clamd configuration?

Jason Ede j.ede at birchenallhowden.co.uk
Fri Jul 6 15:41:43 IST 2007


ClamAV was running as user clamav and group clamav

The incoming work group parameter in mailscanner.conf is set to clamav

The incoming dir is owned by user postfix group clamav

If I set clamd to run as user root then it all seems to work quite happily and detects the test viruses as below... I'll use this setup for now, I think.

Jason





Jul  6 15:38:07 gateway MailScanner[21753]: Files hidden in very deeply nested archive in 0EC8D9685C2.D171D
Jul  6 15:38:08 gateway MailScanner[21753]: Password-protected archive (eicarpasswdocr.zip) in 44B169685CE.1FA20
Jul  6 15:38:08 gateway postfix/smtpd[21683]: connect from unknown[58.186.231.112]
Jul  6 15:38:08 gateway MailScanner[21753]: Password-protected archive (eicarpasswd.zip) in 2706D9685CD.A5BA0
Jul  6 15:38:08 gateway MailScanner[21753]: Virus and Content Scanning: Starting
Jul  6 15:38:08 gateway MailScanner[21753]: Commencing scanning by clamd...
Jul  6 15:38:08 gateway MailScanner[21827]: Debug Mode Is On
Jul  6 15:38:08 gateway MailScanner[21827]: Use Threads : NO
Jul  6 15:38:08 gateway MailScanner[21827]: Socket    : /tmp/clamd
Jul  6 15:38:08 gateway MailScanner[21827]: IP        : Using Sockets
Jul  6 15:38:08 gateway MailScanner[21827]: Lock File : NOT USED
Jul  6 15:38:08 gateway MailScanner[21827]: Time Out  : 300
Jul  6 15:38:08 gateway MailScanner[21827]: Scan Dir  : /var/spool/MailScanner/incoming/21753
Jul  6 15:38:08 gateway MailScanner[21827]: Clamd : Sending PING
Jul  6 15:38:08 gateway MailScanner[21827]: Clamd : GOT 'PONG'
Jul  6 15:38:08 gateway MailScanner[21827]: ClamD is running
Jul  6 15:38:08 gateway MailScanner[21827]: SENT : CONTSCAN /var/spool/MailScanner/incoming/21753
Jul  6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./DBBC19685C1.AC916/eicar.com.txt
Jul  6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./BE4FC968592.3B329/eicar.com
Jul  6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./232F89685CC.CA233/eicar_com.zip
Jul  6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./232F89685CC.CA233/eicar.com
Jul  6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./0EC8D9685C2.D171D/eicar_com.zip
Jul  6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./0EC8D9685C2.D171D/eicarcom2.zip
Jul  6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./0EC8D9685C2.D171D/eicar.com
Jul  6 15:38:08 gateway MailScanner[21753]: Completed scanning by clamd
Jul  6 15:38:09 gateway MailScanner[21753]: Virus Scanning: Clamd found 7 infections


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Rick Cooper
Sent: 06 July 2007 15:17
To: 'MailScanner discussion'
Subject: RE: clamd configuration?



 > -----Original Message-----
 > From: mailscanner-bounces at lists.mailscanner.info
 > [mailto:mailscanner-bounces at lists.mailscanner.info] On
 > Behalf Of Jason Ede
 > Sent: Friday, July 06, 2007 9:38 AM
 > To: MailScanner discussion
 > Subject: RE: clamd configuration?
 >
 > Ok... I'm getting an unknown error returned now...
 >
 > Jason
 >
[...]
 > Jul  6 14:36:28 gateway MailScanner[19018]: ERROR::UNKOWN
 > CLAMD RETURN ./lstat() failed. ERROR ::
[...]

This is (almost) certainly a permissions problem. It could, of course, be
the working dir/files are gone but that is pretty close to impossible since
the mail processing continues.

What user/group is clamd running as?
What are the
What User/Group owns the incoming work dir? (MS Config incoming Work User =
incoming Work Group =)

My guess is they are different. Solutions:

        1. Run clamd as root
        2. Set the Incoming Work Group to the clamd user group and set
Incoming Work Permissions = 0640 (or 0660)
        3. Add clamd user to the MailScanner user group and set
AllowSupplementaryGroups to yes (must be started by root)

I would opt for options 1 or 2 (Don't forget the Incoming Work Permissions =
0640 part!)

I haven't been able to find what exactly "triggers lstat() failed" versus
"permission denied" in ClamAV, but both are generally permissions related,
although the lstat problem can happen if a temporary file is removed before
clamd gets to it... This should/could never happen with MailScanner.

Rick


--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
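
Added example, not part of the thread and not MailScanner or ClamAV code: lstat() on a path needs search (x) permission on every directory leading to it, and reading needs r on the file itself. This Python sketch applies the POSIX owner/group/other selection to each component under the incoming work dir for a given uid and group set, so the user/group mismatch can be located without running clamd as root. The names `class_bits` and `diagnose` and the script name are hypothetical, and ACLs and SELinux/AppArmor policy are not modelled.

```python
import os
import stat
import sys

R, X = 4, 1  # read and search/execute bits within one permission triplet

def class_bits(st, uid, gids):
    """POSIX applies exactly one triplet: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def diagnose(base, relpath, uid, gids):
    """Return (verdict, path): could uid/gids lstat() and read base/relpath?

    verdict is "ok", "lstat" (a directory on the way denies search) or
    "read" (the target is reachable but not readable). Directories above
    `base` are assumed traversable; uid 0 is always "ok".
    """
    target = os.path.join(base, relpath)
    if uid == 0:
        return ("ok", target)
    cur = base
    for name in (p for p in relpath.split("/") if p not in ("", ".")):
        if not (class_bits(os.lstat(cur), uid, gids) & X):
            return ("lstat", cur)
        cur = os.path.join(cur, name)
    st = os.lstat(cur)
    need = (R | X) if stat.S_ISDIR(st.st_mode) else R
    if (class_bits(st, uid, gids) & need) != need:
        return ("read", cur)
    return ("ok", cur)

if __name__ == "__main__" and len(sys.argv) == 4:
    import pwd
    # Usage (hypothetical script name):
    #   check.py clamav /var/spool/MailScanner/incoming 21753
    user, base, rel = sys.argv[1:]
    pw = pwd.getpwnam(user)
    # Supplementary groups only count for clamd when AllowSupplementaryGroups
    # is yes (option 3 above); otherwise pass just the primary group.
    gids = set(os.getgrouplist(user, pw.pw_gid))
    print(diagnose(base, rel, pw.pw_uid, gids))
```

Run it as a user that can itself stat the work directory (for example root), since the script inspects modes and ownership rather than switching to the clamd user.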