MalwareDetection load optimization

Estimated reading time: 2 min

If your server’s load is high while the MalwareDetection module is enabled, follow this troubleshooting guide to resolve the issue.

Find out what causes the issue.

Inotifywait process

We need to check if the load is increased by the Inotifywait process or the MalwareDetection process itself.
To do that, use the htop or top command.
Changing the Inotify process should resolve the load issue if it increases the load.
A step-by-step guide on that is available here.

Inotifywait process in htop

Initial malware scan

The load might be higher than it is usually if you run the first full malware scan as the module indexes the file system. You can check this from the Anti-Malware menu point or by issuing the following command in the terminal: bitninjacli --module=MalwareDetection --list-scans |grep scan_key

Active malware scan in progress
No active malware scan

If the initial scan causes issues with the service, we suggest canceling it and continuing when the server’s traffic is lower.
Cancel the scan from the Anti-Malware menu or the terminal with the following command:
bitninjacli --module=MalwareDetection --cancel
You can also try the following settings and retry.

The following scans after the file system is indexed will be much more load friendly, and they will be much faster as well.

None of the above

As a first step, we recommend decreasing the number of files pulled by the module:

You can do this from the BitNinja dashboard from the Configuration menu. You can apply the changes explained below on a per-server basis or a server group’s level, or you can apply it to your whole account.

  1. Open the Configuration menu on your BitNinja dashboard.
  2. Select the setting level on the left side. (server-level, server group-level, account-level)
  3. Select the Malware Detection module.

  4. Scroll down and select the “Advanced settings” menu at the bottom.
  5. Change the number of files checked concurrently.
  6. Click on the Save button at the top of the page.

The default value is 0, which means the number of files checked at the same time is determined by the agent automatically.

From the terminal:

If the corresponding variable is not present in the /etc/bitninja/MalwareDetection/config.ini the file, then add it manually under the [core] the section in the config file.

  1. Open the /etc/bitninja/MalwareDetection/config.ini file with nano:
    nano /etc/bitninja/MalwareDetection/config.ini
  2. Then add the variable file_path_pull_limit = 4
  3. Decrease the value to lower the module’s impact on the server’s load.
  4. Exit and save the changes
  5. Reload the module with the bitninjacli --module=malwaredetection --reload command.
  6. Synchronize the settings with the dashboard: bitninjacli --syncconfigs
We recommend setting the value to half the number of available CPU cores in the server.

If this does not solve the issue or you would have at least a 2.38.4 version of BitNinja or newer, then you have the option to increase scan_niceness variable in the config of the module.

The higher the value, the less impact the module has on the server’s load. It will also be slower.
Its range is from 0-1.

The scan_niceness can be changed in the /etc/bitninja/MalwareDetection/config.ini file.

From the dashboard:

You can do this from the BitNinja dashboard from the Configuration menu. You can apply the changes explained below on a per-server basis or a server group’s level, or you can apply it to your whole account.

  1. Open the Configuration menu on your BitNinja dashboard.
  2. Select the setting level on the left side. (server-level, server group-level, account-level)
  3. Select the Malware Detection module.

  4. Scroll down and select the “Advanced settings” menu at the bottom.
  5. Change the Scan niceness parameter. We recommend setting this parameter between 0 and 0.1.
    The default value is: 0.002
  6. Click on the Save button at the top of the page.

From the terminal:

  1. Open the /etc/bitninja/MalwareDetection/config.ini file with nano:
    nano /etc/bitninja/MalwareDetection/config.ini
  2. Then find the variable
  3. Increase the value to lower the module’s impact on the server’s load.
  4. Remove the semicolon (;) from the beginning of the line.
  5. Exit and save the changes
  6. Synchronize the settings with the dashboard: bitninjacli --syncconfigs
  7. Restart BitNinja with the service bitninja restart command.
Was this article helpful?
It was not helpful
Views: 587