4

So we have a java-tomcat setup running. During an upload onto the platform of a large file (eg, 31mb pdf) the Sophos savscand server process (both of them - there are always 2 running, this is standard apparently) on our RHEL5.5 system bogs down the entire system and consumes 700%+ cpu load.

Until the savscand processes are killed the system is on cpu overdrive.

EEAA
  • 109,904
John Ingles
  • 129
  • I had the EXACT same problem. Large file being uploaded to our App causing cpu load on all cores. Even Rackspace enterprise support couldn't figure that one out. We figured it was something with the uploaded folder being exported as NFS causing Sophos to go haywire. Not the best solution but we ended up having that folder being omitted from scanning . – Tom Geee Feb 26 '13 at 16:28

2 Answers2

3

I realize this is an old question, but just last week had a similar problem with savscand after an update was performed by Rackspace on a server running Centos 6.7. When downloading XML files to the server from another server, and more so while reading the XML, savscand would spike the CPU. One particular regular daily update that previously only took 30 minutes to an hour to process was now taking over 24 hours to process. After a week of this, all the data was a couple days out of date with those XML files being processed around the clock. I couldn't parallel the imports since the order of import was critical, so I hacked up a dirty little screen daemon temporarily to get things moving. I'm not sure how effective the scan can be with the priority reduced like this, but it sure increased the performance of importing the XML files. There is probably a lot cleaner, safer way to do this, but its been working for me while we prepare to migrate to a different server:

screen

while true; do pgrep -f "savscand" | xargs -I %  ps h -o pid,pcpu -p %|grep -oP "[ ]*[0-9]+(?=[ ]+([4-9][0-9]|[1-9][0-9][0-9]).)"|xargs -r -I {} sh -c 'pgrep -f '"'savscand'"' | xargs -I %  ps h -o pid,pcpu,ni -p %|grep {};renice +1 {};echo demoted {};date;'; sleep 20;done

If you aren't familiar with screen, press Ctrl+A then press D to detach and let this run in the background indefinitely. screen -r will get you back in to interrupt it later.

benzolio
  • 31
  • 2
1

Without more information you are going to need to open a support request with Sophos. Red Hat support might be able to point out some possible causes, but my hunch is after they review the SOSReport they will be pointing to Sophos. Given the information you gave, my hunch is there is a race condition occurring somewhere.

Red Tux
  • 2,084