Re: [Clamav-users] clamav-milter hanging
Angelo Turetta wrote:

> Do you have any suggestion as to what might be triggering a fatal hanging of clamav-milter on my server?
>
> This is FreeBSD 4.9-STABLE (cvsup about March 25th), with sendmail 8.12.11/8.12.11, clamav0.70 from ports (but it showed up the same with 0.67-1)
>
> When this happens, I see a lot of clamav-milter processes equally partaging 100% cpu (see attached ps output), with uptime showing a load of [n. of milter processes], and sendmail stopping processing mail due to excessive system load. I even tried lowering the -max-children from 50 to 5, but this parameter is obviously not controlling the number of processes.

Recent threads and a patch of mine at http://www.jmaimon.com/clamav are addressed at trying to resolve the max-children issue.

> The mail log doesn't contain anything particularly vicious, the only strange thing is a lot of ' did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA' (about 4 to 10 per hour) with every time different and having nothing to do with this server (which is a company mail server with very little roaming usage, and at most 1000-2000 messages per day)
>
> System log is absolutely quiet, while clamd.log (fragment attached) shows some strange behaviour. Tonight, for example, at about midnight, it seems the database was reloaded, and since then the virus-rate dropped from 10-20 per hour to 2 in 6 hours. I suppose this might be the initial event.
>
> It all seems to have begun last week when I also installed spamass-milter on the same server, but that may be coincidence, because since the same day the server became the primary MX for the domain, while previously it had an upstream mail server intercepting viruses, and so clamd was a lot more idle than now.
>
> Thanks for any hints, Angelo.

Try reconfiguring with --enable-debug and recompiling, so that you might be able to debug the processes. Also try strace or similar on the hung processes.
--- This SF.Net email is sponsored by: Oracle 10g Get certified on the hottest thing ever to hit the market... Oracle 10g. Take an Oracle 10g class now, and we'll give you the exam FREE. http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click ___ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Mail::ClamAV
Have a look at the magic array cli_magic_s cli_magic at the top of libclamav/scanners.c

Or look at my patch which adds the option --mbox-force http://www.jmaimon.com/clamav

Glen Eustace wrote:

> Well, I have gotten further now, my problem seems to be that the scandesc function doesn't recognise my temporary file as a mail message.
>
> My filter places the SMTP commands in the file as well, these seem to prevent the scanner from working properly.
>
> Is there any way I can trick the scanner, or is it time to hack code ? Either mine or ClamAV
Re: [Clamav-users] Mail::ClamAV
On Sun, 02 May 2004 09:59:38 +1200 Glen Eustace <[EMAIL PROTECTED]> wrote:

> Well, I have gotten further now, my problem seems to be that the
> scandesc function doesn't recognise my temporary file as a mail
> message.

What is the header of the temporary file ?

--
Tomasz Kojm <[EMAIL PROTECTED]>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Sun May 2 01:05:25 CEST 2004
Re: [Clamav-users] Mail::ClamAV
Well, I have gotten further now, my problem seems to be that the scandesc function doesn't recognise my temporary file as a mail message.

My filter places the SMTP commands in the file as well, these seem to prevent the scanner from working properly.

Is there any way I can trick the scanner, or is it time to hack code ? Either mine or ClamAV

--
Glen and Rosanne Eustace,
GodZone Internet Services, a division of AGRE Enterprises Ltd.,
P.O. Box 8020, Palmerston North, New Zealand 5301
Ph/Fax: +64 6 357 8168, Mob: +64 27 5 424 015, Web: www.godzone.net.nz
"A Ministry specialising in providing low-cost professional Internet Services to NZ Christian Churches, Ministries and Organisations"
Re: [Clamav-users] Updating on SuSE?
cH4os wrote:

> Which file would you recommend? clamav-0.70.tar ?

Yes. The latest stable version should always be a safe bet.

> Im kinda new to this, here is what I thought I should do, what did I
> do wrong?
> [...]
> configure: error: newly created file is older than distributed files!
> Check your system clock

As the error message suggests: make sure your system clock is set correctly. SuSE comes with a pre-built "xntp" package, it is worth installing.

--
Mit freundlichen Grüßen / Yours sincerely
Dipl. Inform. Ralph Seichter
HORUS-IT
Ahornweg 10
D-57635 Oberirsen
Tel +49 2686 987880
Fax +49 2686 987889
http://horus-it.de/
[Clamav-users] clamav-milter hanging
Do you have any suggestion as to what might be triggering a fatal hanging of clamav-milter on my server?

This is FreeBSD 4.9-STABLE (cvsup about March 25th), with sendmail 8.12.11/8.12.11, clamav0.70 from ports (but it showed up the same with 0.67-1)

When this happens, I see a lot of clamav-milter processes equally partaging 100% cpu (see attached ps output), with uptime showing a load of [n. of milter processes], and sendmail stopping processing mail due to excessive system load. I even tried lowering the -max-children from 50 to 5, but this parameter is obviously not controlling the number of processes.

The mail log doesn't contain anything particularly vicious, the only strange thing is a lot of ' did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA' (about 4 to 10 per hour) with every time different and having nothing to do with this server (which is a company mail server with very little roaming usage, and at most 1000-2000 messages per day)

System log is absolutely quiet, while clamd.log (fragment attached) shows some strange behaviour. Tonight, for example, at about midnight, it seems the database was reloaded, and since then the virus-rate dropped from 10-20 per hour to 2 in 6 hours. I suppose this might be the initial event.

It all seems to have begun last week when I also installed spamass-milter on the same server, but that may be coincidence, because since the same day the server became the primary MX for the domain, while previously it had an upstream mail server intercepting viruses, and so clamd was a lot more idle than now.

Thanks for any hints, Angelo.

25763 ?? Ss   0:01.92 /usr/local/sbin/clamav-milter --local --outgoing -d -N --max-children=5 --postmaster=aturetta+virus --p
26787 ?? R  134:31.79 /usr/local/sbin/clamav-milter --local --outgoing -d -N --max-children=5 --postmaster=aturetta+virus --p
26794 ?? R  133:26.22 /usr/local/sbin/clamav-milter --local --outgoing -d -N --max-children=5 --postmaster=aturetta+virus --p
26798 ?? R  132:56.27 /usr/local/sbin/clamav-milter --local --outgoing -d -N --max-children=5 --postmaster=aturetta+virus --p
26908 ?? R  119:25.82 /usr/local/sbin/clamav-milter --local --outgoing -d -N --max-children=5 --postmaster=aturetta+virus --p
26927 ?? R  117:25.31 /usr/local/sbin/clamav-milter --local --outgoing -d -N --max-children=5 --postmaster=aturetta+virus --p
26976 ?? R  115:13.21 /usr/local/sbin/clamav-milter --local --outgoing -d -N --max-children=5 --postmaster=aturetta+virus --p
27213 ?? R   99:53.27 /usr/local/sbin/clamav-milter --local --outgoing -d -N --max-children=5 --postmaster=aturetta+virus --p
28779 ?? R   21:13.64 /usr/local/sbin/clamav-milter --local --outgoing -d -N --max-children=5 --postmaster=aturetta+virus --p
28875 ?? R   16:27.23 /usr/local/sbin/clamav-milter --local --outgoing -d -N --max-children=5 --postmaster=aturetta+virus --p
29325 ?? R    1:16.21 /usr/local/sbin/clamav-milter --local --outgoing -d -N --max-children=5 --postmaster=aturetta+virus --p

clamd-fragment.log Description: Binary data
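The comparison made by eye in the post above (number of clamav-milter processes against --max-children, and which of them are burning CPU), written as a monitoring check. This is an added example, not part of the original post or of ClamAV; the sample ps text is constructed, and the function names and the 10-minute CPU threshold are assumptions.

```python
import re

# Constructed sample in `ps ax` layout (PID TT STAT TIME COMMAND).
# PIDs, CPU times and the shortened command lines are made up.
SAMPLE_PS = """\
  PID  TT  STAT      TIME COMMAND
 4100  ??  Ss     0:01.92 /usr/local/sbin/clamav-milter --local -d --max-children=5
 4211  ??  R    134:31.79 /usr/local/sbin/clamav-milter --local -d --max-children=5
 4218  ??  R    119:25.82 /usr/local/sbin/clamav-milter --local -d --max-children=5
 4230  ??  R     99:53.27 /usr/local/sbin/clamav-milter --local -d --max-children=5
 4302  ??  R     21:13.64 /usr/local/sbin/clamav-milter --local -d --max-children=5
 4377  ??  R     16:27.23 /usr/local/sbin/clamav-milter --local -d --max-children=5
 4390  ??  R      1:16.21 /usr/local/sbin/clamav-milter --local -d --max-children=5
 4410  ??  Ss     0:03.10 sendmail: accepting connections (sendmail)
"""

# PID, TT, STAT, TIME as minutes:seconds.hundredths, then the command line.
PS_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+(\S+)\s+(\d+):(\d+\.\d+)\s+(.*)$")


def parse_ps(text):
    """Return (pid, stat, cpu_seconds, command) for each process line."""
    rows = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:  # the header line and anything malformed are skipped
            pid, stat, mins, secs, cmd = m.groups()
            rows.append((int(pid), stat, int(mins) * 60 + float(secs), cmd))
    return rows


def check_milter(text, name="clamav-milter", cpu_limit_s=600.0):
    """Summarise milter processes: count vs --max-children, and CPU spinners."""
    procs = [r for r in parse_ps(text) if name in r[3]]
    # The session leader (an 's' in STAT) is the daemon itself, not a worker.
    workers = [r for r in procs if "s" not in r[1]]
    m = re.search(r"--max-children=(\d+)", " ".join(r[3] for r in procs))
    limit = int(m.group(1)) if m else None
    # Runnable state plus a large accumulated CPU time: spinning, not scanning.
    runaway = [pid for pid, stat, cpu, _ in workers
               if stat.startswith("R") and cpu >= cpu_limit_s]
    return {
        "max_children": limit,
        "workers": len(workers),
        "over_limit": limit is not None and len(workers) > limit,
        "runaway": runaway,
    }
```

Feeding it the output of `ps ax` from cron and alerting when `over_limit` is true or `runaway` is non-empty catches the condition before sendmail starts refusing mail on load.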
Re: [Clamav-users] Patching clamd to log to stderr (for use with multilog)
On Saturday 01 May 2004 10:20 am, Antony Stone wrote:

> On Saturday 01 May 2004 10:06 am, Dale Gallagher wrote:
> >
> > I'd appreciate a permission listing of those /dev entries
> > on the Slack boxes that have it working. Thanks.
>
> I'm not using clamd, however I run Slackware 9.1 (kernel 2.4.25), so in
> case it helps, here are my ownerships/permissions on the relevant device
> files:
>
> $ ls -al /dev/fd
> lrwxrwxrwx 1 root root 13 Apr 10 12:55 /dev/fd -> /proc/self/fd/
>
> $ ls -al /proc/self/fd
> total 0
> dr-x------ 2 punter users 0 May 1 10:14 ./
> dr-xr-xr-x 3 punter users 0 May 1 10:14 ../
> lrwx------ 1 punter users 64 May 1 10:14 0 -> /dev/ttyp0
> lrwx------ 1 punter users 64 May 1 10:14 1 -> /dev/ttyp0
> lrwx------ 1 punter users 64 May 1 10:14 2 -> /dev/ttyp0
> lr-x------ 1 punter users 64 May 1 10:14 3 -> /proc/13784/fd/
>
> $ls -al /dev/ttyp0
> crwx-w---- 1 punter tty 3, 0 May 1 10:14 /dev/ttyp0

I guess I should also have included:

$ ls -al /dev/stderr
lrwxrwxrwx 1 root root 4 Apr 10 12:55 /dev/stderr -> fd/2

Regards,

Antony.

--
"Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know."
- Donald Rumsfeld, US Secretary of Defence

Please reply to the list; please don't CC me.
Re: [Clamav-users] Patching clamd to log to stderr (for use with multilog)
On Saturday 01 May 2004 10:06 am, Dale Gallagher wrote:

> Hi
>
> > you can use /dev/fd/2?
> > /proc/self/fd/2
>
> None of the suggestions incl. the above work
>
> Running Slack 9.1 boxes with Kernels 2.4.25 and others with
> 2.6.4
>
> Errors reported are consistent:
>
> ERROR: Can't open /dev/fd/2 in append mode.
> ERROR: Problem with internal logger.
>        Please check the permissions on the /dev/fd/2 file.
>
> $ ls -la /dev/fd/2
> lrwx-- foo users . /dev/fd/2 -> /dev/pts/5
>
> No change, even if I change the permissions on these device
> files. Looks like I'm going to have to stick to the patch -
> absolutely no problems, works like a charm. Also used on a
> Debian Linux box (Linux 2.4.18 I think).
>
> Strange that others have no problems
>
> I'd appreciate a permission listing of those /dev entries
> on the Slack boxes that have it working. Thanks.

I'm not using clamd, however I run Slackware 9.1 (kernel 2.4.25), so in case it helps, here are my ownerships/permissions on the relevant device files:

$ ls -al /dev/fd
lrwxrwxrwx 1 root root 13 Apr 10 12:55 /dev/fd -> /proc/self/fd/

$ ls -al /proc/self/fd
total 0
dr-x------ 2 punter users 0 May 1 10:14 ./
dr-xr-xr-x 3 punter users 0 May 1 10:14 ../
lrwx------ 1 punter users 64 May 1 10:14 0 -> /dev/ttyp0
lrwx------ 1 punter users 64 May 1 10:14 1 -> /dev/ttyp0
lrwx------ 1 punter users 64 May 1 10:14 2 -> /dev/ttyp0
lr-x------ 1 punter users 64 May 1 10:14 3 -> /proc/13784/fd/

$ls -al /dev/ttyp0
crwx-w---- 1 punter tty 3, 0 May 1 10:14 /dev/ttyp0

(This is with me logged in as username punter).

If I do "echo stdout >/dev/fd/1; echo stderr >/dev/fd/2" it works as expected.

Regards,

Antony.

--
The truth is rarely pure, and never simple. - Oscar Wilde

Please reply to the list; please don't CC me.
Re: [Clamav-users] Patching clamd to log to stderr (for use with multilog)
Hi

> you can use /dev/fd/2?
> /proc/self/fd/2

None of the suggestions incl. the above work

Running Slack 9.1 boxes with Kernels 2.4.25 and others with 2.6.4

Errors reported are consistent:

ERROR: Can't open /dev/fd/2 in append mode.
ERROR: Problem with internal logger.
       Please check the permissions on the /dev/fd/2 file.

$ ls -la /dev/fd/2
lrwx-- foo users . /dev/fd/2 -> /dev/pts/5

No change, even if I change the permissions on these device files. Looks like I'm going to have to stick to the patch - absolutely no problems, works like a charm. Also used on a Debian Linux box (Linux 2.4.18 I think).

Strange that others have no problems

I'd appreciate a permission listing of those /dev entries on the Slack boxes that have it working. Thanks.

cheers
Dale