I'm running ClamAV 0.88.2 via daemontools and qscanq for use with
qmail.  I've been having an issue with clamd being unable to
allocate memory.  From the logs (as an example):

2006-06-27 08:36:36.985532500 LibClamAV Error: cli_malloc(): Can't allocate memory (123 bytes).
2006-06-27 08:36:36.985554500 malloc_problem: Cannot allocate memory
2006-06-27 08:36:36.985584500 LibClamAV Error: cli_malloc(): Can't allocate memory (123 bytes).
2006-06-27 08:36:36.985606500 malloc_problem: Cannot allocate memory
2006-06-27 08:36:36.985635500 LibClamAV Error: cli_malloc(): Can't allocate memory (95 bytes).
2006-06-27 08:36:36.985656500 malloc_problem: Cannot allocate memory
2006-06-27 08:36:36.985683500 LibClamAV Error: cli_malloc(): Can't allocate memory (123 bytes).
2006-06-27 08:36:36.985704500 malloc_problem: Cannot allocate memory
2006-06-27 08:36:36.985730500 LibClamAV Error: cli_malloc(): Can't allocate memory (8 bytes).
2006-06-27 08:36:36.985752500 malloc_problem: Cannot allocate memory

The problem is that this causes clamd to crater (CPU usage for the
clamd process goes to 100%) and makes the mail server unavailable
(sending mail returns an SMTP 4.3.0 temporarily not available).  This
will usually eventually resolve itself, but it could take hours for
mail service to be restored.

I've upped the softlimit on clamd from 10Mb to 30Mb to 50Mb but that
didn't solve the problem.  I researched this problem in the list
archives and found the ExitOnOOM directive, however incorporating that
doesn't solve the problem either: clamd does not die when it cannot
allocate memory.  I cannot seem to find any other solutions, so I
would appreciate some insight.

For reference:

# cat /service/clamd/run
#!/bin/sh
exec 2>&1
CLAMD_FILE=./root/clamd
SCAN_FILE=$0

# Check for a leftover socket.
if [ -e $CLAMD_FILE ]
then
 echo "run: WARNING: file $CLAMD_FILE exists"
 if clamdscan $SCAN_FILE
 then
   echo "run: FATAL: Clamd is already running. Trying to start anyway..."
 else
   echo "run: INFO: Clamd is not running. Deleting $CLAMD_FILE"
   rm -f $CLAMD_FILE
 fi
fi

# Run the scanner daemon.
# NOTE: ClamAV v.80 will not run with this setuidgid line.  Removing
# seems to fix the issue per Clamav-users list
#exec setuidgid gqscanq /usr/local/sbin/clamd
exec /usr/local/bin/softlimit -a 50000000 /usr/local/sbin/clamd -c /etc/clamav/clamd.conf

exec /usr/local/sbin/freshclam --daemon --checks 2


# cat /etc/clamav/clamd.conf
##
## Example config file for the Clam AV daemon
## Please read the clamav.conf(5) manual before editing this file.
##


# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running the daemon.
# Full path is required.
LogFile /dev/stderr

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option). That's why you shouldn't uncomment
# this option.
#LogFileUnlock

# Maximal size of the log file. Default is 1 Mb.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
#LogFileMaxSize 2M

# Log time with an each message.
LogTime

# Log also clean files. May be useful in debugging but will drastically
# increase the log size.
#LogClean

# Use system logger (can work together with LogFile).
#LogSyslog

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names. Default is LOG_LOCAL6.
LogFacility LOG_MAIL

# Enable verbose logging.
#LogVerbose

# This option allows you to save the process identifier of the listening
# daemon (main thread).
#PidFile /var/run/clamd.pid

# Optional path to the global temporary directory.
# Default is system specific - usually /var/tmp or /tmp.
#TemporaryDirectory /var/tmp

# Path to the database directory.
# Default is the hardcoded directory (mostly /usr/local/share/clamav,
# but it depends on installation options).
#DatabaseDirectory /var/lib/clamav

# The daemon works in local or network mode. Currently the local mode is
# recommended for security reasons.

# Path to the local socket. The daemon doesn't change the mode of the
# created file (portability reasons). You may want to create it in a directory
# which is only accessible for a user running daemon.
LocalSocket /tmp/clamd

# Remove stale socket after unclean shutdown.
FixStaleSocket

# TCP port address.
#TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default is 15.
#MaxConnectionQueueLength 30

# When activated, input stream (see STREAM command) will be saved to disk before
# scanning - this allows scanning within archives.
#StreamSaveToDisk

# Close the connection if this limit is exceeded.
#StreamMaxLength 10M

# Maximal number of a threads running at the same time.
# Default is 5, and it should be sufficient for a typical workstation.
# You may need to increase threads number for a server machine.
#MaxThreads 10

# Waiting for data from a client socket will timeout after this time (seconds).
# Default is 120. Value of 0 disables the timeout.
#ReadTimeout 300

# Maximal depth the directories are scanned at.
MaxDirectoryRecursion 15

# Follow a directory symlinks.
# SECURITY HINT: You should have enabled directory recursion limit to
# avoid potential problems.
#FollowDirectorySymlinks

# Follow regular file symlinks.
#FollowFileSymlinks

# Do internal checks (eg. check the integrity of the database structures)
# By default clamd checks itself every 3600 seconds (1 hour).
#SelfCheck 600

# Execute a command when a virus is found. In the command string %v will
# be replaced by the virus name.
#
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as selected user (clamd must be started by root).
# By default it doesn't drop privileges.
User gqscanq

# Initialize the supplementary group access (for all groups in /etc/group
# user is added in. clamd must be started by root).
#AllowSupplementaryGroups

# Don't fork into background. Useful in debugging.
Foreground

# Enable debug messages in libclamav.
#Debug

# Do not remove temporary files (for debug purposes).
#LeaveTemporaryFiles

##
## Document scanning
##

# This option enables scanning of Microsoft Office document macros.
ScanOLE2

##
## Mail support
##

# Uncomment this option if you are planning to scan mail files.
ScanMail

##
## Archive support
##


# Comment this line to disable scanning of the archives.
ScanArchive


# By default the built-in RAR unpacker is disabled by default because the code
# terribly leaks, however it's probably a good idea to enable it.
#ScanRAR


# Options below protect your system against Denial of Service attacks
# with archive bombs.

# Files in archives larger than this limit won't be scanned.
# Value of 0 disables the limit.
# WARNING: Due to the unrarlib implementation, whole files (one by one) in RAR
#          archives are decompressed to the memory. That's why never disable
#          this limit (but you may increase it of course!)
ArchiveMaxFileSize 10M

# Archives are scanned recursively - e.g. if Zip archive contains RAR file,
# the RAR file will be decompressed, too (but only if recursion limit is set
# at least to 1). With this option you may set the recursion level.
# Value of 0 disables the limit.
ArchiveMaxRecursion 5

# Number of files to be scanned within archive.
# Value of 0 disables the limit.
ArchiveMaxFiles 1000

# Mark potential archive bombs as viruses (0 disables the limit)
ArchiveMaxCompressionRatio 200

# Use slower decompression algorithm which uses less memory. This option
# affects bzip2 decompressor only.
#ArchiveLimitMemoryUsage

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
#ArchiveBlockEncrypted


##
## Clamuko settings
## WARNING: This is experimental software. It is very likely it will hang
##          up your system !!!
##

# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
#ClamukoScanOnAccess

# Set access mask for Clamuko.
ClamukoScanOnOpen
ClamukoScanOnClose
ClamukoScanOnExec

# Set the include paths (all files in them will be scanned). You can have
# multiple ClamukoIncludePath options, but each directory must be added
# in a separate option. All subdirectories are scanned, too.
ClamukoIncludePath /home
#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.
#ClamukoExcludePath /home/guru

# Limit the file size to be scanned (probably you don't want to scan your movie
# files ;))
# Value of 0 disables the limit. 1 Mb should be fine.
ClamukoMaxFileSize 1M

# Enable archive support. It uses the limits from clamd section.
# (This option doesn't depend on ScanArchive, you can have archive support
# in clamd disabled).
ClamukoScanArchive

# Make ClamAV die if it cannot allocate memory.  If it dies,
# daemontools will restart it
ExitOnOOM
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
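
The failure pattern in this post, as an added example that is not part of the original message or of ClamAV: a check that counts cli_malloc() failures in clamd's log output and reports the smallest request that failed, so a supervisor can decide to restart the service. The function names, the threshold of 3 and the one-record-per-line input are assumptions; the sample lines are constructed in the format of the log above.

```sh
#!/bin/sh
# Added example: detect the clamd out-of-memory loop from its log output.
# Assumption: each log record is on a single line, as in the sample below.

# summarize_oom: read log lines on stdin and print
# "<failure count> <smallest failed request in bytes>".
summarize_oom() {
    awk '
        /cli_malloc\(\): Can.t allocate memory \([0-9]+ bytes\)/ {
            n++
            s = $0
            sub(/^.*allocate memory \(/, "", s)   # drop text before the size
            sub(/ bytes\).*$/, "", s)             # drop text after the size
            if (min == "" || s + 0 < min) min = s + 0
        }
        END { printf "%d %d\n", n, min }
    '
}

# needs_restart THRESHOLD: succeed when stdin holds at least THRESHOLD failures.
needs_restart() {
    threshold=$1
    set -- $(summarize_oom)
    [ "$1" -ge "$threshold" ]
}

# Constructed sample in the format of the log quoted in the post.
sample_log() {
    cat <<'EOF'
2006-06-27 08:36:36.985532500 LibClamAV Error: cli_malloc(): Can't allocate memory (123 bytes).
2006-06-27 08:36:36.985554500 malloc_problem: Cannot allocate memory
2006-06-27 08:36:36.985635500 LibClamAV Error: cli_malloc(): Can't allocate memory (95 bytes).
2006-06-27 08:36:36.985656500 malloc_problem: Cannot allocate memory
2006-06-27 08:36:36.985730500 LibClamAV Error: cli_malloc(): Can't allocate memory (8 bytes).
2006-06-27 08:36:36.985752500 malloc_problem: Cannot allocate memory
EOF
}

if sample_log | needs_restart 3; then
    echo "clamd OOM loop: $(sample_log | summarize_oom) (failures, smallest request in bytes)"
    # A supervisor check would restart the service here, e.g. svc -t /service/clamd
fi
```

A smallest failed request of only a few bytes indicates the process is already at the ceiling set by softlimit -a, rather than failing on a single large allocation.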