Re: [Clamav-users] How are downloader viruses encountered ??

2005-04-27 Thread Joanna Roman

--- Tomasz Kojm <[EMAIL PROTECTED]> wrote:
> On Wed, 27 Apr 2005 18:11:17 -0700 (PDT)
> Joanna Roman <[EMAIL PROTECTED]> wrote:
> 
> > Can anybody tell me how downloader viruses are
> > encountered ? Is it via http browsing and adware ??
> 
> via lottery
> 
> > Trojan.Downloader.Agent-117
> > Trojan.Downloader.Agent-118
> > Trojan.Downloader.Agent-119
> > Trojan.Downloader.Agent-120
> > 
> > __
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam protection around
> 
> Tired.
> 
> -- 
>    oo. Tomasz Kojm <[EMAIL PROTECTED]>
>   (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
>  \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
>    //\   /\  Thu Apr 28 03:18:44 CEST 2005

Serious answers only. You must be tired. Take a break
man ! :) Serious, how are they encountered ?

___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] Re: x-virus-scanned - header missing

2005-04-27 Thread René Berber
lizard wrote:
> Hi all,

Howdy!

> I'm a newbie but trying to figure things out.  I know my clamav is working (it 
> stops the eicar test string),

Stops?  What do you mean? Stops a mail message carrying it, or just detects it
in a file?

> but it doesn't add any type of header to my emails (like X-Virus-Scanned).

Headers like that are added by mail server "plugins" which may use clamav to
detect the viri.  Clamav includes one of those plugins for sendmail, so it
doesn't work in your setup.

> Is there a setting to turn this on?  I've looked through the .conf file and 
> didn't see anything that looked like it was related to this.
> 
> I'm running the latest clamav on Fedora core 2 / Plesk 7.5 / qmail.

For QMail, look at the manual, section 8, which has a list of 3rd party software
to use in addition to clamav; you'll have to choose and install a plugin for
your server.  The manual is in the distribution and on the Web.

-- 
René Berber



[Clamav-users] x-virus-scanned - header missing

2005-04-27 Thread lizard

Hi all,

I'm a newbie but trying to figure things out.  I know my clamav is working (it 
stops the eicar test string), but it doesn't add any type of header to my 
emails (like X-Virus-Scanned).

Is there a setting to turn this on?  I've looked through the .conf file and 
didn't see anything that looked like it was related to this.

I'm running the latest clamav on Fedora core 2 / Plesk 7.5 / qmail.

Thanks,
Jon




[Clamav-users] How are downloader viruses encountered ??

2005-04-27 Thread Joanna Roman
Can anybody tell me how downloader viruses are
encountered ? Is it via http browsing and adware ??

Trojan.Downloader.Agent-117
Trojan.Downloader.Agent-118
Trojan.Downloader.Agent-119
Trojan.Downloader.Agent-120



Re: [Clamav-users] How are downloader viruses encountered ??

2005-04-27 Thread Tomasz Kojm
On Wed, 27 Apr 2005 18:11:17 -0700 (PDT)
Joanna Roman <[EMAIL PROTECTED]> wrote:

> Can anybody tell me how downloader viruses are
> encountered ? Is it via http browsing and adware ??

via lottery

> Trojan.Downloader.Agent-117
> Trojan.Downloader.Agent-118
> Trojan.Downloader.Agent-119
> Trojan.Downloader.Agent-120
> 
> __
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 

Tired.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Apr 28 03:18:44 CEST 2005




Re: [Clamav-users] looking for utility that can control clamav remotely ...

2005-04-27 Thread Freddie Cash
On April 27, 2005 06:02 am, Joanna Roman wrote:
> Hi, I am thinking of building/looking for some kind of
> utility that can let me remotely control clamav tools.
> (The utility is not restricted to control only clamav
> but can be used to control other tools remotely in a
> similar manner.) Basically the utility will be running
> on the same machine as the clamd/clamscand. A client
> can connect to the utility via web interface. From the
> web interface, the user can  start or stop, for
> example, the clamd/clamdscan.

> Does anyone know any existing source code that can do
> such a thing ? Thanks.

Webmin (http://www.webmin.com), a web-based administration tool for 
Unix-like systems.  Even includes a ClamAV configuration module.  Does 
everything you just listed.  Works quite nicely, too.

You'll most likely want to grab the Swell Technology theme 
(http://www.swelltech.com), as it's much lighter weight than the default 
Webmin theme, and a lot nicer than the included light-weight theme.
-- 
Freddie Cash, CLCP CNCP        Network Support / Helpdesk
School District 73 (250) 377-4357
[EMAIL PROTECTED]


[Clamav-users] Re: scanning downloaded files

2005-04-27 Thread René Berber
Libor Kunes wrote:

> could you please help me orientate? I use ClamAV 0.81 on Linux server
> and I am interested in how I can find out whether ClamAV scans
> everything that goes to my server, particularly downloaded files and
> pages from internet. I know that nowadays it scans  mails.

You could use a proxy.  Look in the 3rd party software list, Web/ftp proxy
(section 8.3 of the manual) and evaluate the available options.
-- 
René Berber



Re: [Clamav-users] scanning downloaded files

2005-04-27 Thread Odhiambo Washington
* Libor Kunes <[EMAIL PROTECTED]> [20050427 17:43]: wrote:
> Hello,
> could you please help me orientate? I use ClamAV 0.81 on Linux server 
> and I am interested in how I can find out whether ClamAV scans 
> everything that goes to my server, particularly downloaded files and 
> pages from internet. I know that nowadays it scans  mails.
> Thank you for help  

It will depend on what other application you are using to call clamav
to scan that content.
You really need to understand your system. It's not very easy for
someone from outside to figure this out for you unless you tell us,
even abstractly, what it is that you are running.
In a nutshell though, you need to look at the relevant log files.


-Wash

http://www.netmeister.org/news/learn2quote.html

--
+==+
|\  _,,,---,,_ | Odhiambo Washington<[EMAIL PROTECTED]>
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+
"But what we need to know is, do people want nasally-insertable
computers?"


[Clamav-users] scanning downloaded files

2005-04-27 Thread Libor Kunes
Hello,
could you please help me orientate? I use ClamAV 0.81 on Linux server 
and I am interested in how I can find out whether ClamAV scans 
everything that goes to my server, particularly downloaded files and 
pages from internet. I know that nowadays it scans  mails.
Thank you for help  
lik




Re: [Clamav-users] 'Too many open files' on a buzy clamd

2005-04-27 Thread Tomasz Papszun
On Wed, 27 Apr 2005 at 14:05:07 +0200, Arnaud Huret wrote:
> 
> We are running a webmail service using ClamAV and get roughly 30.000 valid 
> mails/day.
> We run home-built SMTP servers calling clamd, emulating the client.
> 
> The problem :
> 
> After running +- 10 minutes, clamd.log reports a first message saying : 
> 'ERROR: ScanStream: accept timeout' quickly followed by other ones.  After 1 or 
> 2 minutes, we get another message : 'ERROR: accept() failed: Too many open 
> files' and, I guess, clamd does not respond any more. 
> Need to restart the daemon to restore the service.
> 
[...]

Not the reason, just a circumstance, but... check what
'cat /proc/sys/fs/file-max ; cat /proc/sys/fs/file-nr'
says.

-- 
 Tomasz Papszun       SysAdm @ TP S.A. Lodz, Poland | And it's only
 tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 tomek at clamav.net   http://www.ClamAV.net/   A GPL virus scanner


Re: [Clamav-users] 'Too many open files' on a buzy clamd contd ....

2005-04-27 Thread Trog
On Wed, 2005-04-27 at 14:55 +0200, Arnaud Huret wrote:
> Dear all,
> 
> Addendum : I forgot to mention the version : ClamAV 0.83/856/Wed Apr 27 
> 09:00:37 2005
> Sorry for this second post.
> 

> After running +- 10 minutes, clamd.log reports a first message saying : 
> 'ERROR: ScanStream: accept timeout' quickly followed by other ones.  After 1 or 
> 2 minutes, we get another message : 'ERROR: accept() failed: Too many open 
> files' and, I guess, clamd does not respond any more. 
> Need to restart the daemon to restore the service.
> 

What are you using to feed the data to clamd?

Check that your StreamMinPort and StreamMaxPort settings are
conservative, e.g.
StreamMinPort 1024
StreamMaxPort 4096

-trog





Re: [Clamav-users] ONLINE VIRUS SCANNER

2005-04-27 Thread Nigel Horne
On Wednesday 27 Apr 2005 14:05, Matt Fretwell wrote:
> Mr Prince Simon wrote:
> 
> > Maybe you can share this perl script also?
> 
> > --- [EMAIL PROTECTED] wrote:
> > > Yes, can you please give me the sample of that perl
> 
> 
>  I do not think Nigel meant he had a script for doing this, rather that
> you should write your own.

Correct. Any sysadmin should find it trivial to write.

>  Shell|perl|php|python. Whichever scripting language you prefer.

> Matt

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk


Re: [Clamav-users] looking for utility that can control clamav remotely ...

2005-04-27 Thread Matt Fretwell
Joanna Roman wrote:

> Hi, I am thinking of building/looking for some kind of
> utility that can let me remotely control clamav tools.
> (The utility is not restricted to control only clamav
> but can be used to control other tools remotely in a
> similar manner.) Basically the utility will be running
> on the same machine as the clamd/clamscand. A client
> can connect to the utility via web interface. From the
> web interface, the user can  start or stop, for
> example, the clamd/clamdscan.  
> 
> Does anyone know any existing source code that can do
> such a thing ? Thanks.


 If you are looking for a general covers everything type programme, Webmin
is usually worth a shot. I have no idea what it covers, before anyone says
anything, but it is extensible.


Matt


Re: [Clamav-users] 'Too many open files' on a buzy clamd contd ....

2005-04-27 Thread Keith Patton
You may either need to increase the max number of open file descriptors 
or limit your smtp concurrent connections.

For increasing file descriptors see : 
http://www.cs.wisc.edu/condor/condorg/linux_scalability.html

as far as smtp goes, it depends on what sw you are using.
-Keith

Arnaud Huret wrote:
> Dear all,
>
> Addendum : I forgot to mention the version : ClamAV 0.83/856/Wed Apr 27
> 09:00:37 2005
> Sorry for this second post.
>
> Arnaud
>
> We are running a webmail service using ClamAV and get roughly 30.000 valid
> mails/day.
> We run home-built SMTP servers calling clamd, emulating the client.
>
> The problem :
>
> After running +- 10 minutes, clamd.log reports a first message saying :
> 'ERROR: ScanStream: accept timeout' quickly followed by other ones.  After 1 or
> 2 minutes, we get another message : 'ERROR: accept() failed: Too many open
> files' and, I guess, clamd does not respond any more.
> Need to restart the daemon to restore the service.
>
> I tried the following tuning :
>
> 1. Increase the number of threads from 10 to 30 for reducing the queue: no
> changes, still errors.
> 2. Increase the number of MaxConnectionQueueLength to 30: no changes, still
> errors.
>
> Other info :
>
> Clamd runs as non-root user.
> Launch script is : /etc/init.d/clamav_daemon start (not modified from
> original).
> ClamAV is currently running on a Debian Woody with 1.5 GB mem on a 2*1Ghz
> Intel chassis.
> SpamAssassin is also running on this box. Version 3.0.2 standard (Razor, DCC,
> ...)
>
> Mitigating factors (;-)
>
> Running the same config on a more powerful box does not generate the prob
> (2*3GH + multithreading)
>
> clamd.conf :
>
> #Automatically Generated by clamav-base postinst
> #To reconfigure clamd run #dpkg-reconfigure clamav-base
> #LocalSocket /var/run/clamav/clamd.ctl
> FixStaleSocket
> User clamav
> AllowSupplementaryGroups
> ArchiveMaxRecursion 10
> ArchiveMaxFiles 1500
> ArchiveMaxFileSize 30M
> ArchiveMaxCompressionRatio 300
> ArchiveBlockEncrypted
> ArchiveBlockMax
> ReadTimeout 300
>
> #Modified by AH 27/04/2005. Was : 10
> MaxThreads 30
>
> MaxConnectionQueueLength 15
> LogFile /var/log/clamav/clamav.log
> LogTime
> LogFileMaxSize 0
> PidFile /var/run/clamav/clamd.pid
> DatabaseDirectory /var/lib/clamav
> SelfCheck 3600
> ScanMail
> ScanArchive
> ScanHTML
> ScanOLE2
> ScanPE
> TCPSocket 3310
> DetectBrokenExecutables
>
> #added by AH 27/04/2005
> StreamMaxLength 20M
>
> Example of an error report :
>
> cruella:/var/log# tail -f /var/log/clamav/clamav.log
> Wed Apr 27 13:38:17 2005 -> Archive support enabled.
> Wed Apr 27 13:38:17 2005 -> Archive: RAR support disabled.
> Wed Apr 27 13:38:17 2005 -> Archive: Blocking encrypted archives.
> Wed Apr 27 13:38:17 2005 -> Archive: Blocking archives that exceed limits.
> Wed Apr 27 13:38:17 2005 -> Portable Executable support enabled.
> Wed Apr 27 13:38:17 2005 -> Detection of broken executables enabled.
> Wed Apr 27 13:38:17 2005 -> Mail files support enabled.
> Wed Apr 27 13:38:17 2005 -> OLE2 support enabled.
> Wed Apr 27 13:38:17 2005 -> HTML support enabled.
> Wed Apr 27 13:38:17 2005 -> Self checking every 3600 seconds.
> Wed Apr 27 13:41:21 2005 -> stream: Exploit.HTML.IFrame FOUND
> Wed Apr 27 13:42:42 2005 -> stream: Worm.Bagle.Gen-zippwd FOUND
> Wed Apr 27 13:45:09 2005 -> stream: Worm.SomeFool.P FOUND
> Wed Apr 27 13:45:29 2005 -> stream: Worm.SomeFool.Q FOUND
> Wed Apr 27 13:45:35 2005 -> stream: Worm.Mytob.A FOUND
> Wed Apr 27 13:46:00 2005 -> stream: Exploit.HTML.IFrame FOUND
> Wed Apr 27 13:47:11 2005 -> stream: Worm.SomeFool.P FOUND
> Wed Apr 27 13:48:06 2005 -> ERROR: ScanStream: accept timeout.
> Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout.
> Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout.
> ...
> Wed Apr 27 13:56:06 2005 -> ERROR: accept() failed: Too many open files
> Wed Apr 27 13:56:08 2005 -> ERROR: accept() failed: Too many open files
>
> Has anyone faced the same issue before ?
> Is there a known way to fix this problem ?
> Any advice ?
> Any help would be greatly appreciated.
> Thanks,
> Arnaud Huret
> ContactOffice


Re: [Clamav-users] looking for utility that can control clamav remotely ...

2005-04-27 Thread Daniel J McDonald
On Wed, 2005-04-27 at 06:02 -0700, Joanna Roman wrote:
> Hi, I am thinking of building/looking for some kind of
> utility that can let me remotely control clamav tools.
[...]
>  A client
> can connect to the utility via web interface. From the
> web interface, the user can  start or stop, for
> example, the clamd/clamdscan.  
> 
> Does anyone know any existing source code that can do
> such a thing ? Thanks.

Webmin http://www.webmin.com/
> 

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] ONLINE VIRUS SCANNER

2005-04-27 Thread Matt Fretwell
Mr Prince Simon wrote:

> Maybe you can share this perl script also?

> --- [EMAIL PROTECTED] wrote:
> > Yes, can you please give me the sample of that perl


 I do not think Nigel meant he had a script for doing this, rather that
you should write your own.

 Shell|perl|php|python. Whichever scripting language you prefer.


Matt


[Clamav-users] looking for utility that can control clamav remotely ...

2005-04-27 Thread Joanna Roman
Hi, I am thinking of building/looking for some kind of
utility that can let me remotely control clamav tools.
(The utility is not restricted to control only clamav
but can be used to control other tools remotely in a
similar manner.) Basically the utility will be running
on the same machine as the clamd/clamscand. A client
can connect to the utility via web interface. From the
web interface, the user can  start or stop, for
example, the clamd/clamdscan.  

Does anyone know any existing source code that can do
such a thing ? Thanks.



[Clamav-users] 'Too many open files' on a buzy clamd contd ....

2005-04-27 Thread Arnaud Huret
Dear all,

Addendum : I forgot to mention the version : ClamAV 0.83/856/Wed Apr 27 
09:00:37 2005
Sorry for this second post.

Arnaud



We are running a webmail service using ClamAV and get roughly 30.000 valid 
mails/day.
We run home-built SMTP servers calling clamd, emulating the client.

The problem :

After running +- 10 minutes, clamd.log reports a first message saying : 'ERROR: 
ScanStream: accept timeout' quickly followed by other ones.  After 1 or 2 minutes, 
we get another message : 'ERROR: accept() failed: Too many open files' and, I 
guess, clamd does not respond any more. 
Need to restart the daemon to restore the service.

I tried the following tuning :

1. Increase the number of threads from 10 to 30 for reducing the queue: no 
changes, still errors.
2. Increase the number of MaxConnectionQueueLength to 30: no changes, still 
errors.


Other info :

Clamd runs as non-root user.
Launch script is : /etc/init.d/clamav_daemon start (not modified from original).
ClamAV is currently running on a Debian Woody with 1.5 GB mem on a 2*1Ghz 
Intel chassis.
SpamAssassin is also running on this box. Version 3.0.2 standard (Razor, DCC, 
...)


Mitigating factors (;-)

Running the same config on a more powerful box does not generate the prob 
(2*3GH + multithreading)

clamd.conf :

#Automatically Generated by clamav-base postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-base
#LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket
User clamav
AllowSupplementaryGroups
ArchiveMaxRecursion 10
ArchiveMaxFiles 1500
ArchiveMaxFileSize 30M
ArchiveMaxCompressionRatio 300
ArchiveBlockEncrypted
ArchiveBlockMax
ReadTimeout 300

#Modified by AH 27/04/2005. Was : 10
MaxThreads 30

MaxConnectionQueueLength 15
LogFile /var/log/clamav/clamav.log
LogTime
LogFileMaxSize 0
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
ScanMail
ScanArchive
ScanHTML
ScanOLE2
ScanPE
TCPSocket 3310
DetectBrokenExecutables

#added by AH 27/04/2005
StreamMaxLength 20M


Example of an error report :

cruella:/var/log# tail -f /var/log/clamav/clamav.log
Wed Apr 27 13:38:17 2005 -> Archive support enabled.
Wed Apr 27 13:38:17 2005 -> Archive: RAR support disabled.
Wed Apr 27 13:38:17 2005 -> Archive: Blocking encrypted archives.
Wed Apr 27 13:38:17 2005 -> Archive: Blocking archives that exceed limits.
Wed Apr 27 13:38:17 2005 -> Portable Executable support enabled.
Wed Apr 27 13:38:17 2005 -> Detection of broken executables enabled.
Wed Apr 27 13:38:17 2005 -> Mail files support enabled.
Wed Apr 27 13:38:17 2005 -> OLE2 support enabled.
Wed Apr 27 13:38:17 2005 -> HTML support enabled.
Wed Apr 27 13:38:17 2005 -> Self checking every 3600 seconds.
Wed Apr 27 13:41:21 2005 -> stream: Exploit.HTML.IFrame FOUND
Wed Apr 27 13:42:42 2005 -> stream: Worm.Bagle.Gen-zippwd FOUND
Wed Apr 27 13:45:09 2005 -> stream: Worm.SomeFool.P FOUND
Wed Apr 27 13:45:29 2005 -> stream: Worm.SomeFool.Q FOUND
Wed Apr 27 13:45:35 2005 -> stream: Worm.Mytob.A FOUND
Wed Apr 27 13:46:00 2005 -> stream: Exploit.HTML.IFrame FOUND
Wed Apr 27 13:47:11 2005 -> stream: Worm.SomeFool.P FOUND
Wed Apr 27 13:48:06 2005 -> ERROR: ScanStream: accept timeout.
Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout.
Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout.

...
Wed Apr 27 13:56:06 2005 -> ERROR: accept() failed: Too many open files
Wed Apr 27 13:56:08 2005 -> ERROR: accept() failed: Too many open files




Has anyone faced the same issue before ?
Is there a known way to fix this problem ?
Any advice ?


Any help would be greatly appreciated.
Thanks,

Arnaud Huret
ContactOffice




Re: [Clamav-users] 'Too many open files' on a buzy clamd

2005-04-27 Thread Thomas Lamy
Arnaud Huret schrieb:
> Dear all,
> 
> We are running a webmail service using ClamAV and get roughly 30.000 valid 
> mails/day.
> We run home-built SMTP servers calling clamd, emulating the client.
> 
> The problem :
> 
> After running +- 10 minutes, clamd.log reports a first message saying : 
> 'ERROR: ScanStream: accept timeout' quickly followed by other ones.  After 1 or 
> 2 minutes, we get another message : 'ERROR: accept() failed: Too many open 
> files' and, I guess, clamd does not respond any more. 
> Need to restart the daemon to restore the service.
> 
> I tried the following tuning :
> 
> 1. Increase the number of threads from 10 to 30 for reducing the queue: no 
> changes, still errors.
> 2. Increase the number of MaxConnectionQueueLength to 30: no changes, still 
> errors.
> 
> 
> Other info :
> 
> Clamd runs as non-root user.
> Launch script is : /etc/init.d/clamav_daemon start (not modified from 
> original).
> ClamAV is currently running on a Debian Woody with 1.5 GB mem on a 2*1Ghz 
> Intel chassis.
> SpamAssassin is also running on this box. Version 3.0.2 standard (Razor, DCC, 
> ...)
> 
> 
> Mitigating factors (;-)
> 
> Running the same config on a more powerful box does not generate the prob 
> (2*3GH + multithreading)
> 
> clamd.conf :
> 
> #Automatically Generated by clamav-base postinst
> #To reconfigure clamd run #dpkg-reconfigure clamav-base
> #LocalSocket /var/run/clamav/clamd.ctl
> FixStaleSocket
> User clamav
> AllowSupplementaryGroups
> ArchiveMaxRecursion 10
> ArchiveMaxFiles 1500
> ArchiveMaxFileSize 30M
> ArchiveMaxCompressionRatio 300
> ArchiveBlockEncrypted
> ArchiveBlockMax
> ReadTimeout 300
> 
> #Modified by AH 27/04/2005. Was : 10
> MaxThreads 30
> 
> MaxConnectionQueueLength 15
> LogFile /var/log/clamav/clamav.log
> LogTime
> LogFileMaxSize 0
> PidFile /var/run/clamav/clamd.pid
> DatabaseDirectory /var/lib/clamav
> SelfCheck 3600
> ScanMail
> ScanArchive
> ScanHTML
> ScanOLE2
> ScanPE
> TCPSocket 3310
> DetectBrokenExecutables
> 
> #added by AH 27/04/2005
> StreamMaxLength 20M
> 
> 
> Example of an error report :
> 
> cruella:/var/log# tail -f /var/log/clamav/clamav.log
> Wed Apr 27 13:38:17 2005 -> Archive support enabled.
> Wed Apr 27 13:38:17 2005 -> Archive: RAR support disabled.
> Wed Apr 27 13:38:17 2005 -> Archive: Blocking encrypted archives.
> Wed Apr 27 13:38:17 2005 -> Archive: Blocking archives that exceed limits.
> Wed Apr 27 13:38:17 2005 -> Portable Executable support enabled.
> Wed Apr 27 13:38:17 2005 -> Detection of broken executables enabled.
> Wed Apr 27 13:38:17 2005 -> Mail files support enabled.
> Wed Apr 27 13:38:17 2005 -> OLE2 support enabled.
> Wed Apr 27 13:38:17 2005 -> HTML support enabled.
> Wed Apr 27 13:38:17 2005 -> Self checking every 3600 seconds.
> Wed Apr 27 13:41:21 2005 -> stream: Exploit.HTML.IFrame FOUND
> Wed Apr 27 13:42:42 2005 -> stream: Worm.Bagle.Gen-zippwd FOUND
> Wed Apr 27 13:45:09 2005 -> stream: Worm.SomeFool.P FOUND
> Wed Apr 27 13:45:29 2005 -> stream: Worm.SomeFool.Q FOUND
> Wed Apr 27 13:45:35 2005 -> stream: Worm.Mytob.A FOUND
> Wed Apr 27 13:46:00 2005 -> stream: Exploit.HTML.IFrame FOUND
> Wed Apr 27 13:47:11 2005 -> stream: Worm.SomeFool.P FOUND
> Wed Apr 27 13:48:06 2005 -> ERROR: ScanStream: accept timeout.
> Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout.
> Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout.
> 
> ...
> Wed Apr 27 13:56:06 2005 -> ERROR: accept() failed: Too many open files
> Wed Apr 27 13:56:08 2005 -> ERROR: accept() failed: Too many open files
> 
> 
> 
> 
> Has anyone faced the same issue before ?
> Is there a known way to fix this problem ?
> Any advice ?
> 
> 
> Any help would be greatly appreciated.
> Thanks,
> 
> Arnaud Huret
> ContactOffice
Hi,
I've never seen this before, even on busy servers. Which clamav version
is this? And where did you get the .deb file (if any) from?

If this happens again you could do an "lsof -p `cat
/var/run/clamav/clamd.pid`", this might give some hints if there is some
file descriptor leak.


Thomas
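
An added example, not part of the thread and not ClamAV code: one way to read the `lsof -p` output suggested above for signs of a descriptor leak. It counts only numbered descriptors (the cwd, txt and mem rows do not count against the per-process limit), groups TCP sockets using the TCPSocket 3310 and StreamMinPort 1024 / StreamMaxPort 4096 values quoted elsewhere in this thread, and compares two snapshots. The lsof samples and the soft limit of 1024 are constructed, and the grouping assumes clamd listens on a port in the stream range for each STREAM session.

```python
import re
from collections import Counter

# Constructed sample of `lsof -nP -p <clamd pid>` output (not from the thread).
SAMPLE_LSOF = """\
COMMAND  PID   USER   FD   TYPE DEVICE    SIZE   NODE NAME
clamd   4242 clamav  cwd    DIR    3,1    4096      2 /
clamd   4242 clamav  txt    REG    3,1   61324 114562 /usr/sbin/clamd
clamd   4242 clamav  mem    REG    3,1 1243076  65411 /lib/libc.so.6
clamd   4242 clamav    0u   CHR    1,3          19235 /dev/null
clamd   4242 clamav    1u   CHR    1,3          19235 /dev/null
clamd   4242 clamav    2u   CHR    1,3          19235 /dev/null
clamd   4242 clamav    3w   REG    3,1   18211  98233 /var/log/clamav/clamav.log
clamd   4242 clamav    4u  IPv4  81120            TCP *:3310 (LISTEN)
clamd   4242 clamav    5u  IPv4  81377            TCP 127.0.0.1:3310->127.0.0.1:40112 (ESTABLISHED)
clamd   4242 clamav    6u  IPv4  81380            TCP *:1024 (LISTEN)
clamd   4242 clamav    7u  IPv4  81391            TCP *:1025 (LISTEN)
clamd   4242 clamav    8u  IPv4  81402            TCP 127.0.0.1:3310->127.0.0.1:40117 (CLOSE_WAIT)
clamd   4242 clamav    9u  IPv4  81410            TCP *:1026 (LISTEN)
"""

# Constructed later snapshot: same descriptors plus three more data-port listeners.
SAMPLE_LATER = SAMPLE_LSOF + """\
clamd   4242 clamav   10u  IPv4  81500            TCP *:1027 (LISTEN)
clamd   4242 clamav   11u  IPv4  81511            TCP *:1028 (LISTEN)
clamd   4242 clamav   12u  IPv4  81523            TCP *:1029 (LISTEN)
"""


def classify(line, control_port, stream_ports):
    """Return a bucket name for one lsof row, or None if it holds no descriptor."""
    fields = line.split()
    if len(fields) < 6 or not re.match(r"\d+", fields[3]):
        return None                  # header and cwd/txt/mem rows
    if "TCP" not in fields:
        return fields[4]             # REG, CHR, unix, FIFO, ...
    i = fields.index("TCP")
    state = fields[i + 2].strip("()") if len(fields) > i + 2 else "?"
    try:
        local_port = int(fields[i + 1].split("->")[0].rsplit(":", 1)[1])
    except (IndexError, ValueError):
        return "tcp-other:" + state  # service names shown: rerun lsof with -nP
    if local_port == control_port:
        return "control:" + state
    if stream_ports[0] <= local_port <= stream_ports[1]:
        return "stream:" + state
    return "tcp-other:" + state


def summarize(lsof_text, control_port=3310, stream_ports=(1024, 4096)):
    """Count open descriptors per bucket for one lsof snapshot."""
    counts = Counter()
    for line in lsof_text.splitlines():
        bucket = classify(line, control_port, stream_ports)
        if bucket:
            counts[bucket] += 1
    return counts


def headroom(counts, soft_limit):
    """Descriptors left before accept() fails with 'Too many open files'."""
    return soft_limit - sum(counts.values())


def growth(before, after):
    """Buckets that grew between two snapshots: the leak candidates."""
    return dict(after - before)


if __name__ == "__main__":
    first, later = summarize(SAMPLE_LSOF), summarize(SAMPLE_LATER)
    print("open descriptors:", sum(later.values()))
    print("headroom at soft limit 1024:", headroom(later, 1024))
    print("grew between snapshots:", growth(first, later))
```

A bucket that keeps growing while mail volume is flat is the place to look; compare the total against the limit clamd actually runs with (`ulimit -n` in its start-up environment).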


[Clamav-users] 'Too many open files' on a buzy clamd

2005-04-27 Thread Arnaud Huret
Dear all,

We are running a webmail service using ClamAV and get roughly 30.000 valid 
mails/day.
We run home-built SMTP servers calling clamd, emulating the client.

The problem :

After running +- 10 minutes, clamd.log reports a first message saying : 'ERROR: 
ScanStream: accept timeout' quickly followed by other ones.  After 1 or 2 minutes, 
we get another message : 'ERROR: accept() failed: Too many open files' and, I 
guess, clamd does not respond any more. 
Need to restart the daemon to restore the service.

I tried the following tuning :

1. Increase the number of threads from 10 to 30 for reducing the queue: no 
changes, still errors.
2. Increase the number of MaxConnectionQueueLength to 30: no changes, still 
errors.


Other info :

Clamd runs as non-root user.
Launch script is : /etc/init.d/clamav_daemon start (not modified from original).
ClamAV is currently running on a Debian Woody with 1.5 GB mem on a 2*1Ghz 
Intel chassis.
SpamAssassin is also running on this box. Version 3.0.2 standard (Razor, DCC, 
...)


Mitigating factors (;-)

Running the same config on a more powerful box does not generate the prob 
(2*3GH + multithreading)

clamd.conf :

#Automatically Generated by clamav-base postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-base
#LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket
User clamav
AllowSupplementaryGroups
ArchiveMaxRecursion 10
ArchiveMaxFiles 1500
ArchiveMaxFileSize 30M
ArchiveMaxCompressionRatio 300
ArchiveBlockEncrypted
ArchiveBlockMax
ReadTimeout 300

#Modified by AH 27/04/2005. Was : 10
MaxThreads 30

MaxConnectionQueueLength 15
LogFile /var/log/clamav/clamav.log
LogTime
LogFileMaxSize 0
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
ScanMail
ScanArchive
ScanHTML
ScanOLE2
ScanPE
TCPSocket 3310
DetectBrokenExecutables

#added by AH 27/04/2005
StreamMaxLength 20M


Example of an error report :

cruella:/var/log# tail -f /var/log/clamav/clamav.log
Wed Apr 27 13:38:17 2005 -> Archive support enabled.
Wed Apr 27 13:38:17 2005 -> Archive: RAR support disabled.
Wed Apr 27 13:38:17 2005 -> Archive: Blocking encrypted archives.
Wed Apr 27 13:38:17 2005 -> Archive: Blocking archives that exceed limits.
Wed Apr 27 13:38:17 2005 -> Portable Executable support enabled.
Wed Apr 27 13:38:17 2005 -> Detection of broken executables enabled.
Wed Apr 27 13:38:17 2005 -> Mail files support enabled.
Wed Apr 27 13:38:17 2005 -> OLE2 support enabled.
Wed Apr 27 13:38:17 2005 -> HTML support enabled.
Wed Apr 27 13:38:17 2005 -> Self checking every 3600 seconds.
Wed Apr 27 13:41:21 2005 -> stream: Exploit.HTML.IFrame FOUND
Wed Apr 27 13:42:42 2005 -> stream: Worm.Bagle.Gen-zippwd FOUND
Wed Apr 27 13:45:09 2005 -> stream: Worm.SomeFool.P FOUND
Wed Apr 27 13:45:29 2005 -> stream: Worm.SomeFool.Q FOUND
Wed Apr 27 13:45:35 2005 -> stream: Worm.Mytob.A FOUND
Wed Apr 27 13:46:00 2005 -> stream: Exploit.HTML.IFrame FOUND
Wed Apr 27 13:47:11 2005 -> stream: Worm.SomeFool.P FOUND
Wed Apr 27 13:48:06 2005 -> ERROR: ScanStream: accept timeout.
Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout.
Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout.

...
Wed Apr 27 13:56:06 2005 -> ERROR: accept() failed: Too many open files
Wed Apr 27 13:56:08 2005 -> ERROR: accept() failed: Too many open files




Has anyone faced the same issue before ?
Is there a known way to fix this problem ?
Any advice ?


Any help would be greatly appreciated.
Thanks,

Arnaud Huret
ContactOffice
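
An added example, not part of the post and not ClamAV code: a small monitor for the log pattern shown above, where "ScanStream: accept timeout" lines precede "accept() failed: Too many open files" and the daemon then stops answering, so mail is no longer being scanned. It reports the state of the latest daemon run and how much warning the timeouts gave. The sample lines are taken from the posted log; treating "Archive support enabled." as the start of a run, and assuming clamd logs the C library's error text, are assumptions of this example.

```python
import re
from datetime import datetime

MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
LINE_RE = re.compile(
    r"^\w{3} (\w{3}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\d{4}) -> (.*)$")

STARTUP_MARK = "Archive support enabled."  # assumption: first banner line of a run
TIMEOUT_MARK = "ScanStream: accept timeout"
NOFILE_MARK = "accept() failed: Too many open files"

# Lines taken from the log quoted in the post (shortened), including the
# shell prompt and the "..." elision, which the parser has to skip.
SAMPLE_LOG = """\
cruella:/var/log# tail -f /var/log/clamav/clamav.log
Wed Apr 27 13:38:17 2005 -> Archive support enabled.
Wed Apr 27 13:38:17 2005 -> Self checking every 3600 seconds.
Wed Apr 27 13:41:21 2005 -> stream: Exploit.HTML.IFrame FOUND
Wed Apr 27 13:47:11 2005 -> stream: Worm.SomeFool.P FOUND
Wed Apr 27 13:48:06 2005 -> ERROR: ScanStream: accept timeout.
Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout.
Wed Apr 27 13:48:08 2005 -> ERROR: ScanStream: accept timeout.
...
Wed Apr 27 13:56:06 2005 -> ERROR: accept() failed: Too many open files
Wed Apr 27 13:56:08 2005 -> ERROR: accept() failed: Too many open files
"""


def parse_line(line):
    """Return (timestamp, message) for a LogTime-stamped line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(1) not in MONTHS:
        return None
    mon, day, hh, mm, ss, year, msg = m.groups()
    return datetime(int(year), MONTHS[mon], int(day),
                    int(hh), int(mm), int(ss)), msg


def _new_run():
    return {"detections": 0, "last_detection": None, "accept_timeouts": 0,
            "first_timeout": None, "first_exhausted": None, "limit": None}


def analyze(log_text):
    """Summarise the most recent daemon run found in a clamd log."""
    run = _new_run()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if msg == STARTUP_MARK:
            run = _new_run()          # restart: earlier errors are history
        elif msg.endswith(" FOUND"):
            run["detections"] += 1
            run["last_detection"] = ts
        elif TIMEOUT_MARK in msg:
            run["accept_timeouts"] += 1
            run["first_timeout"] = run["first_timeout"] or ts
        elif NOFILE_MARK in msg and run["first_exhausted"] is None:
            run["first_exhausted"] = ts
            # strerror(EMFILE) is "Too many open files" (per-process
            # RLIMIT_NOFILE); ENFILE appends "in system" (fs.file-max).
            run["limit"] = ("system-wide" if msg.endswith("in system")
                            else "per-process")
    if run["first_exhausted"]:
        run["state"] = "exhausted"    # clamd no longer accepts scan requests
    elif run["accept_timeouts"]:
        run["state"] = "degraded"     # early warning: act before exhaustion
    else:
        run["state"] = "ok"
    run["warning_window_s"] = None
    if run["first_timeout"] and run["first_exhausted"]:
        delta = run["first_exhausted"] - run["first_timeout"]
        run["warning_window_s"] = int(delta.total_seconds())
    return run


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted lines the result is "exhausted" with a per-process limit, which points at the descriptor limit of the clamd process rather than the system-wide fs.file-max value.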

