Re: [Clamav-users] Re: Chronic MD5 Verification Errors

2007-01-17 Thread Todd Lyons
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, Jan 17, 2007 at 10:54:53AM -0500, Edward Dam wrote:

>Tue Jan 16 22:40:09 2007 -> SelfCheck: Database status OK.  Reloading
>anyway.
>Tue Jan 16 22:40:09 2007 -> Reading databases from /var/clamav
>Tue Jan 16 22:40:09 2007 ->
>/var/spool/qmailscan/tmp/LINUXSERV11690052074934404/orig-LINUXSERV11690052074934404:
>HTML.Phishing.Bank-627 FOUND
>Tue Jan 16 22:40:10 2007 -> ERROR: reload db failed: MD5 verification error

You wouldn't by any chance happen to have quotas enabled for this
partition and are bumping up against some kind of limit for the user
that clamav is running as...
- -- 
Regards...  Todd
  We should not be building surveillance technology into standards.
  Law enforcement was not supposed to be easy.  Where it is easy, 
  it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.17-5mdv   4 users,  load average: 0.30, 0.07, 0.02
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFrp7JY2VBGxIDMLwRAs/IAJ49q90wDwWPlMUE9mmNDDgmhQRPSgCfRUp+
N1iV2wTMsXVVZck8b9oG4yQ=
=GvSU
-END PGP SIGNATURE-
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] clamav-milter error question

2007-01-17 Thread Nigel Horne

Dennis Peterson wrote:

Some new problems below:

Nigel Horne wrote:

Dennis Peterson wrote:


I've decided to explore clamav-milter. The objective is to have a 
single server where all clamAV processes run. Think of it as a virtual 
AV appliance (Because that is what it is).


The lab environment is a mail server (Solaris 9, Sparc) running 
sendmail and another server (Solaris 10, X86) that runs clamd and the 
milter used to extract the attachments and submit them to ClamAV. I 
have substituted clamav-milter for this function by adding clmilter 
to sendmail.cf on the mail server. I built and have a running copy of 
milter-clamav and tried the following command line to start it:


/usr/local/sbin/clamav-milter --external --server=127.0.0.1 \
  --quiet --blacklist=60 --postmaster-only --local \
  -outgoing inet:3311




I'm missing something, obviously. Perhaps this is not a valid 
architecture?


dp


Solution to first problem: tcpwrappers. Thanks again, Nigel.

Second problem: adding the -I IPaddress option causes a core dump.


Fixed in CVS, thanks for the report.



Third problem: The --blacklist=60 does not work as I expected. I thought 
it would track the client connecting to the MTA but in fact it is 
tracking the IP of my MTA which is bad. I'm wondering again about the 
validity of the architecture.


It is true that the --blacklist option will blacklist the IP address
connecting to clamav-milter, rather than the IP connecting to sendmail, 
so in this scenario it wouldn't be a useful option to enable. I'll have 
a look and see if it is possible to change that.


Otherwise it's working fine.

dp


-Nigel


Re: [Clamav-users] Malware passes undetected.... is this a failure within my MTA?

2007-01-17 Thread Odhiambo Washington
* On 16/01/07 23:13 +, Stephen Gran wrote:
| On Tue, Jan 16, 2007 at 08:58:39PM +0300, Odhiambo Washington said:
| > Is anyone using Exim with exiscan in this forum? That is where the 
| > subject is heading, as I can see.
| > 
| > Peterson, what do you use?
| 
| Not exim, if I recall correctly.
| 
| I do, if it helps any.  I suspect you may have /defer_ok tacked on to an
| acl that use the malware directive.  I also suspect you'll find failed
| unpacks in exim's scan subdirectory, and/or in clamav's temporary
| directory.

Not quite! I don't have /defer_ok at all, especially because I run my 
clamd under daemontools.

I am still hunting for clues, for sure. My ClamAv is installed from the
ports...
 

Best regards,
Odhiambo Washington
Systems Admin,
Wananchi Online Ltd.

Voted ISP of the Year 2006
Computer Society of Kenya Annual Awards
30th Nov., 2006 - Panari Hotel, Nairobi


DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--+-
 Odhiambo WASHINGTON. WANANCHI ONLINE LTD (Nairobi, KE)
 http://www.wananchi.com/email/ . 1ere Etage, Laptrust Plaza, Loita St.,
 Mobile: (+254) 722 743 223 . # 10286, 00100 NAIROBI
--+-
An anxious heart weighs a man down,
but a kind word cheers him up.
Proverbs 12:25
 



Re: [Clamav-users] Re: Chronic MD5 Verification Errors

2007-01-17 Thread Edward Dam

On 1/17/07, Stephen Gran <[EMAIL PROTECTED]> wrote:


On Wed, Jan 17, 2007 at 08:49:14AM -0500, Edward Dam said:
> On 1/2/07, Ian Abbott <[EMAIL PROTECTED]> wrote:
> >On 20/12/06 16:49, Edward Dam wrote:
> >> On 12/13/06, Ian Abbott <[EMAIL PROTECTED]> wrote:
> >>>
> >>> #if 0 /* original */
> >>> logg("SelfCheck: Database status OK.\n");
> >>> return NULL;
> >>> #else /* temporary test */
> >>> logg("SelfCheck: Database status OK.  Reloading
anyway.\n");
> >>> return root;
> >>> #endif
> >>>
> >>> This will force the self-check to reload the database files even if
> >>> nothing has changed.  Then if you get MD5 errors randomly after this
> >>> message in the logs, you'll know it has nothing to do with
freshclam,
> >>> and more to do with random disk read/write errors.
> >>
> >> I've done this code change, and the mail system just died.
> >> Here's the relevant clip from the clamd log:
> >>
> >> Wed Dec 20 09:53:33 2006 -> SelfCheck: Database status OK.  Reloading
anyway.
> >> Wed Dec 20 09:53:33 2006 -> Reading databases from /var/clamav
> >> Wed Dec 20 09:53:33 2006 -> ERROR: reload db failed: MD5 verification
error
> >
> >Sorry for the tardiness of this reply!  Those logs appear to be
> >generated as a result of clamd's scheduled self-check, as no changes to
> >the timestamps of the database files were detected (that would result
in
> >"SelfCheck: Database modification detected. Forcing reload.").
> >
> >However, there is a small possibility that freshclam could be updating
> >the database files during clamd's scheduled self-check in such a way
> >that clamd does not notice that the timestamps have changed, but due to
> >the code change is reloading the (possibly modified) database files
> >anyway.  To rule out this possibility, it would be necessary to look at
> >the freshclam logs to see when it last notified clamd about the updated
> >files.

Unlikely - freshclam writes to a temp file, and verifies that before
doing anything to the main file.  The OP can verify by correlating
timestamps of freshclam download attempts with the last crash on Dec
20th, however.

So, OP - can you supply logfiles for both clamd and freshclam around the
times of the crash?  It really looks to me like freshclam is verifying
the md5 signature, and immediately after, clamd is failing to do so.
Very, very odd.
--
 --
|  Stephen Gran  | Nothing is so often irretrievably   |
|  [EMAIL PROTECTED] | missed as a daily opportunity.   -- |
|  http://www.lobefin.net/~steve | Ebner-Eschenbach|
 --


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFrkMxSYIMHOpZA44RAunsAJoDTo2iflIc8n2oUyhFDPpe1PlCGgCeMZ9H
Js05ijZa+8YNb0PaThug0Y0=
=tFfx
-END PGP SIGNATURE-




As requested, here are log snippets from the latest crash.



Freshclam.log:

Here it gets a successful update and notifies clam:

Jan 16 17:01:00 LINUXSERV CROND[17998]: (root) CMD (run-parts
/etc/cron.hourly)
--
freshclam daemon 0.88.7 (OS: linux-gnu, ARCH: i386, CPU: i686)
ClamAV update process started at Tue Jan 16 18:36:34 2007
main.cvd is up to date (version: 42, sigs: 83951, f-level: 10, builder:
tkojm)
daily.cvd updated (version: 2459, sigs: 3178, f-level: 9, builder: sven)
Database updated (87129 signatures) from db.ca.clamav.net (IP:
209.139.239.158)
Clamd successfully notified about the update.



... cut to the section where it dies:


--
Jan 17 07:01:00 LINUXSERV CROND[11334]: (root) CMD (run-parts
/etc/cron.hourly)
--
ClamAV update process started at Wed Jan 17 07:30:32 2007
main.cvd updated (version: 42, sigs: 83951, f-level: 10, builder: tkojm)
daily.cvd updated (version: 2459, sigs: 3178, f-level: 9, builder: sven)
Database updated (87129 signatures) from db.ca.clamav.net (IP:
209.172.34.149)
ERROR: Clamd was NOT notified: Can't connect to clamd on 127.0.0.1:3310





So you see that clam was down at 7:30am.



Here's the relevant snippet from clamd.log


Jan 16 22:01:00 LINUXSERV CROND[4087]: (root) CMD (run-parts
/etc/cron.hourly)
Tue Jan 16 22:40:09 2007 ->
/var/spool/qmailscan/tmp/LINUXSERV11690052074934404/1169005209.4406-
0.LINUXSERV: HTML.Phishing.Bank-627 FOUND
Tue Jan 16 22:40:09 2007 -> SelfCheck: Database status OK.  Reloading
anyway.
Tue Jan 16 22:40:09 2007 -> Reading databases from /var/clamav
Tue Jan 16 22:40:09 2007 ->
/var/spool/qmailscan/tmp/LINUXSERV11690052074934404/orig-LINUXSERV11690052074934404:
HTML.Phishing.Bank-627 FOUND
Tue Jan 16 22:40:10 2007 -> ERROR: reload db failed: MD5 verification error




S

Re: [Clamav-users] clamav-milter error question

2007-01-17 Thread Dennis Peterson

Some new problems below:

Nigel Horne wrote:

Dennis Peterson wrote:


I've decided to explore clamav-milter. The objective is to have a 
single server where all clamAV processes run. Think of it as a virtual 
AV appliance (Because that is what it is).


The lab environment is a mail server (Solaris 9, Sparc) running 
sendmail and another server (Solaris 10, X86) that runs clamd and the 
milter used to extract the attachments and submit them to ClamAV. I 
have substituted clamav-milter for this function by adding clmilter to 
sendmail.cf on the mail server. I built and have a running copy of 
milter-clamav and tried the following command line to start it:


/usr/local/sbin/clamav-milter --external --server=127.0.0.1 \
  --quiet --blacklist=60 --postmaster-only --local \
  -outgoing inet:3311




I'm missing something, obviously. Perhaps this is not a valid 
architecture?


dp


Solution to first problem: tcpwrappers. Thanks again, Nigel.

Second problem: adding the -I IPaddress option causes a core dump.

Third problem: The --blacklist=60 does not work as I expected. I thought 
it would track the client connecting to the MTA but in fact it is 
tracking the IP of my MTA which is bad. I'm wondering again about the 
validity of the architecture.


Otherwise it's working fine.

dp


Re: [Clamav-users] Re: Chronic MD5 Verification Errors

2007-01-17 Thread Tomasz Kojm
On Wed, 17 Jan 2007 08:49:14 -0500
"Edward Dam" <[EMAIL PROTECTED]> wrote:

> Thanks everyone, for the replies and help.
> 
> At this point, I am doing the only thing I can - removing clamav from the
> system, and using a mail security hardware device in front of the mail
> server.
> 
> ClamAV is the *ONLY* thing repeatedly dying on this heavily used server.
> This server is a MySQL server, Samba Server, DHCP server, and Intranet web
> server. EVERYTHING else works fine, all the time. ClamAV dies almost daily,
> hanging the whole email system.
> 
> I've now replaced RAM, CPUs and RAID controller in the system - no change in
> the problem. It's clear to me clamAV isn't getting along with something,
> somewhere.. but the only error I have to go by is
> 
> " reload db failed: MD5 verification error "
> 
> 
> ...and the cause remains a mystery.. but I don't have the time or budget to
> go the "process of elimination" route,  as the powers that be are at a point

Hello Ed,

Since the problem looks really weird, I can offer you help: if you could
grant me user-level access to the problematic machine, I'd be very keen
to do some debugging.

Regards,

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Wed Jan 17 16:37:12 CET 2007


Re: [Clamav-users] Re: Chronic MD5 Verification Errors

2007-01-17 Thread Stephen Gran
On Wed, Jan 17, 2007 at 08:49:14AM -0500, Edward Dam said:
> On 1/2/07, Ian Abbott <[EMAIL PROTECTED]> wrote:
> >On 20/12/06 16:49, Edward Dam wrote:
> >> On 12/13/06, Ian Abbott <[EMAIL PROTECTED]> wrote:
> >>>
> >>> #if 0 /* original */
> >>> logg("SelfCheck: Database status OK.\n");
> >>> return NULL;
> >>> #else /* temporary test */
> >>> logg("SelfCheck: Database status OK.  Reloading anyway.\n");
> >>> return root;
> >>> #endif
> >>>
> >>> This will force the self-check to reload the database files even if
> >>> nothing has changed.  Then if you get MD5 errors randomly after this
> >>> message in the logs, you'll know it has nothing to do with freshclam,
> >>> and more to do with random disk read/write errors.
> >>
> >> I've done this code change, and the mail system just died.
> >> Here's the relevant clip from the clamd log:
> >>
> >> Wed Dec 20 09:53:33 2006 -> SelfCheck: Database status OK.  Reloading 
> >> anyway.
> >> Wed Dec 20 09:53:33 2006 -> Reading databases from /var/clamav
> >> Wed Dec 20 09:53:33 2006 -> ERROR: reload db failed: MD5 verification error
> >
> >Sorry for the tardiness of this reply!  Those logs appear to be
> >generated as a result of clamd's scheduled self-check, as no changes to
> >the timestamps of the database files were detected (that would result in
> >"SelfCheck: Database modification detected. Forcing reload.").
> >
> >However, there is a small possibility that freshclam could be updating
> >the database files during clamd's scheduled self-check in such a way
> >that clamd does not notice that the timestamps have changed, but due to
> >the code change is reloading the (possibly modified) database files
> >anyway.  To rule out this possibility, it would be necessary to look at
> >the freshclam logs to see when it last notified clamd about the updated
> >files.

Unlikely - freshclam writes to a temp file, and verifies that before
doing anything to the main file.  The OP can verify by correlating
timestamps of freshclam download attempts with the last crash on Dec
20th, however.

So, OP - can you supply logfiles for both clamd and freshclam around the
times of the crash?  It really looks to me like freshclam is verifying
the md5 signature, and immediately after, clamd is failing to do so.
Very, very odd.
-- 
 --
|  Stephen Gran  | Nothing is so often irretrievably   |
|  [EMAIL PROTECTED] | missed as a daily opportunity.   -- |
|  http://www.lobefin.net/~steve | Ebner-Eschenbach|
 --


signature.asc
Description: Digital signature


Re: [Clamav-users] Should I submit...

2007-01-17 Thread Todd Lyons
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, Jan 17, 2007 at 03:34:01AM +0100, Sander Holthaus wrote:

>a very basic perl script which opens a listening socket and a shell? I
>found it after a hacker tried to gain entry. The script is nothing
>special (far from, 612 bytes) but I doubt people are actually using it
>for any legitimate means. BitDefender does recognize the file, but not
>any other AV.

We use similar procedures to do process monitoring, I don't think you
can really do this type of scanning for perl scripts.  But maybe the
sig writers can find something unique that points to virus writers
(until they start copying code from the man pages).
- -- 
Regards...  Todd
Chris: grep 500 sendmail.mc 
undefine(`FAIL_MAIL_OVER_500_MILES')dnl
Chris: just in case ...
Linux kernel 2.6.17-5mdv   3 users,  load average: 0.06, 0.05, 0.00
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFrkDdY2VBGxIDMLwRAo/MAJ9bHYYehmRB+n6+58FfDj3ZBhF/vACfUDvJ
NwRds9ryTD30Ojzmy+K6IIg=
=Ggzn
-END PGP SIGNATURE-


Re: [Clamav-users] Re: Chronic MD5 Verification Errors

2007-01-17 Thread Edward Dam

On 1/17/07, Todd Lyons <[EMAIL PROTECTED]> wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, Jan 17, 2007 at 08:49:14AM -0500, Edward Dam wrote:

>Thanks again for all your help. Maybe once clamAV matures, it will be a
>better fit for my needs, but until then I need to remove it, as it's the
>cause of my headaches.

I would disagree on the "it's not mature" inference.  We use it on a
load balanced system with each mail server handling 60K messages per day
(CentOS 4.4) and have never had clamd die.  There are another 200K or so
a day that get rejected due to various RBL's but clamav/spamassassin
never see those because it's blocked at HELO time.  Occasionally
spamass-milter wants to get hung in a weird state, but clamd and
clamav-milter are rock solid (we're a sendmail shop by the way).

However, since it is on a pretty busy machine, if moving your virus
scanning off that busy machine fixes your problem, then you are doing
the right thing for your needs.  Congrats on not having to use Exchange!
- --
Regards...  Todd
Exponential problems need logarithmic solutions. --Eddy Dreger
Linux kernel 2.6.17-5mdv   3 users,  load average: 0.01, 0.05, 0.00
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFrj72Y2VBGxIDMLwRAi5DAJ9x8HA1OZ35hlLIa53dBnBxGjgAkwCfbaUw
ntG/IZPWv6Z94ryJpF27XNA=
=Cgk+
-END PGP SIGNATURE-




I do apologize about the "mature" statement - I am just very frustrated on
this issue. What I was referring to was the pre "1.0" state of clamav -
hence not "mature" or "final"... it wasn't my intention to make it sound
derogative towards the product or developers. My apologies once again.


Re: [Clamav-users] Re: Chronic MD5 Verification Errors

2007-01-17 Thread Todd Lyons
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, Jan 17, 2007 at 08:49:14AM -0500, Edward Dam wrote:

>Thanks again for all your help. Maybe once clamAV matures, it will be a
>better fit for my needs, but until then I need to remove it, as it's the
>cause of my headaches.

I would disagree on the "it's not mature" inference.  We use it on a
load balanced system with each mail server handling 60K messages per day
(CentOS 4.4) and have never had clamd die.  There are another 200K or so
a day that get rejected due to various RBL's but clamav/spamassassin
never see those because it's blocked at HELO time.  Occasionally
spamass-milter wants to get hung in a weird state, but clamd and
clamav-milter are rock solid (we're a sendmail shop by the way).

However, since it is on a pretty busy machine, if moving your virus
scanning off that busy machine fixes your problem, then you are doing
the right thing for your needs.  Congrats on not having to use Exchange!
- -- 
Regards...  Todd
Exponential problems need logarithmic solutions. --Eddy Dreger
Linux kernel 2.6.17-5mdv   3 users,  load average: 0.01, 0.05, 0.00
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFrj72Y2VBGxIDMLwRAi5DAJ9x8HA1OZ35hlLIa53dBnBxGjgAkwCfbaUw
ntG/IZPWv6Z94ryJpF27XNA=
=Cgk+
-END PGP SIGNATURE-


Re: [Clamav-users] clamav-milter error question

2007-01-17 Thread Dennis Peterson

Nigel Horne wrote:

Dennis Peterson wrote:


I've decided to explore clamav-milter. The objective is to have a 
single server where all clamAV processes run. Think of it as a virtual 
AV appliance (Because that is what it is).


The lab environment is a mail server (Solaris 9, Sparc) running 
sendmail and another server (Solaris 10, X86) that runs clamd and the 
milter used to extract the attachments and submit them to ClamAV. I 
have substituted clamav-milter for this function by adding clmilter to 
sendmail.cf on the mail server. I built and have a running copy of 
milter-clamav and tried the following command line to start it:


/usr/local/sbin/clamav-milter --external --server=127.0.0.1 \
  --quiet --blacklist=60 --postmaster-only --local \
  -outgoing inet:3311

The mail server can connect to port 3311 on the AV server fine but the 
following error shows up in the clamav log:


Jan 16 12:39:11 omak clamav-milter[13345]: [ID 472601 local6.warning] 
Access Denied for sparky[192.168.1.55]


The av server is omak, and the mail server is sparky.


Check your TCP wrappers setting (/etc/hosts.deny and /etc/hosts.allow on 
Linux,

not sure where it is on Solaris).


That was it. I'd forgotten the last tests done on this system was for 
the denyhosts script to thwart ssh crackers. The system ordinarily does 
not have tcpwrappers enabled just to prevent this very kind of surprise. 
Thanks, Nigel.


dp


Re: [Clamav-users] Should I submit...

2007-01-17 Thread Christopher X. Candreva
On Wed, 17 Jan 2007, Sander Holthaus wrote:

> a very basic perl script which opens a listening socket and a shell? I
> found it after a hacker tried to gain entry. The script is nothing
> special (far from, 612 bytes) but I doubt people are actually using it
> for any legitimate means. BitDefender does recognize the file, but not
> any other AV.

I would say yes. If nothing else, let the maintainers have it and make the 
decision.

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Clamav-users] Re: Chronic MD5 Verification Errors

2007-01-17 Thread Edward Dam

On 1/2/07, Ian Abbott <[EMAIL PROTECTED]> wrote:


On 20/12/06 16:49, Edward Dam wrote:
> On 12/13/06, Ian Abbott <[EMAIL PROTECTED]> wrote:
>>
>> On 13/12/06 14:28, Edward Dam wrote:
>> > Hi Ian,
>> >
>> > Thanks for the help.
>> >
>> > I've only got the main.cvd and daily.cvd databases in use right now,
>> > until I
>> > get this sorted out - so it's not a 3rd party db or script issue.
>> >
>> > Here's basically what happens.
>> >
>> > Freshclam downloads the updates, then notifies clamd to re-read the
>> > databases. Then my log looks like this:
>> >
>> > Wed Dec 13 06:05:04 2006 -> SelfCheck: Database status OK.
>> >
>> > Wed Dec 13 06:28:57 2006 -> Reading databases from /var/clamav
>> >
>> > Wed Dec 13 06:28:57 2006 -> ERROR: reload db failed: MD5 verification
>> error
>> >
>> >
>> > At this point mail is dead, and  I have to delete the CVD files in
>> > /var/clamav and re-run freshclam to get new ones, then manually start
>> > clamav. All is well, until it happens again.
>> >
>> > The frustrating part is that it's so intermittent. It doesn't happen
>> every
>> > time. It doesn't happen at a regular interval. It's completely
random,
>> with
>> > the exception that it will probably once a day - or once every 2nd
day
>> on
>> > the very high end.
>>
>> What normally happens during the self-check is that the database
>> directory entries are read, but the files in the database directory are
>> not reloaded unless the directory entries have changed.  This means
that
>> the "SelfCheck: Database status OK." message does not mean the database
>> files were read okay, rather they weren't read at all.
>>
>> May I suggest a minor code change for diagnostic purposes?  In
>> clamd/server-th.c, look for the lines:
>>
>> logg("SelfCheck: Database status OK.\n");
>> return NULL;
>>
>> and change them to:
>>
>> #if 0 /* original */
>> logg("SelfCheck: Database status OK.\n");
>> return NULL;
>> #else /* temporary test */
>> logg("SelfCheck: Database status OK.  Reloading
anyway.\n");
>> return root;
>> #endif
>>
>> This will force the self-check to reload the database files even if
>> nothing has changed.  Then if you get MD5 errors randomly after this
>> message in the logs, you'll know it has nothing to do with freshclam,
>> and more to do with random disk read/write errors.
>
>
> I've done this code change, and the mail system just died.
>
> Here's the relevant clip from the clamd log:
>
> Wed Dec 20 09:53:33 2006 -> SelfCheck: Database status OK.  Reloading
> anyway.
> Wed Dec 20 09:53:33 2006 -> Reading databases from /var/clamav
> Wed Dec 20 09:53:33 2006 -> ERROR: reload db failed: MD5 verification
error

Sorry for the tardiness of this reply!  Those logs appear to be
generated as a result of clamd's scheduled self-check, as no changes to
the timestamps of the database files were detected (that would result in
"SelfCheck: Database modification detected. Forcing reload.").

However, there is a small possibility that freshclam could be updating
the database files during clamd's scheduled self-check in such a way
that clamd does not notice that the timestamps have changed, but due to
the code change is reloading the (possibly modified) database files
anyway.  To rule out this possibility, it would be necessary to look at
the freshclam logs to see when it last notified clamd about the updated
files.

If we assume for the moment that freshclam was not updating the database
files during clamd's scheduled self-check (which can be verified by
checking the clamd and freshclam logs), then it appears that the
database files have become corrupted but their timestamps have not
changed.  Either the new database files downloaded by freshclam are
being corrupted while they are being physically written to the disk, or
something else is clobbering them afterwards.  (Yes I know freshclam
checks the downloaded database files before using them, but as it has
just written the files, it might be getting the data back from a cache
maintained by the OS, rather than from the physical disk.  In this case,
the corruption would not show up until the cache entries have been
flushed by the OS.)

--
-=( Ian Abbott @ MEV Ltd.E-mail: <[EMAIL PROTECTED]>)=-
-=( Tel: +44 (0)161 477 1898   FAX: +44 (0)161 718 3587 )=-




Thanks everyone, for the replies and help.

At this point, I am doing the only thing I can - removing clamav from the
system, and using a mail security hardware device in front of the mail
server.

ClamAV is the *ONLY* thing repeatedly dying on this heavily used server.
This server is a MySQL server, Samba Server, DHCP server, and Intranet web
server. EVERYTHING else works fine, all the time. ClamAV dies almost daily,
hanging the whole email system.

I've now replaced RAM, CPUs a
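The check that freshclam and clamd are both running against daily.cvd, as an added example that is not from the thread and not ClamAV's own code: a CVD file is a 512-byte colon-separated text header followed by a gzipped tar, and the header's MD5 field covers the bytes after the header. The script parses the header, recomputes the MD5, and installs a new database the way Stephen Gran describes freshclam doing it (write a temp file, verify it, then rename it over the live file), then shows that a corrupted and a truncated copy are both rejected without touching the live file. The sample database contents, the "no-dsig" placeholder in the signature field and the exact field layout are assumptions of this example; the digital signature that ClamAV also checks is not verified here.

```python
import hashlib
import io
import os
import sys
import tarfile
import tempfile
import time

CVD_HEADER_LEN = 512  # fixed-size text header; the tar.gz payload follows immediately


def parse_cvd_header(raw: bytes) -> dict:
    """Split a CVD header into its fields (assumed layout, colon separated,
    padded to 512 bytes):
      ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>
    'dsig' is ClamAV's signature over the MD5 and is not checked here."""
    if len(raw) < CVD_HEADER_LEN:
        raise ValueError("file is shorter than a CVD header")
    text = raw[:CVD_HEADER_LEN].rstrip(b"\x00 ").decode("ascii", "replace")
    fields = text.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 9:
        raise ValueError("not a CVD header: %r" % text[:40])
    return {"build_time": fields[1], "version": int(fields[2]), "sigs": int(fields[3]),
            "flevel": int(fields[4]), "md5": fields[5].lower(), "dsig": fields[6],
            "builder": fields[7]}


def verify_cvd(path: str):
    """Return (ok, header); ok is True when MD5 of everything after the header
    matches the header field. A mismatch is what clamd logs as
    'reload db failed: MD5 verification error'."""
    with open(path, "rb") as fh:
        header = parse_cvd_header(fh.read(CVD_HEADER_LEN))
        digest = hashlib.md5()
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest() == header["md5"], header


def build_cvd(version: int, entries: dict) -> bytes:
    """Build a structurally valid CVD from {filename: bytes}. Constructed sample
    data only: no real signatures, and 'no-dsig' stands in for the signature."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    payload = buf.getvalue()
    sigs = sum(d.count(b"\n") for d in entries.values())
    header = "ClamAV-VDB:%s:%d:%d:%d:%s:%s:%s:%d" % (
        "17 Jan 2007 07-30 +0000", version, sigs, 10,
        hashlib.md5(payload).hexdigest(), "no-dsig", "example", int(time.time()))
    return header.encode("ascii").ljust(CVD_HEADER_LEN, b"\x00") + payload


def install_cvd(data: bytes, final_path: str) -> bool:
    """Temp file in the same directory, fsync, verify the read-back, rename over
    the live file. rename() is atomic on POSIX, so clamd sees the old file or
    the new one, never a half-written one. fsync() makes the bytes durable
    before they are trusted, but the read-back may still come from the page
    cache (Ian Abbott's point): this catches truncated or corrupted downloads,
    not a disk that silently returns different bytes later."""
    fd, tmp = tempfile.mkstemp(prefix=".tmp-", dir=os.path.dirname(final_path) or ".")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        try:
            ok, _ = verify_cvd(tmp)
        except ValueError:  # a short write left less than a full header
            ok = False
        if ok:
            os.rename(tmp, final_path)
        return ok
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


def demo() -> dict:
    """Good install, then a corrupted and a truncated one; returns the outcomes."""
    live = os.path.join(tempfile.mkdtemp(prefix="cvd-demo-"), "daily.cvd")
    good = build_cvd(2459, {"daily.db": b"Sample.Sig-1:0:*:deadbeef\n"})  # constructed
    out = {"good_install": install_cvd(good, live)}
    out["good_verify"], hdr = verify_cvd(live)
    out["version"] = hdr["version"]
    corrupt = bytearray(good)
    corrupt[CVD_HEADER_LEN + 5] ^= 0x01  # one flipped byte inside the payload
    out["corrupt_install"] = install_cvd(bytes(corrupt), live)
    out["truncated_install"] = install_cvd(good[:-16], live)  # short write: disk full or quota hit
    out["live_still_good"] = verify_cvd(live)[0]  # failed installs never touched the live file
    return out


if __name__ == "__main__":
    for p in sys.argv[1:]:
        ok, h = verify_cvd(p)
        print("%s: version %d, %s" % (p, h["version"], "OK" if ok else "MD5 MISMATCH"))
    if len(sys.argv) == 1:
        print(demo())
```

Pointed at the live directory (python cvd_check.py /var/clamav/main.cvd /var/clamav/daily.cvd) it tells you which file clamd is rejecting before you delete both and re-run freshclam; run with no arguments it performs the self-check above. Because the verification reads the file through the same cache clamd uses, a file that passes here and still fails in clamd minutes later points at the storage path rather than at the download, which is the distinction this thread is trying to make.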

[Clamav-users] Why no Include and Exclude options with clamd?

2007-01-17 Thread Mark Allan

Hi all,

I suspect cross-posting is not allowed so if this is the wrong list,  
let me know and I'll send it to clamav-devel instead.


I write a GUI for ClamAV and am changing things so it uses clamd/clamdscan
rather than clamscan but can't get clamd to use the --include and --exclude
patterns.  If I add them as switches to clamdscan I get an error back saying:

WARNING: Ignoring option --exclude: please edit clamd.conf instead

I've tried editing clamd.conf but can see no option for include/ 
exclude other than clamuko which can't be used.  Simply adding  
"exclude RegExPattern" to clamd.conf doesn't work either as I then  
get the following error from clamd:

ERROR: Parse error at line 6: Unknown option exclude.
ERROR: Can't parse the configuration file.

Can someone please tell me what I'm doing wrongly, or if indeed the  
option even exists; the output from clamdscan would seem to suggest  
it does exist but I can't see how to use it.


Many thanks

Mark


[Clamav-users] proxy frox + clamav

2007-01-17 Thread Mickael Besse

Hi

I am using the FTP proxy frox with clamav (wum-clamav-0.88.3-21) on Linux. The 
problem is that clamav can't scan a file with a size of more than 2 gigabytes.
So is there a directive to tell clamav not to scan files with a size bigger 
than 2 gigabytes?


Thanks
Mickael





Re: [Clamav-users] clamav-milter error question

2007-01-17 Thread Nigel Horne

Dennis Peterson wrote:


I've decided to explore clamav-milter. The objective is to have a single 
server where all clamAV processes run. Think of it as a virtual AV 
appliance (Because that is what it is).


The lab environment is a mail server (Solaris 9, Sparc) running sendmail 
and another server (Solaris 10, X86) that runs clamd and the milter used 
to extract the attachments and submit them to ClamAV. I have substituted 
clamav-milter for this function by adding clmilter to sendmail.cf on the 
mail server. I built and have a running copy of milter-clamav and tried 
the following command line to start it:


/usr/local/sbin/clamav-milter --external --server=127.0.0.1 \
  --quiet --blacklist=60 --postmaster-only --local \
  -outgoing inet:3311

The mail server can connect to port 3311 on the AV server fine but the 
following error shows up in the clamav log:


Jan 16 12:39:11 omak clamav-milter[13345]: [ID 472601 local6.warning] 
Access Denied for sparky[192.168.1.55]


The av server is omak, and the mail server is sparky.


Check your TCP wrappers setting (/etc/hosts.deny and /etc/hosts.allow on Linux,
not sure where it is on Solaris).


I'm missing something, obviously. Perhaps this is not a valid architecture?

dp


-Nigel

--
Nigel Horne. Arranger, Adjudicator, Band Trainer, Composer, Tutor, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk