Re: [clamav-users] FW: APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001

[Rick Pim]

 > > I can't think of any reason you couldn't just download and compile the
 > > source from  and install all the files for v1.0.6.

i can't speak for MacOS, but that procedure worked for me with
solaris 10 and failed for solaris 9. i waited for the vendor
patches.

rp
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Re: [Clamav-users] 0.95.3 under solaris 5.10

[Rick Pim]

Török Edwin writes:
 > This patch might be needed:
 > http://wiki.clamav.net/pub/Main/UpgradeNotes0953/patch-0.95.3-bug1737.diff

i couldn't get it to apply using the default vendor-supplied
tools -- hence the request for a hint or a patched source kit.

rp

rick pim   r...@post.queensu.ca
information technology services  (613) 533-2242
queen's university, kingston   
---
"Nine million terrorists in the world, and I gotta kill one with feet
smaller'n my sister."
-- Die Hard
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

[Clamav-users] 0.95.3 under solaris 5.10

[Rick Pim]

i took a stab at compiling 0.95.3 on solaris 5.10 yesterday with the
vendor-supplied gcc (3.4.3, compiled 0.95.1 just fine) and it failed,
messily. before i dump stuff on the list:
 
 - is this a known issue?
 - is the patch mentioned on the website (it mentions fedora and freebsd)
   relevant for addressing this?
 - if so, i couldn't get the default solaris tools to apply it. does anyone
   have a hint or a patched source kit somewhere?

rp

rick pim   r...@post.queensu.ca
information technology services  (613) 533-2242
queen's university, kingston   
---
"`When Alexander saw the breadth of his domain, he wept, for there were
no more worlds to conquer.' ...Benefits of a classical education."
-- Alan Rickman in Die Hard
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Re: [Clamav-users] simplest replacement for ancient amavis-perl

[rick pim]

Charles Gregory writes:
 > but at
 > least please tell me there isn't a 'big' company out there that is failing
 > to handle 4xx codes properly (holding breath)

does IBM count?

their canadian arm was a problem for a while and i had to whitelist
their outgoing MTA. this has since been fixed, but stuff like this
pops up from time to time, usually for 'small' companies but
occasionally for large. currently, the only thing in my
graylisting whitelist file is (shudder) facebook. (don't get me
started about them...)

it's not (IMHO) enough of an issue to avoid using graylisting. just
be aware that it IS an issue from time to time, and the occasional
Big Player might well be involved.

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"Better watch out, Carrot, or you're going to wind up as a Saturday 
morning cartoon character, just like Mr. T!"
"Alright! That did it!"
-- Flaming Carrot
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Re: [Clamav-users] simplest replacement for ancient amavis-perl

[rick pim]

Ian Eiloart writes:
 > --On 8 August 2008 13:06:00 -0400 rick pim <[EMAIL PROTECTED]> wrote:
 > > in practice, one of the
 > > prime advantages of greylisting -- the fact that it will never
 > > block 'real' mail -- turns out, um, not to be true. there are so many
 > > standards-noncompliant MTAs out there that greylisting does block
 > > real mail. (this is one of the things that makes me crazy.)
 > 
 > If it's not standards compliant, it's not an MTA. RFC2821 defines the 
 > behaviour of an MTA, and anything that breaks the standard can't expect to 
 > deliver email. That's our policy here.

you're preaching to the choir. unfortunately, some of the offenders
are high profile, fortune-500 companies. if l'il 'ol me gets told
"professor smith can't get mail from BloatedMegaCorp because you're
blocking it", it doesn't MATTER if they're standards-noncompliant, it
doesn't MATTER if they're not real MTAs -- i have to find a way for
professor smith to get his email.

(aside: there are many, many such examples.)

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"There's too many people here!  Maybe we should kill some!"
-- Flaming Carrot
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Re: [Clamav-users] simplest replacement for ancient amavis-perl

[rick pim]

On Fri, 8 Aug 2008, Charles Gregory wrote:
> Well, first of all, yes it IS. It's *everyone's* problem. That forged
> address could be on *your* server, and *you* get the backscatter from some
> other victim system that also "doesn't care what the ISP does with it"...

what he said: we have two accounts/addresses that get, between them,
about 200,000 bounces a day; this has been going on for something more
than 8 months.

(that said, there's something to be said for bouncing mail: one of our 
vendors is occasionally silently blocking my email to them. clearly
SOMETHING about my messages are triggering their spam filters. it sure
would be nice if i got the bounces for those)


rp

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Re: [Clamav-users] simplest replacement for ancient amavis-perl

[rick pim]

Gerard writes:
 > Employing 'greylisting' would vastly improve the chances of eliminating
 > the acceptance of SPAM at the MTA level.

it certainly does. unfortunately, in practice, one of the
prime advantages of greylisting -- the fact that it will never
block 'real' mail -- turns out, um, not to be true. there are so many
standards-noncompliant MTAs out there that greylisting does block
real mail. (this is one of the things that makes me crazy.)

