MalwareDetection load optimization

If your server’s load is high while the MalwareDetection module is enabled, follow this troubleshooting guide to resolve the issue.

Find out what causes the issue.

Inotifywait process

We need to check if the load is increased by the Inotifywait process or the MalwareDetection process itself.
To do that, use the htop or top command.
Changing the Inotify process should resolve the load issue if it increases the load.
A step-by-step guide on that is available here.

Initial malware scan

The load might be higher than it is usually if you run the first full malware scan as the module indexes the file system. You can check this from the Anti-Malware menu point or by issuing the following command in the terminal: bitninjacli --module=MalwareDetection --list-scans |grep scan_key

If the initial scan causes issues with the service, we suggest canceling it and continuing when the server’s traffic is lower.
Cancel the scan from the Anti-Malware menu or the terminal with the following command:
bitninjacli --module=MalwareDetection --cancel
You can also try the following settings and retry.

None of the above

As a first step, we recommend decreasing the number of files pulled by the module:

You can do this from the BitNinja dashboard from the Configuration menu. You can apply the changes explained below on a per-server basis or a server group’s level, or you can apply it to your whole account.

1. Open the Configuration menu on your BitNinja dashboard.
2. Select the setting level on the left side. (server-level, server group-level, account-level)
3. Select the Malware Detection module.
   
   
4. Scroll down and select the “Advanced settings” menu at the bottom.
   
5. Change the number of files checked concurrently.
   
6. Click on the Save button at the top of the page.
   

   

   
   

From the terminal:

If the corresponding variable is not present in the /etc/bitninja/MalwareDetection/config.ini the file, then add it manually under the [core] the section in the config file.

1. Open the /etc/bitninja/MalwareDetection/config.ini file with nano:
   nano /etc/bitninja/MalwareDetection/config.ini
2. Then add the variable file_path_pull_limit = 4
3. Decrease the value to lower the module’s impact on the server’s load.
4. Exit and save the changes
5. Reload the module with the bitninjacli --module=malwaredetection --reload command.
6. Synchronize the settings with the dashboard: bitninjacli --syncconfigs

If this does not solve the issue or you would have at least a 2.38.4 version of BitNinja or newer, then you have the option to increase scan_niceness variable in the config of the module.

The scan_niceness can be changed in the /etc/bitninja/MalwareDetection/config.ini file.

From the dashboard:

You can do this from the BitNinja dashboard from the Configuration menu. You can apply the changes explained below on a per-server basis or a server group’s level, or you can apply it to your whole account.

1. Open the Configuration menu on your BitNinja dashboard.
2. Select the setting level on the left side. (server-level, server group-level, account-level)
3. Select the Malware Detection module.
   
   
4. Scroll down and select the “Advanced settings” menu at the bottom.
   
5. Change the Scan niceness parameter. We recommend setting this parameter between 0 and 0.1.
   The default value is: 0.002
   
6. Click on the Save button at the top of the page.

   

   
   

From the terminal:

1. Open the /etc/bitninja/MalwareDetection/config.ini file with nano:
   nano /etc/bitninja/MalwareDetection/config.ini
2. Then find the variable
   
3. Increase the value to lower the module’s impact on the server’s load.
4. Remove the semicolon (;) from the beginning of the line.
5. Exit and save the changes
6. Synchronize the settings with the dashboard: bitninjacli --syncconfigs
7. Restart BitNinja with the service bitninja restart command.