[Clamav-users] ClamAV-0.92 very high CPU usage
hello all, I am experiencing a very high CPU usage by the clamd process. Top always shows the CPU usage at more than 100%. I have clamav to scan AV for my mail server. It's a qmail installation with simscan. Clamav is installed on FC5. Is this a known problem? Any suggestion as to what I should look into? Do let me know if more information is required.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] centralized virus / spam scanner server
hi list, I am running clamav-0.88.7 for email scanning. I am using qmail as my MTA, set up according to the qmr instructions. qmail-scanner-queue.pl does both the spam and virus checks. I know it's possible to have spamassassin (spamd) running on a remote machine and we can check the mails for spam on the network. This way I can have a centralized spam filtering server with me. Is the same kind of setup possible with clamav? If so, how?
thanks
Sandeep
Re: [Clamav-users] How will be upgrade clamav 0.88?
--- sivakumar ramasamy [EMAIL PROTECTED] wrote:
> dear sir, I am using rhel.3 server. Already i am install the clamav 0.80 before the month but now my system recommend the 0.88. how is upgrade the newer one, please tell me, how is upgradation clamav.

download the latest source from the website and follow the install instructions.
Re: [Clamav-users] ClamAV takes long to scan mails
--- Jason Haar [EMAIL PROTECTED] wrote:
> Sandeep Agarwal wrote:
> > checked the logs after sending a mail size 6MB. reading the logs it's clear that this is not a clamd problem. it's something else. what's the w_c:elapsed time in the log below? i guess it's the time waiting in the queue. if yes, how can this be fixed?
>
> You don't include the entire log for that particular mail message being processed (and I'm sure the readers of this list appreciate that as this isn't a ClamAV problem). One of those timestamps will be much larger than the others, so that's the one that is the cause of the problem.

this is the only details in the log file for this process. it seems that the server is taking long in receiving mails.

# cat qmail-queue.log | grep :31100:
Tue, 04 Apr 2006 16:35:41 IST:31100: +++ starting debugging for process 31100 by uid=90
Tue, 04 Apr 2006 17:02:25 IST:31100: w_c: elapsed time from start 1604.306495 secs
Tue, 04 Apr 2006 17:02:26 IST:31100: return-path='[EMAIL PROTECTED]', recips='[EMAIL PROTECTED]'
Tue, 04 Apr 2006 17:02:26 IST:31100: from='Sandeep Agarwal [EMAIL PROTECTED]', subj='Fwd: axe effect!!', via SMTP from 206.190.48.98
Tue, 04 Apr 2006 17:03:11 IST:31100: clamdscan: finished scan in 44.9711 secs
Tue, 04 Apr 2006 17:03:11 IST:31100: SA: message too big - skip it
Tue, 04 Apr 2006 17:03:11 IST:31100: p_s: finished scan in 0.011766 secs
Tue, 04 Apr 2006 17:03:11 IST:31100: ini_sc: finished scan of /var/spool/qmailscan/tmp/ngblhost1114414874176031100...
Tue, 04 Apr 2006 17:03:11 IST:31100: -- Process 31100 finished. Total of 1650.008028 secs

> Are you sure you don't have an actual network problem?

can you guide me how can i check that it's not a network problem.

> If none of the Qmail-Scanner subprocesses is responsible for the large times, then there is only one other option - network. Having mismatched duplex settings on the server's Ethernet card can do this, as well as long-distance-over-unreliable-links SMTP clients. i.e. maybe 1299 of those 1300 seconds is actually how long it took the message to be written to the queue - which indicates a slow network - not a software problem. The new release of Qmail-Scanner specifically separates out that time now - for this very reason.

Thanks for the help
Sandeep
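An added example (not part of the original thread and not Qmail-Scanner's own code): a small parser that applies the approach described in the message above, splitting one process's debug lines into per-phase times to see which one dominates. The sample input is the log quoted above with the address and ini_sc lines left out; the label `before_scan` for the `w_c` figure is this example's own name.

```python
import re
from datetime import datetime

# Debug lines for process 31100, taken from the message above.
SAMPLE_LOG = """\
Tue, 04 Apr 2006 16:35:41 IST:31100: +++ starting debugging for process 31100 by uid=90
Tue, 04 Apr 2006 17:02:25 IST:31100: w_c: elapsed time from start 1604.306495 secs
Tue, 04 Apr 2006 17:03:11 IST:31100: clamdscan: finished scan in 44.9711 secs
Tue, 04 Apr 2006 17:03:11 IST:31100: SA: message too big - skip it
Tue, 04 Apr 2006 17:03:11 IST:31100: p_s: finished scan in 0.011766 secs
Tue, 04 Apr 2006 17:03:11 IST:31100: -- Process 31100 finished. Total of 1650.008028 secs
"""

LINE = re.compile(r"^\w{3}, (\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) \w+:(\d+): (.*)$")
SCAN = re.compile(r"^(\S+): finished scan in ([\d.]+) secs")
WAIT = re.compile(r"^w_c: elapsed time from start ([\d.]+) secs")
TOTAL = re.compile(r"Total of ([\d.]+) secs")


def breakdown(log_text, pid):
    """Seconds per phase for one process, plus the largest gap between log lines."""
    phases, stamps = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(2) != pid:
            continue  # other processes or unparsable lines
        stamps.append(datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S"))
        msg = m.group(3)
        if s := SCAN.match(msg):
            phases[s.group(1)] = float(s.group(2))
        elif w := WAIT.match(msg):
            phases["before_scan"] = float(w.group(1))  # hypothetical label for w_c
        elif t := TOTAL.search(msg):
            phases["total"] = float(t.group(1))
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    phases["largest_gap"] = max(gaps, default=0.0)
    return phases


def slowest(phases):
    """Name of the phase that consumed the most time (summary fields excluded)."""
    parts = {k: v for k, v in phases.items() if k not in ("total", "largest_gap")}
    return max(parts, key=parts.get)


if __name__ == "__main__":
    p = breakdown(SAMPLE_LOG, "31100")
    print(slowest(p), f"{p[slowest(p)] / p['total']:.0%} of total")
```

The timestamp gap is computed independently of the logged durations, so a stall shows up even when the slow phase logs no "finished" line of its own.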
[Clamav-users] ClamAV takes long to scan mails
hello all, i am running qmail+clamav. These are my clamd.conf and freshclam.conf files

***clamd.conf - Begin **
LogFile /var/log/clamd.log
LogTime
LogClean
LogSyslog
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /usr/share/clamav
LocalSocket /var/clamav/clamd.sock
FixStaleSocket
MaxConnectionQueueLength 20
MaxThreads 30
ReadTimeout 300
User qscand
DetectBrokenExecutables
ScanMail
ScanHTML
ScanArchive
ScanRAR
***clamd.conf - End **

***freshclam.conf - Begin **
DatabaseDirectory /usr/share/clamav
UpdateLogFile /var/log/clam-update.log
DatabaseOwner qscand
DatabaseMirror database.clamav.net
***freshclam.conf - End **

the softlimit set for qmail is 300MB. but the time taken to scan a 4 MB mail is too long ... i am dumping the mail header

**HEADER START
Return-Path: email address protected
Delivered-To: somedomain.com-email address protected
Received: (qmail 10260 invoked by uid 92); 3 Apr 2006 17:12:12 +0530
Received: from 61.16.161.3 by ngblhost1 (envelope-from email address protected, uid 90) with qmail-scanner-1.24-st-qms (clamdscan: 0.88/1367. spamassassin: 3.1.0. perlscan: 1.24-st-qms. Clear:RC:0(61.16.161.3):SA:0(?/?):. Processed in 1330.693658 secs); 03 Apr 2006 11:42:12 -
X-Spam-Status: No, hits=? required=?
X-Antivirus-MYDOMAIN-Mail-From: email address protected via ngblhost1
X-Antivirus-MYDOMAIN: 1.24-st-qms (Clear:RC:0(61.16.161.3):SA:0(?/?):. Processed in 1330.693658 secs Process 10258)
Received: from unknown (HELO smtp.io-star.com) (61.16.161.3) by protected-domain with SMTP; 3 Apr 2006 16:50:01 +0530
Received: from Venu (iostar-2-161-16-hkg.io-star.com [61.16.161.2] (may be forged)) (authenticated bits=0) by smtp.io-star.com (8.12.8/8.12.8) with ESMTP id k33AitBC024135; Mon, 3 Apr 2006 16:15:11 +0530
Reply-To: email address protected
From: Kabul email address protected
To: 'C S Sethi' email address protected, 'charanbir sethi' email address protected
Subject: Photo's
Date: Mon, 3 Apr 2006 15:35:55 +0430
Organization: BSC - C C JV
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_0027_01C65734.514DFFE0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
HEADER END*

i can't figure out the possible cause of the delay. can someone help

thanks
Sandeep

P.S.: I am using clamdscan and not clamscan as many qmail installations do; that's why the User for clamav is qscand, so that it can work with qmail-scanner
Re: [Clamav-users] ClamAV takes long to scan mails
--- Jason Haar [EMAIL PROTECTED] wrote:
> Sandeep Agarwal wrote:
> > hello all, i am running qmail+clamav. This is my clamd.conf and freshclam.conf files
>
> First thing - wrong list - you are really asking a Qmail-Scanner question. Secondly, you don't mention you are also using SpamAssassin (I can see that from the message you included). Check the qmail-queue.log debug file - see where Qmail-Scanner is actually hanging (it keeps track of where all the time goes). I think you'll find it's hanging in SpamAssassin. If I'm wrong and it is clamd - then at least you'll know that much for sure. If it is clamd - then indeed this is the correct list to post this question to. In that case, ensure clamd is logging somewhere - either to a file or to syslog. Then see what clamd reports about these sorts of messages (and if it's SpamAssassin - then I really haven't solved anything. DNS timeouts come to mind - but I don't know how that could ever add up to the 1330 seconds you are seeing)

when i re-check the header, as you suggested, i found that spamassassin is not even scanning the mail

X-Antivirus-MYDOMAIN: 1.24-st-qms (Clear:RC:0(61.16.161.3):SA:0(?/?):. Processed in 1330.693658 secs Process 10258)

this is what qmail-scanner has to say about it as on http://qmail-scanner.sourceforge.net/FAQ.php

# Why do some messages get tagged with SA:0(?/?) instead of numbers?. SpamAssassins spamd daemon has a max e-mail size limit. If a message is larger than that size, it just returns with no score (as it skipped it). As such Qmail-Scanner has no numbers to report, so it uses ? to show that happened. Also, if some error occurs within SpamAssassin, Qmail-Scanner returns ? again - showing that SA couldn't do the job on that particular mail message. If you use softlimit to limit the max amount of RAM SA can use - that can impact this too.

thanks
Sandeep
Re: [Clamav-users] ClamAV takes long to scan mails
--- Sandeep Agarwal [EMAIL PROTECTED] wrote:
> --- Jason Haar [EMAIL PROTECTED] wrote:
> > Sandeep Agarwal wrote:
> > > hello all, i am running qmail+clamav. This is my clamd.conf and freshclam.conf files
> >
> > First thing - wrong list - you are really asking a Qmail-Scanner question. Secondly, you don't mention you are also using SpamAssassin (I can see that from the message you included). Check the qmail-queue.log debug file - see where Qmail-Scanner is actually hanging (it keeps track of where all the time goes). I think you'll find it's hanging in SpamAssassin. If I'm wrong and it is clamd - then at least you'll know that much for sure. If it is clamd - then indeed this is the correct list to post this question to. In that case, ensure clamd is logging somewhere - either to a file or to syslog. Then see what clamd reports about these sorts of messages (and if it's SpamAssassin - then I really haven't solved anything. DNS timeouts come to mind - but I don't know how that could ever add up to the 1330 seconds you are seeing)
>
> when i re-check the header, as you suggested, i found that spamassassin is not even scanning the mail
>
> X-Antivirus-MYDOMAIN: 1.24-st-qms (Clear:RC:0(61.16.161.3):SA:0(?/?):. Processed in 1330.693658 secs Process 10258)
>
> this is what qmail-scanner has to say about it as on http://qmail-scanner.sourceforge.net/FAQ.php
>
> # Why do some messages get tagged with SA:0(?/?) instead of numbers?. SpamAssassins spamd daemon has a max e-mail size limit. If a message is larger than that size, it just returns with no score (as it skipped it). As such Qmail-Scanner has no numbers to report, so it uses ? to show that happened. Also, if some error occurs within SpamAssassin, Qmail-Scanner returns ? again - showing that SA couldn't do the job on that particular mail message. If you use softlimit to limit the max amount of RAM SA can use - that can impact this too.
>
> thanks
> Sandeep

checked the logs after sending a mail size 6MB. reading the logs it's clear that this is not a clamd problem. it's something else. what's the w_c:elapsed time in the log below? i guess it's the time waiting in the queue. if yes, how can this be fixed?

Tue, 04 Apr 2006 17:02:25 IST:31100: w_c: elapsed time from start 1604.306495 secs
Tue, 04 Apr 2006 17:02:26 IST:31100: return-path='***', recips='***'
Tue, 04 Apr 2006 17:02:26 IST:31100: from='Sandeep Agarwal ', subj='Fwd: axe effect!!', via SMTP from 206.190.48.98
Tue, 04 Apr 2006 17:03:11 IST:31100: clamdscan: finished scan in 44.9711 secs
Tue, 04 Apr 2006 17:03:11 IST:31100: SA: message too big - skip it
Tue, 04 Apr 2006 17:03:11 IST:31100: p_s: finished scan in 0.011766 secs
Tue, 04 Apr 2006 17:03:11 IST:31100: ini_sc: finished scan of /var/spool/qmailscan/tmp/ngblhost1114414874176031100...
Tue, 04 Apr 2006 17:03:11 IST:31100: -- Process 31100 finished. Total of 1650.008028 secs

Sandeep
Re: [Clamav-users] Regd. ClamAV Virus protection
--- Nigel Horne [EMAIL PROTECTED] wrote:
> On Saturday 18 Sep 2004 13:24, Sandeep Agarwal wrote:
> > hello list, I have recently installed ClamAV on my Linux box, it is working fine, but when i tested my mail server against virus attach (http://www.testvirus.org/), it successfully blocked 21 out 25 different ways of sending virus which indeed is a good result, but was unable to block test number 20,23,24 and 25,
>
> 24 and 25 contain no virus so there is nothing to detect. You haven't said what version of clamAV you're using, but it's probably 0.75.1, you should find that the latest development version catches 20 and 23.
>
> > Sandeep

sorry for not mentioning the version, yes i am using 0.75.1, will test for the undetected virus with the latest development.

24 and 25 contain no virus but the mail i received for these virus says:

For test #24
Test #24 (non-virus): Test for the Partial (Fragmented) Vulnerability. This does not include the Eicar virus, however your mail server should still block this since a virus can use this technique to break itself into multiple emails, bypassing virus scanners, and reassembling itself in your inbox. (attachment can be opened by virtually any mail program)

For test #25
Test #25 (non-virus): Attachment with a CLSID extension which may hide the real file extension. This does not include the Eicar virus, however your mail server should still block this since the CLSID technique can be used to hide the true extension of a malicious file. (attachment can be opened by any Windows computer)

thanks
Sandeep
___
Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Regd. ClamAV Virus protection
--- Scott Call [EMAIL PROTECTED] wrote:
> The MIME vulnerabilities (last two tests) are an MTA issue not a clamav issue. Depending on your MTA (sendmail, exim, qmail, etc) there are different ways of dealing with that. The eximscan patch for exim, for example, includes a mime ACL you can use to reject them, and it's included in the docs for the patch and is beyond the scope or charter of the clamav message list :)
> -S

thanks for the details
Sandeep
[Clamav-users] Regd. ClamAV Virus protection
hello list, I have recently installed ClamAV on my Linux box, it is working fine, but when i tested my mail server against virus attach (http://www.testvirus.org/), it successfully blocked 21 out 25 different ways of sending virus which indeed is a good result, but was unable to block test number 20,23,24 and 25. are there some special settings to be done to block these 4 tests also so that we can get 100% result? my clamav.conf file is

*Begin - clamav.conf**
LogFile /var/log/clamd.log
LogFileMaxSize 2M
LogTime
PidFile /var/clamav/clamd.pid
DataDirectory /var/clamav
LocalSocket /var/clamav/clamd.sock
FixStaleSocket
StreamSaveToDisk
StreamMaxLength 10M
MaxThreads 200
ReadTimeout 500
MaxDirectoryRecursion 15
User clamav
ScanMail
ScanArchive
ScanRAR
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ClamukoScanOnOpen
ClamukoScanOnClose
ClamukoScanOnExec
ClamukoIncludePath /home
ClamukoMaxFileSize 1M
ClamukoScanArchive
*End - clamav.conf**

thanks
Sandeep