Hi-
Thanks for such a great program and all of the work being put into it. We're having a nasty problem with clamd 0.8x (even with 0.83 which we just installed yesterday). After running for a while, it will decide to just stop functioning and return failures or refuse connections from the MTA. Here are some specifics:


Solaris 9, gcc built, Solaris 9 stock zlib (1.1.4)

Here's a sample part of our clamd.log:

Tue Feb 15 10:16:43 2005 -> SelfCheck: Database status OK.
Tue Feb 15 10:19:53 2005 -> /var/spool/exim/scan/1D14UQ-0005c9-DG/1D14UQ-0005c9-DG.eml: Unable to open file or directory ERROR
Tue Feb 15 10:19:53 2005 -> Client disconnected
Tue Feb 15 10:19:53 2005 -> ERROR: accept() failed
Tue Feb 15 10:19:53 2005 -> ERROR: accept() failed
Tue Feb 15 10:19:53 2005 -> ERROR: accept() failed
Tue Feb 15 10:25:18 2005 -> /var/spool/exim/scan/1D14ZC-0006sJ-9Q/1D14ZC-0006sJ-9Q.eml: Worm.Lovgate.T FOUND


(which eventually turns into all accept() failed, though it doesn't always say this. Sometimes it just reports "Thu Feb 17 13:41:11 2005 -> No stats for Database check - forcing reload" as the last line before being autorestarted by my monitoring cronjob)

Our exim logs have shown:

2005-02-17 08:24:23 1D1kTd-0005w0-32 malware acl condition: clamd: unable to read from socket (No such file or directory)

or

2005-02-17 08:24:28 1D1ldr-0004nH-Qm malware acl condition: clamd: connection to 127.0.0.1, port 3310 failed (Bad file number)


When it is in this state, a truss of the process shows several threads apparently continuing to run but it won't accept new connections as seen above. I haven't seen any indication in the log that I've reached a threading limit, but I don't know if I should expect one.

I haven't been able to determine a specific pattern to when this happens and I can't seem to get it to repeat at will. The closest thing I've seen to a pattern is I've seen it happen several times when: a) the server has been started, b) it hasn't performed a successful SelfCheck yet. It doesn't always happen in this state (i.e. the first check doesn't always fail). I wish I could tell what the difference was between when it will work and when it will fail. I wonder if it happens to center around load, but I have no data to back that supposition up. I think I've seen this situation also happen (but I'm not sure) after a freshclam update that actually touched the database.

Here's my non-default answer in our config file:

LogFile /priv/log/clamd/clamd.log
LogFileMaxSize 100M
LogTime
LogSyslog
LogFacility LOG_MAIL
LogVerbose
DatabaseDirectory /priv/daemons/packages/clamav-0.83/share/clamav
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
StreamMaxLength 20M
MaxThreads 20
# this set to 600 in the hopes I could cause the problem to surface faster, was set to default
SelfCheck 600
Debug
ScanRAR
ArchiveBlockMax


Any suggestions on where to look? Any other information I should gather for you? Should I try the current snapshot? Thanks for any help you can offer.

         -- dNb
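
An added example, not part of the original post and not ClamAV code: a Python check, of the kind a monitoring cronjob could run, that finds runs of "ERROR: accept() failed" in a clamd.log written with LogTime and reports whether a scan verdict was logged afterwards. The sample log, the msg-a/msg-b paths, the threshold and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the clamd.log layout quoted above; one line is wrapped as in the mail.
SAMPLE_LOG = """\
Tue Feb 15 10:16:43 2005 -> SelfCheck: Database status OK.
Tue Feb 15 10:19:53 2005 -> /var/spool/exim/scan/msg-a/msg-a.eml: Unable to open file or directory ERROR
Tue Feb 15 10:19:53 2005 -> ERROR: accept() failed
Tue Feb 15 10:19:53 2005 -> ERROR: accept() failed
Tue Feb 15 10:25:18 2005 -> /var/spool/exim/scan/msg-b/msg-
b.eml: Worm.Lovgate.T FOUND
Tue Feb 15 10:31:02 2005 -> ERROR: accept() failed
Tue Feb 15 10:31:02 2005 -> ERROR: accept() failed
"""

RECORD = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (.*)$")
ACCEPT_FAILED = "ERROR: accept() failed"
VERDICT = re.compile(r": (?:.+ FOUND|OK)$")  # a scan verdict shows a client was served

def parse_records(text):
    """Return [(timestamp, message)]; a line without a timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append([datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)])
        elif records and line.strip():
            records[-1][1] += line.strip()  # re-join a wrapped log line
    return [tuple(r) for r in records]

def accept_failure_runs(records, threshold=2):
    """Group consecutive accept() failures; 'recovered' means a scan verdict came later."""
    runs, open_run = [], None
    for ts, msg in records:
        if msg == ACCEPT_FAILED:
            if open_run is None:
                open_run = {"start": ts, "count": 0, "recovered": False}
                runs.append(open_run)
            open_run["count"] += 1
            continue
        open_run = None
        if VERDICT.search(msg):
            for run in runs:
                run["recovered"] = True
    return [r for r in runs if r["count"] >= threshold]

if __name__ == "__main__":
    for run in accept_failure_runs(parse_records(SAMPLE_LOG)):
        state = "recovered" if run["recovered"] else "no scan verdict since"
        print(f'{run["start"]:%Y-%m-%d %H:%M:%S}  accept() failed x{run["count"]}  {state}')
```

A run with no scan verdict after it matches the stuck state described in the post; the SelfCheck line is deliberately not counted as a verdict because it does not involve accepting a client connection.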
