ClamAV causes high CPU/dsk IO usage

[Lusitaniae]

After installing ClamAV in one my EC2 servers (t2.micro) ClamAV will consume all EBS bust capacity and severely throttle my server.

Is it an idea we could add something to limit clamav resource consumption?

Example System Slice from https://www.scylladb.com/2019/09/25/isolating-workloads-with-systemd-slices/:

Description=Slice used to run companion programs to Scylla. Memory, CPU and IO restricted
Before=slices.target

[Slice]
MemoryAccounting=true
IOAccounting=true
CPUAccounting=true

CPUWeight=10
IOWeight=10

MemoryHigh=4%
MemoryLimit=5%
CPUShares=10
BlockIOWeight=10

[stale[bot]]

This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

Please read this blog post to see the reasons why I mark issues as stale.

[dale-c-anderson]

@Lusitaniae Putting a throttle on something that's meant to protect your system might not be the best plan. If clamav is using up your burst credit limit, then I'd say the problem is the burst credit limit, not clamav's behaviour.

If you're using gp2 (as most people do), your burst credit limit is tied directly to volume size, and it's surprisingly easy to exhaust that credit on a small volume. For example, a mysql import of a large DB, even a 100 GB volume, can burn through most of your burst credit in a matter of minutes. So adding clamav to the mix is just going to aggravate the issue.

There's exhaustive explanations for how EBS GP2 burst credits work here and here.

TLDR 1, bigger gp2 volumes give you more I/O before you get throttled, TLDR 2, The new Gp3 type volume pretty much eliminates this issue all together in most cases.

[stale[bot]]

This issue is no longer marked for closure.

[Lusitaniae]

I'm well aware of how EBS works, but I'm new to deploying Clamav to servers.

Thanks for the GP3 tip, I missed it before.

These are quite fairly low usage servers, with fairly low amounts of data (e.g. bastion host, only basic OS install), I don't see why I should scale them up just for ClamAV (which is not the server's primary function, should be a a daemon taking a small portion of server resources)

Anyway, It's just a suggestion, I will close if it doesn't make sense

[dale-c-anderson]

@Lusitaniae I just went and looked at clam's requirements, and the docs say the machine should have >= 2GB mem, which is awfully heavy. Does your bastion have that much? Or do you have a swap enabled? Maybe its burning through the system's memory before it proceeds to then sink its teeth into the disk?

[Lusitaniae]

Should've done that myself hah

Thanks for looking it up, probably it was swapping as you suggested