(we still use it, of course.)

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"You call this a *trial*?!  This is nothing but a *kangaroo* *court* 
without the hoppy, furry guy!"
--  The Flash (TV)
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Re: [Clamav-users] simplest replacement for ancient amavis-perl

[rick pim]

David F. Skoll writes:
 > [EMAIL PROTECTED] wrote:

i'm far from an expert but at some level i believe that you're both
right. the real question boils down (i think) to "who is trying to deliver
this piece of unwanted email?"

if it's a Real MTA, then kicking back a 550 will -- probably -- have the
MTA trying to return the message to the "sender". there will probably
be backscatter.

if it's NOT a real MTA -- if it's a spam proxy or a virus trying to send
the message -- then kicking back a 550 will -- probably -- have the message
dropped on the floor. there will probably not be backscatter.

so i think you're both right, more or less.

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"Hmm hmm hmmm Reality stinks. That's why I try to improve on it 
whenever I can."
-- The Flash (TV)
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Re: [Clamav-users] Memory usage for clamd is huge

[rick pim]

Dennis Peterson writes:
 > But we know from the volumes of spam and viruses now approaching 
 > if not exeeding 90% that you are the exception, not the norm.


spam yes, viruses. not so much. our experience has been that
email-borne viruses are way, way down: yesterday's logs from one of
our mail gateways said there were about 15 viruses caught in something
more than half-a-million email messages.

phishing is up, of course, but viruses (i'm one of those folks that
mentally files phishing under 'spam') are way down. 

rp
rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"How many men you got 'ere, Colonel?"
"Oh, 7,000 infantry, 600 artillery, and 2 divisions of paratroops."
"Paratroops, Dino!"  "It'd be a shame of someone was to set fire to dem."
"Set fire to them?!"
"Fire's 'appen, Colonel."  "Fings's burn..."

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] Phishing feature defaults, naming, and 0.92

[rick pim]

David F. Skoll writes:
 > But you are missing the point.  The problem is not the configfiles.  Anyone
 > can easily edit a config file.
 > 
 > The problem is that new behaviour suddenly appears when using an *old*
 > configfile.  It's the hard-coded defaults in the source that are the problem.

i'm probably going to get my tuchis flamed off here, but

this is pre-version-1.0 software: it's a beta. who on earth upgrades
from one beta to another and uses the same configfile???

i'm not claiming that my upgrade procedure is ideal but at the very
least i do a line-by-line comparison of my existing configfile
with the template that comes with the newer version. i expect to have
to do that (or something like it) whenever fiddling with new versions
of stuff under active development.

when clam hits v1.0, i know my expectations will go up somewhat. but
until then, as long as the new template contains enough of an
explanation that i can tell "here be dragons", i'm happy.

 > As I said before, as a general principle, new behaviour should not suddenly
 > appear.  It should have to be explicitly turned on.

post v1.0 i'd agree with you. this is beta software. expect surprises.

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"If it can't be done in VMS it isn't worth doing."
-- Harvey Brydon
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] Vote for ClamAV as the best anti-malware solut ion

[rick pim]

On Fri, 26 Oct 2007, Dennis Peterson wrote:
> There needs to be a generic end user that everyone can use on line. A "Jane 
> Doe" kind
> of non-person. The equivalent of http://Example.com/ but which sounds less 
> offensive
> than "anonymous coward".

it's kind of a crap shoot, but www.bugmenot.com is occasionally
useful.

rp

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

[Clamav-users] meaning of a particular error message

[rick pim]

solaris 5.10, clamav 0.91.2, sparc 420r, sendmail 8.14.1

from time to time, i get the following message on the console:

# Sep 26 11:43:29 plait sendmail[17149]: l8QFhTPu017149: Milter (clamav): error 
connecting to filter: Connection refused by /var/clamav/clmilter.sock

which i assume is something running out of some resource. i've fiddled
around and i'm still not certain what it is that it wants more of.
what does this error signify and what's the optimal way to 
make it go away?

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"You know what I wish?  I wish all the scum of the Earth had one throat
and I had my hands about it."

