> Date: Fri, 16 Jul 2010 09:39:55 +0300
> From: edwinto...@gmail.com
> To: clamav-users@lists.clamav.net
> Subject: Re: [Clamav-users] clamav-milter dies after awhile
>
> On Thu, 15 Jul 2010 17:35:49 -0700
> Jim Preston <jimli...@commspeed.net> wrote:
>
> > On Jul 15, 2010, at 5:14 PM, Jim Preston wrote:
> >
> > >
> > > On Jul 15, 2010, at 1:40 PM, Török Edwin wrote:
> > >
> > >> On Thu, 15 Jul 2010 16:22:49 -0400
> > >> Shawn Bakhtiar <shashan...@hotmail.com> wrote:
> > >>
> > >>> having a sinister problem.
> > >>>
> > >>> I have modified a SysV script to start the clamd and then
> > >>> clam-milter.
> > >>> when I check status I get:
> > >>>
> > >>> [r...@smtp ~]# /etc/init.d/clamav-milter status
> > >>> clamav-milter (pid 3432) is running...
> > >>> clamd (pid 3426) is running...
> > >>>
> > >>> I send an email and the header has :
> > >>>
> > >>> X-Virus-Status: Clean
> > >>> X-Virus-Scanned: clamav-milter 0.96 at smtp.inksystemsinc.com
> > >>>
> > >>> I come back a few days later and I get this:
> > >>>
> > >>> [r...@smtp ~]# /etc/init.d/clamav-milter status
> > >>> clamav-milter dead but subsys locked
> > >>> clamd (pid 5152) is running...
> > >
> > > This is very similar to what I get with my mail server. Seemed to
> > > be happening every time freshclam ran which is handled via a cron
> > > task. I could not figure out what was causing it and just went to a
> > > workaround of having a cron task restart of the clamav-milter 2
> > > min after the freshclam task.
> > >
> > > I will be happy to try any solutions that get posted here
> > > regarding a fix for this. It is a personal test mail server so I am
> > > not terribly concerned about having
> > > the restart task.
> > >
> > > Thanks, Jim
> > > _______________________________________________
> > >
> >
> > Edwin,
> >
> > This may have nothing to do with Shawn's problem but ......
> >
> > Could this be a problem with SELinux on my system?
> > /var/log/clamav-milter.log.scan:audit/audit.log:type=ANOM_ABEND
> > msg=audit(1264972228.023:953): auid=4294967295 uid=46 gid=46
> > subj=root:system_r:unconfined_t:s0-s0:c0.c1023 pid=25871
> > comm="clamav-milter" sig=25
> >
> > I do get this in the audit log .......
>
> That doesn't look like an SELinux message (they are all AVC
> something...), rather it looks like it just logs the fact that the
> milter crashed.
>
> So yes it might be the same problem as Shawn's. Do you have core files
> enabled? Did it leave a core file behind?
>
> You could also try to attach gdb to clamav-milter, and get a stacktrace
> when it crashes:
> # gdb /usr/sbin/clamav-milter `pidof clamav-milter`
> ...
> (gdb) continue
> .....
> SIGSEGV ....
> (gdb) thread apply all bt full
>
> Best regards,
> --Edwin
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

I have freshclam running every hour. If freshclam was the problem I would imagine it would be reproducible.

Here are all lines (grep milt) in /var/log/clamav.log

Jul 4 09:56:46 smtp clamav-milter[24943]: +++ Started at Sun Jul 4 09:56:46 2010
Jul 6 14:11:29 smtp clamav-milter[11442]: +++ Started at Tue Jul 6 14:11:29 2010
Jul 6 20:05:04 smtp clamav-milter[11443]: Message from <8429142657.12...@e2ma.net> to <sjacob...@postoffice.inksystemsinc.com> infected by Heuristics.Phishing.Email.SpoofedDomain
Jul 8 11:04:52 smtp clamav-milter[11443]: Message from <fail_con...@conway.com> to <uhir...@postoffice.inksystemsinc.com> infected by Heuristics.Phishing.Email.SpoofedDomain
Jul 10 16:10:50 smtp clamav-milter[5157]: +++ Started at Sat Jul 10 16:10:50 2010
Jul 15 13:03:19 smtp clamav-milter[3431]: +++ Started at Thu Jul 15 13:03:19 2010
Jul 15 13:03:39 smtp clamav-milter[3432]: Message from <fail_con...@conway.com> to <uhir...@postoffice.inksystemsinc.com> infected by Heuristics.Phishing.Email.SpoofedDomain

here is (/var/log/messages | grep clam) which shows some of the same stuff, however my SELinux is set to passive (log only) - I have had so many problems with SEL, like the theory, suffered in practice.

.......
Jul 13 04:01:02 smtp freshclam[19049]: ClamAV update process started at Tue Jul 13 04:01:02 2010
Jul 13 04:01:02 smtp freshclam[19049]: main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
Jul 13 04:01:02 smtp freshclam[19049]: daily.cld is up to date (version: 11359, sigs: 102693, f-level: 53, builder: ccordes)
Jul 13 04:01:02 smtp freshclam[19049]: bytecode.cld is up to date (version: 31, sigs: 7, f-level: 53, builder: nervous)
Jul 13 04:05:39 smtp clamd[5152]: SelfCheck: Database status OK.
Jul 13 04:14:29 smtp kernel: type=1400 audit(1279019669.096:110): avc: denied { getattr } for pid=19613 comm="sendmail" path="/var/run/clamd/clamav-milter.socket" dev=dm-0 ino=2850822 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
Jul 13 04:14:29 smtp kernel: type=1400 audit(1279019669.096:111): avc: denied { write } for pid=19613 comm="sendmail" name="clamav-milter.socket" dev=dm-0 ino=2850822 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
Jul 13 04:15:39 smtp clamd[5152]: SelfCheck: Database status OK.
Jul 13 04:25:39 smtp clamd[5152]: SelfCheck: Database status OK.
Jul 13 04:35:39 smtp clamd[5152]: SelfCheck: Database status OK.
Jul 13 04:45:39 smtp clamd[5152]: SelfCheck: Database status OK.
Jul 13 04:55:39 smtp clamd[5152]: SelfCheck: Database status OK.
Jul 13 05:01:01 smtp freshclam[19841]: ClamAV update process started at Tue Jul 13 05:01:01 2010
Jul 13 05:01:01 smtp freshclam[19841]: main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
Jul 13 05:01:01 smtp freshclam[19841]: Trying host database.clamav.net (213.165.80.159)...
Jul 13 05:01:01 smtp freshclam[19841]: Downloading daily-11360.cdiff [100%]
Jul 13 05:01:02 smtp freshclam[19841]: daily.cld updated (version: 11360, sigs: 102698, f-level: 53, builder: ccordes)
Jul 13 05:01:02 smtp freshclam[19841]: bytecode.cld is up to date (version: 31, sigs: 7, f-level: 53, builder: nervous)
Jul 13 05:01:02 smtp freshclam[19841]: Database updated (807432 signatures) from database.clamav.net (IP: 213.165.80.159)
Jul 13 05:05:39 smtp clamd[5152]: SelfCheck: Database modification detected. Forcing reload.
Jul 13 05:05:39 smtp clamd[5152]: Reading databases from /usr/local/share/clamav
Jul 13 05:05:44 smtp clamd[5152]: Database correctly reloaded (806719 signatures)
Jul 13 05:15:44 smtp clamd[5152]: SelfCheck: Database status OK.
Jul 13 05:25:44 smtp clamd[5152]: SelfCheck: Database status OK.
Jul 13 05:35:44 smtp clamd[5152]: SelfCheck: Database status OK.
Jul 13 05:45:44 smtp clamd[5152]: SelfCheck: Database status OK.
Jul 13 05:53:55 smtp kernel: type=1400 audit(1279025635.953:113): avc: denied { getattr } for pid=20024 comm="sendmail" path="/var/run/clamd/clamav-milter.socket" dev=dm-0 ino=2850822 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
Jul 13 05:53:55 smtp kernel: type=1400 audit(1279025635.953:114): avc: denied { write } for pid=20024 comm="sendmail" name="clamav-milter.socket" dev=dm-0 ino=2850822 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
Jul 13 05:55:44 smtp clamd[5152]: SelfCheck: Database status OK.
Jul 13 06:01:01 smtp freshclam[20056]: ClamAV update process started at Tue Jul 13 06:01:01 2010
Jul 13 06:01:01 smtp freshclam[20056]: main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
Jul 13 06:01:01 smtp freshclam[20056]: daily.cld is up to date (version: 11360, sigs: 102698, f-level: 53, builder: ccordes)
Jul 13 06:01:01 smtp freshclam[20056]: bytecode.cld is up to date (version: 31, sigs: 7, f-level: 53, builder: nervous)
Jul 13 06:05:44 smtp clamd[5152]: SelfCheck: Database status OK.
Jul 13 06:15:44 smtp clamd[5152]: SelfCheck: Database status OK.
Jul 13 06:25:44 smtp clamd[5152]: SelfCheck: Database status OK.
Jul 13 06:35:44 smtp clamd[5152]: SelfCheck: Database status OK.
Jul 13 06:45:44 smtp clamd[5152]: SelfCheck: Database status OK.
.....

I do notice that sometimes freshclam takes a long time, with verbose output in anacron (mail from logwatch). I have not yet made the connection. But I will keep an eye out to see if the issues are related. It was suggested I do hourly... is that too often perhaps?
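
Added example, not part of the original thread: a small triage script that separates the two kinds of audit records posted above, the `ANOM_ABEND` crash record and the `avc: denied` SELinux records, and groups the denials by source type, target type, class and permission. The function names and the signal table are assumptions of this example; the table uses x86 Linux signal numbering, under which `sig=25` is SIGXFSZ (file size limit exceeded).

```python
import re
from collections import Counter

# Signal numbers as defined on x86 Linux (assumption: the audited host is x86 Linux).
LINUX_SIGNALS = {6: "SIGABRT", 7: "SIGBUS", 11: "SIGSEGV", 25: "SIGXFSZ"}

# Constructed sample: records copied from the thread, one per line.
SAMPLE = """\
audit/audit.log:type=ANOM_ABEND msg=audit(1264972228.023:953): auid=4294967295 uid=46 gid=46 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 pid=25871 comm="clamav-milter" sig=25
Jul 13 04:14:29 smtp kernel: type=1400 audit(1279019669.096:110): avc: denied { getattr } for pid=19613 comm="sendmail" path="/var/run/clamd/clamav-milter.socket" dev=dm-0 ino=2850822 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
Jul 13 04:14:29 smtp kernel: type=1400 audit(1279019669.096:111): avc: denied { write } for pid=19613 comm="sendmail" name="clamav-milter.socket" dev=dm-0 ino=2850822 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
Jul 13 04:15:39 smtp clamd[5152]: SelfCheck: Database status OK.
"""

ABEND_RE = re.compile(r'type=ANOM_ABEND .*?pid=(\d+) comm="([^"]+)" sig=(\d+)')
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ ([^}]+) \} for .*?comm="([^"]+)".*?'
    r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def type_of(context):
    """Return the type field of an SELinux context user:role:type:level."""
    return context.split(":")[2]

def triage(text):
    """Split audit text into process crashes and grouped SELinux denials."""
    crashes, denials = [], Counter()
    for line in text.splitlines():
        m = ABEND_RE.search(line)
        if m:
            sig = int(m.group(3))
            crashes.append((m.group(2), int(m.group(1)),
                            LINUX_SIGNALS.get(sig, "signal %d" % sig)))
            continue
        m = AVC_RE.search(line)
        if m:
            perms, comm, scon, tcon, tclass = m.groups()
            for perm in perms.split():
                denials[(comm, type_of(scon), type_of(tcon), tclass, perm)] += 1
    return crashes, denials

if __name__ == "__main__":
    crashes, denials = triage(SAMPLE)
    for comm, pid, sig in crashes:
        print("crash: %s pid=%d killed by %s" % (comm, pid, sig))
    for key, n in sorted(denials.items()):
        print("denial x%d: %s (%s) -> %s:%s { %s }" % ((n,) + key))
```

Run against the full `/var/log/messages` and `audit.log`, the grouped output shows whether the denials are one repeated rule (here `sendmail_t` on a `var_run_t` socket file) and which signal ended each crashed process.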