MailScanner broken suddenly?!?!

Richard Frovarp Richard.Frovarp at sendit.nodak.edu
Fri Jul 20 19:28:16 IST 2007 

Gottschalk, David wrote:
> I have 5 MailScanner machines.
>  
> I had to do some configuration changes, so I restarted them. One of 
> them now appears to be completely hosed. I've checked my 
> configuration, and can't figure out what is going on. I don't see 
> anything wrong at all.
>  
> -sh-3.00$ sudo /usr/sbin/MailScanner --lint
> Checking version numbers...
> Version installed (4.60.8) does not match version stated in
> MailScanner.conf file (4.57.6), you may want to run 
> upgrade_MailScanner_conf
> to ensure your MailScanner.conf file contains all the latest settings.
>  
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Using locktype = posix
> Creating hardcoded struct_flock subroutine for linux (Linux-type)
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: bitdefender, clamavmodule
>  
> Here is what is going on:
>  
> 1. MailScanner starts, but just sits there does nothing:
>  
> root     22553     1  0 13:58 ?        00:00:00 MailScanner: master 
> waiting for children, sleeping
> root     22554 22553 70 13:58 ?        00:00:35 MailScanner: starting 
> children
> root     22624 22553 69 13:58 ?        00:00:31 MailScanner: starting 
> children
> root     22680 22553 67 13:58 ?        00:00:27 MailScanner: starting 
> children
> root     22733 22553 73 13:58 ?        00:00:26 MailScanner: starting 
> children
> root     22780 22553 44 13:58 ?        00:00:13 MailScanner: starting 
> children
> root     22831 22553 42 13:58 ?        00:00:10 MailScanner: starting 
> children
> root     22884 22553 47 13:58 ?        00:00:09 MailScanner: starting 
> children
> root     22957 22553 44 13:59 ?        00:00:07 MailScanner: starting 
> children
> root     23005 22553 31 13:59 ?        00:00:03 MailScanner: starting 
> children
> root     23054 22553 49 13:59 ?        00:00:02 MailScanner: starting 
> children
> If I trace a childre process, here is what it is doing over and over:
>  
> sudo strace -p 19920
> Process 19920 attached - interrupt to quit
> read(12, "b560c3b9f08759aa3aa90:Trojan.Spy"..., 4096) = 4096
> read(12, ":Trojan.Spy-3720\n353280:f604589b"..., 4096) = 4096
> read(12, "55d8571268b7:Trojan.Clicker-133\n"..., 4096) = 4096
> read(12, "5b7b476404e1ea6dc24d48e50bdfa:Tr"..., 4096) = 4096
> read(12, "ba8f709e8b588009a34ee19ee1:Troja"..., 4096) = 4096
> read(12, "d5:Trojan.Spy-3998\n284672:7801e5"..., 4096) = 4096
> read(12, "6\n12288:6bfa649c48fc5982b231a2bb"..., 4096) = 4096
> brk(0x4f23000)                          = 0x4f23000
> read(12, "n.Spy-4128\n21504:3b072d4e76b7173"..., 4096) = 4096
> read(12, "bbe4f7d647f109b5317dd8794715:Tro"..., 4096) = 4096
> read(12, "n.Downloader-4997\n36864:bcc236c3"..., 4096) = 4096
> read(12, "der-5167\n29696:f7d986ddcc013d8e0"..., 4096) = 4096
> read(12, "f7e121997:Trojan.Downloader-5070"..., 4096) = 4096
> read(12, ".Downloader-5107\n10240:efd91a6ea"..., 4096) = 4096
> read(12, "ec7:Trojan.Downloader-4916\n2048:"..., 4096) = 4096
> read(12, "nloader-5244\n4768:096cc4cd04d5cf"..., 4096) = 4096
> read(12, ":Trojan.Bancos-3284\n271360:2bc5f"..., 4096) = 4096
> read(12, "ncos-3342\n377344:04230b7482e189a"..., 4096) = 4096
> read(12, "an.Spy-4204\n35840:4c8d2cbaf9ccaf"..., 4096) = 4096
> read(12, "jan.Bancos-3492\n659968:49df0eba0"..., 4096) = 4096
> read(12, "0:25f16f5f7ee84dee66f40f6c86e9b8"..., 4096) = 4096
> read(12, "86:Trojan.Small-1634\n229888:3579"..., 4096) = 4096
> read(12, "4d30b8cfcfe247337e424db964d816:T"..., 4096) = 4096
> read(12, "576:3c44fb4c3e7a07aa1d49ce91c492"..., 4096) = 4096
> read(12, "082cd8ac62e6878348b79:Trojan.Ban"..., 4096) = 4096
>  
> 2. Strangely enough, if I start just MailScanner it works fine (with 
> sendmail not running)
>  
> 3. If I start MailScanner with sendmail to, it will just hang there as 
> described. If I stop it, the master process dies for MailScanner, but 
> the children hang.
>  
> 4. I did have this problem, but I resolved it quickly by changing the 
> option in MailScanner.conf to look for *.inc files.
>  
> Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by 
> the "Monitors For ClamAV Updates" patterns exist!
> Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by 
> the "Monitors For ClamAV Updates" patterns exist!
>  
> Any ideas? I'm banging my head.
>  
> David Gottschalk
> david.gottschalk at emory.edu <mailto:david.gottschalk at emory.edu>
>  
What version of ClamAV? 0.90 takes a very long time to load signatures. 
I do have one box in which it was very quick. The other ones took at 
least 3 minutes to get up and going. Upgrading to 0.91 fixed that.

More information about the MailScanner mailing list