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] performance on solaris (was: Major Problem with Clamd Startup)

[rick pim]

Trog writes:
 > You've taken note of the recent postings on trouble with the standard
 > Solaris regex library? And how to switch to using PCRE, which solves the
 > problem.

i have. i got this box mostly finished back in early august and then
took off on holidays before putting it into production.  (i mean, i'm
insane, but not insane enough to drop something new into production
and then leave for the better part of a month.)  the latest pcre
thread was in the backlog of things i filtered through on returning.

so: i have three alternatives. in more or less the order of increasing
amount of work:

 - turn off PhishingScanURLs

 - write a script to restart clam once or twice a day

 - download, compile & install pcre. (don't want to use a precompiled
   one from, say, sunfreeware because of version mismatch worries.)
   then edit source code & ancillary clam files and rebuild

i'm _tempted_ to take door #1 or door #2 pending word from the clam
team or sourcefire or SOMEONE as to what ClamTNG will suggest/support.

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"Nine million terrorists in the world, and I gotta kill one with feet
smaller'n my sister."
-- Die Hard
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

[Clamav-users] performance on solaris (was: Major Problem with Clamd Startup)

[rick pim]

Rob MacGregor writes:
 > Maybe you meant to include some actual technical details, like O/S,
 > version of clamav installed etc (and possibly why you restart sendmail
 > and clamd daily)?

it wasn't me that reported it, but i'm on the verge of doing the
same thing. here's why:

environment: solaris 5.10, sparc 420R (4x450MHz CPU, 4 GB RAM), 
  sendmail 8.14.1, clamav 0.91.2.

clam was compiled with the stock (ie installed with the OS) solaris
5.10 gcc (3.4.3). the configuration was done with:

./configure --prefix=/export/home/clamav --enable-milter

and clamd.conf looks like:

LogTime yes
LogSyslog yes
LogFacility LOG_MAIL
TemporaryDirectory /export/home/clamav/tmp
LocalSocket /var/clamav/clamd.sock
FixStaleSocket yes
MaxConnectionQueueLength 32
StreamMaxLength 64M
MaxThreads 64
SelfCheck 3600
User clamav
ScanMail yes

everything works fine for a while -- something more than 8 hours -- with
CPU usage normally being <10%. sometime overnight, however, it started to
climb. this morning it was holding steady at about 88%. i stopped sendmail,
stopped clmilter, stopped clamd and waited.

after five minutes, clamd was still running at 88% CPU so i fed it a
kill -9, cleaned out the temp directories, and restarted everything.
everything looks 'normal' right now.

we first ran into this issue on an older box when we tried to upgrade
from 0.88.7. there's been a lot of water under the bridge since then
with clam, and this is a new box (well, newer) with fresh installs of
everything. things are better than they were -- six months ago it
would blow up within an hour or so -- but the performance issues on
solaris clearly still haven't been licked.

if we can control it with a once-a-day restart, that'll be workable.


rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"Normal people bore me -- I prefer lunatics. At least the lunatics are
committed."
-- Batman Returns
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] latest worry-free version on solaris sparc?

[rick pim]

shuttlebox writes:
 > I recommend Blastwave, easy (apt-style) install of fresh software.
 > 
 > http://www.blastwave.org

blastwave has 0.91.1, which at least two recent threads have suggested
has problems under solaris. it's the version i'm searching for at the
moment; the installation method (source, blastwave, sunfreeware)
comes later. 

(probably source -- we've used blastwave and sunfreeware for some
things and been mostly happy with them. i'm not convinced that we need
to do that with clamav; certainly up to 0.88.7, a manual compile was,
if anything, easier than a blastwave install.)

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"I'm disappointed too, but keep in mind that transmogrification is a 
new technology."
-- Calvin
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

[Clamav-users] latest worry-free version on solaris sparc?

[rick pim]

i have one gateway machine running clamav; it's a running solaris
5.9 on sparc hardware. every couple of years i upgrade it to a
new box (well, since i use cast-off hardware for it, a new old
box, but you know what i mean) with up to date OS, sendmail, etc.

right now i'm doing that. it'll be solaris 5.10 on sparc, 
sendmail 8.14.1, and clamav... not sure about that yet.

my old box is stuck at 0.88.7; i found that the first few releases of
0.90 i couldn't get stable on that system and i wasn't alone on that
front. watching recent list traffic makes me think that there are
still stability and performance issues for some clamav distributions
on at least some versions of solaris.

what's the consensus for the newest version that will compile, run and
be stable with no surprises on solaris 5.10, sparc, sendmail (gcc
3.4.3)?

thanks in advance.

rp
rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"Just think! With the push of a button, you could be a 500-story 
gastropod -- a slug the size of the Chrysler Building."
"Gosh, how can I refuse?"
"Well, if you don't likethat, be something else! I don't care!"
-- Calvin and Hobbes
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

[Clamav-users] Re: 0.90.1 issues on solaris 5.9

[Rick Pim]

René Berber writes:

 > > at which point the CPU falls back. the memory footprint of clamd
 > > also seems to increase: after about an hour (wall clock) top
 > > claims it's 95-100MB. CPU usage at the same time is 81 minutes --
 > > about 1/3 of the total available. kinda sorta.
 > 
 > Something is very wrong there, after 1 day running I have clamd
 > using only 32M of RAM (30M RSS).  How many clamd threads do you
 > see?

i tried this today. (well, yesterday.)

for the first hour or two, clamd sits at /3 or so while clamav-milter
bounces around, typically in the 10-20 range. after this the NLWP on
clamd starts to rise, frequently hitting 30+.

   PID USERNAME  SIZE   RSS STATE  PRI NICE  TIME  CPU PROCESS/NLWP   
 16427 clamav 60M   59M cpu0590   2:42:12  88% clamd/17
 16430 clamav   3984K 2576K sleep   590   0:07:46 0.0% clamav-milter/26

 NLWP on clamav-milter i could see as high as 40+, but neither
approached 64 which is (i think) the nominal limits in clamd.conf and
on the clamav-milter command line.

if i shut down sendmail, within a few minutes the load is back down
and clamd is back to /1:

   PID USERNAME  SIZE   RSS STATE  PRI NICE  TIME  CPU PROCESS/LWPID  
 16427 clamav 59M   58M sleep   590   0:01:27 0.0% clamd/1
 16430 clamav   3712K 2304K sleep   590   0:00:00 0.0% clamav-milter/3
 16430 clamav   3712K 2304K sleep   590   0:00:07 0.0% clamav-milter/1


rp
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

[Clamav-users] Re: 0.90.1 issues on solaris 5.9

[Rick Pim]

René Berber writes:

 > Something is very wrong there, after 1 day running I have clamd
 > using only 32M of RAM (30M RSS).  How many clamd threads do you
 > see?

via ps -efL? or another mechanism. i'll check; i don't know if i'll
get a chance to do it this afternoon -- three day weekend coming up
and i want to make sure it's stable before i head out the door.

rp
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

[Clamav-users] Re: 0.90.1 issues on solaris 5.9

[Rick Pim]

René Berber writes:
 > > ./configure --prefix=/export/home/clamav --enable-milter
 > 
 > So it has libcurl which brings openssl... some problem reports had this, 
 > could
 > you try a recompile w/o curl?

i can.

i tried a build with 

./configure --prefix=/export/home/clamav --enable-milter --without-libcurl

with ScanArchive yes in clamd.conf, it starts and seems to be scanning
okay. CPU usage seems a lot 'spikier' than 0.88.7 with peaks at 80% or
more of the (4 CPU) system. when the CPU peaks, there always seems to
be a logged message on the console:

ERROR: No data received from clamd in 120 seconds
clamfi_eom: read nothing from clamd on sennit

at which point the CPU falls back. the memory footprint of clamd
also seems to increase: after about an hour (wall clock) top
claims it's 95-100MB. CPU usage at the same time is 81 minutes --
about 1/3 of the total available. kinda sorta.

at the two hour point, the system load is about 16 and the CPU is 90%+
and staying there. there is certainly an _improvement_ by adding
'--without-libcurl'. but it's not a miracule cure. :-)

rp
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

[Clamav-users] Re: 0.90.1 issues on solaris 5.9

[Rick Pim]

René Berber writes:

 > > system: 4 CPU Sun E450, solaris 5.9, gcc 3.4.3
 > [snip]
 > > at the moment, i'm probably going to back out to 0.88.7. before i do,
 > > are there any other suggestions folks might have as to things to try?
 > 
 > Did you build the package?  What options did you used?

pretty vanilla:

./configure --prefix=/export/home/clamav --enable-milter

 > What process, clamd/clamav-milter, is the one using more CPU?

typically clamd. when i let it run for several days with 'ScanArchive no'
it was clamav-milter after it started throwing milter errors.

 > What is your mail configuration (is it only sendmail/milters)?  I'm using
 > sendmail + MailScanner + clamd + SpamAssassin (+ some modules) and the only 
 > CPU
 > spikes are when clamd re-reads the database.

sendmail + milters (clam, graymilter) + DNSBLs.

 > An unrelated note: don't listen to "install gdb" posts, what would
 > you do with it?

shrug. i could provide a dump.

this is an old machine. a summer project was going to be recreating
it on different (hopefully slightly newer) hardware with new versions
of all the software components. (gcc in particular: compiling it from
scratch has become quite the chore with all the prerequisites.)

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"Why are you RUNNING?  Cerebus just wants to KILL you a little..."
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

[Clamav-users] 0.90.1 issues on solaris 5.9

[Rick Pim]

system: 4 CPU Sun E450, solaris 5.9, gcc 3.4.3

before i start: i don't have a copy of gdb on this system, so i'm
unable to provide a debug log.

this system is fairly low load (after blocklists, something less than
50k messages per day) and has been running 0.88.7 since mid-january with
no problems. i tried an upgrade to 0.90 when it came out with many of
the same issues that people were seeing so i backed out to 0.88.7.

recently, i tried installing 0.90.1 with slightly different
issues. here's my initial clamd.conf:

LogTime yes
LogSyslog yes
LogFacility LOG_MAIL
TemporaryDirectory /export/home/clamav/tmp
LocalSocket /var/clamav/clamd.sock
FixStaleSocket yes
MaxConnectionQueueLength 32
StreamMaxLength 64M
MaxThreads 64
SelfCheck 3600
User clamav
ScanMail yes
ScanArchive yes

clam is started with the following code fragment:

   if [ -f /export/home/clamav/sbin/clamd -a -f 
/export/home/clamav/etc/clamd.conf ] ; then
   echo "clamd starting."
   /export/home/clamav/sbin/clamd >/dev/console 2>&1
   fi
   sleep 30
   if [ -f /export/home/clamav/sbin/clamav-milter ] ; then
   echo "clamav-milter starting."
   /export/home/clamav/sbin/clamav-milter -PHl --postmaster=root -m 64 
--external /var/clamav/clmilter.sock >/dev/console 2>&1

the only change from the previous (0.88.7) startup is the addition of
the 'sleep' between clamd and clamav-milter.

with this setup, clam starts up, scans messages and find Bad Things.
just as with 0.90, however, the system load grows over time, but seems
to grow more slowly. after about 15 minutes, CPU on a four-processor
system is pegged and the system load is about 9 and slowly
growing. (by this time with 0.90 i would have had a load of 40+ with
a probable clamd crash.)

as a second try, i've changed
  ScanArchive yes
to
  ScanArchive no
and restarted.

the cpu usage for clamd *seems* to bounce around more than it did, but
it seems to recover, at least in the short term. i let the system run
for about a day with no visible problems. at around the 2-2.5 day
mark, however, we started seeing errors in the logs:

Mar 30 20:07:23 sennit sendmail[11833]: [ID 801593 mail.error] l2V01r0J011833: 
Milter (clamav): timeout before data read
Mar 30 20:07:23 sennit sendmail[11833]: [ID 801593 mail.info] l2V01r0J011833: 
Milter (clamav): to error state

which repeated for a while, to be followed by:

Mar 30 20:18:59 sennit sendmail[12799]: [ID 801593 mail.error] l2V0Ixa9012799: 
Milter (clamav): error connecting to filter: Connection refused by 
/var/clamav/clmilter.sock
Mar 30 20:18:59 sennit sendmail[12799]: [ID 801593 mail.info] l2V0Ixa9012799: 
Milter (clamav): to error state

by this point, clmilter was using 100% of one CPU (as far as i could tell).


the next thing was to change clamd.conf in two ways:

ScanArchive yes
ArchiveMaxRecursion 1

with these settings, the system was stable for about five-to-six hours (albeit
with significantly higher load than with ScanArchive no), at which
point the load started to grow and clamd started consuming more
CPU. at the 7 hour point it was using about 100% of available
CPU and the load was approaching 20.

at the moment, i'm probably going to back out to 0.88.7. before i do,
are there any other suggestions folks might have as to things to try?

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"Leaving a trail of slime wherev-"
   >CLICK!<
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

[Clamav-users] load under 0.90

[Rick Pim]

a followup to my last note.

using clamav-milter with --external seems to cause significant
load issues: the system load average seemed top climb without bound --
i shut things down when it hit around 40.

i shutdown clamd and clamav-milter and restarted clamav-milter
without the --external option.

again, the load average climbs (but not as quickly). before
long, i start getting errors logged on the console (see below).
ultimately, clamav-milter dies itself.

all of this seems to be new with .90. ideas?

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"Congratulations, gentlemen. Thanks to the diligence of the FBI, this 
particular vacuum cleaner will never fall into the wrong hands."
-- Howard Hughes (the Rocketeer)



console logs:

