On Wed, Nov 7, 2012 at 3:20 AM, Philipp Schwaha <phil...@schwaha.net> wrote:

> hi everybody!
>
> I recently set up a combination of exim and clamav which was working
> very nicely until clamav seemingly started to choke. Switching
> debugging on I obtained the following:
>
> Wed Nov  7 01:52:06 2012 -> Received POLLIN|POLLHUP on fd 4
> Wed Nov  7 01:52:06 2012 -> Got new connection, FD 9
> Wed Nov  7 01:52:06 2012 -> Received POLLIN|POLLHUP on fd 5
> Wed Nov  7 01:52:06 2012 -> fds_poll_recv: timeout after 5 seconds
> Wed Nov  7 01:52:06 2012 -> Received POLLIN|POLLHUP on fd 9
> Wed Nov  7 01:52:06 2012 -> got command SCAN
> /var/spool/exim/scan/1TVtsE-0006lJ-9m/1TVtsE-0006lJ-9m.eml (63, 5),
> argument: /var/spool/exim/scan/1TVtsE-0006lJ-9m/1TVtsE-0006lJ-9m.eml
> Wed Nov  7 01:52:06 2012 -> mode -> MODE_WAITREPLY
> Wed Nov  7 01:52:06 2012 -> Breaking command loop, mode is no longer
> MODE_COMMAND
> Wed Nov  7 01:52:06 2012 -> Consumed entire command
> Wed Nov  7 01:52:06 2012 -> THRMGR: queue (single) crossed low
> threshold -> signaling
> Wed Nov  7 01:52:06 2012 -> THRMGR: queue (bulk) crossed low threshold
> -> signaling
> Wed Nov  7 01:52:06 2012 -> Number of file descriptors polled: 1 fds
> Wed Nov  7 01:52:06 2012 -> fds_poll_recv: timeout after 600 seconds
> Wed Nov  7 01:52:06 2012 ->
> /var/spool/exim/scan/1TVtsE-0006lJ-9m/1TVtsE-0006lJ-9m.eml: Can't
> create temporary directory ERROR
> Wed Nov  7 01:52:06 2012 -> Finished scanthread
> Wed Nov  7 01:52:06 2012 -> Scanthread: connection shut down (FD 9)
> Wed Nov  7 01:52:06 2012 -> THRMGR: queue (single) crossed low
> threshold -> signaling
> Wed Nov  7 01:52:06 2012 -> THRMGR: queue (bulk) crossed low threshold
> -> signaling
>
> This seems very odd, since it seems that it wants to create a
> temporary file which has exactly the same name as the input file and
> hence little probability of success. Am I interpreting the error
> message incorrectly?
> Or is this maybe some other issue?
>
> I have now tried with clamav versions 0.97.4, 0.97.5 and 0.97.6. Exim
> is at version 4.80. Its log file contains the corresponding message:
>
> 1TVtsE-0006lJ-9m malware acl condition: clamd: ClamAV returned:
> /var/spool/exim/scan/1TVtsE-0006lJ-9m/1TVtsE-0006lJ-9m.eml: Can't
> create temporary directory ERROR
>
> Of note is that it happens for all mails, even the most simplistic
> ones (e.g., generated by swaks), where there is nothing to unpack. The
> description I found here:
> http://lurker.clamav.net/message/20120618.182545.25960b6a.en.html lets
> me think that the error message might not be quite ok?
>
> I have also tried with different settings of 'TemporaryDirectory'
> going through several useful settings such as /tmp or /var/tmp and
> also obviously broken directories, just in order to see if anything
> changes. So far I have not had any luck changing clamav's behaviour
> at all.
>
> Do you have any suggestions on how to further track down and hopefully
> fix this issue?
>
> cheers
>         Philipp
>
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>

This is a result message. It is starting with the file it was asked to scan,
not the directory it is trying to create. The message it is printing is
because the scanning result has a value of CL_ETMPDIR somewhere within the
scanning attempt and that bubbled up to be the final result. One of the
first things ClamAV does within the mail scanning is create a folder to
dump attachments to as temporary files for scanning. That is probably where
it is happening.

But it looks as if you only have debug level logging for the server thread
and not for the actual scanning thread. The scanning library should be
printing out a line that will tell you what directory it failed to create.
Everywhere that the CL_ETMPDIR return code is initially returned, it is
printing a message (frequently at debug level) to say what directory it
could not create. In the case of the mail message related failure I am
guessing above [inside function cli_scanmail()] it will look like this:
Mail: Can't create temporary directory /dir/name/goes/here

That would tell you what folder it failed to create. So you need to get
that message printed, which means checking the config. Can you share your
clamd.conf file?

Dave R.

-- 
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com
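A small diagnostic that follows Dave's advice, added here and not part of the thread or of ClamAV itself: it reads the effective TemporaryDirectory from a clamd.conf, tests whether a subdirectory can actually be created there (the step that returns CL_ETMPDIR when it fails), and reports whether "Debug yes" is set so libclamav logs the directory it could not create. The sample clamd.conf is constructed for the demonstration; run the check as the user clamd runs as (assumed here to be a dedicated clamav account) to see its view of the directory.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): find where clamd will try to create
# its per-scan temporary folder and test that it can do so.
# Assumes clamd.conf syntax "TemporaryDirectory /path" (default /tmp when unset)
# and that "Debug yes" enables libclamav debug output.

# Constructed sample clamd.conf so the script runs stand-alone.
SAMPLE_CONF="${TMPDIR:-/tmp}/clamd-sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed example clamd.conf
LogFile /var/log/clamav/clamd.log
TemporaryDirectory /var/tmp/clamav-does-not-exist
#Debug yes
EOF

# Print the effective TemporaryDirectory: last uncommented setting, else /tmp.
clamd_tmpdir() {
    dir=$(sed -n 's/^[[:space:]]*TemporaryDirectory[[:space:]]\{1,\}//p' "$1" | tail -n 1)
    printf '%s\n' "${dir:-/tmp}"
}

# Succeed only if an uncommented "Debug yes" line is present.
clamd_debug_enabled() {
    grep -Eiq '^[[:space:]]*Debug[[:space:]]+(yes|true|1)[[:space:]]*$' "$1"
}

# Create and remove a subdirectory the way the scanner would; 0 on success.
tmpdir_writable() {
    d=$(mktemp -d "$1/clamav-check.XXXXXX" 2>/dev/null) || return 1
    rmdir "$d"
}

# Human-readable summary of both checks for one config file.
diagnose() {
    conf=$1
    dir=$(clamd_tmpdir "$conf")
    if tmpdir_writable "$dir"; then
        echo "TemporaryDirectory $dir: subdirectory creation OK"
    else
        echo "TemporaryDirectory $dir: cannot create a subdirectory (would yield CL_ETMPDIR)"
    fi
    if clamd_debug_enabled "$conf"; then
        echo "Debug is on: libclamav will log which directory it failed to create"
    else
        echo "Debug is off: set 'Debug yes' in $conf to see the failing directory"
    fi
}

diagnose "$SAMPLE_CONF"
```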