[Clamav-users] clamav-milter 0.95.1 reject message
I use "OnInfected Reject" in my clamav-milter.conf and it seems the new behavior is to reject with an error of "5.7.1 Command rejected" instead of the matching signature name. In the event of a false positive, it is extremely handy to have the signature logged both in the error to the sender and in the local logs. Is there a config option I missed, or is it a feature that can be requested?

Jason A. Bertoch
Network Administrator
ja...@electronet.net
Electronet Broadband Communications
3411 Capital Medical Blvd.
Tallahassee, FL 32308
(V) 850.222.0229 (F) 850.222.8771
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] clamav-milter 0.95.1 reject message
Jason Bertoch wrote:
> I use "OnInfected Reject" in my clamav-milter.conf and it seems the new
> behavior is to reject with an error of "5.7.1 Command rejected" instead of
> the matching signature name. In the event of a false positive, it is
> extremely handy to have the signature logged both in the error to the sender
> and in the local logs. Is there a config option I missed, or is it a
> feature that can be requested?
>
>

Check the configuration file, it is clearly stated as an option.

#RejectMsg

What may not be too clear is the required format...

James
Re: [Clamav-users] clamav-milter 0.95.1 reject message
> -Original Message-
> From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-
> boun...@lists.clamav.net] On Behalf Of James Kosin
> Sent: Monday, April 13, 2009 10:09 AM
> To: ClamAV users ML
> Subject: Re: [Clamav-users] clamav-milter 0.95.1 reject message
>
>
> Check the configuration file, it is clearly stated as an option.
>
> #RejectMsg
>
> What may not be too clear is the required format...
>

I see that now, thanks. I used the built-in script to create clamav-milter.conf. Apparently, it doesn't include all possible options for later review.

Jason A. Bertoch
Re: [Clamav-users] major memory leak in 0.95(.1)
Török Edwin wrote:
> On 2009-04-10 18:04, Jay Deiman wrote:
>> I have noticed a serious problem with the latest stable branch of
>> clamav, at least on FreeBSD. There seems to be a large scale memory
>> leak. Starting with 0.92, I have been running a 10 machine clamd
>> cluster, 9 of which running FreeBSD 6.2 RELEASE and one running 7.0
>> RELEASE. With the exception of a couple of hiccups in the past, they
>> have been running pretty flawlessly, serving about 30 mail machines
>> running clamav-milter.
>>
>> With the advent of the vulnerabilities in pre 0.95 releases, I upgraded
>> to 0.95 a week ago. With the latest round of vulns., I upgraded to
>> 0.95.1 yesterday. With both revisions, I'm seeing a constant escalation
>> of memory usage to the point of killing the clamd process because it
>> runs into the MAXDSIZ we have set of 1.5GBs of memory. Restarting the
>> process just restarts the "fail counter" once again.
>>
>
> Does it get killed by a signal, or does it exit due to 'ExitOnOOM yes'
> in clamd.conf?
> malloc should return NULL when out of memory, and ClamAV should be able
> to handle it without crashing, if not its a bug.

Sorry, I should have been more specific. It doesn't actually crash. Here are the log messages I end up getting:

=
Apr 8 21:53:41 mpls-clamav-04 clamd[44009]: fds_add failed
Apr 8 21:53:41 mpls-clamav-04 clamd[44009]: add_fd: Memory allocation failed for command buffer
=

At first glance, I thought I was running out of file descriptors, which was not the case. I looked at memory usage after that and noticed that I was sitting at 1.5GBs, my configured OS hard limit.

>
>
>> In contrast, I never had any problems with 0.94.2, or the entire 0.94
>> branch for that matter. The memory usage for those versions would sit
>> consistently between 100MB and 300MB of resident memory usage depending
>> on load. I haven't seen anything from anyone else on the mailing list
>> about this, so I'm not sure if this is something related specific to
>> FreeBSD or, if it's the massive load we put on this cluster (these 10
>> machines together process approximately 65 million emails per day) that
>> allows us to see this clearly, but it is quite clear to us.
>>
>> If there is any more info I can supply, I will do my best to do so.
>>
>
> Usually I would say run it under valgrind, but with such a massive load
> that isn't practical.
> Try to get a stacktrace when clamd crashes, see "Backtrace of clamd" on
> clamav.net/bugs for instructions.
>
> Also there is some info here on how to trace leaks on FreeBSD:
> http://keramida.wordpress.com/2008/10/15/extracting-useful-info-from-freebsd-malloc-tracing/
> Unfortunately that trace only gives you the timestamp when the memory
> was allocated, and not source lines.
> However if you turn on LogClean and LogTime in clamd, you may be able to
> match the leaks to files that were scanned at the time.
>
> Then you can try scanning only those files, and see if you can reproduce
> the leak.

Cool, there's an addition to ktrace I didn't know about. I will set this up on one of the hosts and see what I can figure out. Hopefully I will be able to report back with some good information later on today.

Thanks,
Jay Deiman

--
Jay Deiman

\033:wq!
Re: [Clamav-users] major memory leak in 0.95(.1)
Jay Deiman wrote:
> Török Edwin wrote:
[snip]
>> Does it get killed by a signal, or does it exit due to 'ExitOnOOM yes'
>> in clamd.conf?
>> malloc should return NULL when out of memory, and ClamAV should be able
>> to handle it without crashing, if not its a bug.
>
> Sorry, I should have been more specific. It doesn't actually crash.
> Here are the log messages I end up getting:
>
> =
> Apr 8 21:53:41 mpls-clamav-04 clamd[44009]: fds_add failed
> Apr 8 21:53:41 mpls-clamav-04 clamd[44009]: add_fd: Memory allocation
> failed for command buffer
> =
>
> At first glance, I thought I was running out of file descriptors, which
> was not the case. I looked at memory usage after that and noticed that
> I was sitting at 1.5GBs, my configured OS hard limit.
>
>>
[snip]
>> Usually I would say run it under valgrind, but with such a massive load
>> that isn't practical.
>> Try to get a stacktrace when clamd crashes, see "Backtrace of clamd" on
>> clamav.net/bugs for instructions.
>>
>> Also there is some info here on how to trace leaks on FreeBSD:
>> http://keramida.wordpress.com/2008/10/15/extracting-useful-info-from-freebsd-malloc-tracing/
>> Unfortunately that trace only gives you the timestamp when the memory
>> was allocated, and not source lines.
>> However if you turn on LogClean and LogTime in clamd, you may be able to
>> match the leaks to files that were scanned at the time.
>>
>> Then you can try scanning only those files, and see if you can reproduce
>> the leak.
>
> Cool, there's an addition to ktrace I didn't know about. I will set
> this up on one of the hosts and see what I can figure out. Hopefully I
> will be able to report back with some good information later on today.

Well, *I* couldn't find much of any use in the ktrace output. However, if someone else would like to take a look at the trace file, I've made it available at:

http://janus.splitstreams.com/clamav-ktrace.out.bz2

It is about 91MB compressed.

--
Jay Deiman

\033:wq!
Re: [Clamav-users] major memory leak in 0.95(.1)
On Mon, Apr 13, 2009 at 19:26, Jay Deiman wrote:
> Jay Deiman wrote:
>> Török Edwin wrote:
[snip]
>>> Also there is some info here on how to trace leaks on FreeBSD:
>>> http://keramida.wordpress.com/2008/10/15/extracting-useful-info-from-freebsd-malloc-tracing/
>>> Unfortunately that trace only gives you the timestamp when the memory
>>> was allocated, and not source lines.
>>> However if you turn on LogClean and LogTime in clamd, you may be able to
>>> match the leaks to files that were scanned at the time.
>>>
>>> Then you can try scanning only those files, and see if you can reproduce
>>> the leak.
>>
>> Cool, there's an addition to ktrace I didn't know about. I will set
>> this up on one of the hosts and see what I can figure out. Hopefully I
>> will be able to report back with some good information later on today.
>
> Well, *I* couldn't find much of any use in the ktrace output. However,
> if someone else would like to take a look at the trace file, I've made
> it available at:
>
> http://janus.splitstreams.com/clamav-ktrace.out.bz2
>
> It is about 91MB compressed.

Can you run this command, and make the output available at the same location? (as described in that article linked above):

$ kdump -T -f ktrace.out | ./alloctrace.py

P.S. the alloctrace.py script is available at
http://keramida.wordpress.com/2008/10/15/extracting-useful-info-from-freebsd-malloc-tracing/

Best regards,
--Edwin
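Added example (not part of the thread, and not ClamAV or alloctrace.py code): one way to do the matching suggested above, pairing allocations that were never freed with the scan results clamd logged at about the same time. It assumes kdump -T prints malloc utrace records in the shape given in the first comment, tracks only malloc and free records, and expects a clamd log written with LogTime and LogClean enabled; the function names and all sample lines are constructed.

```python
import calendar
import re
import time
# Assumed `kdump -T` record shape for malloc utrace events:
#   <pid> <comm> <epoch.usec> USER  0xADDR = malloc(SIZE)   or   free(0xADDR)
KDUMP_RE = re.compile(r"^\s*\d+\s+\S+\s+(\d+)\.\d+\s+USER\s+"
                      r"(?:(0x[0-9a-f]+) = malloc\((\d+)\)|free\((0x[0-9a-f]+)\))")
# clamd log line with LogTime enabled: "<ctime timestamp> -> <target>: <result>"
CLAMD_RE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (.+): (?:OK|.+ FOUND)$")

SAMPLE_KDUMP = [  # constructed
    " 44009 clamd    1239227619.100000 USER  0x801a00 = malloc(4096)",
    " 44009 clamd    1239227619.200000 USER  free(0x801a00)",
    " 44009 clamd    1239227621.300000 USER  0x802b00 = malloc(65536)",
    " 44009 clamd    1239227621.400000 USER  0x803c00 = malloc(32768)",
]
SAMPLE_LOG = [  # constructed; timestamps are read as UTC for the example
    "Wed Apr  8 21:53:38 2009 -> /var/spool/scan/msg-a: OK",
    "Wed Apr  8 21:53:41 2009 -> /var/spool/scan/msg-b: OK",
]

def outstanding_allocations(kdump_lines):
    """Return {address: (epoch_seconds, size)} for mallocs with no later free."""
    live = {}
    for line in kdump_lines:
        m = KDUMP_RE.match(line)
        if m and m.group(2):
            live[m.group(2)] = (int(m.group(1)), int(m.group(3)))
        elif m:
            live.pop(m.group(4), None)
    return live

def scans(clamd_lines):
    """Return [(epoch_seconds, target)] for every scan result in the log."""
    out = []
    for line in clamd_lines:
        m = CLAMD_RE.match(line)
        if m:
            stamp = time.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            out.append((calendar.timegm(stamp), m.group(2)))
    return out

def suspects(live, scanned, window=1):
    """Rank scan targets by unfreed bytes allocated within `window` seconds."""
    totals = {}
    for ts, size in live.values():
        for when, target in scanned:
            if abs(when - ts) <= window:
                totals[target] = totals.get(target, 0) + size
    return sorted(totals.items(), key=lambda kv: -kv[1])
```

On a real host the clamd timestamps are local time, so they need converting with the host's timezone before being compared with the epoch values from kdump.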
Re: [Clamav-users] major memory leak in 0.95(.1)
Török Edvin wrote:
[snip]
>> Well, *I* couldn't find much of any use in the ktrace output. However,
>> if someone else would like to take a look at the trace file, I've made
>> it available at:
>>
>> http://janus.splitstreams.com/clamav-ktrace.out.bz2
>>
>> It is about 91MB compressed.
>
> Can you run this command, and make the output available at the same
> location? (as described in that article linked above):
> $ kdump -T -f ktrace.out | ./alloctrace.py
>
> P.S. the alloctrace.py script is available at
> http://keramida.wordpress.com/2008/10/15/extracting-useful-info-from-freebsd-malloc-tracing/

I ran alloctrace.py before posting the trace file. It gave me zilch for output. I did take a look at the dump and I found no calls within it to malloc(), which I thought was odd (and part of the reason that I posted the trace file). I have posted the full text output of the kdump as well to make things easy on those not using FreeBSD. That is at:

http://janus.splitstreams.com/clamav-kdump.txt.bz2

--
Jay Deiman

\033:wq!