service – ubuntu 18.04: clamav running, tomcat dying

Ubuntu 18.04. 2 GB RAM + 512 MB swap.

When ClamAV runs, it consumes more than 800 MB of memory, as it loads all the signatures into memory. For this reason, I have configured it to run every day at 3 am instead of continuously.

Until now, Tomcat and ClamAV got along very well. At 3 am last night, the Tomcat service was shut down when ClamAV started running.

(4643256.375812) OOM killed process 8145 (clamscan) total-vm:1149268kB, anon-rss:969476kB, file-rss:4kB
(7667218.452649) OOM killed process 8865 (java) total-vm:4568248kB, anon-rss:1067312kB, file-rss:0kB

Mar 26 03:00:31 user systemd(1): tomcat.service: Main process exited, code=killed, status=9/KILL
Mar 26 03:00:31 user systemd(1): tomcat.service: Failed with result 'signal'.
Mar 26 03:17:08 user systemd(1): Reloading The Apache HTTP Server.
Mar 26 03:17:08 user systemd(1): Reloaded The Apache HTTP Server.

I know an upgrade is the immediate answer, but until then, my questions are:

  1. Is there a way to run ClamAV without consuming 800+ MB?

  2. Is there a way to automatically restart Tomcat if something like this happens again?

  3. Did Java really take 4,568,248 KB = 4.5 GB or is something missing?

ClamAV, Exim and antivirus analysis

Which antivirus system do most administrators use for email on their servers these days? Or do you even use an anti-virus system on your mail system?

Most of our servers are cPanel. And for a very long time, we have used ClamAV integrated with Exim to scan for viruses on these servers.

However, ClamAV has become a real memory machine, occupying almost 1 GB of memory by itself. Any definitions it has to load can slow down the restart of clamd. And I do not know how effective it is. While browsing the logs of two of our servers, clamd blocked 55 messages last week due to viruses / malware, including 40 phishing messages, which I wonder whether SpamAssassin would have intercepted anyway.

This makes me wonder … what is the current prevalence of viruses in e-mail attachments? Most of the problems in email today are probably phishing-related, blurring the line between viruses / malware and spam.

Is there a better and more effective antivirus solution for Exim? Maybe too many things creak, and that's why the number of my journals is so low. Although I do not receive any complaints from our clients.

1 GB of memory is really not enough to hurt things on a dedicated server. But for a smaller VPS where memory is more important, 1 GB can represent a considerable part of the total memory allocated. And does clamd really do anything?

Has anyone ever thought about this?

ClamAV found this Malware | Talk Web Hosting

Quote Originally posted by goldeneaglesteam

Hi, ClamAV found this malware. I am sure that the Prevent "person" from sending mail [?] option is ON.

No idea how you think Prevent "person" from sending mail is linked.

This is more than likely a false positive. Clam found text in a log file.
Also, you use Linux, not Windows.

clamAV found 1154 malicious software | Talk Web Hosting

Hi, I moved to my new VPS (WHM / cPanel) 1 month ago because the old VPS was infected. I applied all the security recommendations.
All passwords are very strong, nobody has administrator access to a website, only me. Root access is disabled. CSF is activated.

We have not done anything new.
Yesterday ClamAV found no malware. Today, it found 1154 infected files.

This is an example of the infected files:


/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/Funny/fonts/afterlogic.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
LibClamAV Warning: Unsupported message format `global '- if you think this file contains a virus, send it on www.clamav.net
LibClamAV Warning: Unsupported message format `global '- if you think this file contains a virus, send it on www.clamav.net
/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/Funny/fonts/afterlogic.woff: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/OpenWater/fonts/afterlogic.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/OpenWater/fonts/afterlogic.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/OpenWater/fonts/afterlogic.woff: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/Blue/fonts/afterlogic.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/Blue/fonts/afterlogic.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/Blue/fonts/afterlogic.woff: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/White/fonts/afterlogic.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/White/fonts/afterlogic.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/White/fonts/afterlogic.woff: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/Default/fonts/afterlogic.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/Default/fonts/afterlogic.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/Default/fonts/afterlogic.woff: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/multiskycp/public_html/wp-content/themes/oneline-lite/css/font-awesome/webfonts/fa-solid-900.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/multiskycp/public_html/wp-content/themes/oneline-lite/font/Montserrat-Light.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/multiskycp/public_html/wp-content/themes/oneline-lite/font/Roboto-Italic.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/multiskycp/public_html/wp-content/themes/oneline-lite/font/Montserrat-Bold.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/multiskycp/public_html/wp-content/themes/oneline-lite/font/Roboto-Bold.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/multiskycp/public_html/wp-content/plugins/wordfence/fonts/roboto-KFOlCnqEu92Fr1MmSU5fChc-AMP6lbBP.woff: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/multiskycp/public_html/wp-content/plugins/wordfence/fonts/roboto-KFOkCnqEu92Fr1Mu51xGIzQXKMnyrYk.woff: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/multiskycp/public_html/wp-content/plugins/lead-form-builder/font-awesome/fonts/FontAwesome.otf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/multiskycp/public_html/wp-content/plugins/lead-form-builder/fonts/OpenSans-Italic.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/multiskycp/public_html/wp-content/plugins/lead-form-builder/fonts/OpenSans-Bold.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND

----------- SUMMARY OF THE ANALYSIS -----------
Known viruses: 6138795
Engine version: 0.101.2
Digitized Directories: 252274
Scanned files: 1997949
Infected files: 1154
Scanned data: 74449.94 MB
Data read: 192573.90 MB (ratio 0.39: 1)
Time: 29746,067 sec (495m46s)

What can I do? Please help.
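
A triage helper for output like the above, added here as an example and not part of the original post: it groups the `FOUND` lines by signature and file extension, which shows whether the hits are many different detections or one signature firing on one kind of file. The function names are assumptions; the sample lines are copied from the post.

```shell
#!/bin/sh
# Added example: group clamscan "FOUND" lines by signature and file extension.

# stdin: clamscan output. stdout: "<count> <signature> <extension>", largest first.
summarize_found() {
    awk '
        / FOUND$/ {
            sig = $(NF - 1)                  # line is "<path>: <signature> FOUND"
            path = $0
            sub(/: [^ ]+ FOUND$/, "", path)  # keep only the path (may contain spaces)
            n = split(path, parts, "/")
            ext = "(none)"
            if (match(parts[n], /\.[^.]+$/))
                ext = tolower(substr(parts[n], RSTART + 1))
            count[sig " " ext]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,3
}

# stdin: clamscan output. stdout: number of distinct signatures that fired.
distinct_signatures() {
    awk '/ FOUND$/ { print $(NF - 1) }' | LC_ALL=C sort -u | wc -l | tr -d ' '
}

# Sample input: a few lines copied from the scan output in the post above.
sample_log() {
    cat <<'EOF'
/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/Funny/fonts/afterlogic.eot: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
LibClamAV Warning: Unsupported message format `global '- if you think this file contains a virus, send it on www.clamav.net
/home/virtfs/multiskycp/var/tmp/al_webmail/webmail/skins/Funny/fonts/afterlogic.woff: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/multiskycp/public_html/wp-content/themes/oneline-lite/font/Roboto-Bold.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/multiskycp/public_html/wp-content/plugins/lead-form-builder/font-awesome/fonts/FontAwesome.otf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
/home/multiskycp/public_html/wp-content/plugins/lead-form-builder/fonts/OpenSans-Bold.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
Infected files: 1154
EOF
}

sample_log | summarize_found
echo "distinct signatures: $(sample_log | distinct_signatures)"
```

On a real scan, feed the saved clamscan log to `summarize_found` instead of `sample_log`.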

Send an email when ClamAV detects a threat with the help of systemd

Most of the guides for ClamAV deal with integration with syslog, and it is possible to configure syslog to send a message on certain log entries. But my system runs systemd, without an active syslog.service. How do I configure ClamAV to send a message about a threat detection in this configuration?
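
One way to do this without syslog, added here as an example and not part of the original post: run clamscan from a script started by a systemd oneshot service (driven by a timer) and mail the `FOUND` lines based on clamscan's exit code. It assumes a working local `mail` command; the script path, recipient and scan directory are placeholders.

```shell
#!/bin/sh
# Added example: mail an alert when clamscan reports a detection or fails.
# Assumed unit line: ExecStart=/usr/local/sbin/clamscan-alert.sh --run (hypothetical path)
ALERT_TO="${ALERT_TO:-root}"     # assumption: local recipient
SCAN_DIR="${SCAN_DIR:-/home}"    # assumption: directory to scan

# clamscan exit codes (man clamscan): 0 = no virus found, 1 = virus found, 2 = error.
# build_alert RC: reads scan output on stdin and prints a mail body.
# Returns 0 when there is something to send, 1 when the scan was clean.
build_alert() {
    scan_rc=$1
    scan_out=$(cat)
    case "$scan_rc" in
        0) return 1 ;;
        1) printf 'ClamAV detections on %s:\n' "$(uname -n)"
           printf '%s\n' "$scan_out" | grep ' FOUND$' || true ;;
        *) printf 'clamscan failed on %s (exit %s):\n' "$(uname -n)" "$scan_rc"
           printf '%s\n' "$scan_out" | tail -n 20 ;;
    esac
    return 0
}

run_scan_and_alert() {
    # -r recurse, -i list infected files only, --no-summary drop the totals block
    out=$(clamscan -r -i --no-summary "$SCAN_DIR" 2>&1)
    rc=$?
    if body=$(printf '%s\n' "$out" | build_alert "$rc"); then
        printf '%s\n' "$body" | mail -s "ClamAV alert (exit $rc)" "$ALERT_TO"
    fi
    return "$rc"
}

# Only scan when asked to, so the functions can be sourced and tested on their own.
if [ "${1:-}" = "--run" ]; then
    run_scan_and_alert
fi
```

Because the script returns clamscan's exit code, the unit is marked failed on a detection and the output is also kept in the journal.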