[Clamav-users] Re: clamav-milter: stale files in quarantine directory and open file descriptors

Panagiotis Christias Mon, 20 Mar 2006 16:26:01 -0800

On 3/18/06, Panagiotis Christias <[EMAIL PROTECTED]> wrote:
> Hello,
>
> we are observing the following behaviour with our clamd/clamav-milter setup:
>
> there some messages that exceed the StreamMaxLength remaining in the
> quarantine directory with filenames like msg.AuxBaE. Clamav-milter
> keeps around 17 open filedescriptors for each such file. These file
> descriptors are not released and over the time reach high numbers,
> around several thousands (~5000 or more). Eventually clamav-milter
> stops responding and gets restarted by the watchdog script
> (clmilter_watch).
>
> We have three mail gateways running the same setup and they have the
> same problem. All of them are running ClamAV version 0.88,
> clamav-milter version 0.87 on FreeBSD 5.3/5.4.
>
> Clamav-milter run as: clamav-milter -enNqd -m 150 -U /var/tmp/clamav
>
> Our clamd.conf contain:
>
> LogFile /var/log/clamav/clamd.log
> LogFileMaxSize 0
> LogTime
> LogSyslog
> LogFacility LOG_MAIL
> PidFile /var/run/clamav/clamd.pid
> TemporaryDirectory /var/tmp/clamav-tmp
> DatabaseDirectory /var/db/clamav
> LocalSocket /var/run/clamav/clamd
> FixStaleSocket
> TCPAddr 127.0.0.1
> MaxConnectionQueueLength 50
> StreamMaxLength 1M
> MaxThreads 100
> User clamav
> AllowSupplementaryGroups
> ScanPE
> DetectBrokenExecutables
> ScanOLE2
> ScanMail
> ScanHTML
> ScanArchive
> ArchiveMaxFileSize 1M
> ArchiveMaxCompressionRatio 1500
>
> Here is a sample of the quarantine directory followed by the output of
> lsof (I'm sorry about the formatting):
>
> % ls -lt /var/tmp/clamav | head
> total 5246994
> -rw-------  1 clamav  wheel  1049604 Mar 18 19:46 msg.AuxBaE
> drwx------  2 clamav  wheel     5120 Mar 18 19:45 060318
> -rw-------  1 clamav  wheel  1051111 Mar 18 19:43 msg.JxxvNF
> -rw-------  1 clamav  wheel  1050797 Mar 18 19:31 msg.VHSVPJ
> -rw-------  1 clamav  wheel  1050743 Mar 18 19:26 msg.Wbbvdw
> -rw-------  1 clamav  wheel  1049604 Mar 18 19:25 msg.EwAggU
> -rw-------  1 clamav  wheel  1051111 Mar 18 19:22 msg.jieLN6
> -rw-------  1 clamav  wheel  1049500 Mar 18 18:54 msg.vHmpcn
> -rw-------  1 clamav  wheel  1049496 Mar 18 18:41 msg.v02yjx
>
> % /usr/local/sbin/lsof -n -w -c clamav-milter | egrep msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
> clamav-mi 65257 clamav  134u  VREG       4,18  1049604 10058197
> /var/tmp/clamav/msg.AuxBaE
>
> I can provide you with some of /var/tmp/clamav/msg.* files for debugging.
>
> Regards,
> Panagiotis


Hello,

we tried to run clamav-milter without the quarantine option:

   clamav-milter -enNqd -m 150 -U /var/tmp/clamav

Now some of the messages that exceed the StreamMaxLength linger around
in the TemporaryDirectory (/var/tmp/clamav-tmp as defined in
clamav.conf). Actually they are not whole messages just the first part
of them (until they reach StreamMaxLength, set to 1MB).

