With the just released beta version 2.0.0b1 of the ISPProtect Malware Scanner we open a new chapter: the support of multiple CPU cores during the scan.

On servers with many files to be scanned in one run, the malware scan may well take several hours. However, servers of this size are usually equipped with multiple CPU cores. So far, ISPProtect has not been able to take advantage of this. By using ClamAV (clamscan, level 1) and PHP (heuristics and rule sets, level 2), the processing of files was limited to one CPU core.

Starting with the new generation of the scanner, we introduce another parameter for scans: --threads=x.

If a thread value of 2 or higher is entered when starting the scan, ISPProtect switches to using the ClamAV daemon (clamd) with the corresponding client (clamdscan) in level 1. These can scan multiple files in parallel. Furthermore, in level 2 we now make use of Swoole processes, which even allow us to process multiple files in parallel in PHP.

In benchmarks on a quad-core cloud server with --threads=4, we reduced scan time by nearly 50% (level 1) and nearly 66% (level 2). With more cores or more files to scan, the gain can be significantly larger. Note that the cores in use are (almost) 100% utilized, especially in level 2 of the scan. Take this into account if the server is already under load in normal operation. We recommend setting the number of threads to at most the number of CPU cores, and usually to about half of them, so that normal operation is not affected.

Installation

If you have already installed ISPProtect, you must explicitly update to the beta version. To do this, use the command:
ispp_scan --update --channel=beta

If you want to switch back to the stable version at a later time, you can do so with:
ispp_scan --update --force-yes

If you have not yet installed ISPProtect, use the normal installation and then update to the beta version as described previously:
mkdir -p /usr/local/ispprotect
chown -R root:root /usr/local/ispprotect
chmod -R 750 /usr/local/ispprotect
cd /usr/local/ispprotect
wget https://www.ispprotect.com/download/ispp_scan.tar.gz
tar xzf ispp_scan.tar.gz
rm -f ispp_scan.tar.gz
ln -s /usr/local/ispprotect/ispp_scan /usr/local/bin/ispp_scan

Prerequisites

To use the new version without the --threads parameter, no additional prerequisites are needed. If you want to use the multi-CPU support, you need the Swoole library for your PHP version and the ClamAV daemon including its client.

Under Debian you can install them as follows (Debian 11, PHP 7.4):
apt-get update
apt-get install clamav-daemon clamdscan php7.4-swoole

It may be necessary to activate the module with phpenmod swoole.
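The thread recommendation and the prerequisites above can be checked together before a scan. The following shell helper is an added example, not part of ISPProtect: it picks at most half of the cores and only emits --threads when clamdscan and the Swoole PHP module are found. The function names and the idea of subtracting the current 1-minute load from the core count are assumptions of this example.

```shell
#!/bin/sh
# Added example (not ISPProtect code): choose a --threads value for ispp_scan.

# pick_threads CORES LOAD
# Half of the cores, capped by the cores not already busy (assumption:
# LOAD is the integer part of the 1-minute load average), never below 1.
pick_threads() {
    pt_cores=$1
    pt_load=$2
    pt_n=$((pt_cores / 2))
    pt_free=$((pt_cores - pt_load))
    if [ "$pt_n" -gt "$pt_free" ]; then pt_n=$pt_free; fi
    if [ "$pt_n" -lt 1 ]; then pt_n=1; fi
    echo "$pt_n"
}

# missing_prereqs
# Prints the multi-core prerequisites that are not installed (empty if none).
missing_prereqs() {
    mp_miss=""
    command -v clamdscan >/dev/null 2>&1 || mp_miss="$mp_miss clamdscan"
    php -m 2>/dev/null | grep -qix 'swoole' || mp_miss="$mp_miss php-swoole"
    echo "$mp_miss"
}

# threads_arg THREADS MISSING
# Emits --threads=N only when N >= 2 (the value at which the scanner switches
# to clamd/Swoole) and nothing is missing; otherwise prints nothing, which
# means a normal single-core scan.
threads_arg() {
    if [ "$1" -ge 2 ] && [ -z "$2" ]; then
        echo "--threads=$1"
    fi
}

cores=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)
load=$(cut -d. -f1 /proc/loadavg 2>/dev/null || echo 0)
missing=$(missing_prereqs)
arg=$(threads_arg "$(pick_threads "$cores" "$load")" "$missing")

if [ -n "$missing" ]; then
    echo "multi-core scan not possible, missing:$missing"
fi
echo "threads parameter: ${arg:-none (single-core scan)}"
```

Append the printed parameter to your usual ispp_scan command line.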

We hope that this new version will help to make your servers even more secure and to enable faster intervention in case of hacked websites.

Beta version 2.0.0b1 – thread support for malware scans