#341 Memory Leak (handles) compressed archives

open
alch
Scanner (176)
5
2015-02-10
2006-07-12
mogwhy
No

There appears to be a memory leak when checking
compressed archives.

More specifically, a Win32 "handle" leak; the handle type
is "Mutant" (as listed by TaskInfo).

I noted this after my first scan of "D" Drive; I had in
excess of 240,000 handles (240 thousand);

Here is the summary for the first scan:
Known viruses: 61224
Engine version: 0.88.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.05 MB
Time: 2.969 sec (0 m 2 s)


Scan started: Wed Jul 12 09:41:44 2006

D:/Backup/2006071001 - scripts.zip:
Eicar-Test-Signature FOUND
D:/Downloads/Dev/ffdshow/ffdshow-rev2546-SSE2.exe:
Trojan.Downloader.Zlob-473 FOUND
D:/projects/mp/test/input/test-virustestfile.3gp:
Eicar-Test-Signature FOUND

-- summary --
Known viruses: 61229
Engine version: 0.88.3
Scanned directories: 8746
Scanned files: 70317
Infected files: 3
Data scanned: 31168.66 MB
Time: 13561.234 sec (226 m 1 s)

And here is some additional detail regarding a scan of
"C" drive:

Here is some detail for one such process run:
CMD = "C:\Program
Files\ClamWin\bin\clamscan.exe" --tempdir
"c:/docume~1/dean/locals~1/temp" --max-ratio=0
--recursive --no-mail --infected --max-files=500
--max-space=10240 --max-recursion=5 --show-progress
--stdout --database="C:/Documents and Settings/All
Users/.clamwin/db"
--log="c:/docume~1/dean/locals~1/temp/tmpitdiam" "C:/"
--exclude="C:/WINDOWS/system32/config/default"
--exclude="C:/WINDOWS/system32/config/SAM"
--exclude="C:/WINDOWS/system32/config/SECURITY"
--exclude="C:/WINDOWS/system32/config/software"
--exclude="C:/WINDOWS/system32/config/software.alt"
--exclude="C:/WINDOWS/system32/config/system"
--exclude="C:/WINDOWS/system32/config/system.alt"
--exclude="[^/].dbx$" --exclude="[^/].tbb$"
--exclude="[^/].pst$" --exclude="[^/].dat$"
--exclude="[^/].log$" --exclude="[^/].evt$"
--exclude="[^/].nsf$" --exclude="[^/].ntf$"
--exclude="[^/]*.chm$"
Curr Dir = C:\Program Files\ClamWin\bin\ Path = C:\Program
Files\ClamWin\bin\clamscan.exe
PID/Parent PID = 3672 / 5464
Started by = C:\Program
Files\ClamWin\bin\ClamWin.exe

After running ~9 mins:
Virtual KB Curr = 40,248 Peak = 45,968
Working Set KB Curr = 16,776 Peak = 36,592
Page File KB Curr = 15,516 Peak = 35,328
System Pool KB Paged = 156 Nonpaged = 1
Private KB = 15,516
Handles Count = 17,398
Faults Count = 2,359,328
Windows = 1
Reads = 547,946 Read KB = 1,978,644
Writes = 157,794 Write KB = 388,117
Other IOs = 4,008,209 Other KB = 177,639

After running 10mins 40 seconds:
Virtual KB Curr = 40,248 Peak = 76,604
Working Set KB Curr = 16,784 Peak = 53,096
Page File KB Curr = 15,516 Peak = 51,952
System Pool KB Paged = 184 Nonpaged = 1
Private KB = 15,516
Handles Count = 21,289
Faults Count = 2,393,958
Windows = 1
Reads = 611,974 Read KB = 2,206,114
Writes = 184,325 Write KB = 539,744
Other IOs = 5,950,349 Other KB = 263,380

After running 11mins 30 seconds:
Virtual KB Curr = 40,248 Peak = 76,604
Working Set KB Curr = 16,736 Peak = 53,096
Page File KB Curr = 15,460 Peak = 51,952
System Pool KB Paged = 204 Nonpaged = 1
Private KB = 15,460
Handles Count = 23,694
Faults Count = 2,504,894
Windows = 1
Reads = 736,373 Read KB = 2,433,471
Writes = 201,343 Write KB = 607,053
Other IOs = 6,854,314 Other KB = 304,311

After running 14mins 50 seconds:
Virtual KB Curr = 609,676 Peak = 609,680
Working Set KB Curr = 525,628 Peak = 525,628
Page File KB Curr = 585,896 Peak = 588,428
System Pool KB Paged = 1,316 Nonpaged = 1
Private KB = 585,896
Handles Count = 23,712
Faults Count = 3,092,442
Windows = 1
Reads = 746,803 Read KB = 3,468,700
Writes = 265,574 Write KB = 1,108,189
Other IOs = 6,882,126 Other KB = 305,708

This appears to occur whenever files within
compressed archives are checked, including zip, jar
and cab files.

This scan was actually done with version 0.88.3 even
though the engine version specified in the above
summary states 0.88.2; on the next scan immediately
after it reported 0.88.3.

Discussion

  • mogwhy

    mogwhy - 2006-07-12

    Logged In: YES
    user_id=1335080

    After 46 mins 40 seconds:
    Virtual KB Curr = 42,300 Peak = 609,680
    Working Set KB Curr = 18,916 Peak = 529,316
    Page File KB Curr = 19,100 Peak = 588,428
    System Pool KB Paged = 780 Nonpaged = 1
    Private KB = 19,100
    Handles Count = 97,438
    Faults Count = 13,138,660
    Windows = 1
    Reads = 2,395,248 Read KB = 10,655,703
    Writes = 1,090,422 Write KB = 4,187,820
    Other IOs = 27,700,095 Other KB = 1,224,624

  • mogwhy

    mogwhy - 2006-07-12

    Logged In: YES
    user_id=1335080

    After 46 mins 40 seconds:
    Virtual KB Curr = 42,300 Peak = 609,680
    Working Set KB Curr = 18,916 Peak = 529,316
    Page File KB Curr = 19,100 Peak = 588,428
    System Pool KB Paged = 780 Nonpaged = 1
    Private KB = 19,100
    Handles Count = 97,438
    Faults Count = 13,138,660
    Windows = 1
    Reads = 2,395,248 Read KB = 10,655,703
    Writes = 1,090,422 Write KB = 4,187,820
    Other IOs = 27,700,095 Other KB = 1,224,624

  • mogwhy

    mogwhy - 2006-07-12

    Logged In: YES
    user_id=1335080

    [Sorry about the double post above]

    Just a note for all of you who have reported that when ClamWin
    is running (scanning) it slows down your machine; this could
    be the problem.

    Excessive use of Win32 handles can cause the machine to slow
    to a crawl!

  • Gianluigi Tiesi

    Gianluigi Tiesi - 2006-07-16

    Logged In: YES
    user_id=38409

    The handle leakage most likely refers to mutex objects;
    native clamav uses pthreads that are wrapped to native win32
    CreateMutex. The code is used in multithreaded stuff.
    The problem is that no file in the clamav code calls
    pthread_mutex_destroy, so there are no CloseHandle calls on mutex
    objects. I really don't want to hunt all original clamav
    code to add all missing destroy mutex calls :P
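
    An added example (not code from the report or from ClamWin/ClamAV) that turns the TaskInfo snapshots quoted above into a check a defender can run: it parses elapsed time, handle count and private KB, computes the handle growth rate, and flags the pattern described in this thread (handles climbing monotonically while private memory returns to baseline, the signature of an unreleased kernel object rather than a heap leak). The sample text and the thresholds are constructed from the figures in this report.

```python
import re

# Constructed input: the TaskInfo snapshots quoted in the report above, reduced
# to the two fields that tell a handle leak apart from memory growth.
SAMPLES = """\
After running ~9 mins:
Private KB = 15,516
Handles Count = 17,398

After running 10mins 40 seconds:
Private KB = 15,516
Handles Count = 21,289

After running 14mins 50 seconds:
Private KB = 585,896
Handles Count = 23,712

After 46 mins 40 seconds:
Private KB = 19,100
Handles Count = 97,438
"""

HEADER = re.compile(r"After(?: running)?\s+~?(\d+)\s*mins?(?:\s+(\d+)\s*seconds)?", re.I)
FIELD = re.compile(r"^(Handles Count|Private KB)\s*=\s*([\d,]+)", re.M)

def parse_samples(text):
    """Return [(elapsed_seconds, handles, private_kb)] in the order sampled."""
    out = []
    for block in text.strip().split("\n\n"):
        m = HEADER.search(block)
        if not m:
            continue
        secs = int(m.group(1)) * 60 + int(m.group(2) or 0)
        fields = {k: int(v.replace(",", "")) for k, v in FIELD.findall(block)}
        out.append((secs, fields["Handles Count"], fields["Private KB"]))
    return out

def handles_per_minute(samples):
    """Average handle growth between the first and last snapshot."""
    (t0, h0, _), (t1, h1, _) = samples[0], samples[-1]
    return (h1 - h0) / ((t1 - t0) / 60.0)

def is_handle_leak(samples, min_growth=2.0, max_memory_growth=2.0):
    """Handles strictly increase across every snapshot, end up at least
    min_growth times the starting count, and private memory ends within
    max_memory_growth of its starting value (transient peaks are ignored)."""
    handles = [h for _, h, _ in samples]
    monotonic = all(a < b for a, b in zip(handles, handles[1:]))
    memory_flat = samples[-1][2] < max_memory_growth * samples[0][2]
    return monotonic and handles[-1] >= min_growth * handles[0] and memory_flat
```

The same parser works on any sequence of TaskInfo-style snapshots taken during a scan, so it can be re-run after a fix to confirm the handle count stays flat.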

  • Gianluigi Tiesi

    Gianluigi Tiesi - 2006-07-16

    Logged In: YES
    user_id=38409

    I suggest to put it to won't fix or postponed

  • mogwhy

    mogwhy - 2006-07-17

    Logged In: YES
    user_id=1335080

    I see this as being a rather critical problem...

    If scanning a dataset of a large number of compressed
    archives then you will have a problem with machine resources!

    Today more and more files are compressed on the average
    system hard disk; including zip, gzip, jar, cab and the
    average user's CHM (help) files.
    (Don't forget 7z, TAR, BZIP2, RAR)