Here is the ls -lt output:

% ls -lt /var/tmp/clamav-tmp/clamav-c11d50658f95ce57
total 42240
-rw-------  1 clamav  wheel  1049685 Mar 20 22:56 msg.PU9k1M
-rw-------  1 clamav  wheel  1049407 Mar 20 20:32 msg.N3bV6C
-rw-------  1 clamav  wheel  1049399 Mar 20 20:11 msg.UwRgAj
-rw-------  1 clamav  wheel  1049404 Mar 20 19:43 msg.lQ8HVp
-rw-------  1 clamav  wheel  1049386 Mar 20 19:16 msg.1bleQF
-rw-------  1 clamav  wheel  1049421 Mar 20 19:03 msg.RrElJ2
-rw-------  1 clamav  wheel  1049389 Mar 20 18:46 msg.PHLTDC
-rw-------  1 clamav  wheel  1049360 Mar 20 18:11 msg.e39fVc
-rw-------  1 clamav  wheel  1049361 Mar 20 17:55 msg.NviCyQ
-rw-------  1 clamav  wheel  1049357 Mar 20 17:14 msg.4HCWK5
-rw-------  1 clamav  wheel  1049500 Mar 20 16:58 msg.J6V4d6
-rw-------  1 clamav  wheel  1049406 Mar 20 16:55 msg.AzNZqD
-rw-------  1 clamav  wheel  1049536 Mar 20 16:48 msg.m5pG4q
-rw-------  1 clamav  wheel  1049434 Mar 20 16:13 msg.o9rDH0
-rw-------  1 clamav  wheel  1049466 Mar 20 15:45 msg.MYbS6g
-rw-------  1 clamav  wheel  1049597 Mar 20 15:22 msg.Ml3P9v
-rw-------  1 clamav  wheel  1049690 Mar 20 14:59 msg.BKRNp9
-rw-------  1 clamav  wheel  1049642 Mar 20 14:48 msg.2y8EKy
-rw-------  1 clamav  wheel  1049468 Mar 20 14:47 msg.gB7OkU
-rw-------  1 clamav  wheel  1049515 Mar 20 14:30 msg.rnEDJB
-rw-------  1 clamav  wheel  1050562 Mar 20 14:21 msg.xFXWO0
-rw-------  1 clamav  wheel  1050562 Mar 20 14:21 msg.e5mcKb
-rw-------  1 clamav  wheel  1050763 Mar 20 14:04 msg.0m2Ig4
-rw-------  1 clamav  wheel  1049908 Mar 20 13:52 msg.YSTy5h
-rw-------  1 clamav  wheel  1049485 Mar 20 13:18 msg.4x4vDr
-rw-------  1 clamav  wheel  1049541 Mar 20 10:54 msg.FT82FS
-rw-------  1 clamav  wheel  1049649 Mar 20 10:54 msg.SXXnDE
-rw-------  1 clamav  wheel  1049545 Mar 20 10:14 msg.ERwc4A
-rw-------  1 clamav  wheel  1049586 Mar 20 10:10 msg.BoHuJH
-rw-------  1 clamav  wheel  1049537 Mar 20 10:06 msg.4DiQvF
-rw-------  1 clamav  wheel  1049638 Mar 20 10:04 msg.6ByOgM
-rw-------  1 clamav  wheel  1049676 Mar 20 09:59 msg.lxhRro
-rw-------  1 clamav  wheel  1049491 Mar 19 12:46 msg.PUWrSU
-rw-------  1 clamav  wheel  1050609 Mar 18 23:10 msg.UwLJeY
-rw-------  1 clamav  wheel  1049614 Mar 18 20:15 msg.BI7zxJ
-rw-------  1 clamav  wheel  1049604 Mar 18 20:15 msg.sJW9OM
-rw-------  1 clamav  wheel  1051111 Mar 18 20:12 msg.X3UQPg
-rw-------  1 clamav  wheel  1049604 Mar 18 19:55 msg.4P66rd
-rw-------  1 clamav  wheel  1049614 Mar 18 19:55 msg.d8cM55
-rw-------  1 clamav  wheel  1051111 Mar 18 19:52 msg.z7pjCQ

Lsof still reports 11 to 14 open file descriptors for each of those
files by clamav-milter.

Any ideas or suggestions? Has anybody else come across such left overs?

Thanks
Panagiotis
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html

[Clamav-users] Re: clamav-milter: stale files in quarantine directory and open file descriptors

Reply via email to