On Thu, Apr 25, 2013 at 4:41 PM, Kim Johansen <c...@weiser.dk> wrote:
> Hey,
>
> I am setting up a Maia mailguard system with ClamAV for virus scanning.
>
> I'm getting these in my logfile:
> clamav.log
> Thu Apr 18 18:13:40 2013 -> WARNING: lstat() failed on: /var/amavisd/tmp/amavis-20130403T221718-26913
> Thu Apr 18 18:13:52 2013 -> WARNING: lstat() failed on: /var/amavisd/tmp/amavis-20130418T181352-01899/parts
> Thu Apr 18 18:13:53 2013 -> WARNING: lstat() failed on: /var/amavisd/tmp/amavis-20130403T221718-26913
> Thu Apr 18 18:15:08 2013 -> WARNING: lstat() failed on: /var/amavisd/tmp/amavis-20130403T221718-26913
> Thu Apr 18 18:15:52 2013 -> WARNING: lstat() failed on: /var/amavisd/tmp/amavis-20130403T221718-26913
>
> I have configured ClamAV to run as amavis:
> mail ~ $ ps uax |grep amavis
> amavis 1292 0.0 4.7 393792 194180 ? Ssl 18:12 0:00 /usr/sbin/clamd
> amavis 1405 0.4 0.0 39848 1904 ? Ss 18:12 0:01 /usr/bin/freshclam -d --quiet
> amavis 1896 0.3 2.0 205400 83232 ? Ss 18:13 0:01 amavisd (master)
> amavis 1899 0.0 2.1 285688 85184 ? S 18:13 0:00 amavisd (ch1-avail)
> amavis 1900 0.0 2.0 206680 81848 ? S 18:13 0:00 amavisd (virgin child)
>
> And if I run the scan manually with clamdscan it shows the error:
> amavis@mail:~$ clamdscan /var/amavisd/tmp/amavis-20130403T221718-26913/
> /var/amavisd/tmp/amavis-20130403T221718-26913: lstat() failed: Permission denied. ERROR
> ----------- SCAN SUMMARY -----------
> Infected files: 0
> Total errors: 1
> Time: 0.000 sec (0 m 0 s)
>
> But if I run clamscan as the amavis user (the same user as clamd is
> running with) manually it works fine:
> amavis@mail:~$ clamscan /var/amavisd/tmp/amavis-20130403T221718-26913/
> /var/amavisd/tmp/amavis-20130403T221718-26913/email.txt: OK
> ----------- SCAN SUMMARY -----------
> Known viruses: 2163386
> Engine version: 0.97.7
> Scanned directories: 1
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 6.011 sec (0 m 6 s)
> amavis@mail:~$
>
> Here is the configuration file for ClamAV
> mail ~ $ cat /etc/clamav/clamd.conf
> #Automatically Generated by clamav-base postinst
> #To reconfigure clamd run #dpkg-reconfigure clamav-base
> #Please read /usr/share/doc/clamav-base/README.Debian.gz for details
> LocalSocket /var/run/clamav/clamd.ctl
> FixStaleSocket true
> #LocalSocketGroup clamav
> LocalSocketGroup amavis
> LocalSocketMode 666
> # TemporaryDirectory is not set to its default /tmp here to make overriding
> # the default with environment variables TMPDIR/TMP/TEMP possible
> #User clamav
> User amavis
> AllowSupplementaryGroups true
> ScanMail true
> ScanArchive true
> ArchiveBlockEncrypted false
> MaxDirectoryRecursion 15
> FollowDirectorySymlinks false
> FollowFileSymlinks false
> ReadTimeout 180
> MaxThreads 12
> MaxConnectionQueueLength 15
> LogSyslog false
> LogFacility LOG_LOCAL6
> LogClean false
> LogVerbose false
> PidFile /var/run/clamav/clamd.pid
> DatabaseDirectory /var/lib/clamav
> SelfCheck 3600
> Foreground false
> Debug false
> ScanPE true
> ScanOLE2 true
> ScanHTML true
> DetectBrokenExecutables false
> ExitOnOOM false
> LeaveTemporaryFiles false
> AlgorithmicDetection true
> ScanELF true
> IdleTimeout 30
> PhishingSignatures true
> PhishingScanURLs true
> PhishingAlwaysBlockSSLMismatch false
> PhishingAlwaysBlockCloak false
> DetectPUA false
> ScanPartialMessages false
> HeuristicScanPrecedence false
> StructuredDataDetection false
> CommandReadTimeout 5
> SendBufTimeout 200
> MaxQueue 100
> ExtendedDetectionInfo true
> OLE2BlockMacros false
> StreamMaxLength 50M
> LogFile /var/log/clamav/clamav.log
> LogTime true
> LogFileUnlock false
> LogFileMaxSize 0
> Bytecode true
> BytecodeSecurity TrustSigned
> BytecodeTimeout 60000
> OfficialDatabaseOnly false
> CrossFilesystems true
>
> Generally the amavis user does have RWX rights on all the folders except
> for the /var folder
>
> Anyone have any ideas?
>
> --
> Kim
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>

Kim,

1) Make sure that clamd has been restarted. (And amavisd, for that matter.)

2) Are you running SELinux or AppArmor or something like that?

Dave R.

--
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com
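
One way to carry out the two checks from the reply, as an added example that is not part of the original thread: it reads the running daemon's effective UID and group set from `/proc/<pid>/status` (a process keeps the credentials it started with until it is restarted) and classifies the LSM label in `/proc/<pid>/attr/current`. The function names and the UID/GID numbers in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a running daemon's credentials
# and LSM label through Linux /proc, for the two checks in the reply above.

# Effective UID from a /proc/<pid>/status file (Uid: real effective saved fs).
proc_euid() { awk '$1 == "Uid:" { print $3 }' "$1"; }

# GIDs the process holds: effective GID plus supplementary groups.
proc_gids() {
    awk '$1 == "Gid:"    { print $3 }
         $1 == "Groups:" { for (i = 2; i <= NF; i++) print $i }' "$1" | sort -nu
}

# Print each GID from "$2" (e.g. the output of `id -G amavis`) that the process
# lacks. A non-empty result means the daemon lacks groups a fresh login has.
missing_gids() {
    held=" $(proc_gids "$1" | tr '\n' ' ')"
    for g in $2; do
        case "$held" in *" $g "*) ;; *) printf '%s\n' "$g" ;; esac
    done
}

# Classify the contents of /proc/<pid>/attr/current.
lsm_state() {
    case "$1" in
        ""|unconfined)  echo unconfined ;;
        *"(enforce)")   echo apparmor-enforce ;;
        *"(complain)")  echo apparmor-complain ;;
        *:*:*)          echo selinux-context ;;
        *)              echo unknown ;;
    esac
}

# Constructed sample: a clamd running as uid/gid 110 with no other groups.
sample_status() {
    printf 'Name:\tclamd\nUid:\t110\t110\t110\t110\nGid:\t110\t110\t110\t110\nGroups:\t110 \n'
}

# Live use: sh check.sh <user> <pid>, e.g. the PID in /var/run/clamav/clamd.pid
if [ $# -eq 2 ]; then
    echo "euid=$(proc_euid "/proc/$2/status") expected=$(id -u "$1")"
    echo "missing gids: $(missing_gids "/proc/$2/status" "$(id -G "$1")" | tr '\n' ' ')"
    echo "lsm: $(lsm_state "$(cat "/proc/$2/attr/current" 2>/dev/null)")"
fi
```

An `selinux-context` result only shows that a context is attached; whether SELinux is enforcing is reported separately by `getenforce`.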