Dear all, Addendum : I forgot to mention the version : ClamAV 0.83/856/Wed Apr 27 09:00:37 2005 Sorry for this second post.
Arnaud We are running a webmail service using ClamAV and get roughtly 30.000 valid mails/day. We run home-build SMTP servers calling clamd, emulating the client. The problem : After running +- 10 minutes, clamd.log reports a first message saying : 'ERROR: ScanStream: accept timeout' quickly followed other ones. After 1 or 2 minutes, we get another message : 'ERROR: accept() failed: Too many open files' and, I guess, clamd does not respond any more. Need to restart the daemon to restore the service. I tried the following tunning : 1. Increase the number of threads from 10 to 30 for reducing the queue: no changes, still errors. 2. Increase the number of MaxConnectionQueueLength to 30: no changes, still errors. Other info : Clamd runs as non-root user. Launch script is : /etc/init.d/clamav_daemon start (not modified from orginal). ClamAV is currently running and a Debian Woody with 1.5 GB mem on a 2*1Ghz Intel chassis. SpamAssassin is also running on this box. Version 3.0.2 standard (Razor, DCC, ...) Mitigating factors (;-) Running the same config on a more powerfull box does not generate the prob (2*3GH + multithreading) clamd.conf : #Automatically Generated by clamav-base postinst #To reconfigure clamd run #dpkg-reconfigure clamav-base #LocalSocket /var/run/clamav/clamd.ctl FixStaleSocket User clamav AllowSupplementaryGroups ArchiveMaxRecursion 10 ArchiveMaxFiles 1500 ArchiveMaxFileSize 30M ArchiveMaxCompressionRatio 300 ArchiveBlockEncrypted ArchiveBlockMax ReadTimeout 300 #Modified by AH 27/04/2005. Was : 10 MaxThreads 30 MaxConnectionQueueLength 15 LogFile /var/log/clamav/clamav.log LogTime LogFileMaxSize 0 PidFile /var/run/clamav/clamd.pid DatabaseDirectory /var/lib/clamav SelfCheck 3600 ScanMail ScanArchive ScanHTML ScanOLE2 ScanPE TCPSocket 3310 DetectBrokenExecutables #added by AH 27/04/2005 StreamMaxLength 20M Example of an error report : cruella:/var/log# tail -f /var/log/clamav/clamav.log Wed Apr 27 13:38:17 2005 -> Archive support enabled. Wed Apr 27 13:38:17 2005 -> Archive: RAR support disabled. Wed Apr 27 13:38:17 2005 -> Archive: Blocking encrypted archives. Wed Apr 27 13:38:17 2005 -> Archive: Blocking archives that exceed limits. Wed Apr 27 13:38:17 2005 -> Portable Executable support enabled. Wed Apr 27 13:38:17 2005 -> Detection of broken executables enabled. Wed Apr 27 13:38:17 2005 -> Mail files support enabled. Wed Apr 27 13:38:17 2005 -> OLE2 support enabled. Wed Apr 27 13:38:17 2005 -> HTML support enabled. Wed Apr 27 13:38:17 2005 -> Self checking every 3600 seconds. Wed Apr 27 13:41:21 2005 -> stream: Exploit.HTML.IFrame FOUND Wed Apr 27 13:42:42 2005 -> stream: Worm.Bagle.Gen-zippwd FOUND Wed Apr 27 13:45:09 2005 -> stream: Worm.SomeFool.P FOUND Wed Apr 27 13:45:29 2005 -> stream: Worm.SomeFool.Q FOUND Wed Apr 27 13:45:35 2005 -> stream: Worm.Mytob.A FOUND Wed Apr 27 13:46:00 2005 -> stream: Exploit.HTML.IFrame FOUND Wed Apr 27 13:47:11 2005 -> stream: Worm.SomeFool.P FOUND Wed Apr 27 13:48:06 2005 -> ERROR: ScanStream: accept timeout. Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout. Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout. ... Wed Apr 27 13:56:06 2005 -> ERROR: accept() failed: Too many open files Wed Apr 27 13:56:08 2005 -> ERROR: accept() failed: Too many open files .... Has anyone faced the same issue before ? Is there a known way to fix this problem ? Any advice ? Any help would be greatly appreciated. Thanks, Arnaud Huret ContactOffice _______________________________________________ http://lurker.clamav.net/list/clamav-users.html