Feb 14 16:01:42 sennit sendmail[16617]: l1EKuitu016617: Milter (clamav): 
timeout before data read
   (above error repeated a dozen times for different sequence numbers)
 LibClamAV Warning: Encrypted PDF files not yet supported
Feb 14 16:05:51 sennit clamav-milter[16437]: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.anbOgG: No 
viruses detected ERROR
ERROR: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.anbOgG: No 
viruses detected ERRORLibClamAV Warning: l1EL4uTI017774: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.anbOgG: No 
viruses detected ERROR
Feb 14 16:05:51 sennit clamav-milter[16437]: l1EL4uTI017774: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.anbOgG: No 
viruses detected ERROR
Feb 14 16:05:52 sennit clamav-milter[16437]: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.bnbOgG: No 
viruses detected ERROR
ERROR: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.bnbOgG: No 
viruses detected 
ERROR/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.hnbOgG:
 Too many open files
Feb 14 16:05:53 sennit clamav-milter[16437]: Temporary quarantine file 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.hnbOgG 
creation failed
LibClamAV Warning: l1EL4ta2017765: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.bnbOgG: No 
viruses detected ERROR
Feb 14 16:05:53 sennit clamav-milter[16437]: l1EL4ta2017765: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.bnbOgG: No 
viruses detected ERROR
Feb 14 16:05:53 sennit clamav-milter[16437]: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.WmbOgG: No 
viruses detected ERROR
ERROR: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.WmbOgG: No 
viruses detected ERRORLibClamAV Warning: l1EL4BYL017677: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.WmbOgG: No 
viruses detected ERROR
Feb 14 16:05:53 sennit clamav-milter[16437]: l1EL4BYL017677: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.WmbOgG: No 
viruses detected ERROR
Feb 14 16:05:53 sennit clamav-milter[16437]: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.MkbOgG: No 
viruses detected ERROR
ERROR: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.MkbOgG: No 
viruses detected ERRORLibClamAV Warning: l1EL3uZK017640: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.MkbOgG: No 
viruses detected ERROR
Feb 14 16:05:54 sennit clamav-milter[16437]: l1EL3uZK017640: 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.MkbOgG: No 
viruses detected ERROR
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.tnbOgG: Too 
many open files
Feb 14 16:05:55 sennit clamav-milter[16437]: Temporary quarantine file 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.tnbOgG 
creation failed
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.ynbOgG: Too 
many open files
Feb 14 16:05:55 sennit clamav-milter[16437]: Temporary quarantine file 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.ynbOgG 
creation failed
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.DnbOgG: Too 
many open files
Feb 14 16:05:56 sennit clamav-milter[16437]: Temporary quarantine file 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.DnbOgG 
creation failed
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.InbOgG: Too 
many open files
Feb 14 16:05:56 sennit clamav-milter[16437]: Temporary quarantine file 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.InbOgG 
creation failed
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf31eb/msg.NnbOgG: Too 
many open files
Feb 14 16:05:56 sennit clamav-milter[16437]: Temporary quarantine file 
/export/home/clamav/tmp/clamav-10856503f8bb8211ccd5ac5dc3cf

[Clamav-users] first impressions on 0.90

[Rick Pim]

platform: solaris 5.9, sendmail 8.13.something, gcc 3.4.3,
4-cpu sun 450 (300 MHz CPUs; it's kinda old).

clamav seems to have built and installed without issue; 
nice job.

i have some random thoughts and observations and a question:

 - i have not yet enabled experimental code; i'm going to let it
   run for a while first.

 - the Makefile seems to no longer install the man pages. if this is
   deliberate, perhaps the banner at the top of clamd.conf:
 ## Example config file for the Clam AV daemon
 ## Please read the clamd.conf(5) manual before editing this file.
   should be changed. :-)

 - my simpleminded startup script contains code that looks like
   this:

   if [ -f /export/home/clamav/sbin/clamd -a -f 
/export/home/clamav/etc/clamd.conf ] ; then
echo "clamd starting."
/export/home/clamav/sbin/clamd >/dev/console 2>&1
fi

if [ -f /export/home/clamav/sbin/clamav-milter ] ; then
echo "clamav-milter starting."
/export/home/clamav/sbin/clamav-milter -PHl --postmaster=root 
-m 64 --external /var/clamav/clmilter.sock >/dev/console 2>&1
fi

   (the clamd socket is also in /var/clamav) this has worked for, well, 
   a long time. post upgrade to 0.90, i get the following error from 
   the startup of clamav-milter:

  /var/clamav/clamd.sock: No such file or directory
  Can't talk to clamd server via /var/clamav/clamd.sock
  Check your entry for LocalSocket in /export/home/clamav/etc/clamd.conf

   it's true; if i start clamd and then check, the clamd socket isn't
   there. but if i leave clamd alone for a few seconds the socket 
   appears and clamav-milter starts happily after that. i've tucked 
   a "sleep 30" into the startup script and things seem happy. is
   there anything obvious i'm missing?

 - the CPU footprint seems a little higher, so i'm wondering if i'm
   doing the most load-efficient thing. i'm starting clamav-milter 
   with the --external flag. is it in any way better to skip
   this? what have folks found to give the best performance?

rp
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

[Clamav-users] Max Children Value

[rick pim]

Sarthan writes:
 > I recently installed ClamAV on our mailserver (sendmail) , now I was 
 > wondering what a good value would be for the --max-children parameter 
 > when our mailserver handles about 1000 mails a day ?  Currently it is 
 > set to 5 , is this enough or should I increase it ?

i run 64 on a modestly-sized machine with no known issues. (4 GB
memory, ~50k messages/day).  small caveat: clam probably sees about
half that number (a little less than 25k, say) because of blocklists
and so on which drop mail before clam sees it.

