Re: [clamav-users] Error Message from clamd
As far as I can tell, permissions are good. However, I have learned a bit more from running ktrace on clamd. Right after it gets called by clamav-milter, it calls cli_get_filepath_from_filedesc. That module has code for Linux, MacOS, and WIN. There is no code for FreeBSD. None of the 3 existing sections are viable on FreeBSD and so I believe it returns a CL_BREAK which causes the error to be reported. However, it appears to be treated as a warning as clamd continues to read the email from milter and process it. For some reason though, it always returns OK even when I send it the EICAR test. I can live with the warning message, but I need it to detect viruses. How can I debug that?

-- Doug

> On Apr 1, 2023, at 03:01, newcomer01 via clamav-users wrote:
>
> Is the path to your mails (maybe inbox only) correctly configured?
> Do your clamav and your maildir have the same permissions?
>
> From: Doug Hardie <mailto:bc...@lafn.org>
> To: Newcomer01 <mailto:newcome...@posteo.de>
> Sent: Saturday, April 01, 2023 at 10:17 AM +0200
> Subject: [clamav-users] Error Message from clamd
>> I have started receiving the following error message on every received email:
>>
>> Unable to determine the filepath given the file descriptor
>>
>> FreeBSD 13.1, Postfix, clamav-milter, clamd
>> clamav-1.0.1,1
>>
>> As a result the test virus is not detected, but the email gets a
>> X-Virus-Status: Clean header added. I can't find any description of this
>> error anywhere. How can I figure out what the problem is?
>>
>> -- Doug

___
Manage your clamav-users mailing list subscription / unsubscribe: https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide: https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
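One way to approach the debugging question in the message above, as an added example that is not from the thread or from the ClamAV project: talk to clamd directly with its INSTREAM command and check that a clean buffer returns OK and the EICAR string returns FOUND, which separates a clamd problem from a clamav-milter one. `fake_clamd` and the signature name it returns are constructed stand-ins so the block runs offline; against a real daemon, pass a function that connects to the LocalSocket or TCPSocket set in your clamd.conf.

```python
import socket
import struct
import threading

# Standard, harmless EICAR anti-virus test string (68 bytes), split into two
# literals so this source file is not itself quarantined by a scanner.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def frame_instream(data, chunk_size=4096):
    """Build a clamd INSTREAM request: NUL-terminated command, then
    <4-byte big-endian length><chunk> pairs, ended by a zero length."""
    parts = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        parts.append(struct.pack("!I", len(chunk)) + chunk)
    parts.append(struct.pack("!I", 0))
    return b"".join(parts)


def parse_reply(raw):
    """Map a clamd reply to (status, detail)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    verdict = text.partition(": ")[2]
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    if verdict == "OK":
        return "OK", None
    return "ERROR", text


def scan(conn, data, timeout=30.0):
    """Send one INSTREAM scan over an already connected socket."""
    try:
        with conn:
            conn.settimeout(timeout)
            conn.sendall(frame_instream(data))
            reply = b""
            while not reply.endswith(b"\0"):
                part = conn.recv(4096)
                if not part:
                    break
                reply += part
    except OSError as exc:  # includes timeouts: a hung clamd is a finding too
        return "ERROR", str(exc)
    return parse_reply(reply)


def check_detection(connect):
    """Scan a clean buffer and EICAR; connect() returns a fresh socket per scan.
    'detecting'     clean -> OK and EICAR -> FOUND
    'not-detecting' EICAR came back OK (mail would be stamped Clean)
    'error'         anything else (the replies are in the returned tuple)"""
    clean = scan(connect(), b"plain text, nothing to find\n")
    eicar = scan(connect(), EICAR)
    if clean[0] == "OK" and eicar[0] == "FOUND":
        verdict = "detecting"
    elif eicar[0] == "OK":
        verdict = "not-detecting"
    else:
        verdict = "error"
    return verdict, clean, eicar


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        part = conn.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed early")
        buf += part
    return buf


def fake_clamd(detects=True):
    """Constructed stand-in for clamd so the example runs offline.
    Returns a connect() callable; each call serves one INSTREAM request."""
    def serve(conn):
        with conn:
            assert _recv_exact(conn, 10) == b"zINSTREAM\0"
            body = b""
            while True:
                (size,) = struct.unpack("!I", _recv_exact(conn, 4))
                if size == 0:
                    break
                body += _recv_exact(conn, size)
            hit = detects and EICAR in body
            # Signature name below is a constructed sample value.
            conn.sendall(b"stream: Win.Test.EICAR_HDB-1 FOUND\0" if hit
                         else b"stream: OK\0")

    def connect():
        client, server = socket.socketpair()
        threading.Thread(target=serve, args=(server,), daemon=True).start()
        return client
    return connect


if __name__ == "__main__":
    # Real daemon (assumed address): lambda: socket.create_connection(("127.0.0.1", 3310))
    print(check_detection(fake_clamd(detects=True)))
    print(check_detection(fake_clamd(detects=False)))
```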
[clamav-users] Error Message from clamd
I have started receiving the following error message on every received email:

Unable to determine the filepath given the file descriptor

FreeBSD 13.1, Postfix, clamav-milter, clamd
clamav-1.0.1,1

As a result the test virus is not detected, but the email gets a X-Virus-Status: Clean header added. I can't find any description of this error anywhere. How can I figure out what the problem is?

-- Doug
[Clamav-users] clamav 0.90 - FreeBSD 6.1
Another data point. I upgraded from 0.88.7 to 0.90. I use just clamav-milter driven from sendmail. Version 0.88.7 worked fine. Generally about every 2 to 3 weeks it will hang and I have to restart it. It's processing a couple hundred thousand email daily.

Version 0.90 seemed at first to run just fine. However, after about 3 hours I started getting errors in the clamd log files. So I tried switching to libthr as indicated in the earlier posts. This seemed also to work except that I had consistent 0% idle time on the processor. I run 70 - 80% idle with version 0.88.7. I didn't let it run more than about an hour on 0.90 as mail was starting to back up. I had to switch back to 0.88.7.

However, as I look through the /etc/libmap.conf file I suspect that my libthr test was not valid. I used:

[clamd]
libc_r.so.5 libthr.so.2
libc_r.so.6 libthr.so.2
libthr.so.2 libthr.so.2
libpthread.so.1 libthr.so.2
libpthread.so.2 libthr.so.2

I suspect the first line should have been:

[clamav-milter]

I am not going to subject my users to any more testing tonight. I will have to retry that test again tomorrow evening.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] odd problem w/clamd
On Jun 10, 2005, at 13:21, [EMAIL PROTECTED] wrote:

At 12:54 PM 6/10/2005, you wrote:

* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [20050610 22:49]: wrote:

> At 10:44 AM 6/10/2005, you wrote:
>
> >Problems with 0.85.1 seem to be confined to FreeBSD.
> >Anything interesting in /var/log/clamd.log?
>
> nothing interesting. records of viruses found, and the startup
> logging. that's it.
>
> i've adjusted the number of concurrent connections inbound to the
> AS/AV server, and that seems to have helped somewhat.

What is that adjustment supposed to do/achieve?

to try to alleviate the problem described. absent a known cause, one experiments, does one not?

If your server is a busy one, you may try increasing the MaxThreads value in clamd.conf. It's worked for me.

as i mentioned, clamd 0.85.1 has been working fine for me as well, up until a few days ago when this issue arose. here's my clamd.conf:

MaxThreads 10

You may want to increase that. I run with 100 and that seems to have avoided problems on FreeBSD 4.6 and 5.3.
Re: [Clamav-users] Re: Clamav-milter dies after working ok for some hours
On May 25, 2005, at 13:38, Stephen Gran wrote:

On Tue, May 24, 2005 at 11:43:45AM -0700, Doug Hardie said:

I believe I can make this occur at will (as long as there is a newer database available). However, I am running FreeBSD and don't know for sure the equivalent to strace - ktrace perhaps. Let me know what you need and I will force it to hang.

Doug,

Can you run another test for me? Try running the milter without --external, but with --dont-wait. It is difficult to tell from the sendmail source (it is a bit on the hairy side) but it looks like it does not stop trying to use a milter if one of the communications times out, which would explain this behavior. --dont-wait changes the behavior at reload from timeout to immediate tempfail. If this fixes the problem, then we know exactly where the issue is, and we can come up with a workaround (perhaps the workaround is just use --dont-wait, but maybe something better)

A ktrace would also be great to confirm the internals, but just confirmation that this makes the problem go away would be enough, I think.

You are the first person I have talked to who can reliably reproduce the problem, so unfortunately for you, you make the perfect test case :)

Can do, but will have to wait till Sat. I am leaving in 10 minutes to bring home son from college. Will be gone 2 days.
Re: [Clamav-users] Re: Clamav-milter dies after working ok for some hours
On May 24, 2005, at 19:41, Stephen Gran wrote:

On Tue, May 24, 2005 at 07:10:25PM -0700, Doug Hardie said:

On May 24, 2005, at 13:21, Stephen Gran wrote:

On Tue, May 24, 2005 at 12:54:47PM -0700, Doug Hardie said:

ktrace is effectively the same thing as truss so I used it. There are two files available:

http://www.lafn.org/clamav/ktrace.html
http://www.lafn.org/clamav/clamd.html

ktrace.html is the output of ktrace - it's about 14 MB
clamd.html is the clamd.log file entries - very small and probably of no value

It is difficult to say from the provided ktrace file what is happening, as there are no timestamps and all lines have the same pid. One thing that seems odd is that the milter appears to continue accepting and processing input after a reload event has happened. Not for the body, but for all other milter events (header, connect, etc). That is a start at least.

Is there a way to log separately by pid or something with ktrace? I don't know it well, so I am not sure what arguments to tell you to pass it. Also, I am not sure that will even work - in a proper thread implementation, all threads share a pid (but have different lwp id's) so this may not be possible.

clamav-milter is only one process. It has multiple threads but those are not visible to the kernel.

I don't know how the bsd implementation of threads works, as I said. On linux, the separate threads share a pid but have different lwp id's, and are separable to the kernel and to strace. It will make things a little harder if the same is not true on bsd.

The problem does not occur immediately with a database reload. It takes 10 or so minutes before it hangs/quits. I suspect that the problem occurs when there are active messages that do not complete before some timeout value. clamav-milter is waiting for everything to go quiet, but on my receive mail server that never happens. There are always 30-40 active sendmail children. As a result it never goes quiet. I suspect that clamav-milter eventually gives up and that's when the problem occurs. On my outgoing mail server which handles considerably less mail, most of the database updates do not cause a problem. On my test server which handles 3 email daily it never causes a problem.

This is the generally observed pattern, so it's good to know we're chasing the same problem, at least.

kdump will provide the timestamps if that would be helpful, but the entries are pretty much evenly spaced out over about a 5 minute period between when I touched the daily file and when it hung.

Well, that's helpful - looking at the file at first, I had no way of telling that. What I can glean from the output you have provided is that there is a point reached where some threads begin doing a write(not accepting inputs), which I would expect from the source. But puzzlingly, some (other? No way to know without being able to separate the threads) are still accepting and processing messages after that point. I also see no mutex related calls, which I would have expected to see a lot of. Since I suspect the problem is that one thread is prematurely altering or locking a mutex, stalling the others, this makes it harder to debug the sequence of events :) This is presumably a problem of ktrace or the invocation, rather than an absence of events, though.

It appears from what I can find of their respective man pages, that truss may be better at this sort of thing than ktrace (it certainly seems to do a better job following forks and threads in the solaris page I see). Do you mind giving it a go?

truss basically generates no output and kills the process. strace does not generate any output that identifies threads and shortly after starting generates bus errors.

I don't believe clamav-milter is actually stopping new messages. After doing the touch on the database file, I continue to see maillog messages that the Milter messages have been added. This continues right up until it hangs/crashes. I don't see anything tempfailing the new messages. I suspect sendmail continues to send them and they continue to be processed.
Re: [Clamav-users] Re: Clamav-milter dies after working ok for some hours
On May 24, 2005, at 19:30, Damian Menscher wrote:

On Tue, 24 May 2005, Doug Hardie wrote:

On May 24, 2005, at 13:21, Stephen Gran wrote:

On Tue, May 24, 2005 at 12:54:47PM -0700, Doug Hardie said:

http://www.lafn.org/clamav/ktrace.html
http://www.lafn.org/clamav/clamd.html

clamav-milter is only one process. It has multiple threads but those are not visible to the kernel.

The problem does not occur immediately with a database reload. It takes 10 or so minutes before it hangs/quits. I suspect that the problem occurs when there are active messages that do not complete before some timeout value. clamav-milter is waiting for everything to go quiet, but on my receive mail server that never happens. There are always 30-40 active sendmail children. As a result it never goes quiet. I suspect that clamav-milter eventually gives up and that's when the problem occurs. On my outgoing mail server which handles considerably less mail, most of the database updates do not cause a problem. On my test server which handles 3 email daily it never causes a problem.

Just to bring you (and anyone else joining us) up to speed, here's a description of how it's supposed to work:

When there's a database update, the milter wants everything to be quiet. So it stops accepting new connections. It then waits for the currently-running children to finish. Once n_children drops to 0, it reloads the database and resumes accepting connections.

At least, that's the theory. In practice, n_children isn't ever hitting 0, so it stays in the !accepting state forever. For example, in the ktrace you posted, n_children dropped from 7 down to 2. The fact that it never reached 0 is the entire problem.

Of course, nobody knows *why* it isn't reaching 0. It might be from a hung scanner thread, or from a pthreads race condition, or even a locking issue. The hope was that getting an strace of each thread of a hung milter would provide information on which of those causes was at fault, and perhaps enable us to actually locate the bug.

I frequently see sendmail children alive for over 30 minutes and sometimes considerably longer. Some connections are very slow at transferring data. I would guess it's just not waiting long enough.
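The reload sequence described in the message above (stop accepting, wait for n_children to reach 0, reload, resume), as an added Python example that is not clamav-milter's code. It shows why an unbounded wait leaves the gate in the not-accepting state when one session never finishes, and how a bounded drain avoids that; `n_children` and `accepting` are the names used in the thread, while `ReloadGate`, `begin`, `end`, `reload` and `generation` are hypothetical.

```python
import threading
import time


class ReloadGate:
    """Counts in-flight sessions and pauses intake while a reload drains them."""

    def __init__(self):
        self._cv = threading.Condition()
        self.n_children = 0     # sessions currently being processed
        self.accepting = True   # False while a reload is draining
        self.generation = 0     # stands in for the loaded database version

    def begin(self):
        """Call for each new connection. False means: tempfail it, retry later."""
        with self._cv:
            if not self.accepting:
                return False
            self.n_children += 1
            return True

    def end(self):
        """Call when a session finishes, whether it succeeded or not."""
        with self._cv:
            self.n_children -= 1
            self._cv.notify_all()

    def reload(self, drain_timeout):
        """Stop intake and wait up to drain_timeout seconds for n_children == 0.

        Returns True if the database was reloaded. Intake always resumes.
        drain_timeout=None reproduces the behaviour discussed in the thread:
        if one session never ends, this call never returns and the gate
        stays in the not-accepting state.
        """
        with self._cv:
            self.accepting = False
            try:
                drained = self._cv.wait_for(
                    lambda: self.n_children == 0, timeout=drain_timeout)
                if drained:
                    self.generation += 1  # the real reload would happen here
                return drained
            finally:
                self.accepting = True


def demo():
    """One slow session outlives the first drain window but not the second."""
    gate = ReloadGate()
    gate.begin()                                  # a slow SMTP session starts
    threading.Timer(0.2, gate.end).start()        # ...and ends 0.2 s later
    first = gate.reload(drain_timeout=0.05)       # too short: gives up
    second = gate.reload(drain_timeout=2.0)       # long enough: reloads
    return first, second, gate.generation


if __name__ == "__main__":
    print(demo())
```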
Re: [Clamav-users] Re: Clamav-milter dies after working ok for some hours
On May 24, 2005, at 13:21, Stephen Gran wrote:

On Tue, May 24, 2005 at 12:54:47PM -0700, Doug Hardie said:

ktrace is effectively the same thing as truss so I used it. There are two files available:

http://www.lafn.org/clamav/ktrace.html
http://www.lafn.org/clamav/clamd.html

ktrace.html is the output of ktrace - it's about 14 MB
clamd.html is the clamd.log file entries - very small and probably of no value

It is difficult to say from the provided ktrace file what is happening, as there are no timestamps and all lines have the same pid. One thing that seems odd is that the milter appears to continue accepting and processing input after a reload event has happened. Not for the body, but for all other milter events (header, connect, etc). That is a start at least.

Is there a way to log separately by pid or something with ktrace? I don't know it well, so I am not sure what arguments to tell you to pass it. Also, I am not sure that will even work - in a proper thread implementation, all threads share a pid (but have different lwp id's) so this may not be possible.

clamav-milter is only one process. It has multiple threads but those are not visible to the kernel.

The problem does not occur immediately with a database reload. It takes 10 or so minutes before it hangs/quits. I suspect that the problem occurs when there are active messages that do not complete before some timeout value. clamav-milter is waiting for everything to go quiet, but on my receive mail server that never happens. There are always 30-40 active sendmail children. As a result it never goes quiet. I suspect that clamav-milter eventually gives up and that's when the problem occurs. On my outgoing mail server which handles considerably less mail, most of the database updates do not cause a problem. On my test server which handles 3 email daily it never causes a problem.

kdump will provide the timestamps if that would be helpful, but the entries are pretty much evenly spaced out over about a 5 minute period between when I touched the daily file and when it hung.
Re: [Clamav-users] Re: Clamav-milter dies after working ok for some hours
On May 24, 2005, at 11:53, Stephen Gran wrote:

On Tue, May 24, 2005 at 11:43:45AM -0700, Doug Hardie said:

I believe I can make this occur at will (as long as there is a newer database available). However, I am running FreeBSD and don't know for sure the equivalent to strace - ktrace perhaps. Let me know what you need and I will force it to hang.

truss, maybe?

You can force the milter to think there is an update available by touch'ing the database file. So, a full trace of a running milter process from start up until it hangs would be great, if you can do so. I believe there are options to truss similar to those to strace to make it follow forks and child processes and so forth - enabling those are vital for this. It's likely to be big, so putting it online somewhere for perusal may be preferable to sending to the list if you can. If not, can you send it to me off-list, and I'll put it up somewhere?

ktrace is effectively the same thing as truss so I used it. There are two files available:

http://www.lafn.org/clamav/ktrace.html
http://www.lafn.org/clamav/clamd.html

ktrace.html is the output of ktrace - it's about 14 MB
clamd.html is the clamd.log file entries - very small and probably of no value
Re: [Clamav-users] Re: Clamav-milter dies after working ok for some hours
On May 24, 2005, at 08:56, Damian Menscher wrote:

On Tue, 24 May 2005, N Fung wrote:

--- N Fung <[EMAIL PROTECTED]> wrote:

--- "Christopher X. Candreva" <[EMAIL PROTECTED]> wrote:

Try with clamd and use the --external option to clamav-milter.

Would the 'internal' mode be working again soon? Thanks.

It was broken in 0.84, and will not work until someone finds the bug. If you have time and skills in multithreaded programming, I strongly encourage you to look through the source code. There are several of us who have not "jumped ship" to the --external mode, and are instead trying to understand what is causing the --internal mode to hang on occasion. We'd appreciate help, though, as this has proven to be a very difficult bug to squash.

In particular, we need someone to capture an strace during a hang. That will hopefully give a hint of exactly where it is hanging. Compiling a list of hardware/software configurations that have/have not seen this bug would also be helpful. For example, upgrading to a 2.6 kernel might be a "solution", based on the reports I've seen.

I believe I can make this occur at will (as long as there is a newer database available). However, I am running FreeBSD and don't know for sure the equivalent to strace - ktrace perhaps. Let me know what you need and I will force it to hang.
Re: [Clamav-users] Re: clamav-milter quits (Doug Hardie)
On May 20, 2005, at 19:02, Stephen Gran wrote:

On Fri, May 20, 2005 at 08:49:32PM -0500, Damian Menscher said:

On Fri, 20 May 2005, Doug Hardie wrote:

On May 20, 2005, at 02:32, Trog wrote:

The accept call is done within Sendmail, I believe.

That would make sense except that the error message claims to be from clamav-milter and the PID matches that of clamav-milter.

Actually Trog was right: the error message is generated by mi_listener() in sendmail's .../libmilter/listener.c. It's rather silly of sendmail to log as if it's the milter, but there you have it.

Well, actually that would make it clamav-milter - it links libmilter, and so uses all that code, right? I mean, it is sendmail code, but it's the binary clamav-milter that makes the error, if you see what I mean.

It's definitely clamav-milter which calls libmilter which does the mi_listener right up front. Unfortunately there is no indication of which argument to accept is causing the problem. Looking around the info on the web indicates the most common usage of ERANGE is when a buffer is too small which would indicate a problem with the sockaddr.

I believe now that this problem is occurring within about 10 minutes after a database reload. However, I am not seeing the same log messages that have been previously reported with this situation and on a test server that handles about 3 email daily there is no problem. So, I am guessing that this problem only occurs if there is some current activity at the time a database update occurs.
Re: [Clamav-users] clamav-milter quits
On May 21, 2005, at 02:23, Nigel Horne wrote:

On Friday 20 May 2005 14:44, Craig Green wrote:

clamav 0.85.1 on two servers. Both quit right about midnight. I found the following log entries on one of them:

Are you using FreeBSD? We've had the milter quit on a couple of FreeBSD servers here--on 0.85, anyway. We thought it was upon DB updates, but weren't certain. Switching to --external seems to have helped, anyway. We now run .85.1, but we're still using --external so I don't know if the problem still exists.

That's your problem. You've removed the quotes from your original post in this followup (note to others - please don't do this, when there are a lot of support emails you need help to put them all together - relying on my memory isn't a good idea ;-) ) so I can't remember the exact text and do the googling for you, but I do know that a bit of googling will point you into the direction of a freebsd patch.

Craig.

Now I am a bit confused too. I can't tell if the patch you are referring to is in response to Craig or me. In any case, I have tried to locate this patch looking for various combinations of clamav, clamav-milter, freebsd, 0.85.1 and a few others I don't recall. The closest I have come is to a long discussion of a memory leak but I don't find any resolution or patch associated with that. What is the patch to?
Re: [Clamav-users] Re: clamav-milter quits (Doug Hardie)
On May 20, 2005, at 02:32, Trog wrote:

On Fri, 2005-05-20 at 10:22 +0100, G.W. Haywood wrote:

Hi there,

On Fri, 20 May 2005 Doug Hardie wrote:

clamav 0.85.1 on two servers. Both quit right about midnight. I found the following log entries on one of them:
...
I don't find an accept() anywhere in clamav-milter.

It's a system call. Check out 'man accept' (on a Unix-like system:).

I think he knows that. The accept call is done within Sendmail, I believe.

That would make sense except that the error message claims to be from clamav-milter and the PID matches that of clamav-milter.
Re: [Clamav-users] clamav-milter quits
Yes - FreeBSD 5.3

On May 20, 2005, at 01:31, Nigel Horne wrote:

On Friday 20 May 2005 09:24, Doug Hardie wrote:

clamav 0.85.1 on two servers. Both quit right about midnight. I found the following log entries on one of them:

May 19 23:40:07 zoon clamav-milter[75664]: ClamAv: accept() returned invalid socket (Result too large), try again
May 19 23:40:43 zoon last message repeated 8 times
May 19 23:42:53 zoon last message repeated 34 times
May 19 23:43:43 zoon last message repeated 4 times
May 19 23:43:58 zoon clamav-milter[75664]: ClamAv: accept() returned invalid socket (Result too large), abort
May 19 23:44:14 zoon clamav-milter[75664]: Stopping ClamAV version 0.85.1, clamav-milter version 0.85

Are you using FreeBSD?
[Clamav-users] clamav-milter quits
clamav 0.85.1 on two servers. Both quit right about midnight. I found the following log entries on one of them:

May 19 23:40:07 zoon clamav-milter[75664]: ClamAv: accept() returned invalid socket (Result too large), try again
May 19 23:40:43 zoon last message repeated 8 times
May 19 23:42:53 zoon last message repeated 34 times
May 19 23:43:43 zoon last message repeated 4 times
May 19 23:43:58 zoon clamav-milter[75664]: ClamAv: accept() returned invalid socket (Result too large), abort
May 19 23:44:14 zoon clamav-milter[75664]: Stopping ClamAV version 0.85.1, clamav-milter version 0.85

I don't find an accept() anywhere in clamav-milter. It is not using clamd. The only message I find in the code is the last one. The "Result too large" appears to be an error message of ERANGE but can't tell what call was involved. ERANGE is not listed as one of the accept() errors.

The only thing I can think of is that on this server, it generates potentially several hundred short emails in a couple minutes shortly after midnight. Perhaps they are overloading it? The other server has no such similar load. It's a quite lightly used mail server. Didn't find any messages for it anywhere.
[Clamav-users] Force email scanning
I am using sendmail with clamav-milter to scan email. Normally clamav-milter does not scan messages from the LAN or the machine unless you direct it to do so via the flags. I would like to be able to put something into a message such that it would be scanned even though it would otherwise not be scanned - in essence an override of the non-scanning options for that specific message. I can make this happen by using -o but then all the locally generated mail is scanned which is not really necessary.
Re: [Clamav-users] clamav-milter logging
On May 17, 2005, at 17:24, Doug Hardie wrote:

I have been running clamav 0.82.1 for some time without any known problems. However, I finally have the time to upgrade and brought down the FreeBSD port for 0.85.1 and installed it. Everything seems to work properly except for clamav-milter logging. I had been running clamav-milter connecting to clamdscan and have now switched to clamav-milter doing it all. When using clamd there would be only one entry in clamd.log for each virus detected. Now, I am seeing 3 entries for each virus:

May 17 16:31:51 zool clamav-milter[46052]: Starting ClamAV version 0.85.1, clamav-milter version 0.85
May 17 16:32:31 zool clamav-milter[46052]: j4HNWUpC046057: /tmp/clamav-080ef64658702e7c/msg.QPKiDh: ClamAV-Test-Signature Intercepted virus from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]>
May 17 16:32:31 zool clamav-milter[46052]: j4HNWUpE046057: /tmp/clamav-080ef64658702e7c/msg.E9oA85: ClamAV-Test-Signature Intercepted virus from <> to <[EMAIL PROTECTED]>
May 17 16:32:31 zool clamav-milter[46052]: j4HNWUpG046057: /tmp/clamav-080ef64658702e7c/msg.wqGWOM: ClamAV-Test-Signature Intercepted virus from <> to <[EMAIL PROTECTED]>

Why is this occurring and is there a way to get it back to only one entry? I grep through clamd.log daily for "Intercepted virus" to generate notifications to users of the viruses intercepted.

I just noticed the last entry is to postmaster. I don't understand why that would occur. clamav-milter is running with: -qfC

I have the f in there because it's a test machine that doesn't normally handle mail so I need it to check all mail.
[Clamav-users] clamav-milter logging
I have been running clamav 0.82.1 for some time without any known problems. However, I finally have the time to upgrade and brought down the FreeBSD port for 0.85.1 and installed it. Everything seems to work properly except for clamav-milter logging. I had been running clamav-milter connecting to clamdscan and have now switched to clamav-milter doing it all. When using clamd there would be only one entry in clamd.log for each virus detected. Now, I am seeing 3 entries for each virus:

May 17 16:31:51 zool clamav-milter[46052]: Starting ClamAV version 0.85.1, clamav-milter version 0.85
May 17 16:32:31 zool clamav-milter[46052]: j4HNWUpC046057: /tmp/clamav-080ef64658702e7c/msg.QPKiDh: ClamAV-Test-Signature Intercepted virus from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]>
May 17 16:32:31 zool clamav-milter[46052]: j4HNWUpE046057: /tmp/clamav-080ef64658702e7c/msg.E9oA85: ClamAV-Test-Signature Intercepted virus from <> to <[EMAIL PROTECTED]>
May 17 16:32:31 zool clamav-milter[46052]: j4HNWUpG046057: /tmp/clamav-080ef64658702e7c/msg.wqGWOM: ClamAV-Test-Signature Intercepted virus from <> to <[EMAIL PROTECTED]>

Why is this occurring and is there a way to get it back to only one entry? I grep through clamd.log daily for "Intercepted virus" to generate notifications to users of the viruses intercepted.
Re: [Clamav-users] Virus Volumes
We have a number of those in operation, but they haven't really changed since introducing clamav

On Apr 13, 2005, at 09:12, Christopher X. Candreva wrote:

On Wed, 13 Apr 2005, Doug Hardie wrote:

I have been running clamav for quite some time now. For most of that time I was receiving between 1500 and 2000 viruses per day. However, lately the number is down to about 200 per day. I don't have any users complaining about receiving viruses so I don't think there is a problem with clamav. Is the virus volume really decreasing?

Are you doing any other firewalling/blocking ? Blocking dynamic IP ranges and IP's without reverse DNS put quite a dent in the number of viruses we found at the scanner level.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
[Clamav-users] Virus Volumes
I have been running clamav for quite some time now. For most of that time I was receiving between 1500 and 2000 viruses per day. However, lately the number is down to about 200 per day. I don't have any users complaining about receiving viruses so I don't think there is a problem with clamav. Is the virus volume really decreasing?
Re: [Clamav-users] clamd exiting on signal 4 (FreeBSD)
On Nov 18, 2004, at 05:11, Robert Blayzor wrote:

I've been running clamd 0.80 for the past several weeks without any problems. Suddenly in the last two days two different machines had clamd die and exit on signal 4. (SIGILL) I tried looking for a core file but could not find one and the FreeBSD_4.x kernel did not say it dumped a core file. Other setuid/gid programs seem to drop core fine and we seem to have the proper sysctl settings setup to do so.

I thought this was an isolated incident when the first server died yesterday, but this morning we had a totally different server do the same thing.

Is clamd trapping SIGILL?

Late update: Appears that clamd was stripped of debugging symbols so probably no core files from that. So is anyone else seeing clamd (0.80) exit on SIGILL ?

I have been running 0.80 on FreeBSD 4.6 (2 systems) for about a month and have not seen that problem. It has been remarkably stable.

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
On Nov 15, 2004, at 04:37, Julian Mehnle wrote:

Trog [EMAIL PROTECTED] wrote:

I am, unfortunately, familiar with SpamCop (and all the other similar 'tools'). As a listed contact for over 16million Internet IP addresses I receive notices from such 'tools' all the time, and I've *never* had one that is accurate yet. They are incredibly dumb pieces of software that achieve nothing other than annoying innocent sys admins and giving their mis-guided users a warm feeling. Please stop using them [1].

Sorry, your rant is too vague to convince me. I have heard a lot of fuzzy criticism regarding SpamCop but nothing really concrete.

I administer an ISP and I receive numerous "complaints" about spammers via SpamCop. During the last 6 years only one has actually proved to point to a problem. One of my users had a virus and didn't know it. They parse the headers in the text of the message and presume they are valid. That is the problem. Those headers are almost always bogus. Only one of these "messages" actually traversed my ISP. They just end up pestering me. Basically I ignore them unless there is something that looks fishy.
Re: [Clamav-users] Re: TCP and UDP ports used by clamd
On Nov 1, 2004, at 09:53, René Berber wrote:

Nico,

Now my question: why is clamd listening on a TCP port (only one port but the

This is fine, ClamD has to listen on a port otherwise no program would be able to communicate with it. The port should be identical with the one listed in the clamd.pid file in case you're using it.

I'm not sure about this. The port is not usable, I did use telnet on it and it connects but does not respond to anything (ping, version) and then disconnects... at the same time clamd log shows an error "select() error..."

On the other hand, if clamd _needed_ a TCP port it should be one we could configure (my configuration has the TCP port commented out, only the socket is defined), to avoid the exact problem I had with Tripplite's program complaining that the port it uses was not free.

port number varies) and also on 1,467 UDP ports?

I was just about asking the same question. Over time ClamD (not FreshClam) opens (and leaves open) more and more UDP connections. Environment is Cygwin, latest Cygwin1.dll snapshot version & latest (dev) versions of gcc and modules.

It helps to know I'm not the only one seeing this odd behavior; this could be a bug inside Cygwin if nobody else has seen this in other operating systems. I'll check and see if that's the problem.

FreeBSD 4.6 with clamav-.80 running for over a week. Clamd normally only has 2 sockets open: one for the input from clamav-milter and the other to syslog. However, every now and then it has 5 sockets open. 2 of them are tcp and the port is quite large. One is open to the world and the other connected to localhost. They only last less than a second.
Re: [Clamav-users] Performance Help - 100% cpu usage
On Oct 25, 2004, at 23:05, Odhiambo Washington wrote:

> I would suggest that you DisableDefaultScanOptions in clamd.conf and tune values according to your system. My servers do slightly more than 800 smtp transfers per hour and I found out that working with the DisableDefaultScanOptions commented out brought my server to its knees. And my server is almost like yours, except it's Pentium III Xeon 500MHz. At any given moment, my SMTP service has average 300 child processes so I used that value for MaxConnectionQueueLength. I am not sure that is quite what it should be, but works for me is the key thing ;)

Those numbers seem unusual to me. I am handling over 2800 emails per hour. I don't recall ever seeing more than about 50 sendmail child processes active (except after an extended down period but even then it doesn't seem to get much above 150).

CPU: Pentium III/Pentium III Xeon/Celeron (701.59-MHz 686-class CPU)
Single processor, FreeBSD 4.6, clamav 0.80. CPU utilization sits between 80 and 95% idle.
Re: [Clamav-users] clamav-milter kill
On Oct 24, 2004, at 06:30, Joe Maimon wrote:

> i guess it would be simpler for a lot of users if 'kill `cat /var/run/clamav/clamav-milter.pid`' would get honoured.

On FreeBSD 4 that works fine. However, because sendmail-milter is integrated with sendmail, it has a fair amount of cleanup that is required for each active sendmail connection. I have seen that take a couple minutes to complete before it shuts down. It depends on the mail load at that time.
Re: [Clamav-users] clamd hang in rc4
On Oct 12, 2004, at 10:56, [EMAIL PROTECTED] wrote:

> On Tue, 12 Oct 2004, Scott Rothgaber wrote:
>> Doug Hardie wrote:
>>> have encountered quite a few situations in the last month where clamav just stopped working properly and had to be manually restarted.
>>
>> I had the same problem with spamass-milter a while back. What you need is a "watchdog" script, something like this...
>
> We had a problem similar to this this week, however, the problem wasn't due to a dead/core'd process. clamdscan actually hung for one reason or another and clamd had to be shot down with a -9. This took place just after the upgrade to .80rc4 and I attributed it to (possibly) having a rc3 clamd running with a rc4 clamdscan. Perhaps I did not adequately shut down rc3 before the update. Either way, I assume that clamdscan shouldn't hang if clamd is dead.
>
> I noticed that mail was backed up because the amavis delivery agent (ADA?) hung when it relayed to amavisd. Eventually the problem was found to be clamdscan hanging and restarting clamd (after a -9) seemed to work.
>
> Is anyone else experiencing similar problems?

The problems I had were all with version .75 and earlier. The .80rcs have worked very well for me. I had a timeout problem every morning at about 6 am for about 5 minutes until I increased the clamd timeout value. No timeouts this morning.
Re: [Clamav-users] clamav-milter configuration options
Looks like 1.1.3 but difficult to tell for sure. It's part of the base system. For the last few weeks, clamav-milter has been totally stable.

On Oct 12, 2004, at 06:04, Nigel Horne wrote:

> Doug Hardie wrote:
>> have encountered quite a few situations in the last month where clamav just stopped working properly and had to be manually restarted.
>
> It is likely that you have a buggy zlib. What version do you have?
>
> --
> Nigel Horne. Arranger, Composer, Typesetter.
> NJH Music, Barnsley, UK. ICQ#20252325
> [EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] clamav-milter configuration options
No. FreeBSD

On Oct 12, 2004, at 01:25, Nigel Horne wrote:

> On Monday 11 Oct 2004 23:22, Doug Hardie wrote:
>> I would like to see clamav-milter have a configuration file. Either clamd.conf or a separate one would be fine. The list of parameters I use is too long for a command line.
>
> Are you using Red Hat Linux? If so already do that by modifying /etc/sysconfig/clamav-milter
>
> -Nigel
>
> --
> Nigel Horne. Arranger, Composer, Typesetter.
> NJH Music, Barnsley, UK. ICQ#20252325
> [EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] clamav-milter configuration options
On Oct 11, 2004, at 18:43, Scott Rothgaber wrote:

> Doug Hardie wrote:
>> The list of parameters I use is too long for a command line.
>
> Oh, come on! What's so bad about...
>
> /usr/local/sbin/clamav-milter -l -i /var/run/clamav/clmilter.pid -F /usr/local/etc/sig.txt /var/run/clamav/clmilter.sock
>
> ;-) Take a quick look at the source. It's already on the developers' TODO list.

Thanks. I can wait. Having long lines for initiation is not good. I have encountered quite a few situations in the last month where clamav just stopped working properly and had to be manually restarted. If I am not at a terminal then I have to tell someone over the phone what to type to start it. No way am I going to remember all that correctly or have it entered correctly. Configuration files make things very clean and avoid problems.
[Clamav-users] clamav-milter parameters
I would like to see clamav-milter be able to read its parameters from a file (clamd.conf or a separate file would be fine). The command line I am using is just too long to manage easily.
[Clamav-users] clamav-milter configuration options
I would like to see clamav-milter have a configuration file. Either clamd.conf or a separate one would be fine. The list of parameters I use is too long for a command line.

___
Clamav-users mailing list [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] bug in clamav-milter PID file handling
On Sep 24, 2004, at 16:30, <[EMAIL PROTECTED]> wrote:

> Doug Hardie wrote:
>> On Sep 24, 2004, at 13:48, <[EMAIL PROTECTED]> wrote:
>>> Matthew.van.Eerde wrote:
>>>> There seems to be a problem with clamav-milter's --pidfile option.
>>>
>>> I retract this. The --pidfile option is fine.
>>
>> Line 1408 of clamav-milter.c has
>>
>> fprintf(fd, "%d\n", (int)getpid());
>>
>> which will put a \n at the end of the pid value in the pid file.
>
> Yes but I retract my opinion that this is a problem. kill `cat clamav-milter.pid` wasn't working, and I wrongly blamed this on the newline. It turned out after experiment that kill $PID wasn't working either. But killall clamav-milter worked so I'm going with that.

The \n should not be in that print statement. I use the pid file for checking to be sure servers are still running and that requires that the code be modified for that particular situation.
Re: [Clamav-users] bug in clamav-milter PID file handling
On Sep 24, 2004, at 13:48, <[EMAIL PROTECTED]> wrote:

> Matthew.van.Eerde wrote:
>> There seems to be a problem with clamav-milter's --pidfile option.
>
> I retract this. The --pidfile option is fine.

Line 1408 of clamav-milter.c has

fprintf(fd, "%d\n", (int)getpid());

which will put a \n at the end of the pid value in the pid file.

ClamAV 0.80rc2/503/Thu Sep 23 12:32:44 2004
clamav-milter version 0.80 on zoon.lafn.org
Re: [Clamav-users] announcing ClamAV 0.80rc
I have looked all over the clamav.net web pages and I can't find it. Where is it?
Re: [Clamav-users] Virus Distribution
Those certainly could be it, but it is unusual compared with the other viruses we see daily. I wonder if there is more to this one than has been found yet.

On Sep 8, 2004, at 12:40, Timo Schöler wrote:

> Thus spake Doug Hardie sometime Today...
>> On Sep 8, 2004, at 12:16, Timo Schöler wrote:
>>> Doug Hardie wrote:
>>>> I have a cron job that scans the clamd.log file every day and counts the specific viruses found. While the numbers tend to vary a bit from day to day the relative ratios between the various viruses found tend to stay the same - except for Worm.Zafi.B. One day it will find 1100 of them and the next day 8. It is never consistent. I am not seeing any significant number of viruses slipping through. It seems to be some sort of distribution issue with that virus itself. The others all seemed to come on strong at first and then die down to residual annoyances. But not this one. It keeps coming back in volume periodically. Any ideas what makes this one so different from the rest?
>>>
>>> perhaps this may be interesting stuff for you: http://www.cs.berkeley.edu/~nweaver/sapphire/
>>
>> Thanks but I would expect from that that the worm activity would tend to die down to a relatively constant nuisance level. However, it's not doing that. Every couple days I get another flood of them.
>
> there may be several reasons:
>
> i) changing network behaviour (route flaps, etc.)
> ii) changing effectiveness of virus filters et al.
> iii) built-in automatisms in worm/virus itself
>
> NB: it is not always best to spread a virus/worm at the highest available speed (depends on number of infected hosts, bandwidth available to the hosts, etc.).
>
> i'm sure i missed another point i didn't think of now ;)
>
> --
> mit vorzueglichster Hochachtung/best regards,
> Timo Schoeler
> //macfinity -- finest IT services | Triftstrasse 39 | 13353 Berlin | Germany
> Fon ++49 30 25 20 30 20 | Fax ++49 30 25 20 30 19
> PGP data http://www.macfinity.net/~tis/contact/PGPPKB_timo.schoeler.txt
[Clamav-users] Virus Distribution
I have a cron job that scans the clamd.log file every day and counts the specific viruses found. While the numbers tend to vary a bit from day to day the relative ratios between the various viruses found tend to stay the same - except for Worm.Zafi.B. One day it will find 1100 of them and the next day 8. It is never consistent. I am not seeing any significant number of viruses slipping through. It seems to be some sort of distribution issue with that virus itself. The others all seemed to come on strong at first and then die down to residual annoyances. But not this one. It keeps coming back in volume periodically. Any ideas what makes this one so different from the rest?
[Clamav-users] Unusual Problem
I have two mail servers. One is used by users sending mail, the other receives mail. When a user sends me mail it goes through both servers. Both are running sendmail with clamav-milter and clamav. Normally I see the following header elements in such mail:

X-Virus-Scanned: clamd / ClamAV version 0.75.1, clamav-milter version 0.75c on zoon.lafn.org
X-Virus-Scanned: clamd / ClamAV version 0.75.1, clamav-milter version 0.75c on zoot.lafn.org

I have one user who has been trying for days to send me a message. He has not been able to tell me the error message he gets accurately so I had no idea what was happening. However, today he got one through to me. It contains a virus, CHRISTM3.EXE. Now I know why he was having a hard time sending to me. However, he eventually succeeded. The message has the virus and no clamav headers from either system. There is quite a bit of time lag between when it was accepted by the send server and when it was accepted by the receive server so the send server must have kept trying over and over again till it managed to get it through.

The lack of messages indicates that somehow it got through without invoking clam-milter. Any ideas how that could have occurred? I see no evidence of any significant mail loads during that time. The actual volume of mail was very low at that time. No system errors were generated and no other evidence of other mail slipping through. Every message I check around them show the clamav headers and check messages in maillog.
Re: [Clamav-users] Trojan.JS.RunMe?
On Aug 9, 2004, at 14:44, Steven Stern wrote:

> On Mon, 9 Aug 2004 11:03:27 -0700 (PDT), Scott Call <[EMAIL PROTECTED]> wrote:
>> I'm seeing a huge quantity of "Trojan.JS.RunMe" both with 0.75.1 and the latest snapshot. I can't seem to find any information on this signature (nothing in the virusdb list and nothing on google).
>
> As usual, ClamAV's name came out too soon
>
> The standard naming seems to be [EMAIL PROTECTED] [Symantec] W32/[EMAIL PROTECTED] [McAfee], WORM_BAGLE.AC [Trend], Win32.Bagle.AG [Computer Associates]

If that's a standard then by definition there are no standards, so why worry?
Re: [Clamav-users] clamd segment violations
On Jul 28, 2004, at 15:16, Doug Hardie wrote:

> I am running
> FreeBSD 4.6
> ClamAV version devel-20040728
> clamav-milter version 0.75b
> Sendmail 8.12.3p3
>
> I was using clamav-0.70-rc for a long time because it was stable and never crashed. However, it started missing a lot of newer viruses so I upgraded to the version above. Clamd is giving a segment violation every 2 to 6 hours and I have to restart it. Thousands of messages are scanned while it is still running. I have used the following different configure commands and I don't see any real change in the behavior:
>
> configure --disable-urandom --enable-milter
> configure --disable-urandom --enable-milter --enable-bigstack
>
> I tried the following configure command but it fails to complete:
>
> configure --disable-pthreads --disable-urandom --enable-milter --enable-bigstack
> checking for mi_stop in -lmilter... no
> configure: error: Cannot find libmilter
>
> I need to get back to a stable version. Any ideas on what I should try?

Problem has been corrected. The problem was larger than expected. As best as I can tell, if an email had no virus then the directory in /tmp that was named clamav-[large hex number] was not deleted. If it had a virus, the directory was deleted but the text file in it was not closed so that it continued to hang around. I corrected the problem by switching to:

ClamAV version 0.75.1, clamav-milter version 0.75c

I also used the following in configure:

--disable-clamuko --disable-urandom --enable-milter --enable-bigstack

I have only had this running for a few minutes, but no orphaned files and /tmp is clean. I suspect the snapshots have some debug stuff in them that is causing the problems I encountered.
Re: [Clamav-users] clamd segment violations
I just noticed that clamd has a large number of files opened that the directory entries have been deleted. There are well over a hundred of them. The sizes appear to be about right for emails.

On Jul 28, 2004, at 15:16, Doug Hardie wrote:

> I am running
> FreeBSD 4.6
> ClamAV version devel-20040728
> clamav-milter version 0.75b
> Sendmail 8.12.3p3
>
> I was using clamav-0.70-rc for a long time because it was stable and never crashed. However, it started missing a lot of newer viruses so I upgraded to the version above. Clamd is giving a segment violation every 2 to 6 hours and I have to restart it. Thousands of messages are scanned while it is still running. I have used the following different configure commands and I don't see any real change in the behavior:
>
> configure --disable-urandom --enable-milter
> configure --disable-urandom --enable-milter --enable-bigstack
>
> I tried the following configure command but it fails to complete:
>
> configure --disable-pthreads --disable-urandom --enable-milter --enable-bigstack
> checking for mi_stop in -lmilter... no
> configure: error: Cannot find libmilter
>
> I need to get back to a stable version. Any ideas on what I should try?
Re: [Clamav-users] clamd segment violations
On Jul 29, 2004, at 00:32, Trog wrote:

> On Wed, 2004-07-28 at 23:16, Doug Hardie wrote:
>> I was using clamav-0.70-rc for a long time because it was stable and never crashed. However, it started missing a lot of newer viruses so I upgraded to the version above. Clamd is giving a segment violation every 2 to 6 hours and I have to restart it. Thousands of messages are scanned while it is still running. I have used the following different configure commands and I don't see any real change in the behavior:
>
> Please attach gdb to the running clamd and do a backtrace when it crashes.

Here is the first attempt:

[Switching to process 86282, thread 2]
Program received signal SIGSEGV, Segmentation fault.
0x281299a9 in _spinlock_debug () from /usr/lib/libc_r.so.4
(gdb)
Continuing.

I have no idea why it decided to continue at that point. Anyway it just quit as normal so I couldn't get anything useful. Trying again. Somehow I manage to miss the crashes.
[Clamav-users] clamd segment violations
I am running
FreeBSD 4.6
ClamAV version devel-20040728
clamav-milter version 0.75b
Sendmail 8.12.3p3

I was using clamav-0.70-rc for a long time because it was stable and never crashed. However, it started missing a lot of newer viruses so I upgraded to the version above. Clamd is giving a segment violation every 2 to 6 hours and I have to restart it. Thousands of messages are scanned while it is still running. I have used the following different configure commands and I don't see any real change in the behavior:

configure --disable-urandom --enable-milter
configure --disable-urandom --enable-milter --enable-bigstack

I tried the following configure command but it fails to complete:

configure --disable-pthreads --disable-urandom --enable-milter --enable-bigstack
checking for mi_stop in -lmilter... no
configure: error: Cannot find libmilter

I need to get back to a stable version. Any ideas on what I should try?
[Clamav-users] quarantined viruses
I have clamav-70 with sendmail and milter with a quarantine directory. I see a number of files left there that do appear to contain a virus. However, there are some files that are very short remaining that have been identified as containing a virus in the maillog file but only contain one empty mime attachment. The info on the attachment is what I would expect for the indicated virus. Running clamdscan on the remaining file indicates that it has found the virus in it. However, the attachment is empty. So, I am a bit confused. Is clamav identifying the virus based on the mime information or the content of the attachment? It appears that it is using only the mime info.

I was going to save some of that but it was just too late last night so I don't have any examples handy. At first I was going to send them in as false viruses, but after looking at them, the only thing they really contained was the empty attachment which probably did at one time include a virus. I decided none of my users would want to receive them even without the virus so leaving them blocked was just fine.
Re: [Clamav-users] clamav and milter - dedicated mailing list.
On Apr 14, 2004, at 12:00, Antony Stone wrote:

> On Wednesday 14 April 2004 7:28 pm, B. van Ouwerkerk wrote:
>> - cross posting
>> - questions send to the wrong list
>
> I think both of these examples are things which would be improved by having two lists.

Good idea. While you are at it, create additional lists so that the issues that are with Linux, PCs, SpamAssassin, etc. are not in this list either as they are a waste of my time. I only want FreeBSD, clamd, and clamav-milter in this list.
Re: [Clamav-users] syslog facility
On Apr 5, 2004, at 15:56, rosander wrote:

> Can anyone comment if clamd support setting specific syslog facilities and if so how I would set it in the conf file? I perused the documentation but nothing popped out at me except the switch to enable output to syslog.

The facility is hard coded to LOG_LOCAL6 in the source. I doubt that much is alterable without changing the source and rebuilding.
Re: [Clamav-users] Troubles with recent clamav's
On Mar 19, 2004, at 05:17, Robert Blayzor wrote:

> On 3/18/04 5:40 PM, "Doug Hardie" <[EMAIL PROTECTED]> wrote:
>> My quick look at the code behind --disable-urandom gave me the impression that it only disabled the test for urandom and forced clamd to use urandom. That's why I manually deleted the define. I guess I will have to look a bit closer. That would be easier to remember when moving to a new version.
>
> From what I read through configure is that when using --disable-urandom it reverts back to using just rand(). Since I did this, our servers have been running 14+ hours without a single hang and all the databases seem to have loaded with a second or two instead of multiple minutes.
>
> I'm hoping that this urandom problem is addressed in the future. I'm not exactly sure of what the problem is and why clamd hangs, disabling /dev/urandom should not be the fix, but rather the workaround.

Well, I went back and rebuilt clamd with --disable-urandom and that's exactly what it does. It comments out the define of C_URANDOM. I don't quite see how it does that yet, but that's not important. It makes clamd stable for me. I agree that not checking for errors in the read statement is incorrect, but the workaround does work.
Re: [Clamav-users] clamd hanging on SunOS 5.8
On Mar 18, 2004, at 14:03, Thomas Lamy wrote:

> turgut kalfaoglu schrieb:
>> Well, even after I disable urandom, which my system does not have anyway, I still have clamd hanging; eating up over 90% of the CPU, and doing nothing basically. I am trying daily builds, but it does not help. This sometimes happen after five minutes of runtime, but sometimes with just 2 minutes of runtime. help! -turgut
>
> any output from "truss -p " where is the process id of the cpu eating clamd ?

The problem with ktrace or truss is that you often are looking at library calls and they may look like similar calls in the source. That fooled me for quite a few days. The poll call was not the one in the clamd source. Spent a lot of time trying to figure out how a constant got changed to zero only when poll was called. Turned out the poll was in the read library. Walking through the code with gdb is more effective, but takes a lot more time and really disrupts the system performance.
Re: [Clamav-users] clamd hanging on SunOS 5.8
What I did is to be sure the build incorporates -g and then get it hung. Open it up with gdb and start stepping through the code to see where it is hanging. The hang I was was only about 6 instructions so it was easy to find that loop in the code.

On Mar 18, 2004, at 12:39, turgut kalfaoglu wrote:

> Well, even after I disable urandom, which my system does not have anyway, I still have clamd hanging; eating up over 90% of the CPU, and doing nothing basically. I am trying daily builds, but it does not help. This sometimes happen after five minutes of runtime, but sometimes with just 2 minutes of runtime. help! -turgut

-- Doug
Re: [Clamav-users] Troubles with recent clamav's
My quick look at the code behind --disable-urandom gave me the impression that it only disabled the test for urandom and forced clamd to use urandom. That's why I manually deleted the define. I guess I will have to look a bit closer. That would be easier to remember when moving to a new version.

On Mar 18, 2004, at 10:05, Robert Blayzor wrote:

> On 3/16/04 7:29 PM, "Doug Hardie" <[EMAIL PROTECTED]> wrote:
>> In case it might help someone else, the approach I used to find the problem was to use a test system and pass a large number of directories (The FreeBSD source code) to clamdscan and let it beat clamd up for about 5 minutes. Then I let it finish what it could and return to its "idle" state. At that point it was using all the available CPU time. I entered it via gdb and let it single step around awhile to find out where it really was and what was going on. Ktrace was not helpful as it kept showing a poll with a time period of 0. Apparently the poll is in the read code. A messy way to test, but it worked.
>
> Doug, in some limited testing here is what I've found so far:
>
> I did not have rndcontrol using any IRQ's, so I set that to use the IRQ's from two network cards and the hard drive controller. Upon doing that (rndcontrol -s 3 -s 5 -s 7) it seems as though the problem happens less, but still happens from time to time.
>
> By compiling clamd with "--disable-urandom", so far, clamd has not hung at all. While not optimal, clamd is stable at least.
>
> --
> Robert Blayzor, BOFH
> INOC, LLC
> [EMAIL PROTECTED]
> PGP: http://www.inoc.net/~dev/
> Key fingerprint = 1E02 DABE F989 BC03 3DF5 0E93 8D02 9D0B CB1A A7B0
> My computer NEVER cras

-- Doug
Re: [Clamav-users] Troubles with recent clamav's
Go into the clamav.h file and remove the definition for C_URANDOM. I just commented it out. Then make it again.

On Mar 18, 2004, at 08:52, Robert Blayzor wrote:

> On 3/16/04 7:29 PM, "Doug Hardie" <[EMAIL PROTECTED]> wrote:
>> The problem I encountered has now been identified and I have a working clamd that does not hang. I compiled it two different ways and both worked. The problem was /dev/urandom returning either a -1 or a 0. Either of those will cause others.c to hang as it does not test for that condition. One approach was to put in a trivial test for it and exit from the loop. The other was to remove the define for C_URANDOM in the .h file. Both of those approaches worked in my testing. Since I couldn't easily determine if the first would have some side effects if it didn't return enough random bits, I have gone with the second approach.
>>
>> My production server has been running for slightly over 6 hours now and no problems have been seen.
>>
>> In case it might help someone else, the approach I used to find the problem was to use a test system and pass a large number of directories (The FreeBSD source code) to clamdscan and let it beat clamd up for about 5 minutes. Then I let it finish what it could and return to its "idle" state. At that point it was using all the available CPU time. I entered it via gdb and let it single step around awhile to find out where it really was and what was going on. Ktrace was not helpful as it kept showing a poll with a time period of 0. Apparently the poll is in the read code. A messy way to test, but it worked.
>
> I'm having the problem you've been having on a FreeBSD 4.7 box. I'm willing to test your work around if you're willing to share it. I have some fairly high volume production clusters I'd like to put this on to beat it up.
>
> The problem I see usually is that clamd answers and processes clamdscan requests normally but what happens on random scans is that it gobbles up all the CPU resources, then eventually continues after several minutes. I usually notice the problem more whenever clamd seems to reload the database, but it also happens on a lot of text/mail file scanning.
>
> --
> Robert Blayzor, BOFH
> INOC, LLC
> [EMAIL PROTECTED]
> PGP: http://www.inoc.net/~dev/
> Key fingerprint = 1E02 DABE F989 BC03 3DF5 0E93 8D02 9D0B CB1A A7B0
> Portable: Survives system reboot.

-- Doug
Re: [Clamav-users] Troubles with recent clamav's
On Mar 16, 2004, at 11:48, Everton da Silva Marques wrote:

On Tue, Mar 16, 2004 at 03:36:40PM +0200, turgut kalfaoglu wrote:

I am running clamav under SunOS 5.8. Ever since version 0.67 (or so, I am not checking them regularly), I have been unable to leave ClamAV running. It does run, but after some minutes, it stops processing emails. It is still running, in fact, it uses up to 85% of the CPU(!), but no email goes thru. Did anyone else experience this problem?

Yes. I have posted a similar issue here:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg06462.html

Doug Hardie is tracking a similar issue:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg06907.html

The problem I encountered has now been identified and I have a working clamd that does not hang. I compiled it two different ways and both worked. The problem was /dev/urandom returning either a -1 or a 0. Either of those will cause others.c to hang as it does not test for that condition. One approach was to put in a trivial test for it and exit from the loop. The other was to remove the define for C_URANDOM in the .h file. Both of those approaches worked in my testing. Since I couldn't easily determine if the first would have some side effects if it didn't return enough random bits, I have gone with the second approach. My production server has been running for slightly over 6 hours now and no problems have been seen.

In case it might help someone else, the approach I used to find the problem was to use a test system and pass a large number of directories (The FreeBSD source code) to clamdscan and let it beat clamd up for about 5 minutes. Then I let it finish what it could and return to its "idle" state. At that point it was using all the available CPU time. I entered it via gdb and let it single step around awhile to find out where it really was and what was going on. Ktrace was not helpful as it kept showing a poll with a time period of 0. Apparently the poll is in the read code. A messy way to test, but it worked.
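The concern in the message above (leaving the read loop early may not yield enough random bits) goes away when the read helper reports failure instead of either spinning or handing back a partly filled buffer. The C code below is an added example, not code from the thread or from ClamAV's others.c; `read_full`, `random_below`, `demo_short_source`, the return codes and the retry bound are hypothetical names and values.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical return codes, kept distinct so a caller can log which
 * condition occurred (end of file versus a failing read). */
enum { RF_OK = 0, RF_EOF = -1, RF_ERR = -2 };
enum { MAX_EINTR_RETRIES = 16 };   /* assumed bound, not a ClamAV value */

/* Fill buf with exactly len bytes from fd, or fail.
 *  - short read (n > 0): keep the bytes and ask for the remainder
 *  - n == 0: end of file; retrying would return 0 forever, so stop
 *  - n < 0 with EINTR: a signal arrived first; retry a bounded number of times
 *  - any other error: report it
 * The caller never receives a partially filled buffer marked as success. */
int read_full(int fd, void *buf, size_t len)
{
    unsigned char *p = buf;
    size_t got = 0;
    int retries = 0;

    while (got < len) {
        ssize_t n = read(fd, p + got, len - got);
        if (n > 0) {
            got += (size_t)n;
            retries = 0;
        } else if (n == 0) {
            return RF_EOF;
        } else if (errno != EINTR || ++retries > MAX_EINTR_RETRIES) {
            return RF_ERR;
        }
    }
    return RF_OK;
}

/* Store a value in [0, max) read from the device at dev.
 * On failure *out is left untouched and the caller chooses the fallback
 * (another source, or refusing to continue). The modulo introduces a small
 * bias, which is ignored here. */
int random_below(const char *dev, unsigned int max, unsigned int *out)
{
    unsigned int v;
    int fd, rc;

    if (max == 0 || (fd = open(dev, O_RDONLY)) < 0)
        return RF_ERR;
    rc = read_full(fd, &v, sizeof v);
    close(fd);
    if (rc == RF_OK)
        *out = v % max;
    return rc;
}

/* Constructed condition: a pipe holding `avail` bytes whose writer has
 * closed, standing in for a source that stops delivering data. Returns
 * what read_full reports when asked for `want` bytes. */
int demo_short_source(size_t avail, size_t want)
{
    unsigned char src[64] = {0}, dst[64];
    int fds[2], rc;

    if (avail > sizeof src || want > sizeof dst || pipe(fds) != 0)
        return RF_ERR;
    if (avail > 0 && write(fds[1], src, avail) != (ssize_t)avail) {
        close(fds[0]);
        close(fds[1]);
        return RF_ERR;
    }
    close(fds[1]);                  /* reader sees EOF after `avail` bytes */
    rc = read_full(fds[0], dst, want);
    close(fds[0]);
    return rc;
}

int main(void)
{
    unsigned int v = 0;
    int rc = random_below("/dev/urandom", 1000, &v);

    if (rc == RF_OK)
        printf("random value below 1000: %u\n", v);
    else
        fprintf(stderr, "random source failed (code %d)\n", rc);
    printf("8 bytes wanted, 3 available: code %d\n", demo_short_source(3, 8));
    return 0;
}
```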
Re: [Clamav-users] Problems with clamd
On Mar 15, 2004, at 18:44, Doug Hardie wrote:

On Mar 8, 2004, at 13:18, Doug Hardie wrote:

After a review of clamd/session.c and the developers forum archives I know what the cause of my problem is, but not necessarily why. The version that works (clamd / ClamAV version devel-20040209', clamav-milter version '0.66m) does not use either poll or select. At least neither is called directly. All of the later versions use select and they fail - when calling poll. So I suspect that on my system select is calling poll. However, the time field is getting set to zero when the source code clearly indicates that it should be non-zero. The time field is reset to a constant after each select call. Recompiling with no optimization does not change the outcome so it's not likely to be an overlay either. I am guessing that having quite a number of threads active may be too much for select which may be getting them confused. However, that's a wild guess. I have no idea how to check that out. Granted I am only working with one OS type/version, but it appears to me that neither the poll or select is required. The accept seems to handle the situation fine by itself.

The above should have included both session.c and scanner.c.

I have been playing with .70rc and have finally found a way to create the problems above on a test system. It's bizarre, but what I do is feed all the source to FreeBSD to clamdscan and wait until top shows virtually no idle time. Stopping the feed leaves clamd running and eating up all the processor. Then I can run gdb on it. It shows some (but not all) of the threads are hung around line 282 of cl_rndnum in others.c. It is trying to read /dev/urandom and appears to be getting back zero bytes (or possibly a -1) and just sits in that loop forever. I can't imagine why urandom is failing as it doesn't seem to fail in any other application. Unfortunately, I was not able on the first try to figure out how to print out bread. gdb kept saying it didn't exist. I am tempted to insert the statement:

    if (bread <= 0) break;

after the read statement but don't know what side effects that might cause. I'll probably give it a try and see what breaks.

With that change clamd withstood the barrage of source thrown at it and returned eventually to zero CPU utilization. If it would be of any help/interest I could put some form of logging in that check and see what the return was.
Re: [Clamav-users] Problems with clamd
On Mar 8, 2004, at 13:18, Doug Hardie wrote:

After a review of clamd/session.c and the developers forum archives I know what the cause of my problem is, but not necessarily why. The version that works (clamd / ClamAV version devel-20040209', clamav-milter version '0.66m) does not use either poll or select. At least neither is called directly. All of the later versions use select and they fail - when calling poll. So I suspect that on my system select is calling poll. However, the time field is getting set to zero when the source code clearly indicates that it should be non-zero. The time field is reset to a constant after each select call. Recompiling with no optimization does not change the outcome so it's not likely to be an overlay either. I am guessing that having quite a number of threads active may be too much for select which may be getting them confused. However, that's a wild guess. I have no idea how to check that out. Granted I am only working with one OS type/version, but it appears to me that neither the poll or select is required. The accept seems to handle the situation fine by itself.

The above should have included both session.c and scanner.c.

I have been playing with .70rc and have finally found a way to create the problems above on a test system. It's bizarre, but what I do is feed all the source to FreeBSD to clamdscan and wait until top shows virtually no idle time. Stopping the feed leaves clamd running and eating up all the processor. Then I can run gdb on it. It shows some (but not all) of the threads are hung around line 282 of cl_rndnum in others.c. It is trying to read /dev/urandom and appears to be getting back zero bytes (or possibly a -1) and just sits in that loop forever. I can't imagine why urandom is failing as it doesn't seem to fail in any other application. Unfortunately, I was not able on the first try to figure out how to print out bread. gdb kept saying it didn't exist. I am tempted to insert the statement:

    if (bread <= 0) break;

after the read statement but don't know what side effects that might cause. I'll probably give it a try and see what breaks.
Re: [Clamav-users] usefulness of complaining to abuse@whatever.com for Netsky/Bagle
On Mar 14, 2004, at 11:57, jef moskot wrote:

It looks like you get the proper IP of the offending machine firing off these worms in the header (even though everything else is forged). Is there any point in telling [EMAIL PROTECTED] that one of their DSL customers is spamming the Internet with noxious messages?

Anyone have any experience regarding these warnings being responded to properly? I know you can often get educational and small business sys admins to take care of the problem (and often they're thankful of the warning), but I wonder if it's worth the effort to notify the big guys.

It all depends on the person first receiving the notice at giantISP.com. If they feel they have to go to management, forget it. You will never get anything accomplished except for a string of denials that it came from their users. However, there are occasions where it gets seen by someone who knows what they are doing and takes care of the situation.
Re: [Clamav-users] Problems with clamd
After a review of clamd/session.c and the developers forum archives I know what the cause of my problem is, but not necessarily why. The version that works (clamd / ClamAV version devel-20040209', clamav-milter version '0.66m) does not use either poll or select. At least neither is called directly. All of the later versions use select and they fail - when calling poll. So I suspect that on my system select is calling poll. However, the time field is getting set to zero when the source code clearly indicates that it should be non-zero. The time field is reset to a constant after each select call. Recompiling with no optimization does not change the outcome so it's not likely to be an overlay either. I am guessing that having quite a number of threads active may be too much for select which may be getting them confused. However, that's a wild guess. I have no idea how to check that out. Granted I am only working with one OS type/version, but it appears to me that neither the poll or select is required. The accept seems to handle the situation fine by itself.

The above should have included both session.c and scanner.c.
Re: [Clamav-users] Problems with clamd
On Mar 5, 2004, at 15:26, Doug Hardie wrote:

On Mar 5, 2004, at 02:41, Trog wrote:

On Fri, 2004-03-05 at 01:15, Doug Hardie wrote:

I just uncommented the thread timeout the last time I restarted clamd a couple minutes ago so I don't know what effect that will have.

ThreadTimeout isn't used in the current CVS version.

Here is some more information: After running with the timeout set to 500, clamd no longer dies. It chugs along for quite awhile (about 10 minutes) at full cpu usage and then returns to normal use. I don't see anything different in the load between the periods. However a ktrace of clamd shows a significant difference. Normally clamd shows nothing much when idle and it shows the messages being received (read) when processing a message. However, when it's running at full cpu utilization, ktrace shows thousands of sequences like:

    8313 clamd PSIG SIGPROF caught handler=0x28116228 mask=0x0 code=0x0
    8313 clamd CALL gettimeofday(0x2815fe4c,0)
    8313 clamd RET gettimeofday 0
    8313 clamd CALL sigprocmask(0x3,0x2815fed8,0)
    8313 clamd RET sigprocmask 0
    8313 clamd CALL sigaltstack(0x2817c000,0)
    8313 clamd RET sigaltstack 0
    8313 clamd CALL poll(0x806f000,0x1,0)
    8313 clamd RET poll 0
    8313 clamd CALL sigreturn(0x808ac64)
    8313 clamd RET sigreturn JUSTRETURN

and then there will be one message processed and then back to a few more thousand of those sequences.

This looks entirely broken. Your trace indicates that the last argument to poll (the timeout) is zero. The code looked like this

    count = poll(poll_data, 1, CL_DEFAULT_SCANTIMEOUT*1000);

i.e. the timeout *can't* be zero unless you changed the value of CL_DEFAULT_SCANTIMEOUT or your system is fundamentally broken. unless your system is using poll to spin somewhere.

-trog

That was my thought also. I don't know why it's zero. When clamd is only using about 2% of the cpu, the number is on the order of 5 to 10 seconds. However, something is very unusual here. The line of code above is not in the version I am using. I am using the snapshot from the morning of 4 Mar.

After a review of clamd/session.c and the developers forum archives I know what the cause of my problem is, but not necessarily why. The version that works (clamd / ClamAV version devel-20040209', clamav-milter version '0.66m) does not use either poll or select. At least neither is called directly. All of the later versions use select and they fail - when calling poll. So I suspect that on my system select is calling poll. However, the time field is getting set to zero when the source code clearly indicates that it should be non-zero. The time field is reset to a constant after each select call. Recompiling with no optimization does not change the outcome so it's not likely to be an overlay either. I am guessing that having quite a number of threads active may be too much for select which may be getting them confused. However, that's a wild guess. I have no idea how to check that out. Granted I am only working with one OS type/version, but it appears to me that neither the poll or select is required. The accept seems to handle the situation fine by itself.
Re: [Clamav-users] ScanMail destabilizing clamd?
On Mar 5, 2004, at 11:54, Everton da Silva Marques wrote:

Hi,

I'm testing clamd from CVS as of 2004-03-04 under Solaris 7 on Sparc with the following basic config:

    # clamav.conf
    LogFile /var/adm/clamav/clamd.log
    LogFileMaxSize 10M
    LogTime
    PidFile /var/adm/clamav/clamd.pid
    TCPSocket 3310
    TCPAddr 127.0.0.1
    StreamSaveToDisk
    StreamMaxLength 30M
    MaxThreads 10
    MaxDirectoryRecursion 15
    User clamav
    AllowSupplementaryGroups
    ScanOLE2
    #ScanMail
    ScanArchive
    ArchiveMaxFileSize 30M
    ArchiveMaxRecursion 5
    ArchiveMaxFiles 1000
    ArchiveMaxCompressionRatio 200
    ArchiveDetectEncrypted

clamd seems pretty stable, unless the ScanMail option is enabled. If I turn ScanMail on, clamd eventually goes wild and consumes huge amounts of CPU cycles indefinitely. My current fix is to restart clamd.

Is ScanMail known to be unstable? I'm searching for similar experiences. Please share your thoughts.

I have gone back to devel-20040209 which does not have that problem. Something was changed shortly after that snapshot that causes the problem. I have tried a number of versions since then and all lock up the cpu. I am putting in a bit of time to try and find the specific change that causes it but haven't succeeded so far.
Re: [Clamav-users] Problems with clamd
On Mar 5, 2004, at 02:41, Trog wrote:

On Fri, 2004-03-05 at 01:15, Doug Hardie wrote:

I just uncommented the thread timeout the last time I restarted clamd a couple minutes ago so I don't know what effect that will have.

ThreadTimeout isn't used in the current CVS version.

Here is some more information: After running with the timeout set to 500, clamd no longer dies. It chugs along for quite awhile (about 10 minutes) at full cpu usage and then returns to normal use. I don't see anything different in the load between the periods. However a ktrace of clamd shows a significant difference. Normally clamd shows nothing much when idle and it shows the messages being received (read) when processing a message. However, when it's running at full cpu utilization, ktrace shows thousands of sequences like:

    8313 clamd PSIG SIGPROF caught handler=0x28116228 mask=0x0 code=0x0
    8313 clamd CALL gettimeofday(0x2815fe4c,0)
    8313 clamd RET gettimeofday 0
    8313 clamd CALL sigprocmask(0x3,0x2815fed8,0)
    8313 clamd RET sigprocmask 0
    8313 clamd CALL sigaltstack(0x2817c000,0)
    8313 clamd RET sigaltstack 0
    8313 clamd CALL poll(0x806f000,0x1,0)
    8313 clamd RET poll 0
    8313 clamd CALL sigreturn(0x808ac64)
    8313 clamd RET sigreturn JUSTRETURN

and then there will be one message processed and then back to a few more thousand of those sequences.

This looks entirely broken. Your trace indicates that the last argument to poll (the timeout) is zero. The code looked like this

    count = poll(poll_data, 1, CL_DEFAULT_SCANTIMEOUT*1000);

i.e. the timeout *can't* be zero unless you changed the value of CL_DEFAULT_SCANTIMEOUT or your system is fundamentally broken. unless your system is using poll to spin somewhere.

-trog

That was my thought also. I don't know why it's zero. When clamd is only using about 2% of the cpu, the number is on the order of 5 to 10 seconds. However, something is very unusual here. The line of code above is not in the version I am using. I am using the snapshot from the morning of 4 Mar.
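The pattern read off the trace in the message above (a poll call whose timeout argument is 0 and which returns 0) can be counted mechanically over kdump output rather than by eye. The C code below is an added example, not code from the thread or from ClamAV; the function names, the majority threshold and the sample records (the sequence quoted above, abridged, plus one constructed blocking poll) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in kdump's "pid command TYPE detail" layout: the
 * zero-timeout sequence from the thread twice (abridged), then one
 * constructed poll with a 5 s timeout (0x1388 ms) that finds a ready fd. */
static const char *const SAMPLE_TRACE[] = {
    "8313 clamd PSIG SIGPROF caught handler=0x28116228 mask=0x0 code=0x0",
    "8313 clamd CALL gettimeofday(0x2815fe4c,0)",
    "8313 clamd RET gettimeofday 0",
    "8313 clamd CALL poll(0x806f000,0x1,0)",
    "8313 clamd RET poll 0",
    "8313 clamd CALL sigreturn(0x808ac64)",
    "8313 clamd RET sigreturn JUSTRETURN",
    "8313 clamd PSIG SIGPROF caught handler=0x28116228 mask=0x0 code=0x0",
    "8313 clamd CALL poll(0x806f000,0x1,0)",
    "8313 clamd RET poll 0",
    "8313 clamd CALL sigreturn(0x808ac64)",
    "8313 clamd RET sigreturn JUSTRETURN",
    "8313 clamd CALL poll(0x806f000,0x1,0x1388)",
    "8313 clamd RET poll 1",
};
#define SAMPLE_LINES (sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0])

struct poll_stats {
    unsigned polls;      /* CALL poll records seen */
    unsigned zero_wait;  /* of those, timeout argument was 0 */
    unsigned zero_idle;  /* of those, the matching RET poll was also 0 */
};

/* Walk the records in order, pairing each CALL poll with the next RET poll.
 * Assumes a single traced thread of control, as in the sample. */
void scan_trace(const char *const *lines, size_t n, struct poll_stats *st)
{
    size_t i;
    int zero_pending = 0;   /* last CALL poll had timeout 0, RET not seen yet */

    memset(st, 0, sizeof *st);
    for (i = 0; i < n; i++) {
        int pid;
        char cmd[32], type[8], detail[256];
        unsigned long fds, nfds;
        long timeout, rv;

        if (sscanf(lines[i], "%d %31s %7s %255[^\n]",
                   &pid, cmd, type, detail) != 4)
            continue;                       /* not a record we understand */

        if (strcmp(type, "CALL") == 0) {
            if (sscanf(detail, "poll(%lx,%lx,%li", &fds, &nfds, &timeout) != 3)
                continue;                   /* some other system call */
            st->polls++;
            zero_pending = (timeout == 0);
            if (zero_pending)
                st->zero_wait++;
        } else if (strcmp(type, "RET") == 0) {
            if (sscanf(detail, "poll %li", &rv) != 1)
                continue;                   /* return of some other call */
            if (zero_pending && rv == 0)
                st->zero_idle++;            /* returned at once, nothing ready */
            zero_pending = 0;
        }
    }
}

/* Assumed heuristic: more than half of all polls returned immediately with
 * nothing to do, so the process is spinning rather than waiting. */
int looks_like_spin(const struct poll_stats *st)
{
    return st->polls > 0 && st->zero_idle * 2 > st->polls;
}

int main(void)
{
    struct poll_stats st;

    scan_trace(SAMPLE_TRACE, SAMPLE_LINES, &st);
    printf("polls=%u zero-timeout=%u zero-timeout-and-idle=%u spin=%d\n",
           st.polls, st.zero_wait, st.zero_idle, looks_like_spin(&st));
    return 0;
}
```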
Re: [Clamav-users] Problems with clamd
On Mar 4, 2004, at 15:02, Doug Hardie wrote:

I am trying to use clamav to scan mail on a production mail server that has fairly high volume of mail and quite a large volume of viruses being received. The only version of clamd I can run for any duration is clamav-devel-20040209. That version runs for 4 to 5 days on my production mail server before dying. Everything since then can't last over an hour. I am trying clamav-devel-20040304 right now and it has managed to last an hour twice and 44 minutes once.

What happens is that clamd runs using less than 3% of the cpu until it nears the end. Then it takes over all the available cpu running idle to zero. It continues to function this way for a couple minutes and then quits responding at all to clamav-milter. Then it goes away quietly. The only messages associated with it are notes from sendmail that it is unable to malloc more memory. I have submitted debug logs etc. but heard nothing back.

One possibility is that this is a thread issue. Perhaps the clamav.conf settings are not optimal for this volume. However, I don't see any way to determine the thread usage. If it used processes the standard unix tools would let me see what is going on. I don't see anything similar for threads. The appropriate entries are:

    StreamSaveToDisk
    StreamMaxLength 5M
    MaxThreads 200
    #ThreadTimeout 500

I just uncommented the thread timeout the last time I restarted clamd a couple minutes ago so I don't know what effect that will have.

Running on FreeBSD 4.6 with sendmail
clamd / ClamAV version devel-20040304, clamav-milter version 0.67j

I really don't want to have to go back to the old version as the volume of encrypted zip files is quite large.

Here is some more information: After running with the timeout set to 500, clamd no longer dies. It chugs along for quite awhile (about 10 minutes) at full cpu usage and then returns to normal use. I don't see anything different in the load between the periods. However a ktrace of clamd shows a significant difference. Normally clamd shows nothing much when idle and it shows the messages being received (read) when processing a message. However, when it's running at full cpu utilization, ktrace shows thousands of sequences like:

    8313 clamd PSIG SIGPROF caught handler=0x28116228 mask=0x0 code=0x0
    8313 clamd CALL gettimeofday(0x2815fe4c,0)
    8313 clamd RET gettimeofday 0
    8313 clamd CALL sigprocmask(0x3,0x2815fed8,0)
    8313 clamd RET sigprocmask 0
    8313 clamd CALL sigaltstack(0x2817c000,0)
    8313 clamd RET sigaltstack 0
    8313 clamd CALL poll(0x806f000,0x1,0)
    8313 clamd RET poll 0
    8313 clamd CALL sigreturn(0x808ac64)
    8313 clamd RET sigreturn JUSTRETURN

and then there will be one message processed and then back to a few more thousand of those sequences.
[Clamav-users] Problems with clamd
I am trying to use clamav to scan mail on a production mail server that has fairly high volume of mail and quite a large volume of viruses being received. The only version of clamd I can run for any duration is clamav-devel-20040209. That version runs for 4 to 5 days on my production mail server before dying. Everything since then can't last over an hour. I am trying clamav-devel-20040304 right now and it has managed to last an hour twice and 44 minutes once.

What happens is that clamd runs using less than 3% of the cpu until it nears the end. Then it takes over all the available cpu running idle to zero. It continues to function this way for a couple minutes and then quits responding at all to clamav-milter. Then it goes away quietly. The only messages associated with it are notes from sendmail that it is unable to malloc more memory. I have submitted debug logs etc. but heard nothing back.

One possibility is that this is a thread issue. Perhaps the clamav.conf settings are not optimal for this volume. However, I don't see any way to determine the thread usage. If it used processes the standard unix tools would let me see what is going on. I don't see anything similar for threads. The appropriate entries are:

    StreamSaveToDisk
    StreamMaxLength 5M
    MaxThreads 200
    #ThreadTimeout 500

I just uncommented the thread timeout the last time I restarted clamd a couple minutes ago so I don't know what effect that will have.

Running on FreeBSD 4.6 with sendmail
clamd / ClamAV version devel-20040304, clamav-milter version 0.67j

I really don't want to have to go back to the old version as the volume of encrypted zip files is quite large.
[Clamav-users] TCP Wrapper Support in clamav-milter
I am trying to get clamd / ClamAV version devel-20040221, clamav-milter version 0.67g working. There have been some changes in TCP Wrapper support that leave me a bit confused. smfi_getsymval is called to get {if_name}. Where is that set? The messages in syslog indicate that it's not set. By adding unkinown to 127.0.0.1 in the hosts file it works fine, but I don't believe that was the intended approach. If nothing else it generates an error message about {if_name} for every message processed.
Re: [Clamav-users] Error Message
On Feb 16, 2004, at 01:52, Andy Fiddaman wrote:

On Mon, 16 Feb 2004, Nigel Horne wrote:

; On Monday 16 Feb 2004 4:37 am, Doug Hardie wrote:
;
; > Feb 15 19:14:18 <1.4> zoon clamav-milter: ClamAv: private data not NULL
; > What does the message mean and is
; > there a configuration parameter I need to alter to avoid it?
;
; This sounds like an error thrown by sendmail even though sendmail makes it
; look like it came from clamav. Check your sendmail.mc file is correct.

This is a message from libmilter which means that the milter returned from cb_eom or that the milter context session terminated in some other way but that the context private data was not NULL - so it's a problem in the milter somewhere - probably just a condition where clamfi_cleanup isn't called. The warning is just to let you know that there's a memory leak.

Thanks. I found the message in libmilter. I suspect this may be the reason that I periodically run out of memory. Occasionally sendmail completely loses all ability to function and I get a large string of out of memory errors from it (malloc unable to allocate). I have to restart sendmail, clamd, and clamav-milter to get things going again.

(While I'm looking, there are also a few places where memory can leak in clamfi_envfrom. It mallocs the private data structure then can return without freeing it or assigning it to the session context, so it will never be cleaned up. It just needs a few free(privdata) calls before the 'return cl_error' lines.)

Andy

-- Doug
Re: [Clamav-users] Error Message
On Feb 16, 2004, at 00:34, Nigel Horne wrote:

On Monday 16 Feb 2004 4:37 am, Doug Hardie wrote:

Feb 15 19:14:18 <1.4> zoon clamav-milter: ClamAv: private data not NULL

What does the message mean and is there a configuration parameter I need to alter to avoid it?

This sounds like an error thrown by sendmail even though sendmail makes it look like it came from clamav. Check your sendmail.mc file is correct.

What operating system is this?

FreeBSD 4.6

What arguments are you using to call clamav-milter?

/usr/local/sbin/clamav-milter -f -q --quarantine-dir=/var/clamav

Is clamd still running? (run ps -e | fgrep clamav, or ps -a | fgrep clamav according to your operating system).

Yes it continues to run, however, after a few of those messages it quits scanning new messages and I start getting timeout messages.

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk

-- Doug
[Clamav-users] Error Message
I am occasionally receiving a number of the following entries in /var/log/messages:

    Feb 15 19:14:18 <1.4> zoon clamav-milter: ClamAv: private data not NULL

Shortly after they start, some threads start returning an error to sendmail. Some time after that all the threads are returning an error. I can't find this message in either clamav-milter or in clamd unless it is from one of the assert statements. What does the message mean and is there a configuration parameter I need to alter to avoid it?

ClamAV version 'clamd / ClamAV version devel-20040209', clamav-milter version '0.66m'
[Clamav-users] ClamAV versions
I have been running with devel-20040209 for a week or so since 0.65 didn't meet my needs. The development version does. However, 0.66 has now been released. Is it based on 0.65 or the development branch?
Re: [Clamav-users] Postmaster Notifications
On Feb 10, 2004, at 02:20, Nigel Horne wrote:

On Tuesday 10 Feb 2004 8:30 am, Doug Hardie wrote:

However, things have changed. As best as I can tell the equivalent should be clamav-milter -f -q local:/var/run/virus.sock but that still sends mail to postmaster for each virus found.

-q does stop messages being generated by the milter to postmaster et al. Please post a sample of the mails you are seeing.

I have found the cause of the notification to postmaster. It's not clamav. Ever since sendmail got split into 2 separate processes the maillog entries have been difficult to properly parse. After much review of the logs, I find it is the user level sendmail that is generating the notification to postmaster. Somehow I managed to get the entries confused yesterday.
[Clamav-users] Saved virus files
Running clamav-devel-20040209. At first I found it left a lot of files remaining with no entries in the file structures. However, previous messages here identified the issue and I switched to using quarantine-dir to give them a home. However, at this time the number of viruses being blocked is quite large. That directory is growing quite large with known viruses/worms for which it would be most unhelpful to report. So, I have no use for those files. Is there a configuration option to cause those to be deleted rather than saved? Since the files currently being collected to be scanned are there also I can't just delete everything. After they are a day old I can easily delete them but that will be a lot of files to hold on to.
Re: [Clamav-users] Postmaster Notifications
On Feb 10, 2004, at 05:47, Nigel Horne wrote:
>> I am running clamav-milter from clamav-devel-20040209 and trying to get it to not send mail to postmaster when it finds a virus. With version 0.65 I used clamav-milter -ol local:/var/run/virus.sock and it worked properly.
>
> What version are you running now (clamav-milter --version)?
>
> -Nigel

clamav-devel-20040209
[Clamav-users] Re: Postmaster Notifications
In article <[EMAIL PROTECTED]>, Doug Hardie <[EMAIL PROTECTED]> wrote:
> I am running clamav-milter from clamav-devel-20040209 and trying to get it to not send mail to postmaster when it finds a virus. With version 0.65 I used clamav-milter -ol local:/var/run/virus.sock and it worked properly. However, things have changed. As best as I can tell the equivalent should be clamav-milter -f -q local:/var/run/virus.sock but that still sends mail to postmaster for each virus found. What am I doing wrong?

I have narrowed down the issue such that mail sent from the mail server host itself when it has a virus will send mail to postmaster with the above configuration. However, mail from client machines does not.
[Clamav-users] Postmaster Notifications
I am running clamav-milter from clamav-devel-20040209 and trying to get it to not send mail to postmaster when it finds a virus. With version 0.65 I used clamav-milter -ol local:/var/run/virus.sock and it worked properly. However, things have changed. As best as I can tell the equivalent should be clamav-milter -f -q local:/var/run/virus.sock but that still sends mail to postmaster for each virus found. What am I doing wrong?