Hi, we have problems with too high CPU load (~300%). It's the mwg-antimalware process which is causing the load. It's just for about 30 min and then OK again. There were no updates; I couldn't find any suspicious contents in the access or virus logs. Could anyone tell me where the log files from the antimalware engine are located? I couldn't find this in any manuals.
I have seen this when an archive containing thousands of files is being scanned.
I run this command:
while true; do date; /opt/mwg/bin/mwg-antimalware -S threads | grep object; sleep 5; done (use Control-C to cancel)
Then I look for objects that show up repeatedly. In many cases, I'll see repeated entries that look like this:
[status] working on command kExFuScanMemory with URL http://URL/filename (object name changes as MWG iterates through the objects)
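The polling described above, wrapped into a small script so that repeated objects are counted automatically rather than eyeballed. This is an added example, not the poster's script or an MWG tool; it assumes the status line format quoted above, uses `/opt/mwg/bin/mwg-antimalware -S threads` as the status command (overridable via STATUS_CMD), and the sample dumps are constructed.

```sh
#!/bin/sh
# Added example: count which objects stay "in" the scan engine across
# consecutive polls. Assumes the status line format quoted in the thread:
#   [status] working on command kExFuScanMemory with URL http://host/file
STATUS_CMD="${STATUS_CMD:-/opt/mwg/bin/mwg-antimalware -S threads}"

# stdin: one raw status dump; stdout: each URL being worked on, once per dump
extract_objects() {
    sed -n 's/.*working on command [^ ]* with URL \([^ ]*\).*/\1/p' | sort -u
}

# stdin: URL lists from several dumps; stdout: "count url" for URLs present
# in at least $1 dumps (a URL seen in every poll is the archive still unpacking)
sticky_objects() {
    sort | uniq -c | awk -v min="$1" '$1 >= min { print $1, $2 }'
}

# Live use: take $1 polls, $2 seconds apart, report URLs present in >= $3 polls.
watch_engine() {
    samples=$1; interval=$2; min=$3; i=0
    while [ "$i" -lt "$samples" ]; do
        [ "$i" -gt 0 ] && sleep "$interval"
        $STATUS_CMD | extract_objects
        i=$((i + 1))
    done | sticky_objects "$min"
}

# Offline use: $1 is the minimum poll count, the remaining args are raw dumps.
sample_report() {
    min=$1; shift
    for dump in "$@"; do
        printf '%s\n' "$dump" | extract_objects
    done | sticky_objects "$min"
}

# Constructed dumps from three polls: one .jar is present in all of them.
POLL1='[status] working on command kExFuScanMemory with URL http://example.invalid/big-app.jar
[status] working on command kExFuScanMemory with URL http://example.invalid/index.html'
POLL2='[status] working on command kExFuScanMemory with URL http://example.invalid/big-app.jar
[status] working on command kExFuScanMemory with URL http://example.invalid/index.html'
POLL3='[status] working on command kExFuScanMemory with URL http://example.invalid/big-app.jar
[status] working on command kExFuScanMemory with URL http://example.invalid/logo.png'

# Prints the object seen in all three polls, the likely cause of the load.
sample_report 3 "$POLL1" "$POLL2" "$POLL3"
```

Against a live appliance, `watch_engine 12 5 10` polls for a minute and lists any URL that was present in at least 10 of the 12 samples.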
Hi, how can I be sure that the objects are responsible for the high load? I saw that after the objects were gone, the load also went down, but is there a command which shows which object is responsible for which load?
You can always check, with the command-line tool posted before, what is actually "in" the engines right now:
[root@mwgappl ~]# /opt/mwg/bin/mwg-antimalware -S threads
It is often a problem if the downloads contain multiple zip files or thousands of files in them, e.g. .jar files. That could lead to a higher load while the whole archive is extracted and scanned.
For 2-3 months we have seen this behaviour too. Mostly when we download a Java application (it should be compressed files) we see 100% CPU at the appliance. The applications we download have been nearly the same packages for 1-2 years.
Has something changed in the scan engines in the last month? We use MWG (184.108.40.206.0-13253)
I generally just look for an object that keeps showing up; at that point I may go download the object and extract it to verify my suspicion that it's causing the problem. If the object has thousands of files (no matter how large or small it is), that's usually the culprit.
Most frequently seen with compressed source code, jar files, zip files, and software distributions.