I have seen this when an archive containing thousands of files is being scanned.
I run this command:
while x=1; do echo `date` ; /opt/mwg/bin/mwg-antimalware -S threads | grep object ; sleep 5; x=1; done (use Control-C to cancel)
Then I look for objects that show up repeatedly. In many cases, I'll see repeated entries that look like this:
[status] working on command kExFuScanMemory with URL http://URL/filename (object name changes as MWG iterates through the objects)
Great, thanks. That's what I was looking for.
Hi, how can I be sure that the objects are responsible for the high load? I saw that after the objects were gone, the load also went down, but is there a command which shows which object is responsible for which load?
You can always check with the command line tools posted before what is actually / right now "in" the engines:
[root@mwgappl ~]# /opt/mwg/bin/mwg-antimalware -S threads
It is often a problem if the download contains multiple zip files or thousands of files in it, e.g. .jar files. That could lead to a higher load while the whole archive is extracted and scanned.
I generally just look for an object that keeps showing up -- at that point I may go download the object and extract it to verify my suspicions that it's causing the problem. If the object has thousands of files (no matter how large or small it is), that's usually the culprit.
Most frequently seen with compressed source code, jar files, zip files, software distributions.
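The "look for an object that keeps showing up" step from the posts above, as an added example that is not part of the original thread: it reads saved output of the polling loop and counts in how many samples each URL appears. The function name, the example.com hostnames and the date lines are constructed, and the line format is assumed from the single `[status]` line quoted above. A high count shows that an object stays in the engine across samples, not how much CPU it uses.

```shell
#!/bin/sh
# persistent_urls MIN_SAMPLES < saved_loop_output   (hypothetical helper)
# Any line without " with URL " (the date line echoed by the loop) starts a
# new sample. Each URL is counted once per sample, so several threads or
# changing object names under one URL do not inflate its count.
persistent_urls() {
    awk -v min="$1" '
        BEGIN { sample = 1 }
        !/ with URL / { sample++; next }
        {
            url = $0
            sub(/^.* with URL /, "", url)   # keep what follows "with URL "
            sub(/[ \t].*$/, "", url)        # drop anything after the URL
            if (seen[url] != sample) {
                seen[url] = sample
                count[url]++
            }
        }
        END {
            for (u in count)
                if (count[u] >= min) printf "%d %s\n", count[u], u
        }' | sort -rn
}

# Constructed sample: four polls taken 5 seconds apart.
sample_log() {
    cat <<'EOF'
Mon Jan  1 10:00:00 UTC 2024
[status] working on command kExFuScanMemory with URL http://downloads.example.com/sdk.jar
[status] working on command kExFuScanMemory with URL http://www.example.com/a.html
Mon Jan  1 10:00:05 UTC 2024
[status] working on command kExFuScanMemory with URL http://downloads.example.com/sdk.jar
[status] working on command kExFuScanMemory with URL http://downloads.example.com/sdk.jar
[status] working on command kExFuScanMemory with URL http://www.example.com/b.css
Mon Jan  1 10:00:10 UTC 2024
[status] working on command kExFuScanMemory with URL http://downloads.example.com/sdk.jar
Mon Jan  1 10:00:15 UTC 2024
[status] working on command kExFuScanMemory with URL http://downloads.example.com/sdk.jar
[status] working on command kExFuScanMemory with URL http://www.example.com/c.js
EOF
}

# Show URLs present in at least 3 of the 4 samples.
sample_log | persistent_urls 3
```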
For 2-3 months we have had these characteristics too. Mostly when we download a Java application (it should be compressed files) then we see 100% CPU at the appliance. The applications we download have been nearly the same packages for 1-2 years.
Has something changed in the scan engines in the last month? We use MWG (18.104.22.168.0-13253)