I have ClamAV running on several Linux mailservers. All of them stopped working last night with similar symptoms:
- Some time after 23h CEST (21h GMT) freshclam started complaining it couldn't connect to any update server.

  Apr 6 23:07:06 lx1 freshclam[15939]: nonblock_connect: connect timing out (30 secs)
  Apr 6 23:07:06 lx1 freshclam[15939]: Can't connect to port 80 of host db.de.clamav.net (IP: 62.26.160.3)
  Apr 6 23:07:06 lx1 freshclam[15939]: Trying host db.de.clamav.net (62.201.161.84)...
  [repeating every 30 seconds with varying IP addresses]

  This in itself isn't normally a reason for concern.

- Five minutes later it gives up on incrementals and switches to main.cvd, which is probably standard behaviour, but the connection problems persist:

  Apr 6 23:12:08 lx1 freshclam[15939]: Incremental update failed, trying to download main.cvd
  Apr 6 23:12:38 lx1 freshclam[15939]: nonblock_connect: connect timing out (30 secs)
  Apr 6 23:12:38 lx1 freshclam[15939]: Can't connect to port 80 of host db.de.clamav.net (IP: 195.246.234.199)
  Apr 6 23:12:38 lx1 freshclam[15939]: Trying host db.de.clamav.net (212.1.60.18)...
  Apr 6 23:13:08 lx1 freshclam[15939]: nonblock_connect: connect timing out (30 secs)

- Some time later ClamAV complains it cannot update its database, and exits:

  Apr 6 23:15:28 lx1 clamav-milter[15949]: Unable to lock database directory
  Apr 6 23:15:28 lx1 clamav-milter[15949]: Failed to load updated database
  Apr 6 23:15:31 lx1 clamav-milter[15947]: ClamAv: mi_stop=1
  Apr 6 23:15:31 lx1 clamav-milter[15947]: Stopping ClamAV 0.92.1/6635/Sun Apr 6 18:29:31 2008

  Or on a different machine using MIMEdefang instead of clamav-milter:

  Apr 6 23:49:10 monolith clamd[4648]: reload db failed: Unable to lock database directory (try 3)
  Apr 6 23:49:10 monolith clamd[4648]: reload db failed: Unable to lock database directory
  Apr 6 23:49:10 monolith clamd[4648]: Terminating because of a fatal error.
  Apr 6 23:49:10 monolith clamd[4648]: Socket file removed.
  Apr 6 23:49:10 monolith clamd[4648]: Pid file removed.
  Apr 6 23:49:10 monolith clamd[4648]: --- Stopped at Sun Apr 6 23:49:10 2008

  From that point on, mail is blocked because I deliberately configured the servers in question not to let messages pass unchecked in case of a virus scanner outage.

- Several hours later, the update finally succeeds:

  Apr 7 02:41:25 lx1 freshclam[15939]: Downloading main-46.cdiff [100%]
  Apr 7 02:41:29 lx1 freshclam[15939]: main.inc updated (version: 46, sigs: 231834, f-level: 26, builder: sven)
  Apr 7 02:42:01 lx1 freshclam[15939]: Downloading daily-6636.cdiff [100%]
  [...]
  Apr 7 02:49:17 lx1 freshclam[15939]: Downloading daily-6637.cdiff [100%]
  Apr 7 02:49:28 lx1 freshclam[15939]: Downloading daily-6638.cdiff [100%]
  Apr 7 02:49:45 lx1 freshclam[15939]: Downloading daily-6639.cdiff [100%]
  Apr 7 02:49:45 lx1 freshclam[15939]: daily.inc updated (version: 6639, sigs: 13046, f-level: 26, builder: ccordes)
  Apr 7 02:49:45 lx1 freshclam[15939]: Database updated (244880 signatures) from db.de.clamav.net (IP: 85.199.169.78)
  Apr 7 02:49:45 lx1 freshclam[15939]: Clamd successfully notified about the update.
  Apr 7 02:49:45 lx1 freshclam[15939]: --------------------------------------

  But the clamd process stays dead.

- When I come into the office in the morning I find all mailservers blocking their mail. I restart all the ClamAV daemons, and all is well again.

Simple question: why did that happen? IMHO a failure to update the signatures, even if it persists for several hours, should not prevent the continued use of the scan service with the signatures it already has.

Is this:
- a misconfiguration (i.e. my own fault)?
- a bug?
- a feature?

TIA
T.

--
Tilman Schmidt
Phoenix Software GmbH       Tel. +49 228 97199 0
Adolf-Hombitzer-Str. 12     Fax +49 228 97199 99
53227 Bonn, Germany         www.phoenixsoftware.de
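A watchdog check for the outage described in this message, as an added example that is not part of the original post: it scans syslog for a scanner daemon that logged a stop and has not logged again under a new PID. The function name, the choice of stop markers from the quoted log lines, and the "new PID means restarted" heuristic are assumptions of this example.

```python
import re

# Syslog lines quoted from the post above (abridged, two hosts).
SAMPLE_LOG = """\
Apr 6 23:07:06 lx1 freshclam[15939]: Can't connect to port 80 of host db.de.clamav.net (IP: 62.26.160.3)
Apr 6 23:15:28 lx1 clamav-milter[15949]: Unable to lock database directory
Apr 6 23:15:31 lx1 clamav-milter[15947]: Stopping ClamAV 0.92.1/6635/Sun Apr 6 18:29:31 2008
Apr 6 23:49:10 monolith clamd[4648]: reload db failed: Unable to lock database directory
Apr 6 23:49:10 monolith clamd[4648]: Terminating because of a fatal error.
Apr 6 23:49:10 monolith clamd[4648]: Socket file removed.
Apr 7 02:49:45 lx1 freshclam[15939]: Clamd successfully notified about the update.
"""

# timestamp, host, program, pid, message
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")
SCANNERS = {"clamd", "clamav-milter"}
STOP_MARKERS = ("Terminating because of a fatal error", "Stopping ClamAV")
LOCK_ERROR = "Unable to lock database directory"


def scanner_outages(log_text):
    """Return {(host, program): info} for scanners that stopped and stayed down."""
    seen_pids, lock_seen, down = {}, set(), {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(3) not in SCANNERS:
            continue  # freshclam and unrelated lines do not change scanner state
        stamp, host, prog, pid, msg = m.groups()
        key = (host, prog)
        # Heuristic (assumption): a PID never seen before the stop means a restart.
        # Shutdown chatter from the old PID ("Socket file removed.") does not count.
        if key in down and pid not in seen_pids[key]:
            del down[key]
            lock_seen.discard(key)
        seen_pids.setdefault(key, set()).add(pid)
        if LOCK_ERROR in msg:
            lock_seen.add(key)
        if any(marker in msg for marker in STOP_MARKERS):
            down[key] = {"since": stamp, "after_lock_error": key in lock_seen}
    return down


if __name__ == "__main__":
    for (host, prog), info in scanner_outages(SAMPLE_LOG).items():
        print(f"{host}: {prog} down since {info['since']} "
              f"(lock error seen: {info['after_lock_error']})")
```

Run from cron against the mail log, a non-empty result is the condition to alert on, since freshclam's later "Clamd successfully notified" line does not mean the scanner is running.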