On 1/17/07, Stephen Gran <[EMAIL PROTECTED]> wrote:
On Wed, Jan 17, 2007 at 08:49:14AM -0500, Edward Dam said:
> On 1/2/07, Ian Abbott <[EMAIL PROTECTED]> wrote:
> >On 20/12/06 16:49, Edward Dam wrote:
> >> On 12/13/06, Ian Abbott <[EMAIL PROTECTED]> wrote:
> >>>
> >>> #if 0 /* original */
> >>> logg("SelfCheck: Database status OK.\n");
> >>> return NULL;
> >>> #else /* temporary test */
> >>> logg("SelfCheck: Database status OK. Reloading anyway.\n");
> >>> return root;
> >>> #endif
> >>>
> >>> This will force the self-check to reload the database files even if
> >>> nothing has changed. Then if you get MD5 errors randomly after this
> >>> message in the logs, you'll know it has nothing to do with freshclam,
> >>> and more to do with random disk read/write errors.
> >>
> >> I've done this code change, and the mail system just died.
> >> Here's the relevant clip from the clamd log:
> >>
> >> Wed Dec 20 09:53:33 2006 -> SelfCheck: Database status OK. Reloading anyway.
> >> Wed Dec 20 09:53:33 2006 -> Reading databases from /var/clamav
> >> Wed Dec 20 09:53:33 2006 -> ERROR: reload db failed: MD5 verification error
> >
> >Sorry for the tardiness of this reply! Those logs appear to be
> >generated as a result of clamd's scheduled self-check, as no changes to
> >the timestamps of the database files were detected (that would result in
> >"SelfCheck: Database modification detected. Forcing reload.").
> >
> >However, there is a small possibility that freshclam could be updating
> >the database files during clamd's scheduled self-check in such a way
> >that clamd does not notice that the timestamps have changed, but due to
> >the code change is reloading the (possibly modified) database files
> >anyway. To rule out this possibility, it would be necessary to look at
> >the freshclam logs to see when it last notified clamd about the updated
> >files.

Unlikely - freshclam writes to a temp file, and verifies that before
doing anything to the main file.
The OP can verify by correlating timestamps of freshclam download
attempts with the last crash on Dec 20th, however.

So, OP - can you supply logfiles for both clamd and freshclam around the
times of the crash? It really looks to me like freshclam is verifying
the md5 signature, and immediately after, clamd is failing to do so.
Very, very odd.
--
 --------------------------------------------------------------------------
|  Stephen Gran                  | Nothing is so often irretrievably       |
|  [EMAIL PROTECTED]             | missed as a daily opportunity.  --      |
|  http://www.lobefin.net/~steve | Ebner-Eschenbach                        |
 --------------------------------------------------------------------------
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

As requested, here are log snippets from the latest crash.
Freshclam.log:
Here it gets a successful update and notifies clam:

Jan 16 17:01:00 LINUXSERV CROND[17998]: (root) CMD (run-parts /etc/cron.hourly)
--------------------------------------
freshclam daemon 0.88.7 (OS: linux-gnu, ARCH: i386, CPU: i686)
ClamAV update process started at Tue Jan 16 18:36:34 2007
main.cvd is up to date (version: 42, sigs: 83951, f-level: 10, builder: tkojm)
daily.cvd updated (version: 2459, sigs: 3178, f-level: 9, builder: sven)
Database updated (87129 signatures) from db.ca.clamav.net (IP: 209.139.239.158)
Clamd successfully notified about the update.

... cut to the section where it dies:
--------------------------------------
Jan 17 07:01:00 LINUXSERV CROND[11334]: (root) CMD (run-parts /etc/cron.hourly)
--------------------------------------
ClamAV update process started at Wed Jan 17 07:30:32 2007
main.cvd updated (version: 42, sigs: 83951, f-level: 10, builder: tkojm)
daily.cvd updated (version: 2459, sigs: 3178, f-level: 9, builder: sven)
Database updated (87129 signatures) from db.ca.clamav.net (IP: 209.172.34.149)
ERROR: Clamd was NOT notified: Can't connect to clamd on 127.0.0.1:3310

So you see that clam was down at 7:30am.

Here's the relevant snippet from clamd.log

Jan 16 22:01:00 LINUXSERV CROND[4087]: (root) CMD (run-parts /etc/cron.hourly)
Tue Jan 16 22:40:09 2007 -> /var/spool/qmailscan/tmp/LINUXSERV11690052074934404/1169005209.4406- 0.LINUXSERV: HTML.Phishing.Bank-627 FOUND
Tue Jan 16 22:40:09 2007 -> SelfCheck: Database status OK. Reloading anyway.
Tue Jan 16 22:40:09 2007 -> Reading databases from /var/clamav
Tue Jan 16 22:40:09 2007 -> /var/spool/qmailscan/tmp/LINUXSERV11690052074934404/orig-LINUXSERV11690052074934404: HTML.Phishing.Bank-627 FOUND
Tue Jan 16 22:40:10 2007 -> ERROR: reload db failed: MD5 verification error

So you can see that at 10:40PM last night, a reload of the DB failed,
and hung mail... so the next update of databases from freshclam (at 7am)
couldn't notify clam as it was already dead.

Thanks,
Ed
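
Added example, not part of the original messages and not ClamAV code: a Python sketch of the timestamp correlation discussed in this thread. It pairs each clamd "reload db failed" error with the last freshclam run that started before it. The function names and the 300-second window are assumptions, and the sample lines are copied from the log snippets quoted above.

```python
import re
from datetime import datetime

TS = r"(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})"   # e.g. Tue Jan 16 22:40:10 2007
FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample input: lines taken from the snippets quoted in this thread.
FRESHCLAM_LOG = """\
ClamAV update process started at Tue Jan 16 18:36:34 2007
Clamd successfully notified about the update.
ClamAV update process started at Wed Jan 17 07:30:32 2007
ERROR: Clamd was NOT notified: Can't connect to clamd on 127.0.0.1:3310
"""
CLAMD_LOG = """\
Tue Jan 16 22:40:09 2007 -> SelfCheck: Database status OK. Reloading anyway.
Tue Jan 16 22:40:09 2007 -> Reading databases from /var/clamav
Tue Jan 16 22:40:10 2007 -> ERROR: reload db failed: MD5 verification error
"""

def freshclam_runs(text):
    """Return [(start_time, notified)] for each freshclam update run."""
    runs = []
    for line in text.splitlines():
        m = re.match(r"ClamAV update process started at " + TS, line)
        if m:
            runs.append([datetime.strptime(m.group(1), FMT), None])
        elif runs and line.startswith("Clamd successfully notified"):
            runs[-1][1] = True
        elif runs and "Clamd was NOT notified" in line:
            runs[-1][1] = False
    return [tuple(r) for r in runs]

def reload_failures(text):
    """Return the timestamps of clamd 'reload db failed' errors."""
    pat = re.compile(TS + r" -> ERROR: reload db failed")
    return [datetime.strptime(m.group(1), FMT)
            for m in map(pat.match, text.splitlines()) if m]

def correlate(fresh_text, clamd_text, window_s=300):
    """For each failure: (time, seconds since the last freshclam run started,
    whether that gap is within window_s). The window is an assumed threshold."""
    runs = freshclam_runs(fresh_text)
    out = []
    for fail in reload_failures(clamd_text):
        prior = [start for start, _ in runs if start <= fail]
        gap = (fail - max(prior)).total_seconds() if prior else None
        out.append((fail, gap, gap is not None and gap <= window_s))
    return out
```

On the sample lines, `correlate(FRESHCLAM_LOG, CLAMD_LOG)` reports one failure at 22:40:10, 14616 seconds after the 18:36:34 freshclam run, which is outside the window.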