Issue Dr.Web problem and server hung

[JuanCar]

Server operating system version

Centos 7

Plesk version and microupdate number

Obsidian 18.0.48

Hello
I see that my mail log grows a lot in last two days. and I see lot of drweb related data (drwe to postmaster and so)
When I see process list I see a lot of process of sendmail from drweb and postmaster.
The overall CPU usage grows up to 99% and then the server fails: server hung.
When server is restarted, after one or two hours the problem appears again.
So my server is offline most of time.
Any idea?

 

[JuanCar]

The lines I see in ps are like these one, and there is a lot of them
qmailq 32726 0.0 0.0 72712 3664 ? S 18:30 0:00 bin/qmail-queue
qmailq 32727 0.0 0.0 14868 1236 ? S 18:57 0:00 /usr/local/psa/handlers/hooks/drweb none [email protected] [email protected]
qmailq 32731 0.0 0.0 14868 1244 ? S 18:30 0:00 /usr/local/psa/handlers/hooks/drweb none [email protected] [email protected]
qmailq 32738 0.0 0.0 14868 1240 ? S 18:30 0:00 /usr/local/psa/handlers/hooks/drweb none [email protected]
[email protected]
root 32739 0.0 0.0 72652 3148 ? S 18:30 0:00 /usr/sbin/sendmail -fDrWEB-DAEMON -- postmaster
qmailq 32740 0.0 0.0 14868 1236 ? S 18:57 0:00 /usr/local/psa/handlers/hooks/drweb none [email protected] [email protected]
qmaild 32745 0.0 0.0 72652 1216 ? S 18:57 0:00 /usr/sbin/sendmail -fDrWEB-DAEMON -- postmaster
qmaild 32746 0.0 0.0 4312 576 ? S 18:57 0:00 bin/qmail-inject -a -f DrWEB-DAEMON -- postmaster
qmailq 32747 0.0 0.0 72716 3668 ? S 18:57 0:00 bin/qmail-queue

In mail log appears a lot of line about sendmail mail from drweb to postmaster and the mail queue became full with these messages.
I'm desperate ... and my hosting technical support .... doesn't find any fix

 

[JuanCar]

It seems the problem is fixed after I uninstalled DrWeb (Prallels Premium Antivirus).
Now I'm looking around and I've found in /var/drweb/spool a lot of files with the content I write below :
I see two things that I cannot understand
1. it says that
A message with the following attributes was not delivered ...
But the message is from [email protected] to [email protected]
Why must be cheched if it goes from drweb to postmaster?
2. The filter fails to pass object to the DrWEB daemon

As result I've see a lot of activity from drweb, a high CPU load and a server hung
I've uninstalled DrWeb and the server is ok, cpu is ok ...

--Content of files in var/drweb/spool/
Date: 30 Sep 2023 12:31:18 +0200
Message-ID: <[email protected]>
From: "DrWeb-DAEMON" <[email protected]>
To: "System Administrator" <[email protected]>
Subject: The antivirus software failure
Content-Type: multipart/mixed;
boundary="001-DrWeb-MailFilter-Notification"
MIME-Version: 1.0
Precedence: junk
X-Antivirus-Ticket: DrWeb notification.
X-PPP-Message-ID:
<[email protected]>
X-PPP-Vhost: localhost.localdomain

--001-DrWeb-MailFilter-Notification
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit

Dear Postmaster,

A message with the following attributes was not delivered because it contains an object which cannot be checked by antivirus.

Sender = [email protected]
Recipients = [email protected]
Subject = The antivirus software failure
Message-ID = <[email protected]>

--- Antivirus report ---
Detailed report:
The filter fails to pass object to the DrWEB daemon

--- Antivirus report ---

The original message was stored in archive record named:
file was not created

--001-DrWeb-MailFilter-Notification
Content-Type: text/rfc822-headers
Content-Transfer-Encoding: 7bit

Date: 30 Sep 2023 12:29:17 +0200
Message-ID: <[email protected]>
From: "DrWeb-DAEMON" <[email protected]>
To: "System Administrator" <[email protected]>
Subject: The antivirus software failure
Content-Type: multipart/mixed;
boundary="001-DrWeb-MailFilter-Notification"
MIME-Version: 1.0
Precedence: junk
X-Antivirus-Ticket: DrWeb notification.
X-PPP-Message-ID:
<[email protected]>
X-PPP-Vhost: localhost.localdomain


--001-DrWeb-MailFilter-Notification--