file against some ten million potential threats, and, if the box is busy, how many times per second numerous library files might need to be read during normal operation of more or less anything which is running on it.

> This is the ClamAV scan.conf:
> ...
> OnAccessPrevention yes
> ...

If you use OnAccessPrevention, and you scan system libraries, then if a false positive happens to flag a perfectly clean library file which happens to be needed by the system then you can expect the machine to lock up unless you have taken steps to prevent that. For example you could exclude a bunch of user IDs from the access prevention, but of course then ClamAV might not give the protection you're looking for. And indeed it might not give it anyway.

The constructions of your regexes seem to be a little inconsistent but I don't imagine that it's relevant to this issue.

--
73,
Ged.

_______________________________________________
clamav-users mailing list
mailto:clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

________________________________

Information from the Council for the Judiciary, the district courts, the courts of appeal and the special tribunals can be found at www.rechtspraak.nl.
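
The quoted reply above warns about combining OnAccessPrevention with scanning system directories and mentions excluding user IDs. The following is an added example, not part of the thread and not ClamAV code: a small Python check that flags that combination in a clamd.conf-style file. The sample config is constructed, and the finding labels are hypothetical names invented for this example.

```python
# Added example: lint a clamd.conf-style file for the combination discussed in the thread.
SYSTEM_DIRS = ("/etc", "/usr")   # directories the thread reports lockups with
TRUE_VALUES = {"yes", "true", "1"}


def parse_conf(text):
    """Return {option: [values]}; '#' comment lines and blank lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts


def is_enabled(opts, name):
    """True if any occurrence of a boolean option is set to a true value."""
    return any(v.lower() in TRUE_VALUES for v in opts.get(name, []))


def check_onaccess(text):
    """Return finding labels (hypothetical names, invented for this example)."""
    opts = parse_conf(text)
    system_paths = [
        p for p in opts.get("OnAccessIncludePath", [])
        if any(p.rstrip("/") == d or p.startswith(d + "/") for d in SYSTEM_DIRS)
    ]
    if not (is_enabled(opts, "OnAccessPrevention") and system_paths):
        return []
    findings = ["PREVENTION_ON_SYSTEM_PATHS: " + ", ".join(system_paths)]
    # Any of these clamd.conf options exempts some users from on-access handling.
    user_excluded = (
        bool(opts.get("OnAccessExcludeUname"))
        or bool(opts.get("OnAccessExcludeUID"))
        or is_enabled(opts, "OnAccessExcludeRootUID")
    )
    if not user_excluded:
        findings.append("NO_USER_EXCLUSION")
    return findings


# Constructed sample, not the poster's actual scan.conf.
SAMPLE = """\
# on-access settings
OnAccessIncludePath /home
OnAccessIncludePath /etc
OnAccessIncludePath /usr
OnAccessPrevention yes
"""

if __name__ == "__main__":
    for finding in check_onaccess(SAMPLE):
        print(finding)
```

As the reply notes, excluding users reduces what ClamAV covers, so a finding here is a prompt to review the configuration rather than a fix in itself.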