Hello:

In the past few days we have experienced multiple stability problems with clamav. Here is our environment:

    Solaris 9 (sparc)
    mimedefang 2.36 w/ sendmail 8.12.10
    clamav 0.65

The problems appear to be twofold:

1) freshclam, run as a daemon, crashes without sending a notify. freshclam appears to die anytime it finds a problem with a database update instead of just reporting the error and keep on running to try again later.

2) "something" is causing clamd to die. This just started Monday. The only indication of a problem is that mimedefang starts reporting all sorts of strange errors. In mimedefang, we are using clamdscan instead of clamd directly, as it appears to catch some problems that are missed when running clamd directly under the control of mimedefang (which I view as a mimedefang problem, not a clamav problem).

Detailed logs showing these problems, and commentary explaining what happened when, follow the signature paragraph.

I should also add that we deleted both the main and daily databases locally and loaded new ones just to ensure that some local database corruption was not the cause of the problem.

Suggestion for a new clamd and freshclam feature: Have a "notify on program exit" that will log a notice or take other action should the daemon die.

This was submitted to [EMAIL PROTECTED] yesterday... just curious, is there any type of acknowledgment that we should expect from such submittals?

TIA for all help!

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214


FRESHCLAM PROBLEMS:
===================

This is how we start freshclam -- and in the recent past we have received notifications when updates fail, but I cannot recall ever receiving a notification when freshclam crashes.

    /usr/local/bin/freshclam -d \
        -c 24 \
        -u ${CLAMU} \
        -l ${CAVLOG} \
        --daemon-notify=${CAVCONF} \
        --on-error-execute="/usr/bin/logger -i -t freshclam -p daemon.alert 'clamav virus signatures database update failed'"

Here is an example of the problem from today. The previous entry in the log was from an hour earlier and all was OK.
We discovered freshclam had died (with no notice sent) when we were preparing the documentation for the clamd problem. We received no notice that freshclam had any problems or had died.

--------------------------------------
ClamAV update process started at Tue Jan 20 12:22:46 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (193.126.14.29)
ClamAV update process started at Tue Jan 20 12:22:56 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (193.126.14.29)
ClamAV update process started at Tue Jan 20 12:23:06 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (193.126.14.29)
--------------------------------------

Here is another example, this from last Friday, where freshclam died, again, without any notice being logged.

--------------------------------------
ClamAV update process started at Fri Jan 16 14:53:19 2004
ERROR: Verification: MD5 verification error.
ClamAV update process started at Fri Jan 16 14:57:26 2004
ERROR: Verification: MD5 verification error.
ClamAV update process started at Fri Jan 16 15:06:39 2004
ERROR: Maximal time (1200 seconds) reached.


CLAMD PROBLEMS:
===============

Yesterday, just before 11:00 we started getting all sorts of 'strange' mimedefang errors -- none of which were 'problem running virus scanner'. Checking, we found that clamd was not running. (We use clamdscan in mimedefang, not clamd directly, as it appears to be somewhat better at catching some viruses.)

Notice that it appeared to die the first time shortly after finding 'Worm.Gibe.F' -- with no indication of why it died. (The virus hit was successfully passed back to mimedefang.)

Next, at 12:04 we restarted clamd and it died due to a timeout at 12:28. Then we restarted clamd at 12:31 and it died again for some unknown reason around 13:30.
At 13:32 we restarted clamd and also changed mimedefang to use clamscan instead of clamdscan. clamd appears stable so long as it is not being used.

We have tried to track down what clamd may have been doing when it died, but we have not been able to find anything in common at its various points of failure.

Mon Jan 19 11:00:09 2004 -> +++ Started at Mon Jan 19 11:00:09 2004
Mon Jan 19 11:00:09 2004 -> Log file size limited to 8388608 bytes.
Mon Jan 19 11:00:09 2004 -> Running as user defang (UID 104, GID 25)
Mon Jan 19 11:00:09 2004 -> Reading databases from /usr/local/share/clamav
Mon Jan 19 11:00:10 2004 -> Protecting against 20206 viruses.
Mon Jan 19 11:00:11 2004 -> Unix socket file /var/clamav/clamd.sock
Mon Jan 19 11:00:11 2004 -> Setting connection queue length to 60
Mon Jan 19 11:00:11 2004 -> Maximal number of threads: 40
Mon Jan 19 11:00:11 2004 -> Archive: Archived file size limit set to 10485760 bytes.
Mon Jan 19 11:00:11 2004 -> Archive: Recursion level limit set to 5.
Mon Jan 19 11:00:11 2004 -> Archive: Files limit set to 1000.
Mon Jan 19 11:00:11 2004 -> Archive support enabled.
Mon Jan 19 11:00:11 2004 -> RAR support disabled.
Mon Jan 19 11:00:11 2004 -> Mail files support enabled.
Mon Jan 19 11:00:11 2004 -> Self checking every 3600 seconds.
Mon Jan 19 11:00:11 2004 -> Timeout set to 180 seconds.
Mon Jan 19 11:00:11 2004 -> SelfCheck: Database status OK.
Mon Jan 19 11:00:29 2004 -> Reading databases from /usr/local/share/clamav
Mon Jan 19 11:00:31 2004 -> Database correctly reloaded (20205 viruses)
Mon Jan 19 11:41:47 2004 -> /var/spool/MIMEDefang/run/mdefang-i0JGfhb5024243/./Work/msg-9414-65.exe: Worm.Gibe.F FOUND
Mon Jan 19 11:41:52 2004 -> /var/spool/MIMEDefang/run/mdefang-i0JGfhb5024243/Work/msg-9414-65.exe: Worm.Gibe.F FOUND
Mon Jan 19 11:46:50 2004 -> /var/spool/MIMEDefang/run/mdefang-i0JGklb5024650/./Work/msg-9436-3.exe: Worm.Gibe.F FOUND
Mon Jan 19 11:46:52 2004 -> /var/spool/MIMEDefang/run/mdefang-i0JGklb5024650/Work/msg-9436-3.exe: Worm.Gibe.F FOUND
Mon Jan 19 12:04:35 2004 -> +++ Started at Mon Jan 19 12:04:35 2004
Mon Jan 19 12:04:35 2004 -> Log file size limited to 8388608 bytes.
Mon Jan 19 12:04:35 2004 -> Running as user defang (UID 104, GID 25)
Mon Jan 19 12:04:35 2004 -> Reading databases from /usr/local/share/clamav
Mon Jan 19 12:04:36 2004 -> Protecting against 20205 viruses.
Mon Jan 19 12:04:37 2004 -> WARNING: Socket file /var/clamav/clamd.sock exists. Unclean shutdown? Removing...
Mon Jan 19 12:04:37 2004 -> Unix socket file /var/clamav/clamd.sock
Mon Jan 19 12:04:37 2004 -> Setting connection queue length to 60
Mon Jan 19 12:04:37 2004 -> Maximal number of threads: 40
Mon Jan 19 12:04:37 2004 -> Archive: Archived file size limit set to 10485760 bytes.
Mon Jan 19 12:04:37 2004 -> Archive: Recursion level limit set to 5.
Mon Jan 19 12:04:37 2004 -> Archive: Files limit set to 1000.
Mon Jan 19 12:04:37 2004 -> Archive support enabled.
Mon Jan 19 12:04:37 2004 -> RAR support disabled.
Mon Jan 19 12:04:37 2004 -> Mail files support enabled.
Mon Jan 19 12:04:37 2004 -> Self checking every 3600 seconds.
Mon Jan 19 12:04:37 2004 -> Timeout set to 180 seconds.
Mon Jan 19 12:04:37 2004 -> SelfCheck: Database status OK.
Mon Jan 19 12:28:11 2004 -> Session 0 stopped due to timeout.
Mon Jan 19 12:31:26 2004 -> +++ Started at Mon Jan 19 12:31:26 2004
Mon Jan 19 12:31:26 2004 -> Log file size limited to 8388608 bytes.
Mon Jan 19 12:31:26 2004 -> Running as user defang (UID 104, GID 25)
Mon Jan 19 12:31:26 2004 -> Reading databases from /usr/local/share/clamav
Mon Jan 19 12:31:28 2004 -> Protecting against 20205 viruses.
Mon Jan 19 12:31:29 2004 -> WARNING: Socket file /var/clamav/clamd.sock exists. Unclean shutdown? Removing...
Mon Jan 19 12:31:29 2004 -> Unix socket file /var/clamav/clamd.sock
Mon Jan 19 12:31:29 2004 -> Setting connection queue length to 60
Mon Jan 19 12:31:29 2004 -> Maximal number of threads: 40
Mon Jan 19 12:31:29 2004 -> Archive: Archived file size limit set to 10485760 bytes.
Mon Jan 19 12:31:29 2004 -> Archive: Recursion level limit set to 5.
Mon Jan 19 12:31:29 2004 -> Archive: Files limit set to 1000.
Mon Jan 19 12:31:29 2004 -> Archive support enabled.
Mon Jan 19 12:31:29 2004 -> RAR support disabled.
Mon Jan 19 12:31:29 2004 -> Mail files support enabled.
Mon Jan 19 12:31:29 2004 -> Self checking every 3600 seconds.
Mon Jan 19 12:31:29 2004 -> Timeout set to 180 seconds.
Mon Jan 19 12:31:29 2004 -> SelfCheck: Database status OK.
Mon Jan 19 13:01:33 2004 -> Reading databases from /usr/local/share/clamav
Mon Jan 19 13:01:36 2004 -> Database correctly reloaded (20211 viruses)
Mon Jan 19 13:32:46 2004 -> +++ Started at Mon Jan 19 13:32:46 2004
Mon Jan 19 13:32:46 2004 -> Log file size limited to 8388608 bytes.
Mon Jan 19 13:32:46 2004 -> Running as user defang (UID 104, GID 25)
Mon Jan 19 13:32:46 2004 -> Reading databases from /usr/local/share/clamav
Mon Jan 19 13:32:48 2004 -> Protecting against 20211 viruses.
Mon Jan 19 13:32:49 2004 -> WARNING: Socket file /var/clamav/clamd.sock exists. Unclean shutdown? Removing...
Mon Jan 19 13:32:49 2004 -> Unix socket file /var/clamav/clamd.sock
Mon Jan 19 13:32:49 2004 -> Setting connection queue length to 60
Mon Jan 19 13:32:49 2004 -> Maximal number of threads: 40
Mon Jan 19 13:32:49 2004 -> Archive: Archived file size limit set to 10485760 bytes.
Mon Jan 19 13:32:49 2004 -> Archive: Recursion level limit set to 5.
Mon Jan 19 13:32:49 2004 -> Archive: Files limit set to 1000.
Mon Jan 19 13:32:49 2004 -> Archive support enabled.
Mon Jan 19 13:32:49 2004 -> RAR support disabled.
Mon Jan 19 13:32:49 2004 -> Mail files support enabled.
Mon Jan 19 13:32:49 2004 -> Self checking every 3600 seconds.
Mon Jan 19 13:32:49 2004 -> Timeout set to 180 seconds.
Mon Jan 19 13:32:49 2004 -> SelfCheck: Database status OK.
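Added example (not part of the original post, and not ClamAV or MIMEDefang code): in the clamd log above, a silent death is only visible afterwards, through the "Socket file ... exists. Unclean shutdown?" warning written on the next start. The Python below scans a log in that format for such restarts and reports the last entry written before each one; the function names are hypothetical and the sample is abridged from the log in the post.

```python
import re
from datetime import datetime

# Abridged from the clamd log quoted in the post above.
SAMPLE_LOG = """\
Mon Jan 19 11:00:09 2004 -> +++ Started at Mon Jan 19 11:00:09 2004
Mon Jan 19 11:00:11 2004 -> SelfCheck: Database status OK.
Mon Jan 19 11:46:52 2004 -> /var/spool/MIMEDefang/run/mdefang-i0JGklb5024650/Work/msg-9436-3.exe: Worm.Gibe.F FOUND
Mon Jan 19 12:04:35 2004 -> +++ Started at Mon Jan 19 12:04:35 2004
Mon Jan 19 12:04:37 2004 -> WARNING: Socket file /var/clamav/clamd.sock exists. Unclean shutdown? Removing...
Mon Jan 19 12:28:11 2004 -> Session 0 stopped due to timeout.
Mon Jan 19 12:31:26 2004 -> +++ Started at Mon Jan 19 12:31:26 2004
Mon Jan 19 12:31:29 2004 -> WARNING: Socket file /var/clamav/clamd.sock exists. Unclean shutdown? Removing...
Mon Jan 19 13:01:36 2004 -> Database correctly reloaded (20211 viruses)
Mon Jan 19 13:32:46 2004 -> +++ Started at Mon Jan 19 13:32:46 2004
Mon Jan 19 13:32:49 2004 -> WARNING: Socket file /var/clamav/clamd.sock exists. Unclean shutdown? Removing...
"""

# "<ctime timestamp> -> <message>", as written by clamd in the log above.
ENTRY = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse(text):
    """Yield (timestamp, message) for every well-formed log entry."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2)


def unclean_restarts(text):
    """One record per clamd start that found a stale socket file."""
    events, pending = [], None
    last_ts = last_msg = None
    for ts, msg in parse(text):
        if msg.startswith("+++ Started"):
            # Remember what the previous instance logged last.
            pending = {"restart": ts, "last_seen": last_ts, "last_msg": last_msg}
        elif "Unclean shutdown?" in msg and pending is not None:
            seen = pending["last_seen"]
            # Upper bound on how long the daemon was down unnoticed.
            pending["gap"] = pending["restart"] - seen if seen else None
            events.append(pending)
            pending = None
        last_ts, last_msg = ts, msg
    return events
```

The gap is an upper bound on the outage, since clamd may have kept running for a while after its last log entry.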