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"Padlock?"
"The IRS.  Picky picky picky."
___
http://lurker.clamav.net/list/clamav-users.html

Fwd: [Clamav-users] Re: which scans mail

[rick pim]

Bart Silverstrim writes:

 > CAN SOMEONE PLEASE UNSUBSCRIBE HIM?  Maybe permanently?...
 > 
 > After the 15th time, I really start to hate those @#$%! OoO replies...

15? wow. i fly into a rage with the first. probably bad for my
blood pressure.

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
STRESS('stres)n:
  that confusion created when one's mind overrides the desire to
  choke the living daylights out of some jerk who really deserves it.

___
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] How to use clamav-milter?

[rick pim]

Damian Menscher writes:
 > clamav-milter IS wholly-contained, though it DOES depend on libclamav 
 > (but not clamd).

 > There's a bug in clamav-milter 0.84 through 0.85.1 (fixed in milter 
 > 0.85e, which is part of 0.86rc1) that causes occasional milter hangs 
 > during the database reload.  One workaround is to use clamd (since then 
 > the milter isn't handling the database reload).

this workaround works like a charm. i'm happy to hear that the bug has
been fixed. when the bug was discovered, there was a little bit of
discussion on the list about efficiency of clamd+clamav-milter vs
just clamav-milter alone. 

which is more efficient:
clamav-milter alone
or
clamav-milter --external + clamd


neither one is harder to configure, really. using the second option
requires two daemons and the first only requires one. besides this,
are there any performance reasons to use one configuration over
the other?

this is on a dedicated mail router: sendmail plus local clamd.

rp


rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"Oh oh!  No more buttered scones for me, Mater,
I'm off to play the grand piano!"
___
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] problems after .84 upgrade

[rick pim]

followup from yesterday.

some of the responses i received yesterday suggesting increasing
the -m (max-children) switch on clamav-milter. i was running
with:
  clamav-milter -PHl --postmaster=root -m 64
i increased this to:
  clamav-milter -PHl --postmaster=root -m 96
and restarted clam late yesterday afternoon.

this morning it failed again, with the same symptoms as before:

May  4 10:47:00 sennit sendmail[20697]: [ID 801593 mail.error] j44Eh0F6020697: 
Milter (clamav): timeout before data read
May  4 10:47:00 sennit sendmail[20697]: [ID 801593 mail.info] j44Eh0F6020697: 
Milter (clamav): to error state

both clamd and clamav-milter processes were still running. 

two things:

   - i have freshclam running via cron at xx:37 -- this failure started
 about ten minutes after a freshclam run. yesterday's failure also
 started about ten minutes after a freshclam run. coincidence?

   - other suggestions from yesterday included adding the "--external"
 switch to clamav-milter. i've reset -m and added --external and 
 restarted. current command line is:
   clamav-milter -PHl --postmaster=root -m 64 --external
 it's working (viruses are appearing in the postmaster mailbox
 and being logged. we'll see if this configuration remains up.

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"We are Earth's only chance! We must fight and die like famous heroes! 
Fight for a world that perhaps considers us, that considers us all, well,
let's say, perhaps, goofy!"
-- Flaming Carrot
___
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] problems after .84 upgrade

[rick pim]

> Mind you I am
> worried about the mode 777 for clamd.sock, if nothing else that seems
> like a security breach to me.
true. but it seems to do that itself:
# ls -al /var/clamav/
total 4
drwxr-x---   2 clamav   clamav   512 May  3 17:02 ./
drwxr-xr-x  32 root sys  512 Feb 11 13:21 ../
# /export/home/clamav/sbin/clamd
# ls -al /var/clamav/
total 4
drwxr-x---   2 clamav   clamav   512 May  3 17:06 ./
drwxr-xr-x  32 root sys  512 Feb 11 13:21 ../
srwxrwxrwx   1 clamav   clamav 0 May  3 17:06 clamd.sock=

You don've have a "clmilter.sock" file, which points to clamav-milter not having been started.
i recognize that -- this was just to illustrate that clamd.sock being
777 was done by clamd itself.
rp
___
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] problems after .84 upgrade

[rick pim]

 > None without some information such as options used to start
 > clamav-milter, clamd.conf, /etc/mail/sendmail.mc etc etc. 

clamav-milter is started with:
  clamav-milter -PHl --postmaster=root -m 64 /var/clamav/clmilter.sock

here's an extract from clamd.conf:

