Hi Ged and thank you for your reply. > The error message doesn't say that permission was denied, it says that > the connection was refused. That means that nothing is listening on > the socket. Maybe the daemon died?
Good question. Although I checked the clamav service (clamd) is running. [root@mail ~]# service clamd status clamd (pid 12081) is running... [root@mail ~]# netstat -tapn | grep 12081 tcp 0 0 127.0.0.1:3310 0.0.0.0:* LISTEN 12081/clamd Amavis is listening as well. [root@mail ~]# netstat -tapn | grep amavis tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 12055/amavisd (mast tcp 0 0 127.0.0.1:46618 127.0.0.1:3306 ESTABLISHED 17488/amavisd (ch4- tcp 0 0 127.0.0.1:46943 127.0.0.1:3306 ESTABLISHED 18567/amavisd (ch3- But when I checked the amavis service I saw a curious message: [root@mail ~]# service amavisd status amavisd (pid 18567 17488 12055) is running... amavis-milter is stopped I checked /etc/init.d and found no amavis-milter service. Whatever could this possibly mean and could this be causing the error I'm receiving? Dec 6 07:04:45 li135-81 amavis[18567]: (18567-02) (!)ClamAV-clamd: Can't connect to UNIX socket /tmp/clamd.socket: Connection refused, retrying (2) Dec 6 07:04:51 li135-81 amavis[18567]: (18567-02) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /tmp/clamd.socket (Can't connect to UNIX socket /tmp/clamd.socket: Connection refused) at (eval 93) line 375.\n Dec 6 07:04:51 li135-81 amavis[18567]: (18567-02) (!!)WARN: all primary virus scanners failed, considering backups These are the only references I can find in my amavis conf file (/etc/amavis.conf) to ClamAV. Perhaps something is misconfigured? @av_scanners = ( # ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)# ['Sophie', # \&ask_daemon, ["{}/\n", '/var/run/sophie'], # qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m, # qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], # ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/ # ['Sophos SAVI', \&sophos_savi ], # ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/ # ['Sophos SAVI', \&sophos_savi ], # ### http://www.clamav.net/ ### http://www.clamav.net/ ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/tmp/clamd.socket"], qr/\bOK$/, qr/\bFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], # NOTE: run clamd under the same user as amavisd, or run it under its own # uid such as clamav, add user clamav to the amavis group, and then add # AllowSupplementaryGroups to clamd.conf; # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in # this entry; when running chrooted one may prefer socket "$MYHOME/clamd". # # uid such as clamav, add user clamav to the amavis group, and then add # # AllowSupplementaryGroups to clamd.conf; # # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in # # this entry; when running chrooted one may prefer socket "$MYHOME/clamd". # qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], # # NOTE: run clamd under the same user as amavisd, or run it under its own # # uid such as clamav, add user clamav to the amavis group, and then add # # AllowSupplementaryGroups to clamd.conf; # # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in # # this entry; when running chrooted one may prefer socket "$MYHOME/clamd". # ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred) # # note that Mail::ClamAV requires perl to be build with threading! # ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/m ], # ### http://www.openantivirus.org/ # ['OpenAntiVirus ScannerDaemon (OAV)', # \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'], # qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ], # ### http://www.vanja.com/tools/trophie/ # ['Trophie', # \&ask_daemon, ["{}/\n", '/var/run/trophie'], # qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m, # qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], # ### http://www.grisoft.com/ # ['AVG Anti-Virus', # \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'], # qr/^200/m, qr/^403/m, qr/^403 .*?: ([^\r\n]+)/m ], # ### http://www.f-prot.com/ # ['F-Prot fpscand', # F-PROT Antivirus for BSD/Linux/Solaris, version 6 # \&ask_daemon, # ["SCAN FILE {}/*\n", '127.0.0.1:10200'], # qr/^(0|8|64) /m, # qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m, # qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ], # ### http://www.f-prot.com/ # ['F-Prot f-protd', # old version # \&ask_daemon, # ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n", # ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202', # '127.0.0.1:10203', '127.0.0.1:10204'] ], # qr/(?i)<summary[^>]*>clean<\/summary>/m, # qr/(?i)<summary[^>]*>infected<\/summary>/m, # qr/(?i)<name>(.+)<\/name>/m ], # ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/ # ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later # [pack('N',1). # DRWEBD_SCAN_CMD # pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES # pack('N', # path length # length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")). # '{}/*'. # path # pack('N',0). # content size # pack('N',0), # '/var/drweb/run/drwebd.sock', # # '/var/amavis/var/run/drwebd.sock', # suitable for chroot # # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default # # '127.0.0.1:3000', # or over an inet socket # ], # qr/\A\x00[\x10\x11][\x00\x10]\x00/sm, # IS_CLEAN,EVAL_KEY; SKIPPED # qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF # qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm, # ], # # NOTE: If using amavis-milter, change length to: # # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx"). ### http://www.kaspersky.com/ (kav4mailservers) ['KasperskyLab AVP - aveclient', ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'], '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m, qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m, ], # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious, # currupted or protected archives are to be handled ### http://www.kaspersky.com/ ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? qr/infected: (.+)/m, sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], @av_scanners_backup = ( ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV ['ClamAV-clamscan', 'clamscan', "--stdout --no-summary -r --tempdir=$TEMPBASE {}", [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], ### http://www.f-prot.com/ - backs up F-Prot Daemon, V6 ['F-PROT Antivirus for UNIX', ['fpscan'], '--report --mount --adware {}', # consider: --applications -s 4 -u 3 -z 10 [0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3], qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ], ### http://www.f-prot.com/ - backs up F-Prot Daemon (old) ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], '-dumb -archive -packed {}', [0,8], [3,6], # or: [0], [3,6,8], qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ], ### http://www.trendmicro.com/ - backs up Trophie ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ], ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], '-path={} -al -go -ot -cn -upn -ok-', [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ], ### http://www.kaspersky.com/ ['Kaspersky Antivirus v5.5', ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner', '/opt/kav/5.5/kav4unix/bin/kavscanner', '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'], '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25], qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m, # sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, # sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], # Commented out because the name 'sweep' clashes with Debian and FreeBSD # package/port of an audio editor. Make sure the correct 'sweep' is found # in the path when enabling. # # ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl # ['Sophos Anti Virus (sweep)', 'sweep', # '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. # '--no-reset-atime {}', # [0,2], qr/Virus .*? found/m, # qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m, # ], # # other options to consider: -idedir=/usr/local/sav # Always succeeds and considers mail clean. # Potentially useful when all other scanners fail and it is desirable # to let mail continue to flow with no virus checking (when uncommented). # ['always-clean', sub {0}], ); ----- Original Message ----- From: "G.W. Haywood" <g...@jubileegroup.co.uk> To: clamav-users@lists.clamav.net Sent: Tuesday, December 6, 2011 6:47:00 AM Subject: Re: [clamav-users] clamav can't access socket file Hi there, On Tue, 6 Dec 2011 Tim Dunphy wrote: > ... for some reason I am getting clamav errors in my postfix log > files complaining that it can't access it's socket file. I've tried > opening the permissions all the way and the problem persists. I'm > curious as to what effect this will have if uncorrected and how best > to fix the problem > > > Dec 5 10:51:56 li135-81 amavis[11829]: (11829-03) (!)ClamAV-clamd: \ > Can't connect to UNIX socket /tmp/clamd.socket: Connection refused, ... The error message doesn't say that permission was denied, it says that the connection was refused. That means that nothing is listening on the socket. Maybe the daemon died? -- 73, Ged. _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
