Re: [Clamav-users] ClamAV timing out
On Fri, 1 Jun 2007, Rob Sterenborg wrote:

> > Start with your mail log, which messages are causing the problem? are
> > they big, do they have certain type of attachments, etc. (all these
> > attributes can be controlled with MailScanner) If you can isolate
> > one sample, better, that way you'll have something to test directly.
>
> From what I see in the logs it times out on virtually all email. If I
> let the MTA continue receiving and scanning email, it will hang up
> itself.
>
> > Have you tested clamav? for instance running clamscan on the test
> > directory that comes with the source.
>
> Yes I tested clamscan and it is working, I suppose clamavmodule should
> be working too then.
>
> We also use Sophos so, after I wrote this message I disabled ClamAV and
> tried with just Sophos: the same timeout occurred.
> So I deleted and reinstalled all of ClamAV. At first it didn't time out
> but later it started again.
> Next I noticed SpamAssassin also started to time out *a lot*.
>
> Since we suffered a crash because of a power outage (it's quite silly: the
> UPSes worked great and we would have survived it if it weren't for the
> aircos that were not connected to an external power aggregate. A lot of
> machines shut down -some more, some less- because of heat problems) I
> figure we have data corruption or something.
>
> So, I'm not so sure if this is ClamAV related. Maybe this doesn't belong
> here... I'll continue searching.

Are you using clamscan instead of clamdscan? That could be the reason for
your trouble. Both programs take a long time to start up, easily long
enough to overrun a timeout. But clamdscan starts up only once, whereas
clamscan starts up fresh for every new mail message.

Alan Stern

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] Stream logging patch
Hi all, In my setup I have several mail-relay and wanted to use a dedicated server running clamd to scan viruses for all my mail-relays. For this purpose, I am using a program called clamd-stream-client on each mail-relay to check for viruses, all pointing to my clamd server. This gives me the option to simply add another server whenever the clamd server starts getting into trouble cpu/ram/etc., or for backup/failover situations. When using clamd to scan streams, logging is _extremely_ basic. This did not allow me to get statistics of which mail-relay was the one placing the greatest demand on the clamd server, so after looking at the code, I modified the logging so that the ip address of the calling client is also displayed in the logs, making it easier to determine who is actually using the server. I have included a patch for 0.90.3, which also works for 0.90.2. Since I started logging the ip addresses of all stream clients, I have only found that my mail-relays are using it, but can now easily spot if there are unauthorized accesses. Hope this helps -- Jorge Valdes [EMAIL PROTECTED] diff -rub clamav-0.90.3-orig/clamd/scanner.c clamav-0.90.3/clamd/scanner.c --- clamav-0.90.3-orig/clamd/scanner.c 2007-04-16 10:52:14.0 -0600 +++ clamav-0.90.3/clamd/scanner.c 2007-02-27 18:43:46.0 -0600 @@ -416,8 +416,6 @@ const char *virname; char buff[FILEBUFF]; struct sockaddr_in server; + struct sockaddr_in peer; + socklen_t addrlen; struct hostent he; struct cfgstruct *cpt; char *tmpname; 
@@ -499,22 +497,21 @@ return -1; } -if((acceptd = accept(sockfd, NULL, NULL)) == -1) { +addrlen = sizeof(peer); +if((acceptd = accept(sockfd, (struct sockaddr *)&peer, &addrlen)) == -1) { close(sockfd); mdprintf(odesc, "accept() ERROR\n"); logg("!ScanStream %d: accept() failed.\n", port); return -1; } -logg("*Accepted connection on port %d, fd %d\n", port, acceptd); +logg("*Accepted connection from %s on port %d, fd %d\n", inet_ntoa(peer.sin_addr), port, acceptd); if ((tmpname = cli_gentempdesc(NULL, &tmpd)) == NULL) { shutdown(sockfd, 2); close(sockfd); close(acceptd); mdprintf(odesc, "tempfile() failed. ERROR\n"); - logg("!ScanStream %d: Can't create temporary file.\n", port); + logg("!ScanStream %s %d: Can't create temporary file.\n", inet_ntoa(peer.sin_addr), port); return -1; } @@ -533,7 +530,7 @@ closesocket(sockfd); closesocket(acceptd); mdprintf(odesc, "Temporary file -> write ERROR\n"); - logg("!ScanStream %d: Can't write to temporary file.\n", port); + logg("!ScanStream %s %d: Can't write to temporary file.\n", inet_ntoa(peer.sin_addr), port); close(tmpd); if(!cfgopt(copt, "LeaveTemporaryFiles")->enabled) unlink(tmpname); @@ -545,7 +542,7 @@ btread = (maxsize - size); /* only read up to max */ if(btread <= 0) { - logg("^ScanStream %d: Size limit reached (max: %d)\n", port, maxsize); + logg("^ScanStream %s %d: Size limit reached (max: %d)\n", inet_ntoa(peer.sin_addr), port, maxsize); break; /* Scan what we have */ } } @@ -554,11 +551,11 @@ switch(retval) { case 0: /* timeout */ mdprintf(odesc, "read timeout ERROR\n"); + logg("!ScanStream %s %d: read timeout.\n", inet_ntoa(peer.sin_addr), port); - logg("!ScanStream %d: read timeout.\n", port); break; case -1: mdprintf(odesc, "read poll ERROR\n"); + logg("!ScanStream %s %d: read poll failed.\n", inet_ntoa(peer.sin_addr), port); - logg("!ScanStream %d: read poll failed.\n", port); break; } 
@@ -578,17 +575,17 @@ if(ret == CL_VIRUS) { mdprintf(odesc, "stream: %s FOUND\n", virname); + logg("stream %s %d: %s FOUND\n", inet_ntoa(peer.sin_addr), port, virname); - logg("stream %d: %s FOUND\n", port, virname); virusaction("stream", virname, copt); } else if(ret != CL_CLEAN) { if(retval == 1) { mdprintf(odesc, "stream: %s ERROR\n", cl_strerror(ret)); + logg("stream %s %d: %s ERROR\n", inet_ntoa(peer.sin_addr), port, cl_strerror(ret)); - logg("stream %d: %s ERROR\n", port, cl_strerror(ret)); } } else { mdprintf(odesc, "stream: OK\n"); if(logok) + logg("stream %s %d: OK\n", inet_ntoa(peer.sin_addr), port); - logg("stream %d: OK\n", port); } return ret;
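Review bot: the hunk headers do not match the hunk bodies, so this patch is unlikely to apply cleanly with `patch`. `@@ -416,8 +416,6 @@` shrinks the range by two lines while the body adds two (`+ struct sockaddr_in peer;` and `+ socklen_t addrlen;`), the next hunk then starts at `-499,22 +497,21` although the new file should be two lines longer, the last two hunks list `+` lines before the `-` lines they replace, and the `+++` timestamp (2007-02-27) is older than the `---` timestamp of the pristine file (2007-04-16). It looks like the diff was hand-edited or produced with the directories swapped; regenerate it with `diff -rub clamav-0.90.3-orig clamav-0.90.3` from a pristine tree so readers can apply it with `patch -p1`.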
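Review bot: in the accept() hunk, inet_ntoa() returns a pointer into static storage and is not thread-safe, and clamd serves scan sessions from a thread pool, so two ScanStream threads that log at the same time can print each other's address. Convert the peer address once right after accept() into a local buffer, e.g. `char peerip[INET_ADDRSTRLEN]; inet_ntop(AF_INET, &peer.sin_addr, peerip, sizeof peerip);`, and pass `peerip` to every logg() call; that also removes the repeated inet_ntoa() calls in the later hunks. Please also confirm scanner.c includes <arpa/inet.h> (not visible in this diff), and note that `struct sockaddr_in` limits the logging to IPv4 peers.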
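Review bot: the new formats `ScanStream %s %d:` and `stream %s %d:` (from the -533 hunk onward) separate address and port with a bare space, so a log parser cannot tell the address from the port without counting fields, and the existing `stream %d:` prefix that scripts may already match on changes shape. A fixed delimiter such as `stream %s:%d:` (or `[%s]`) keeps the address unambiguous, which matters for the per-relay statistics and the unauthorized-client spotting the cover note describes; the size-limit warning in the -545 hunk is a good candidate for that, since it is the line that shows which client keeps hitting the stream size cap.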
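As an added example that is not part of Jorge's patch or of ClamAV itself, here is a small Python analyzer for the per-client log lines the patched clamd writes: it counts scan results per relay address and flags any address that is not one of the known mail-relays. The sample log lines and the relay addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of clamd log lines in the format the patch emits
# ("stream <ip> <port>: <result>"), with clamd's usual timestamp prefix.
SAMPLE_LOG = """\
Fri Jun  1 18:05:09 2007 -> stream 192.0.2.10 3311: OK
Fri Jun  1 18:05:10 2007 -> stream 192.0.2.11 3312: Eicar-Test-Signature FOUND
Fri Jun  1 18:05:11 2007 -> stream 192.0.2.10 3313: OK
Fri Jun  1 18:05:12 2007 -> ScanStream 192.0.2.10 3314: read timeout.
Fri Jun  1 18:05:13 2007 -> stream 198.51.100.7 3315: OK
Fri Jun  1 18:05:14 2007 -> stream 192.0.2.11 3316: Broken or not a PE file ERROR
"""

# Matches the "stream" result lines and the "ScanStream" error/warning lines.
LINE_RE = re.compile(
    r"(?P<kind>stream|ScanStream) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+): (?P<msg>.*)$"
)

def classify(kind, msg):
    """Map one log message to: ok, found, error, timeout or other."""
    if kind == "stream":
        if msg == "OK":
            return "ok"
        if msg.endswith(" FOUND"):
            return "found"
        if msg.endswith(" ERROR"):
            return "error"
    elif "timeout" in msg:
        return "timeout"
    return "other"

def summarize(log_text, allowed_clients):
    """Return per-client result counters and the set of unexpected clients."""
    stats = defaultdict(lambda: defaultdict(int))
    unknown = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated clamd log line
        ip = m.group("ip")
        stats[ip][classify(m.group("kind"), m.group("msg"))] += 1
        if ip not in allowed_clients:
            unknown.add(ip)
    return {ip: dict(c) for ip, c in stats.items()}, unknown

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, {"192.0.2.10", "192.0.2.11"}))
```

Feed it the real clamd log (the StreamMaxLength warnings and read timeouts land in the "timeout"/"other" buckets) and any address outside your relay list is a client that should not be reaching the scanner.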
[Clamav-users] daily.wmd trouble with 0.91rc1
I seem to be having trouble with clamscan 0.91rc1 choking with the current
daily.wmd file. It was working fine until the most recent db update.

# clamscan --version
ClamAV 0.91rc1-exp/3337/Fri Jun 1 18:05:09 2007

# clamscan /tmp/email.txt
Segmentation fault (core dumped)

Now remove the current daily.wdb from daily.inc:
# rm /var/db/clamav/daily.inc/daily.wdb

# clamscan /tmp/tmp/email.txt
/tmp/tmp/email.txt: OK

clamd is also hung and unkillable.

Anyone else having this problem?

--
Noel Jones
Re: [Clamav-users] daily.wmd trouble with 0.91rc1
On Fri, 1 Jun 2007, Noel Jones wrote:

> I seem to be having trouble with clamscan 0.91rc1 choking with the current
> daily.wmd file. It was working fine until the most recent db update.

I don't have this problem, but I don't seem to have a daily.wmd file in my
daily.inc either. I have daily.wdb and .zmd, but no .wmd

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: [Clamav-users] daily.wmd trouble with 0.91rc1
At 09:56 PM 6/1/2007, Christopher X. Candreva wrote:
>On Fri, 1 Jun 2007, Noel Jones wrote:
>
> > I seem to be having trouble with clamscan 0.91rc1 choking with the current
> > daily.wmd file. It was working fine until the most recent db update.
>
>I don't have this problem, but I don't seem to have a daily.wmd file in my
>daily.inc either. I have daily.wdb and .zmd, but no .wmd

fatfinger error on the name, I am referring to daily.wdb as the pasted
session shows. Are you using 91rc1? It's very repeatable here. I have
re-downloaded daily.cvd and get the same error.

# clamscan --version
ClamAV 0.91rc1-exp/3337/Fri Jun 1 18:05:09 2007

# clamscan /tmp/email.txt
Segmentation fault (core dumped)

Now remove the current daily.wdb from daily.inc:
# rm /var/db/clamav/daily.inc/daily.wdb

# clamscan /tmp/tmp/email.txt
/tmp/tmp/email.txt: OK

clamd is also hung and unkillable.
Re: [Clamav-users] daily.wmd trouble with 0.91rc1
On Fri, 1 Jun 2007, Noel Jones wrote:

> fatfinger error on the name, I am referring to daily.wdb as the
> pasted session shows.

Ah, sorry. Bleary-eyed error not catching it in the session. :-)

> Are you using 91rc1? It's very repeatable here. I have

Yes, so far it has been running fine. My monitoring scripts haven't
restarted it once.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: [Clamav-users] daily.wmd trouble with 0.91rc1
At 10:20 PM 6/1/2007, Christopher X. Candreva wrote:
>On Fri, 1 Jun 2007, Noel Jones wrote:
>
> > fatfinger error on the name, I am referring to daily.wdb as the
> > pasted session shows.
>
>Ah, sorry. Bleary-eyed error not catching it in the session. :-)
>
> > Are you using 91rc1? It's very repeatable here. I have
>
>Yes, so far it has been running fine. My monitoring scripts haven't
>restarted it once.

Ok, I've narrowed it down to the following TWO lines in daily.wdb:

X:http.//www\.ebay\.co\.uk.+:.+emailpics.\.ebay\.com:14-
X:http.//info.citibank.com.+:https.//offer.citibank.com:14-

(I believe daily.wdb is a whitelist for the experimental antiphishing
code. I'm not sure this file is used if you don't compile with
--enable-experimental.)

If *BOTH* these lines are present, clamscan coredumps when scanning an
email with an html part. The email need not have URLs that reference the
sites in the two rules. This is very repeatable with multiple email
messages. clamscan still works properly on text files or email with no
html.

--
Noel Jones
Re: [Clamav-users] daily.wmd trouble with 0.91rc1
On Fri, 1 Jun 2007, Noel Jones wrote:

> Ok, I've narrowed it down to the following TWO lines in daily.wdb:
> X:http.//www\.ebay\.co\.uk.+:.+emailpics.\.ebay\.com:14-
> X:http.//info.citibank.com.+:https.//offer.citibank.com:14-

I removed the files in the .inc directories and freshclam pulled down a
new main.cvd and daily.cvd. Deleting daily.cvd stopped clamscan from
dumping core for me. Quick and brainless, but the easiest move to make
when in Panic Mode.

Not ideal, obviously.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] daily.wmd trouble with 0.91rc1
At 10:48 PM 6/1/2007, jef moskot wrote:
>On Fri, 1 Jun 2007, Noel Jones wrote:
>
> > Ok, I've narrowed it down to the following TWO lines in daily.wdb:
> > X:http.//www\.ebay\.co\.uk.+:.+emailpics.\.ebay\.com:14-
> > X:http.//info.citibank.com.+:https.//offer.citibank.com:14-
>
>I removed the files in the .inc directories and freshclam pulled down a
>new main.cvd and daily.cvd. Deleting daily.cvd stopped clamscan from
>dumping core for me. Quick and brainless, but the easiest move to make
>when in Panic Mode.
>
>Not ideal, obviously.

So you're having this same problem? If you remove daily.cvd you won't be
protected from a large number of current viruses; far from ideal.

I used sigtool -u to unpack daily.cvd, then hand-created a daily.inc
directory with all the unpacked files, then hand-edited daily.wdb to
remove the offending lines. Oh, and then moved daily.cvd out of the way.

I've disabled freshclam for the night so my hand-crafted .wdb won't be
overwritten, and will revisit this tomorrow.

--
Noel Jones
Re: [Clamav-users] daily.wmd trouble with 0.91rc1
Noel Jones wrote:
> At 09:56 PM 6/1/2007, Christopher X. Candreva wrote:
>> On Fri, 1 Jun 2007, Noel Jones wrote:
>>
>>> I seem to be having trouble with clamscan 0.91rc1 choking with the current
>>> daily.wmd file. It was working fine until the most recent db update.
>> I don't have this problem, but I don't seem to have a daily.wmd file in my
>> daily.inc either. I have daily.wdb and .zmd, but no .wmd
>
> fatfinger error on the name, I am referring to daily.wdb as the
> pasted session shows.
> Are you using 91rc1? It's very repeatable here. I have
> re-downloaded daily.cvd and get the same error.
>
> # clamscan --version
> ClamAV 0.91rc1-exp/3337/Fri Jun 1 18:05:09 2007
>
> # clamscan /tmp/email.txt
> Segmentation fault (core dumped)
>
> Now remove the current daily.wdb from daily.inc:
> # rm /var/db/clamav/daily.inc/daily.wdb
>
> # clamscan /tmp/tmp/email.txt
> /tmp/tmp/email.txt: OK
>
> clamd is also hung and unkillable.

I'm running Solaris 10 x86 here and cannot duplicate your error. I moved
the daily.wdb file to /tmp and clamd died. I restarted it with svcadm and
it started and ran fine. I then rsync'd daily.wdb from /tmp back to the
working directory and it's still running.

dp
Re: [Clamav-users] daily.wmd trouble with 0.91rc1
On Fri, 1 Jun 2007, Noel Jones wrote:

> So you're having this same problem?

Yes, I was getting core dumps trying to clamscan.

> I used sigtool -u to unpack daily.cvd, then hand-created a daily.inc
> directory with all the unpacked files, then hand-edited daily.wdb to
> remove the offending lines. Oh, and then moved daily.cvd out of the
> way.

Thanks, I hadn't messed around with unpacking signatures to know the best
thing to do. I just went for the thing that stopped the core dumps ASAP!

> I've disabled freshclam for the night so my hand-crafted .wdb won't be
> overwritten, and will revisit this tomorrow.

As will I. Thanks again!

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] daily.wmd trouble with 0.91rc1
At 11:39 PM 6/1/2007, Dennis Peterson wrote:
>Noel Jones wrote:
>
>
>I'm running Solaris 10 x86 here and cannot duplicate your error. I moved
>the daily.wdb file to /tmp and clamd died. I restarted it with svcadm
>and it started and ran fine. I then rsync'd daily.wdb from /tmp back to
>the working directory and it's still running.

Thanks for trying Dennis...
I should mention that I'm running FreeBSD 5.3 on this server.

I recompiled clamav without --enable-experimental and still have the
error. It's unclear if this flag does anything interesting right now
since the anti-phishing code is enabled by default in this version.

The error is very reproducible here, and definitely related to the
anti-phishing code.

Using "clamscan --no-phishing-scan-urls email.txt" prevents the core
dumps. I strongly suspect setting clamd.conf "PhishingScanURLs no" would
fix this too, at the expense of no longer detecting bogus URL phish.

--
Noel Jones
Re: [Clamav-users] daily.wmd trouble with 0.91rc1
Noel Jones wrote the following on 6/1/2007 10:22 PM -0800:
> At 11:39 PM 6/1/2007, Dennis Peterson wrote:
>
>> Noel Jones wrote:
>>
>> I'm running Solaris 10 x86 here and cannot duplicate your error. I moved
>> the daily.wdb file to /tmp and clamd died. I restarted it with svcadm
>> and it started and ran fine. I then rsync'd daily.wdb from /tmp back to
>> the working directory and it's still running.
>>
>
> Thanks for trying Dennis...
> I should mention that I'm running FreeBSD 5.3 on this server.
>
> I recompiled clamav without --enable-experimental and still have the
> error. It's unclear if this flag does anything interesting right now
> since the anti-phishing code is enabled by default in this version.
>
> The error is very reproducible here, and definitely related to the
> anti-phishing code.
>
> Using "clamscan --no-phishing-scan-urls email.txt" prevents the core
> dumps. I strongly suspect setting clamd.conf "PhishingScanURLs no"
> would fix this too, at the expense of no longer detecting bogus URL phish.
>

Noel,

I started seeing the same problem this evening with ClamAV 0.90.3. I
finally had to recompile with --disable-experimental and everything has
run fine here since. I wonder if you disable the experimental sections in
the clamd.conf file if that will have any effect. Also, can you compile
with experimental specifically disabled (--disable-experimental)?

Good luck...

Bill