MailScanner broken suddenly?!?!

Gottschalk, David dgottsc at emory.edu
Fri Jul 20 19:59:32 IST 2007


So a few things I've just learned (I think everyone else that is using clamav is broken and doesn't know it yet, that's why they aren't replying). I just happened to be working on my boxes and noticed.

I realized that the reason MailScanner worked temporarily is because I disabled scanning altogether on the box with problems. I did this so my one broken box (at the time) could catch up since it was backed up big time.

Clamscan takes forever to scan messages now.

sudo clamscan  -v mailertable.new
Scanning mailertable.new
mailertable.new: OK

----------- SCAN SUMMARY -----------
Known viruses: 139329
Engine version: 0.90.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 37.524 sec (0 m 37 s)
-sh-3.00$ du -sh mailertable.new
12K     mailertable.new

All of my *.cvd directories in /usr/local/share/clamav are now gone.

They were all renamed to *.inc at the time of the breakage. I think that could have been part of the problem, but I changed my config line in MailScanner, and that didn't resolve the hanging issue.

David Gottschalk

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Gottschalk, David
Sent: Friday, July 20, 2007 2:41 PM
To: MailScanner discussion
Subject: RE: MailScanner broken suddenly?!?!


ClamAV 0.90.3/3707/Fri Jul 20 12:08:45 2007

I think this is a different problem though, because it happened all at once. The children were hanging for 20+ mins or more until I realized they were doing nothing but what that trace showed me.

David Gottschalk

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Richard Frovarp
Sent: Friday, July 20, 2007 2:28 PM
To: MailScanner discussion
Subject: Re: MailScanner broken suddenly?!?!

Gottschalk, David wrote:
> I have 5 MailScanner machines.
>
> I had to do some configuration changes, so I restarted them. One of
> them now appears to be completely hosed. I've checked my
> configuration, and can't figure out what is going on. I don't see
> anything wrong at all.
>
> -sh-3.00$ sudo /usr/sbin/MailScanner --lint
> Checking version numbers...
> Version installed (4.60.8) does not match version stated in
> MailScanner.conf file (4.57.6), you may want to run
> upgrade_MailScanner_conf to ensure your MailScanner.conf file contains
> all the latest settings.
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Using locktype = posix
> Creating hardcoded struct_flock subroutine for linux (Linux-type)
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: bitdefender, clamavmodule
>
> Here is what is going on:
>
> 1. MailScanner starts, but just sits there and does nothing:
>
> root     22553     1  0 13:58 ?        00:00:00 MailScanner: master waiting for children, sleeping
> root     22554 22553 70 13:58 ?        00:00:35 MailScanner: starting children
> root     22624 22553 69 13:58 ?        00:00:31 MailScanner: starting children
> root     22680 22553 67 13:58 ?        00:00:27 MailScanner: starting children
> root     22733 22553 73 13:58 ?        00:00:26 MailScanner: starting children
> root     22780 22553 44 13:58 ?        00:00:13 MailScanner: starting children
> root     22831 22553 42 13:58 ?        00:00:10 MailScanner: starting children
> root     22884 22553 47 13:58 ?        00:00:09 MailScanner: starting children
> root     22957 22553 44 13:59 ?        00:00:07 MailScanner: starting children
> root     23005 22553 31 13:59 ?        00:00:03 MailScanner: starting children
> root     23054 22553 49 13:59 ?        00:00:02 MailScanner: starting children
>
> If I trace a child process, here is what it is doing over and over:
>
> sudo strace -p 19920
> Process 19920 attached - interrupt to quit
> read(12, "b560c3b9f08759aa3aa90:Trojan.Spy"..., 4096) = 4096
> read(12, ":Trojan.Spy-3720\n353280:f604589b"..., 4096) = 4096
> read(12, "55d8571268b7:Trojan.Clicker-133\n"..., 4096) = 4096
> read(12, "5b7b476404e1ea6dc24d48e50bdfa:Tr"..., 4096) = 4096
> read(12, "ba8f709e8b588009a34ee19ee1:Troja"..., 4096) = 4096
> read(12, "d5:Trojan.Spy-3998\n284672:7801e5"..., 4096) = 4096
> read(12, "6\n12288:6bfa649c48fc5982b231a2bb"..., 4096) = 4096
> brk(0x4f23000)                          = 0x4f23000
> read(12, "n.Spy-4128\n21504:3b072d4e76b7173"..., 4096) = 4096
> read(12, "bbe4f7d647f109b5317dd8794715:Tro"..., 4096) = 4096
> read(12, "n.Downloader-4997\n36864:bcc236c3"..., 4096) = 4096
> read(12, "der-5167\n29696:f7d986ddcc013d8e0"..., 4096) = 4096
> read(12, "f7e121997:Trojan.Downloader-5070"..., 4096) = 4096
> read(12, ".Downloader-5107\n10240:efd91a6ea"..., 4096) = 4096
> read(12, "ec7:Trojan.Downloader-4916\n2048:"..., 4096) = 4096
> read(12, "nloader-5244\n4768:096cc4cd04d5cf"..., 4096) = 4096
> read(12, ":Trojan.Bancos-3284\n271360:2bc5f"..., 4096) = 4096
> read(12, "ncos-3342\n377344:04230b7482e189a"..., 4096) = 4096
> read(12, "an.Spy-4204\n35840:4c8d2cbaf9ccaf"..., 4096) = 4096
> read(12, "jan.Bancos-3492\n659968:49df0eba0"..., 4096) = 4096
> read(12, "0:25f16f5f7ee84dee66f40f6c86e9b8"..., 4096) = 4096
> read(12, "86:Trojan.Small-1634\n229888:3579"..., 4096) = 4096
> read(12, "4d30b8cfcfe247337e424db964d816:T"..., 4096) = 4096
> read(12, "576:3c44fb4c3e7a07aa1d49ce91c492"..., 4096) = 4096
> read(12, "082cd8ac62e6878348b79:Trojan.Ban"..., 4096) = 4096
>
> 2. Strangely enough, if I start just MailScanner it works fine (with
> sendmail not running)
>
> 3. If I start MailScanner with sendmail too, it will just hang there as
> described. If I stop it, the master process dies for MailScanner, but
> the children hang.
>
> 4. I did have this problem, but I resolved it quickly by changing the
> option in MailScanner.conf to look for *.inc files.
>
> Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
> Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
>
> Any ideas? I'm banging my head.
>
> David Gottschalk
> david.gottschalk at emory.edu <mailto:david.gottschalk at emory.edu>
>
What version of ClamAV? 0.90 takes a very long time to load signatures.
I do have one box in which it was very quick. The other ones took at least 3 minutes to get up and going. Upgrading to 0.91 fixed that.
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
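
The "Monitors For ClamAV Updates" log message quoted in this thread says that none of the configured patterns matched an existing file. The following is an added example, not part of the original thread or of MailScanner, that checks this from a shell; the function names and the constructed sample tree (including the names daily.inc and main.inc) are illustrative, and it assumes the setting is written on one line as `Monitors For ClamAV Updates = <pattern> [<pattern> ...]`.

```shell
#!/bin/sh
# Added example; function names and the sample tree are illustrative.

# Print the value of a "Name = value" setting (this example takes the last one).
conf_value() {   # $1 = conf file, $2 = setting name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print each existing path matched by the configured patterns.
# Returns 1 when nothing matches, the condition in the quoted log lines.
monitored_files() {   # $1 = conf file
    patterns=$(conf_value "$1" "Monitors For ClamAV Updates")
    [ -n "$patterns" ] || return 1
    found=1
    # Unquoted on purpose: split on whitespace and expand the globs.
    for f in $patterns; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
            found=0
        fi
    done
    return "$found"
}

# Constructed sample: a database directory holding only *.inc entries and a
# conf file that still monitors *.cvd, as described in the thread.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/db/daily.inc" "$d/db/main.inc"
    printf 'Monitors For ClamAV Updates = %s/db/*.cvd\n' "$d" > "$d/MailScanner.conf"
    printf '%s\n' "$d"
}

# Stand-alone use: sh check.sh path/to/MailScanner.conf
if [ -n "${1:-}" ]; then
    monitored_files "$1" || echo "no monitored ClamAV files exist" >&2
fi
```

The check only tests that a matching path exists; it does not load or validate the signature database.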