[Clamav-users] clamav-milter: stale files in quarantine directory and open file descriptors

2006-03-18 Thread Panagiotis Christias 
Hello,

we are observing the following behaviour with our clamd/clamav-milter setup:

there some messages that exceed the StreamMaxLength remaining in the
quarantine directory with filenames like msg.AuxBaE. Clamav-milter
keeps around 17 open filedescriptors for each such file. These file
descriptors are not released and over the time reach high numbers,
around several thousands (~5000 or more). Eventually clamav-milter
stops responding and gets restarted by the watchdog script
(clmilter_watch).

We have three mail gateways running the same setup and they have the
same problem. All of them are running ClamAV version 0.88,
clamav-milter version 0.87 on FreeBSD 5.3/5.4.

Clamav-milter run as: clamav-milter -enNqd -m 150 -U /var/tmp/clamav

Our clamd.conf contain:

LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime
LogSyslog
LogFacility LOG_MAIL
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp/clamav-tmp
DatabaseDirectory /var/db/clamav
LocalSocket /var/run/clamav/clamd
FixStaleSocket
TCPAddr 127.0.0.1
MaxConnectionQueueLength 50
StreamMaxLength 1M
MaxThreads 100
User clamav
AllowSupplementaryGroups
ScanPE
DetectBrokenExecutables
ScanOLE2
ScanMail
ScanHTML
ScanArchive
ArchiveMaxFileSize 1M
ArchiveMaxCompressionRatio 1500

Here is a sample of the quarantine directory followed by the output of
lsof (I'm sorry about the formatting):

% ls -lt /var/tmp/clamav | head
total 5246994
-rw---  1 clamav  wheel  1049604 Mar 18 19:46 msg.AuxBaE
drwx--  2 clamav  wheel 5120 Mar 18 19:45 060318
-rw---  1 clamav  wheel  105 Mar 18 19:43 msg.JxxvNF
-rw---  1 clamav  wheel  1050797 Mar 18 19:31 msg.VHSVPJ
-rw---  1 clamav  wheel  1050743 Mar 18 19:26 msg.Wbbvdw
-rw---  1 clamav  wheel  1049604 Mar 18 19:25 msg.EwAggU
-rw---  1 clamav  wheel  105 Mar 18 19:22 msg.jieLN6
-rw---  1 clamav  wheel  1049500 Mar 18 18:54 msg.vHmpcn
-rw---  1 clamav  wheel  1049496 Mar 18 18:41 msg.v02yjx

% /usr/local/sbin/lsof -n -w -c clamav-milter | egrep msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE
clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197
/var/tmp/clamav/msg.AuxBaE

I can provide you with some of /var/tmp/clamav/msg.* files for debugging.

Regards,
Panagiotis
___
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] .ppt files take a long time to scan

2006-03-18 Thread des 
On 3/16/06, Christopher X. Candreva <[EMAIL PROTECTED]> wrote:
> I'm running into issues where (so far as I can tell) .ppt files can take a
> long time to scan. As an exmaple, I have a 2.8 meg 5 slide .ppt file that
> takes 90 seconds to scan on an otherwise-quiet 1.5ghz Athlon.
>
> For camparison, a random 3 meg .pdf file scanned in under a second.
>
> Is this normal, expected, a known issue, or should I be looking for a
> mistake I've made ?

Known issue. :( I posted on it last year with no particular
resolution. As well as Office formats it appears to afflict large XML
files too. e.g.

http://lurker.clamav.net/message/20051217.152437.bcf5.en.html
http://lurker.clamav.net/message/20050922.133756.641817a2.en.html

"Your disk is slow" or "don't scan large files" is a common response.
If you can provide a sample file to Trog to help find out what the
real issue is that would be great.

--
des -- http://frommars.org/
___
http://lurker.clamav.net/list/clamav-users.html