VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

Using YARA scanning process in a container led to OOM due to the generation of a large amount of cache. #2059

Open touyudexiaomao opened 3 months ago

touyudexiaomao commented 3 months ago

Describe the bug

I created a container with a maximum memory limit of 1GB. I started a process A inside the container, which uses the YARA API to scan other processes. During the YARA scanning process, a large amount of cache is generated due to intensive I/O operations. As a result, the sum of RSS (200M) and cache (900M) of all processes in the container exceeded 1GB, leading to the OOM kill of process A.

Expected behavior

Can YARA be controlled through parameters to perform I/O operations in direct I/O mode?

Please complete the following information:

plusvic commented 3 months ago

If I understood correctly, you are scanning other processes, not files, right?