# grep -v ^# clamd.conf | grep -v '^$'
LogTime
LogSyslog
LogFacility LOG_MAIL
TemporaryDirectory /export/home/clamav/tmp
LocalSocket /var/clamav/clamd.sock
FixStaleSocket
MaxConnectionQueueLength 32
StreamMaxLength 20M
MaxThreads 64
SelfCheck 3600
User clamav
ScanMail

sendmail.mc extract:

INPUT_MAIL_FILTER(`clamav', `S=local:/var/clamav/clmilter.sock, 
F=,T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clamav')

 > Mind you I am
 > worried about the mode 777 for clamd.sock, if nothing else that seems
 > like a security breach to me.

true. but it seems to do that itself:

# ls -al /var/clamav/
total 4
drwxr-x---   2 clamav   clamav   512 May  3 17:02 ./
drwxr-xr-x  32 root sys  512 Feb 11 13:21 ../
# /export/home/clamav/sbin/clamd
# ls -al /var/clamav/
total 4
drwxr-x---   2 clamav   clamav   512 May  3 17:06 ./
drwxr-xr-x  32 root sys  512 Feb 11 13:21 ../
srwxrwxrwx   1 clamav   clamav 0 May  3 17:06 clamd.sock=

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"The main difference between men and women is that men are lunatics and 
women are idiots."
-- Rebecca West
___
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] problems after .84 upgrade

[rick pim]

 > Not to be obvious, but was clamav-milter running ? (And clamd, if you run 
 > with --external ). 
 > 

meant to include that. yesterday clamav-milter had died. today
it hadn't:

# ps -ef | grep clam
root 19241 21218  0 16:37:14 pts/30:00 grep clam
  clamav 13432 1  0 20:20:17 ?0:00 /export/home/clamav/sbin/clamd
  clamav 13434 1 25 20:20:21 ?   120:52 
/export/home/clamav/sbin/clamav-milter -PHl --postmaster=root -m 64 /var/clamav


 > I'm running Solaris 8 here on Ultrasparc hardware, and haven't seen this.  
 > Are you on Sparc or Intel ?

this is on sparc (an E450).

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"Advertising is the rattling of a stick inside a swill bucket."
-- George Orwell
___
http://lurker.clamav.net/list/clamav-users.html

[Clamav-users] problems after .84 upgrade

[rick pim]

environment: solaris 5.9, sendmail 8.13.2, clamav .84 (w/clamav-milter).

i upgraded to .84 yesterday with (as far as i could tell) no
problems. things started afterwards and ran as expected.

there were problems yesterday afternoon but i restarted things and
everything looked fine. this afternoon the same thing has happened.

symptoms:

 May  3 15:41:30 sennit sendmail[13416]: [ID 801593 mail.error] j43JbUXa013416: 
Milter (clamav): timeout before data read
May  3 15:41:30 sennit sendmail[13416]: [ID 801593 mail.info] j43JbUXa013416: 
Milter (clamav): to error state

but the corresponding message was apparently delivered.

later on, the error message get rather more worrisome:

May  3 15:47:21 sennit sendmail[14381]: [ID 801593 mail.error] j43JlKch014381: 
Milter (clamav): error connecting to filter: Connection refused by 
/var/clamav/clmilter.sock
May  3 15:47:21 sennit sendmail[14381]: [ID 801593 mail.info] j43JlKch014381: 
Milter (clamav): to error state

the socket appears to be present:

# ll /var/clamav/
total 4
drwxr-xr-x   2 clamav   clamav   512 May  2 20:20 ./
drwxr-xr-x  32 root sys  512 Feb 11 13:21 ../
srwxrwxrwx   1 clamav   clamav 0 May  2 20:20 clamd.sock=
srwxr-xr-x   1 clamav   clamav 0 May  2 20:20 clmilter.sock=

upon restart, things seem to work okay. 


ideas?

rp
___
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] ERROR

[rick pim]

thank you!

rp
___
http://lurker.clamav.net/list/clamav-users.html

[Clamav-users] Milter: data, reject=451 4.3.2 Please try again later

[Rick Pim]

Cesar Gonzalez writes:
 > 
 > I'm getting this on my maillog, any ideas? It runs for a while, and for no
 > aparent reason starts doing that, stoping clamd and milter and restarting
 > them fixes the problem, but it's rather annoying doing several times a day.

it may be a complete coincidence, but i was seeing this under load
with 0.80. when this was happening it looked like the number of
sendmail processes was bumping up against MaxDaemonChildren.

i increased MaxThreads (in clamd.conf) and MaxDaemonChildren (sendmail.cf)
and the problem went away.

possibly a coincidence, of course -- i'm a clamav newbie.

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"calorie: Basic measure of the amount of rationalization offered by the
 average individual prior to taking a second helping of a particular food."
-- The Cook's Dictionary
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users