I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and restarting clamd fixed the problem.
This sig turned up in an update at 11:51AM GMT+10 26/1/2018 and the problem began a few minutes later: clamd ran out of file descriptors. I also had to clean out TemporaryDirectory before restarting.

Not sure what the exact reason for the problem is. There is an EOF-15 in a subsig. Perhaps this causes a performance hit on large text files, as the end of the file must be seeked to, and this is sufficient on a busy system to cause demand to exceed supply.

sigtool --find Vbs.Downloader.Generic-6431223-0
Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;0:207075626c69632073756220;0:2073756220;EOF-15:203d202272652220656e6420696620;657865202f63207374617274

sigtool --find Vbs.Downloader.Generic-6431223-0 | sigtool --decode-sigs
VIRUS NAME: Vbs.Downloader.Generic-6431223-0
TDB: Engine:51-255,Target:7
LOGICAL EXPRESSION: (0|1)&2&3
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
 public sub
 * SUBSIG ID 1
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
 sub
 * SUBSIG ID 2
 +-> OFFSET: EOF-15
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
 = "re" end if
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
exe /c start

David Shrimpton

________________________________________
From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of Carlos García Gómez <carlos.gar...@f-integra.org>
Sent: Saturday, January 27, 2018 12:03:32 AM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] Problem with Max Open desciptor Files limit

Hi,

We have a problem with ClamAV due to the Max Open descriptor Files limit.

It seems like deleted temp files are not freed.

When the soft limit is reached the clamav process responds with an ERROR.

The problem began today with clamav version 0.99.2.

We have updated to the latest release, 0.99.3, but the problem is here again.

[root@mx2 tmp]# ps -ef |grep clamav
clamav 22927 1 0 13:50 ? 00:00:00 /home/vmail/antivirus/clamav/bin/freshclam -d
root 23128 21677 0 15:01 pts/1 00:00:00 grep clamav
clamav 23137 1 2 13:51 ? 00:01:39 /home/vmail/antivirus/clamav/sbin/clamd

[root@mx2 tmp]# lsof -p 23137
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
clamd 23137 clamav cwd DIR 8,1 4096 2 /
clamd 23137 clamav rtd DIR 8,1 4096 2 /
clamd 23137 clamav txt REG 8,2 330823 1507346 /home/vmail/antivirus/clamav-0.99.3/sbin/clamd
clamd 23137 clamav 11u REG 8,2 46 1540613 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-40e1c3eb5c91506cd8029a626d44e430.tmp (deleted)
clamd 23137 clamav 12u REG 8,2 119 1540264 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6191bbf55622fa150f6a562fedaa96bf.tmp (deleted)
clamd 23137 clamav 13u REG 8,2 119 1540266 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-d23444b929c3e8f70b245d0f7df9c64e.tmp (deleted)
clamd 23137 clamav 14u REG 8,2 36 1540265 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-0323a84d6821a592bccefde5a36c0bb4.tmp (deleted)
clamd 23137 clamav 15u REG 8,2 4793 1540268 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-a08b30fcf5ca4cbc35089753a49b688f.tmp (deleted)
clamd 23137 clamav 16u REG 8,2 4793 1540267 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-8fa41cdf16f7e03e3fef00fa7faefe66.tmp (deleted)
clamd 23137 clamav 17u REG 8,2 58 1540270 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-8106966405936ecc207ceb37377b2be5.tmp (deleted)
clamd 23137 clamav 18u REG 8,2 183 1540272 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6f395db61ea80440bbcdcccf8c1fd87e.tmp (deleted)
clamd 23137 clamav 19u REG 8,2 293 1540273 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-4d454dfbedfa70c192000a2cc021a0e9.tmp (deleted)
clamd 23137 clamav 20u REG 8,2 183 1540271 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-d7b9350895ea3c7c16a95810da93cbcd.tmp (deleted)
clamd 23137 clamav 21u REG 8,2 3137 1540274 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-61ead91328b1a1fb2eed66e0092fab37.tmp (deleted)
clamd 23137 clamav 22u REG 8,2 3137 1540276 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-ea8e77c7746f4e20efa08dd714e3bab1.tmp (deleted)
clamd 23137 clamav 23u REG 8,2 42 1540275 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6dc27ea80d232f5cf3354a7a3c8ec58d.tmp (deleted)
clamd 23137 clamav 24u REG 8,2 44 1540277 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-fee6d1b3d366eda4e15f5ff8416bc606.tmp (deleted)
clamd 23137 clamav 25u REG 8,2 677 1540279 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-2b9716c6173771c795a3b1c3bef56470.tmp (deleted)
clamd 23137 clamav 26u REG 8,2 155 1540280 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-e63b9a7454908ebb5f47657898bdb2c5.tmp (deleted)
clamd 23137 clamav 27u REG 8,2 1681 1540281 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-ba047ebfc0396a5b38b595eeec0f7437.tmp (deleted)
clamd 23137 clamav 28u REG 8,2 46 1540278 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-49dbcc76c3c8b14d279a9d0aa74310a1.tmp (deleted)
clamd 23137 clamav 29u REG 8,2 1681 1540283 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-46898158d350efefbe01636215301fad.tmp (deleted)
clamd 23137 clamav 30u REG 8,2 48 1540282 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-fdc1f1fdaca0933e22778c22bf4306c2.tmp (deleted)
clamd 23137 clamav 31u REG 8,2 1235 1540285 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-3849f6d05e67f2ad565d668e9a925158.tmp (deleted)
clamd 23137 clamav 32u REG 8,2 38 1540284 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-9428301ea35432270076585aad066354.tmp (deleted)

When there are 1024 FDs => ClamAV crashes

Any ideas?

Regards.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
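The logical signature quoted in the reply above, split and decoded by hand so that EOF-relative subsignatures in a local database can be listed before deciding what to put in local.ign2. This is an added example, not part of the original thread and not ClamAV code; parse_ldb and eof_anchored are hypothetical names, and the parser assumes plain-hex subsignatures with an optional "offset:" prefix and "::" modifier suffix.

```python
import re

# Signature line copied from the `sigtool --find` output in the thread.
SIG = ("Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;"
       "0:207075626c69632073756220;0:2073756220;"
       "EOF-15:203d202272652220656e6420696620;657865202f63207374617274")

HEX_ONLY = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def parse_ldb(line):
    """Split one .ldb line: name;TDB;logical expression;subsig0;subsig1;..."""
    name, tdb, expr, *raw_subsigs = line.strip().split(";")
    subsigs = []
    for idx, raw in enumerate(raw_subsigs):
        # Optional "::modifiers" suffix, then optional "offset:" prefix.
        sig_part, _, sigmod = raw.partition("::")
        offset, _, body = sig_part.rpartition(":")
        # Only wildcard-free hex bodies are decoded; others stay as hex.
        data = bytes.fromhex(body) if HEX_ONLY.match(body) else None
        subsigs.append({
            "id": idx,
            "offset": offset or "ANY",   # no prefix means match anywhere
            "sigmod": sigmod or "NONE",
            "hex": body,
            "text": data.decode("latin-1") if data is not None else None,
            "length": len(data) if data is not None else None,
        })
    return {
        "name": name,
        "tdb": dict(item.split(":", 1) for item in tdb.split(",")),
        "expr": expr,
        "subsigs": subsigs,
    }


def eof_anchored(sig):
    """IDs of subsignatures whose offset is counted back from end of file."""
    return [s["id"] for s in sig["subsigs"] if s["offset"].startswith("EOF-")]


if __name__ == "__main__":
    parsed = parse_ldb(SIG)
    for s in parsed["subsigs"]:
        print(s["id"], s["offset"], repr(s["text"]))
    # Subsig 2 is 15 bytes long at EOF-15, i.e. it must be the file's tail.
    print("EOF-anchored subsigs:", eof_anchored(parsed))
```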
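A check for the condition shown in the lsof listing above: descriptors still held open on unlinked files under the scanner's temporary directory, compared against the soft open-files limit. This is an added example, not part of the original thread; fd_report and soft_nofile_limit are hypothetical names, it assumes Linux /proc, and reading another user's process needs root or the same uid.

```python
import os


def soft_nofile_limit(pid):
    """Soft 'Max open files' limit of a process, from /proc/<pid>/limits."""
    with open(f"/proc/{pid}/limits") as fh:
        for line in fh:
            if line.startswith("Max open files"):
                soft = line.split()[3]          # fields: Max open files <soft> <hard> files
                return float("inf") if soft == "unlimited" else int(soft)
    raise RuntimeError("no 'Max open files' row in /proc limits")


def fd_report(pid, tmp_dir):
    """Count open descriptors and list those pointing at deleted files in tmp_dir."""
    fd_dir = f"/proc/{pid}/fd"
    prefix = tmp_dir.rstrip("/") + "/"
    total, deleted = 0, []
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue                            # descriptor closed while we were listing
        total += 1
        # The kernel appends " (deleted)" once the file has been unlinked.
        if target.startswith(prefix) and target.endswith(" (deleted)"):
            deleted.append(int(name))
    limit = soft_nofile_limit(pid)
    return {
        "open": total,
        "soft_limit": limit,
        "usage": total / limit,
        "deleted_tmp": sorted(deleted),
    }


if __name__ == "__main__":
    import sys
    # Usage: script.py <clamd pid> <TemporaryDirectory path>
    report = fd_report(int(sys.argv[1]), sys.argv[2])
    print(f"{report['open']} of {report['soft_limit']} descriptors in use, "
          f"{len(report['deleted_tmp'])} on deleted temp files")
    # Exit non-zero above 80% so a cron job or monitor can alert before the limit.
    sys.exit(1 if report["usage"] > 0.8 else 0)
```

Run periodically against the clamd PID, a steadily growing deleted_tmp list shows the leak well before the soft limit is hit.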