Control: summary -1 Signatures broken -- Workaround: Add Vbs.Downloader.Generic-6431223-0 to /var/lib/clamav/local.ign2 and restart clamd
> Today, in my servers (at least 3 servers), starting from circa 9.00 local > time (Europe/Rome) clamav stop working, like: This is an issue in daily.cld 24256+ (released around this morning). A workaround is described here: http://lists.clamav.net/pipermail/clamav-users/2018-January/005715.html === I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and restarting clamd fixed the problem. This sig turned up in an update at 11:51AM GMT+10 26/1/2018 and problem began a few minutes later clamd run out of file descriptors. I also had to clean out TemporaryDirectory before restarting. Not sure what the exact reason for problem is. There is an EOF-15 in a subsig. Perhaps this causes a performance hit on large text files as end of file must be seeked to and this is sufficient on busy system to cause demand to exceed supply. sigtool --find Vbs.Downloader.Generic-6431223-0 Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;0:207075626c69632073756220;0:2073756220;EOF-15:203d202272652220656e6420696620;657865202f63207374617274 sigtool --find Vbs.Downloader.Generic-6431223-0 | sigtool --decode-sigs VIRUS NAME: Vbs.Downloader.Generic-6431223-0 TDB: Engine:51-255,Target:7 LOGICAL EXPRESSION: (0|1)&2&3 * SUBSIG ID 0 +-> OFFSET: 0 +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: public sub * SUBSIG ID 1 +-> OFFSET: 0 +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: sub * SUBSIG ID 2 +-> OFFSET: EOF-15 +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: = "re" end if * SUBSIG ID 3 +-> OFFSET: ANY +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: exe /c start === There is also a patch floating around that is supposed to fix the FD leak, but it is unclear where it is from: https://gist.github.com/manuelm/dbc94001c77c07363cdcb5b390c2cb04 Bernhard