MailScanner broken suddenly?!?!
Julian Field
MailScanner at ecs.soton.ac.uk
Fri Jul 20 20:41:50 IST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Upgrade to the latest version of ClamAV and this (temporary) problem
will go away. If you leave the machine alone for 5 minutes and then come
back and look, you'll find it is working. It's just the 0.90 version of
ClamAV taking ages to load its signatures. All fixed in the latest version.
Gottschalk, David wrote:
> I have 5 MailScanner machines.
>
> I had to do some configuration changes, so I restarted them. One of
> them now appears to be completely hosed. I've checked my
> configuration, and can't figure out what is going on. I don't see
> anything wrong at all.
>
> -sh-3.00$ sudo /usr/sbin/MailScanner --lint
> Checking version numbers...
> Version installed (4.60.8) does not match version stated in
> MailScanner.conf file (4.57.6), you may want to run
> upgrade_MailScanner_conf
> to ensure your MailScanner.conf file contains all the latest settings.
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Using locktype = posix
> Creating hardcoded struct_flock subroutine for linux (Linux-type)
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: bitdefender, clamavmodule
>
> Here is what is going on:
>
> 1. MailScanner starts, but just sits there and does nothing:
>
> root 22553 1 0 13:58 ? 00:00:00 MailScanner: master waiting for children, sleeping
> root 22554 22553 70 13:58 ? 00:00:35 MailScanner: starting children
> root 22624 22553 69 13:58 ? 00:00:31 MailScanner: starting children
> root 22680 22553 67 13:58 ? 00:00:27 MailScanner: starting children
> root 22733 22553 73 13:58 ? 00:00:26 MailScanner: starting children
> root 22780 22553 44 13:58 ? 00:00:13 MailScanner: starting children
> root 22831 22553 42 13:58 ? 00:00:10 MailScanner: starting children
> root 22884 22553 47 13:58 ? 00:00:09 MailScanner: starting children
> root 22957 22553 44 13:59 ? 00:00:07 MailScanner: starting children
> root 23005 22553 31 13:59 ? 00:00:03 MailScanner: starting children
> root 23054 22553 49 13:59 ? 00:00:02 MailScanner: starting children
> If I trace a child process, here is what it is doing over and over:
>
> sudo strace -p 19920
> Process 19920 attached - interrupt to quit
> read(12, "b560c3b9f08759aa3aa90:Trojan.Spy"..., 4096) = 4096
> read(12, ":Trojan.Spy-3720\n353280:f604589b"..., 4096) = 4096
> read(12, "55d8571268b7:Trojan.Clicker-133\n"..., 4096) = 4096
> read(12, "5b7b476404e1ea6dc24d48e50bdfa:Tr"..., 4096) = 4096
> read(12, "ba8f709e8b588009a34ee19ee1:Troja"..., 4096) = 4096
> read(12, "d5:Trojan.Spy-3998\n284672:7801e5"..., 4096) = 4096
> read(12, "6\n12288:6bfa649c48fc5982b231a2bb"..., 4096) = 4096
> brk(0x4f23000) = 0x4f23000
> read(12, "n.Spy-4128\n21504:3b072d4e76b7173"..., 4096) = 4096
> read(12, "bbe4f7d647f109b5317dd8794715:Tro"..., 4096) = 4096
> read(12, "n.Downloader-4997\n36864:bcc236c3"..., 4096) = 4096
> read(12, "der-5167\n29696:f7d986ddcc013d8e0"..., 4096) = 4096
> read(12, "f7e121997:Trojan.Downloader-5070"..., 4096) = 4096
> read(12, ".Downloader-5107\n10240:efd91a6ea"..., 4096) = 4096
> read(12, "ec7:Trojan.Downloader-4916\n2048:"..., 4096) = 4096
> read(12, "nloader-5244\n4768:096cc4cd04d5cf"..., 4096) = 4096
> read(12, ":Trojan.Bancos-3284\n271360:2bc5f"..., 4096) = 4096
> read(12, "ncos-3342\n377344:04230b7482e189a"..., 4096) = 4096
> read(12, "an.Spy-4204\n35840:4c8d2cbaf9ccaf"..., 4096) = 4096
> read(12, "jan.Bancos-3492\n659968:49df0eba0"..., 4096) = 4096
> read(12, "0:25f16f5f7ee84dee66f40f6c86e9b8"..., 4096) = 4096
> read(12, "86:Trojan.Small-1634\n229888:3579"..., 4096) = 4096
> read(12, "4d30b8cfcfe247337e424db964d816:T"..., 4096) = 4096
> read(12, "576:3c44fb4c3e7a07aa1d49ce91c492"..., 4096) = 4096
> read(12, "082cd8ac62e6878348b79:Trojan.Ban"..., 4096) = 4096
>
> 2. Strangely enough, if I start just MailScanner it works fine (with
> sendmail not running)
>
> 3. If I start MailScanner with sendmail too, it will just hang there as
> described. If I stop it, the master process dies for MailScanner, but
> the children hang.
>
> 4. I did have this problem, but I resolved it quickly by changing the
> option in MailScanner.conf to look for *.inc files.
>
> Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
> Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
>
> Any ideas? I'm banging my head.
>
> David Gottschalk
> david.gottschalk at emory.edu
>
Jules
- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1
wj8DBQFGoQ//EfZZRxQVtlQRAv0nAKCreDXFCVXrsOIyq2K/vCZQleN0iQCePVIj
O62Opt0RnfM+g4P3fLEqboc=
=XSQw
-----END PGP SIGNATURE-----
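An added example, not part of either message and not MailScanner or ClamAV code: one way to check a strace excerpt like the one quoted above for the pattern the reply describes, a child process reading signature records from a single file descriptor. The function name, regular expressions and the 0.8 threshold are assumptions made for illustration; the first sample is copied from the quoted trace and the second is constructed.

```python
import re

# A read() call as strace prints it; group 2 is the truncated buffer preview.
READ_RE = re.compile(r'read\((\d+), "((?:[^"\\]|\\.)*)"(?:\.\.\.)?, \d+\)\s*=\s*(\d+)')

# Pieces of size:hash:name records as they appear in the post's trace.
# strace cuts previews short, so any one piece counts as evidence.
SIG_RE = re.compile(
    r'\d+:[0-9a-f]{8,}'              # size:hash
    r'|[0-9a-f]{8,}:[A-Z]'           # hash:Name
    r'|[A-Z][a-z]+\.[A-Za-z]+-\d+'   # Trojan.Spy-3720
)

def summarize(trace, min_ratio=0.8):
    """Classify a strace excerpt; min_ratio is an assumed threshold."""
    reads = sig_reads = total = 0
    fds = set()
    for line in trace.splitlines():
        m = READ_RE.search(line)   # search() tolerates "> " quote prefixes
        if not m:
            continue               # brk(), select(), attach banner, ...
        reads += 1
        fds.add(int(m.group(1)))
        total += int(m.group(3))
        if SIG_RE.search(m.group(2)):
            sig_reads += 1
    loading = reads > 0 and len(fds) == 1 and sig_reads / reads >= min_ratio
    return {"reads": reads, "signature_reads": sig_reads, "bytes": total,
            "fds": sorted(fds), "verdict": "signature_load" if loading else "other"}

# Lines copied from the trace quoted in the post.
POST_TRACE = r'''
> read(12, "b560c3b9f08759aa3aa90:Trojan.Spy"..., 4096) = 4096
> read(12, ":Trojan.Spy-3720\n353280:f604589b"..., 4096) = 4096
> read(12, "55d8571268b7:Trojan.Clicker-133\n"..., 4096) = 4096
> brk(0x4f23000) = 0x4f23000
> read(12, "6\n12288:6bfa649c48fc5982b231a2bb"..., 4096) = 4096
> read(12, "n.Downloader-4997\n36864:bcc236c3"..., 4096) = 4096
'''

# Constructed contrast: a process reading a mail header, not signatures.
OTHER_TRACE = r'''
select(8, [7], NULL, NULL, {5, 0}) = 1 (in [7])
read(7, "Received: from mail.example.org "..., 4096) = 512
'''

if __name__ == "__main__":
    print(summarize(POST_TRACE))
    print(summarize(OTHER_TRACE))
```

A `signature_load` verdict on two excerpts taken a minute apart, with different record contents in each, is consistent with the slow signature loading described in the reply.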