
Using YARA scanning process in a container led to OOM due to the generation of a large amount of cache.

Open touyudexiaomao opened this issue 1 year ago • 1 comments

Describe the bug

I created a container with a maximum memory limit of 1GB. I started a process A inside the container, which uses the YARA API to scan other processes. During the YARA scanning process, a large amount of cache is generated due to intensive I/O operations. As a result, the sum of RSS (200M) and cache (900M) of all processes in the container exceeded 1GB, leading to the OOM kill of process A.

Expected behavior

Can YARA be controlled through parameters to perform I/O operations in direct I/O mode?

Please complete the following information:

  • OS: centos 3.10.0-957.el7.x86_64
  • YARA version: 4.3.2

touyudexiaomao, Mar 27 '24 11:03

If I understood correctly you are scanning other processes, not files, right?

plusvic, Apr 02 '24 14:04
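
One way to check how a container's memory charge splits between rss and page cache, as in the report at the top of this thread: the following is an added example, not code from the issue or from YARA. It parses a cgroup v1 `memory.stat`; the sample values are constructed from the figures in the report, and the inactive/active file split and the working-set heuristic are assumptions.

```python
"""Added example: split a cgroup v1 memory charge into rss and page cache."""
import re

MiB = 1024 * 1024

# Constructed memory.stat excerpt (bytes). rss and cache mirror the report;
# the inactive/active file split is an assumption made for illustration.
SAMPLE_MEMORY_STAT = f"""\
cache {900 * MiB}
rss {200 * MiB}
inactive_file {700 * MiB}
active_file {200 * MiB}
"""
SAMPLE_LIMIT = 1024 * MiB  # memory.limit_in_bytes of a 1GB container


def parse_memory_stat(text):
    """Parse the 'name value' lines of memory.stat into a dict of ints."""
    stats = {}
    for line in text.splitlines():
        m = re.fullmatch(r"(\w+)\s+(\d+)", line.strip())
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def summarize(stat_text, limit_bytes):
    """Report how much of the charge is page cache and how it compares to the limit."""
    s = parse_memory_stat(stat_text)
    rss, cache = s.get("rss", 0), s.get("cache", 0)
    charged = rss + cache
    # Heuristic: inactive file pages are the first candidates for reclaim,
    # so subtracting them approximates the working set.
    working_set = max(charged - s.get("inactive_file", 0), 0)
    return {
        "rss_mib": rss // MiB,
        "cache_mib": cache // MiB,
        "charged_mib": charged // MiB,
        "working_set_mib": working_set // MiB,
        "cache_share": round(cache / charged, 2) if charged else 0.0,
        "over_limit": charged > limit_bytes,
    }


if __name__ == "__main__":
    # Inside a cgroup v1 container, read /sys/fs/cgroup/memory/memory.stat and
    # /sys/fs/cgroup/memory/memory.limit_in_bytes instead of the sample.
    for key, value in summarize(SAMPLE_MEMORY_STAT, SAMPLE_LIMIT).items():
        print(f"{key}: {value}")
```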