On Tue, 2004-11-30 at 13:35, Scott Ryan wrote:
> On Tuesday 30 November 2004 14:14, Trog wrote:
> > On Tue, 2004-11-30 at 12:04, Scott Ryan wrote:
> > > I am using clamdscan (clamav 0.80 - RHEL3) on 5 very intensively used
> > > mail servers and generally, I have no issues and it works wonderfully.
> > > But however, every now and again, to which there is no random pattern,
> > > and across all 5 servers, clamdscan processes go through the roof. All
> > > logging stops. Here is current status of one of the machines as it has
> > > happened:
> >
> > What version of zlib are you using?
> 
> [EMAIL PROTECTED] root]# rpm -qa|grep zlib
> zlib-1.1.4-8.1

Should be ok, but you never know what patching RH has done to it.

There are basically two things you can do:

1. Attach gdb to clamd to see if it is crashing, and then do a
backtrace.

2. When this happens, have a look in /proc/<clamd pid>/fd and see what
files clamd is currently processing. These should be short-lived (if you
actually see any that are not pipes, sockets, or clamd's own files), but
if not, you can recover the files by simply copying the relevant entries
from here to somewhere else.

For example:

# ps auxw | grep clamd
alias     4093  2.0  1.7 44936 15712 ?       S    13:47   0:04 [clamd]

# ls -l /proc/4093/fd
total 0
lr-x------    1 root     root           64 Nov 30 13:51 0 -> /dev/null
l-wx------    1 root     root           64 Nov 30 13:51 1 -> pipe:[5167]
l-wx------    1 root     root           64 Nov 30 13:51 2 -> pipe:[5167]
l-wx------    1 root     root           64 Nov 30 13:51 3 -> /var/log/clamd.log
lrwx------    1 root     root           64 Nov 30 13:51 4 -> socket:[181294352]
lrwx------    1 root     root           64 Nov 30 13:51 5 -> socket:[187606583]
lr-x------    1 root     root           64 Nov 30 13:51 6 -> pipe:[181294361]
l-wx------    1 root     root           64 Nov 30 13:51 7 -> pipe:[181294361]
lr-x------    1 root     root           64 Nov 30 13:51 8 -> /tmp/scan-8937/message.txt


...then I can:

# cp /proc/4093/fd/8 /tmp/file.msg

to get a copy of the file, even if it's been deleted.

NOTE: don't muck about with the pipes or sockets!

Hopefully, the issue is then repeatable by scanning the files you have
copied.

-trog
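
Added example (not part of the original message, and not ClamAV code): a shell script that automates step 2 above by walking /proc/<pid>/fd, skipping pipes, sockets and device nodes, and copying whatever regular files remain so they can be rescanned later. The function names, the PROC_ROOT override and the optional exclude glob (used to skip clamd's own files, such as its log) are assumptions of this example.

```shell
#!/bin/sh
# Added example: save the regular files a process holds open, via /proc/<pid>/fd.
# PROC_ROOT and both function names are assumptions of this example.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print "fd<TAB>target" for every descriptor that resolves to a regular file.
# Pipes, sockets, anon inodes and device nodes are skipped, as is any target
# matching the optional exclude glob (e.g. '/var/log/*' for the daemon's log).
list_open_files() {
    pid=$1
    exclude=${2:-}
    for link in "$PROC_ROOT/$pid/fd"/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link") || continue
        case $target in
            pipe:*|socket:*|anon_inode:*|/dev/*) continue ;;
        esac
        if [ -n "$exclude" ]; then
            case $target in
                $exclude) continue ;;
            esac
        fi
        # -f follows the link; on a real /proc this still succeeds when the
        # target is displayed as "<path> (deleted)".
        [ -f "$link" ] || continue
        printf '%s\t%s\n' "${link##*/}" "$target"
    done
}

# Copy each listed file to <dest>/fd-<n>, keep the fd-to-path map in
# <dest>/index.tsv, and print the number of files copied.
save_open_files() {
    pid=$1
    dest=$2
    exclude=${3:-}
    tab=$(printf '\t')
    mkdir -p "$dest" || return 1
    list_open_files "$pid" "$exclude" > "$dest/index.tsv"
    count=0
    while IFS=$tab read -r fd target; do
        cp "$PROC_ROOT/$pid/fd/$fd" "$dest/fd-$fd" && count=$((count + 1))
    done < "$dest/index.tsv"
    echo "$count"
}

# Usage: sh save-fds.sh <pid> <dest-dir> [exclude-glob]
if [ "$#" -ge 2 ]; then
    save_open_files "$@"
fi
```

Run it as root (or as the clamd user) while the process is stuck; scan files are short-lived, so it may need to be run more than once to catch one.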

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
