clamd configuration?
Rick Cooper
rcooper at dwford.com
Fri Jul 6 15:52:20 IST 2007
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On
> Behalf Of Jason Ede
> Sent: Friday, July 06, 2007 10:42 AM
> To: MailScanner discussion
> Subject: RE: clamd configuration?
>
>
> ClamAV was running as user clamav and group clamav
>
> The incoming work group parameter in mailscanner.conf is set
> to clamav
>
> the incoming dir is owned by user postfix group clamav
>
> If I set the clamd to being run as user root then it all
> seems to work quite happily and detects the test viruses as
> below... I'll use this setup for now I think.
>
> Jason
Remember check the incommming work dir permissions, the default is (IIRC)
0600 so the clamav group would not be able to access it. (if, of course, you
want to go back to using the clamav user/group)
Rick
>
>
>
>
>
> Jul 6 15:38:07 gateway MailScanner[21753]: Files hidden in
> very deeply nested archive in 0EC8D9685C2.D171D
> Jul 6 15:38:08 gateway MailScanner[21753]:
> Password-protected archive (eicarpasswdocr.zip) in 44B169685CE.1FA20
> Jul 6 15:38:08 gateway postfix/smtpd[21683]: connect from
> unknown[58.186.231.112]
> Jul 6 15:38:08 gateway MailScanner[21753]:
> Password-protected archive (eicarpasswd.zip) in 2706D9685CD.A5BA0
> Jul 6 15:38:08 gateway MailScanner[21753]: Virus and
> Content Scanning: Starting
> Jul 6 15:38:08 gateway MailScanner[21753]: Commencing
> scanning by clamd...
> Jul 6 15:38:08 gateway MailScanner[21827]: Debug Mode Is On
> Jul 6 15:38:08 gateway MailScanner[21827]: Use Threads : NO
> Jul 6 15:38:08 gateway MailScanner[21827]: Socket : /tmp/clamd
> Jul 6 15:38:08 gateway MailScanner[21827]: IP : Using Sockets
> Jul 6 15:38:08 gateway MailScanner[21827]: Lock File : NOT USED
> Jul 6 15:38:08 gateway MailScanner[21827]: Time Out : 300
> Jul 6 15:38:08 gateway MailScanner[21827]: Scan Dir :
> /var/spool/MailScanner/incoming/21753
> Jul 6 15:38:08 gateway MailScanner[21827]: Clamd : Sending PING
> Jul 6 15:38:08 gateway MailScanner[21827]: Clamd : GOT 'PONG'
> Jul 6 15:38:08 gateway MailScanner[21827]: ClamD is running
> Jul 6 15:38:08 gateway MailScanner[21827]: SENT : CONTSCAN
> /var/spool/MailScanner/incoming/21753
> Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED::
> Eicar-Test-Signature FOUND :: ./DBBC19685C1.AC916/eicar.com.txt
> Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED::
> Eicar-Test-Signature FOUND :: ./BE4FC968592.3B329/eicar.com
> Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED::
> Eicar-Test-Signature FOUND :: ./232F89685CC.CA233/eicar_com.zip
> Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED::
> Eicar-Test-Signature FOUND :: ./232F89685CC.CA233/eicar.com
> Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED::
> Eicar-Test-Signature FOUND :: ./0EC8D9685C2.D171D/eicar_com.zip
> Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED::
> Eicar-Test-Signature FOUND :: ./0EC8D9685C2.D171D/eicarcom2.zip
> Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED::
> Eicar-Test-Signature FOUND :: ./0EC8D9685C2.D171D/eicar.com
> Jul 6 15:38:08 gateway MailScanner[21753]: Completed
> scanning by clamd
> Jul 6 15:38:09 gateway MailScanner[21753]: Virus Scanning:
> Clamd found 7 infections
>
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On
> Behalf Of Rick Cooper
> Sent: 06 July 2007 15:17
> To: 'MailScanner discussion'
> Subject: RE: clamd configuration?
>
>
>
> > -----Original Message-----
> > From: mailscanner-bounces at lists.mailscanner.info
> > [mailto:mailscanner-bounces at lists.mailscanner.info] On
> > Behalf Of Jason Ede
> > Sent: Friday, July 06, 2007 9:38 AM
> > To: MailScanner discussion
> > Subject: RE: clamd configuration?
> >
> > Ok... I'm getting an unknown error returned now...
> >
> > Jason
> >
> [...]
> > Jul 6 14:36:28 gateway MailScanner[19018]: ERROR::UNKOWN
> > CLAMD RETURN ./lstat() failed. ERROR ::
> [...]
>
> This is (almost) certainly a permissions problem. It could,
> of course, be
> the working dir/files are gone but that is pretty close to
> impossible since
> the mail processing continues.
>
> What user/group is clamd running as?
> What are the
> What User/Group owns the incomming work dir? (MS Config
> incoming Work User =
> incoming Work Group =)
>
> My guess is they are different. Solutions:
>
> 1. Run clamd as root
> 2. set the Incomming Work Group to the clamd user
> group and set
> Incoming Work Permissions = 0640 (or 0660)
> 3. Add clamd user to the MailScanner user group and set
> AllowSupplementaryGroups to yes (must be started by root)
>
> I would opt for options 1 or 2 (Don't forget the Incoming
> Work Permissions =
> 0640 part!)
>
> I haven't been able to find what exactly "triggers lstat()
> failed" verses
> "permission denied." In ClamAV but both are generally
> permissions related,
> although the lstat problem can happen if a temporary file is
> removed before
> clamd gets to it... This should/could never happen with MailScanner.
>
> Rick
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the MailScanner
mailing list