ClamXAV is an often forgotten anti-virus solution for Mac users. Simple to use and with a small footprint, it’s pretty unobtrusive. And, for these reasons, it’s my own AV of choice. Oh, and it’s a British company too.
The Issues I Experienced
When I switched to an M1 MacBook Pro, ClamXAV continued to work just fine. Well, until I installed Microsoft OneDrive and then started getting regular Purple Screens of Death (where the screen flashes purple before rebooting). Looking at the crash details (when your Mac crashes it gives you the option to report it – if you do, you can view the contents of the information being sent), I saw this…
panic(cpu 4 caller 0xfffffe00184dd618): “uipc_send connected but no connection?”
A search of the internet revealed other people seeing the same and it being an issue with ClamXAV. In my particular case, it appears something specific about it scanning OneDrive was causing the problem. I uninstalled ClamXAV and the problem went away. After some weighing up, I decided to keep ClamXAV, updated to the beta version which people were finding helped with the situation, and just used the online version of OneDrive.
Now, a few weeks later, it’s started rebooting again. I have no idea why, but it’s the same error and I don’t have OneDrive installed. Indeed, just before it started again, I hadn’t installed anything new at all. The only thing that appears to be consistent this time is that it’s always when the laptop is running on battery.
So, I’ve uninstalled ClamXAV and the reboots have stopped. I have also seen occasional, and similar, reboots on my daughter’s Mac Mini M1, which also uses ClamXAV.
What do ClamXAV say?
We reached out to the makers of ClamXAV, Canimaan Software, and they told us the following…
When the macOS kernel panics, a panic report is generated which displays recently loaded kernel extensions (kexts) and the name of the panicked task – i.e. the task from which the kernel received a syscall at the time of the panic. In the cases that have been reported to us, the panicked task is listed as “clamd”, which is the process responsible for Sentry – our background monitor.
The kernel is crucial to the running of any operating system, as it handles process management, hardware interfacing, file systems etc. As such, it operates at a level far lower than regular applications (such as ClamXAV) and is purposefully isolated from the user and third-party application code. The only way that developers of regular applications can interact with the kernel is through the use of kernel extensions (kexts). ClamXAV does not make use of kexts, so therefore cannot be directly responsible for causing a kernel panic – as dictated by operating system design fundamentals. Due to heavy reliance on the kernel by macOS (or any operating system), one of the main jobs of the kernel is to not panic – as this unexpected panic will likely cause the whole system to crash and reboot.
As we are no experts in kernel design or, specifically, Apple’s implementation of an operating system kernel, we cannot explain why an operation made by our clamd process is now causing a panic. We never received reports of this on Intel Macs and the code is the same. This is something that we have contacted Apple about and they are actively exploring a fix. We are working with them to gather information about the environments in which this occurs and we hope they will provide us with a solution soon.
For the reasons described above, we believe that this can only be an issue with Apple’s code and not our own, as we don’t ship any code that runs at the kernel level. We would like to reassure customers that we are in close contact with Apple for the purposes of diagnosing and fixing this issue and we would encourage anyone that experiences it to reach out to us at firstname.lastname@example.org.
They also want to point out that this was only affecting a small minority of customers.
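To check whether a saved panic report fits the pattern the vendor describes (panicked task "clamd", no third-party kext loaded), a small parser helps; this is an added example, not code from the post or from Canimaan Software. The sample report is constructed apart from the panic() line quoted above, and the "Panicked task", "BSD process name" and "loaded kexts:" line layouts are assumptions about the report format.

```python
import re

# Constructed sample report. Only the panic() line comes from the post
# (typographic quotes normalised); addresses, pid and kext names are made up.
SAMPLE_REPORT = """\
panic(cpu 4 caller 0xfffffe00184dd618): "uipc_send connected but no connection?"
Debugger message: panic
Panicked task 0xfffffe0000000000: 100 pages, 4 threads: pid 512: clamd
last started kext at 1000: com.apple.example.driver\t1.0 (addr 0x0, size 0)
loaded kexts:
com.apple.example.driver\t1.0
com.apple.example.other\t2.3

"""

PANIC_RE = re.compile(r"^panic\(cpu \d+ caller 0x[0-9a-f]+\):\s*(.*)$", re.M)
# Assumed Apple silicon layout: "Panicked task <addr>: ... pid <n>: <name>"
TASK_RE = re.compile(r"^Panicked task 0x[0-9a-f]+:.*?pid (\d+): (.+)$", re.M)
# Assumed Intel layout, used as a fallback
BSD_RE = re.compile(r"^BSD process name corresponding to current thread: (.+)$", re.M)


def parse_panic(text):
    """Extract panic string, panicked task and non-Apple kexts from a report."""
    info = {"panic_string": None, "task": None, "pid": None, "third_party_kexts": []}
    if m := PANIC_RE.search(text):
        info["panic_string"] = m.group(1).strip().strip('"“”')
    if m := TASK_RE.search(text):
        info["pid"], info["task"] = int(m.group(1)), m.group(2).strip()
    elif m := BSD_RE.search(text):
        info["task"] = m.group(1).strip()
    in_kexts = False
    for line in text.splitlines():
        if line.strip() == "loaded kexts:":
            in_kexts = True
        elif in_kexts:
            if not line.strip():
                break  # blank line ends the kext list
            name = line.split()[0]
            if "." in name and not name.startswith("com.apple."):
                info["third_party_kexts"].append(name)
    return info


def triage(text, process="clamd"):
    """Flag reports where the panicked task is `process` and no third-party kext is loaded."""
    info = parse_panic(text)
    info["matches"] = info["task"] == process and not info["third_party_kexts"]
    return info


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

A report that matches is worth attaching when you contact support, since it shows the panicked task and confirms that no non-Apple kernel extension was loaded at the time.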
What can you do for now?
- If you’re experiencing these issues then, first off, please get in touch with their support team.
- There is an option within the advanced settings to use Beta versions of the software. It may be wise to try this, as you could get any potential fixes quicker.
- Turn off ClamXAV Sentry. This is the on-demand scanning component of ClamXAV, and is the solution that the developers are recommending right now. For full details about this, see the section below.
- In extreme cases, you could consider uninstalling ClamXAV.
What you do will possibly come down to the regularity of these reboots, how important the stability of your computer is and how important it is that you retain on-demand scanning.
If you do any of the first 3 options, I’d recommend keeping an eye on their changelog to see when potential fixes for this are pushed out.
How do I turn off ClamXAV Sentry?
- Open up ClamXAV
- Click on Preferences in the top-right of the window
- Now click on the Advanced tab
- Untick “Enable Sentry background monitor”. I also unticked “Scan inserted disks”, as I believe this is what was running when I had my previous issues with OneDrive.
This, though, creates an issue in that you now have no on-demand scanning taking place. Ensure you have daily scheduled scans set up for your Home folder or, at the very least, the Downloads folder. Canimaan also recommend scheduling a daily Quick Scan.
Note: your Mac must be on and awake for any scheduled events to take place.
Just to be clear, uninstalling ClamXAV is an absolute last-ditch solution and is not what Canimaan Software recommends.
There are 2 ways to do this…
- Head into Finder -> Applications and drag ClamXAV to the trash. After a few seconds you’ll see a message asking if you would also like to uninstall the scanning engine.
- If the scanning engine prompt doesn’t happen or it doesn’t appear to have worked, you can download the uninstaller and run it manually. The uninstaller will remove the scanning engine, preferences, and any schedules you’ve got set up.