Same basic errors in each file.

I have logs going to /var/log/

The restart occurs via a script run by cron.  However, the output is redirected 
to /dev/null.



[root@rhel7test ~]# clamconf -n
Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
LogRotate = "yes"
TemporaryDirectory = "/var/tmp"
TCPSocket = "3310"
TCPAddr = "127.0.0.1"
ReadTimeout = "300"
CommandReadTimeout = "120"
CrossFilesystems disabled
ConcurrentDatabaseReload disabled
User = "clamscan"
ScanArchive disabled
OnAccessIncludePath = "/usr", "/home", "/etc", "/root", "/opt", "/boot", "/tmp"
OnAccessExcludePath = "/opt/splunkforwarder", "/opt/commvault", 
"/opt/SolarWinds"
OnAccessExcludeUname = "clamscan"
OnAccessRetryAttempts = "3"

Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"

mail/clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.3
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV 
JSON

Database information
--------------------
Database directory: /var/lib/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 08:32:42 2021
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 10:21:51 2021
daily.cvd: version 26505, sigs: 1977345, built on Thu Apr  7 04:25:37 2022
Total number of signatures: 8624864

Platform information
--------------------
uname: Linux 3.10.0-1160.62.1.el7.x86_64 #1 SMP Wed Mar 23 09:04:02 UTC 2022 
x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.7 (1.2.7), compile flags: a9
platform id: 0x0a217c7c0800000002040805

Build information
-----------------
GNU C: 4.8.5 20150623 (Red Hat 4.8.5-44) (4.8.5)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64 -mtune=generic 
-fno-strict-aliasing   -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE 
-D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64 -mtune=generic
LDFLAGS: -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld 
-Wl,--as-needed  -lprelude
Configure: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' 
'--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' 
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--enable-milter' '--disable-clamav' 
'--disable-static' '--disable-zlib-vcheck' '--disable-unrar' 
'--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav' 
'--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath' 
'--disable-silent-rules' '--enable-clamdtop' '--enable-prelude' 
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64
  -mtune=generic' 'LDFLAGS=-Wl,-z,relro 
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed' 'CFLAGS=-O2 -g 
-pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong 
--param=ssp-buffer-size=4 -grecord-gcc-switches 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64 -mtune=generic' 
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 124, dconf: 124

Thanks,
Jeff Hoevenaar

-----Original Message-----
From: clamav-users <[email protected]> On Behalf Of G.W. 
Haywood via clamav-users
Sent: Wednesday, May 4, 2022 8:46 AM
To: Hoevenaar, Jeffrey (GE Aviation, US) via clamav-users 
<[email protected]>
Cc: G.W. Haywood <[email protected]>
Subject: EXT: Re: [clamav-users] error files in /

Hi there,

On Wed, 4 May 2022, Hoevenaar, Jeffrey (GE Aviation, US) via clamav-users wrote:

> I am getting these strange files in the root file system "/" on my Linux 
> servers.
>
> -rw-r-----.   1 root root    98 Apr 13 08:00 @??E?U
> -rw-r-----.   1 root root    75 Apr 26 08:00 @g6??U
> -rw-r-----.   1 root root    75 Apr  1 08:00 @g)$?U
>
>
> The files contain the error message.
>
> ERROR: ClamClient: Connection to clamd failed, Couldn't resolve host name.
> ClamScanQueue: stopped

Do they all contain the same error message?  Two of the files are 75 bytes 
long, the other one is 98 bytes.  The error message in your post is (give or 
take formatting in an email) 98 bytes.  The first line of the error is 75 bytes 
(with the same proviso).

To connect to clamd, an IP address would be more reliable than a hostname.  It 
wouldn't rely on some flaky name resolution service.

In any case more information is needed.  Please could you let us have the 
output of the command

clamconf -n

cut and pasted into an email so that there are no accidental changes?

> I believe it is occurring when the clam services are restarted each day.

It isn't really necessary to restart those services daily, but it probably 
won't do any harm and it might help highlight some issues (for example like 
this one).  But I'd be inclined to disable the restarts, at least for a while, 
just to find out if the restarts really are triggering this.

> Any idea how to route these error messages elsewhere?

It will be easy to do but more information is needed.  There are very few 
reasons to write files in the root directory, and nothing like ClamAV has any 
business doing that.  It might mean there's something wrong with your 
configuration; it might not be the ClamAV-specific configuration but that's a 
place to start.  ClamAV might be started or restarted by some configuration 
that's provided by your operating system distribution, and not by ClamAV 
itself.  It would help if you could give us information about that, such as the 
OS distribution(s), the packages which provide ClamAV, etc. and any local 
configuration changes made to the distribution defaults.  The ideal would be to 
get any utility (such as one provided by ClamAV) to know where to write its 
error output (e.g. /var/log/somewhere) before actually doing it.

-- 

73,
Ged.

_______________________________________________

clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
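
Added example (not part of the original messages, and not ClamAV code): a triage check for the symptom discussed in this thread, listing files in a directory whose names contain non-printable bytes and whose content begins with the quoted ClamClient error. The function names, the sample file names and the assumption that each error line ends in a newline on disk are constructed for illustration.

```python
import os
import tempfile

# Error text quoted in the thread. Assumption: each line ends with "\n" on
# disk, which gives the 75-byte and 98-byte sizes seen in the listing.
CLAM_ERROR = (b"ERROR: ClamClient: Connection to clamd failed, "
              b"Couldn't resolve host name.\n")
QUEUE_STOPPED = b"ClamScanQueue: stopped\n"

def has_garbage_name(name: bytes) -> bool:
    """True if the file name contains bytes outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in name)

def find_stray_error_files(directory: str):
    """Return sorted (name, size, has_both_lines) for stray error files.

    A hit is a regular file (symlinks are not followed) with a garbage name
    whose content starts with the ClamClient error line.
    """
    hits = []
    # Scan with a bytes path so undecodable names are returned unchanged.
    with os.scandir(os.fsencode(directory)) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if not has_garbage_name(entry.name):
                continue
            with open(entry.path, "rb") as fh:
                data = fh.read(4096)
            if data.startswith(CLAM_ERROR):
                size = entry.stat(follow_symlinks=False).st_size
                hits.append((entry.name, size,
                             data == CLAM_ERROR + QUEUE_STOPPED))
    return sorted(hits)

def demo():
    """Scan a temporary directory holding constructed sample files."""
    samples = {
        b"@\x01\x02E\x03U": CLAM_ERROR + QUEUE_STOPPED,  # both lines
        b"@g6\x04\x05U": CLAM_ERROR,                     # first line only
        b"notes.txt": CLAM_ERROR,          # printable name: not reported
        b"\x01junk": b"unrelated\n",       # other content: not reported
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(os.fsencode(tmp), name), "wb") as fh:
                fh.write(body)
        return find_stray_error_files(tmp)

if __name__ == "__main__":
    for name, size, both in demo():
        print(repr(name), size, "both lines" if both else "first line only")
```

Calling find_stray_error_files("/") on an affected server reports names as raw bytes, which makes them usable for exact matching where ls prints "?".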
