MailScanner broken suddenly?!?!

Rob Poe rpoe at plattesheriff.org
Fri Jul 20 23:03:05 IST 2007


ClamAV 0.90.3/3709/Fri Jul 20 14:59:01 2007


>>> "Gottschalk, David" <dgottsc at emory.edu> 07/20/07 2:26 PM >>>
Yeah, maybe it was a combination of factors. I don't know.

To anyone else who had the problem, what version of clamav are you running?

David Gottschalk

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Richard Frovarp
Sent: Friday, July 20, 2007 3:20 PM
To: MailScanner discussion
Subject: Re: MailScanner broken suddenly?!?!

Even before the update, 0.90.x had a known issue with loading the signatures taking a very, very long time. I don't know that you can blame that on any update here.

I just ran a freshclam manually. I'm running the latest definitions as reported on clamav.net (44 and 3708). However, freshclam was not able to connect a minute ago, now it can. Restarting MailScanner was not an issue against clamav 0.91.0. What people might be seeing is the effect of the known issue in 0.90.x. It could have been a broken update, that made things even worse.

In short, latest sigs with 0.91 is not an issue.

Gottschalk, David wrote:
> So a few things I've just learned (I think everyone else is broken that is using clamav and doesn't know it yet, that's why they aren't replying) I just happened to be working on my boxes and noticed.
>
> I realized that the reason MailScanner worked temporarily is because I disabled scanning altogether on the box with problems. I did this so my one broken box (at the time) could catch up since it was backed up big time.
>
> Clamscan takes forever to scan messages now.
>
> sudo clamscan  -v mailertable.new
> Scanning mailertable.new
> mailertable.new: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 139329
> Engine version: 0.90.3
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Time: 37.524 sec (0 m 37 s)
> -sh-3.00$ du -sh mailertable.new
> 12K     mailertable.new
>
> All of my *.cvd directories in /usr/local/share/clamav are now gone.
>
> They are all renamed to *.inc at the time of the breakage. I think that could have been part of the problem, but I changed my config line in MailScanner, and that didn't resolve the hanging issue.
>
> David Gottschalk
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
> Gottschalk, David
> Sent: Friday, July 20, 2007 2:41 PM
> To: MailScanner discussion
> Subject: RE: MailScanner broken suddenly?!?!
>
>
> ClamAV 0.90.3/3707/Fri Jul 20 12:08:45 2007
>
> I think this is a different problem though, because it happened all at once. The children were hanging for 20+ mins or more until I realized they were doing nothing but what that trace showed me.
>
> David Gottschalk
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
> Richard Frovarp
> Sent: Friday, July 20, 2007 2:28 PM
> To: MailScanner discussion
> Subject: Re: MailScanner broken suddenly?!?!
>
> Gottschalk, David wrote:
>
>> I have 5 MailScanner machines.
>>
>> I had to do some configuration changes, so I restarted them. One of
>> them now appears to be completely hosed. I've checked my
>> configuration, and can't figure out what is going on. I don't see
>> anything wrong at all.
>>
>> -sh-3.00$ sudo /usr/sbin/MailScanner --lint
>> Checking version numbers...
>> Version installed (4.60.8) does not match version stated in
>> MailScanner.conf file (4.57.6), you may want to run
>> upgrade_MailScanner_conf to ensure your MailScanner.conf file
>> contains all the latest settings.
>>
>> Checking for SpamAssassin errors (if you use it)...
>> Using SpamAssassin results cache
>> Connected to SpamAssassin cache database
>> SpamAssassin reported no errors.
>> Using locktype = posix
>> Creating hardcoded struct_flock subroutine for linux (Linux-type)
>> MailScanner.conf says "Virus Scanners = auto"
>> Found these virus scanners installed: bitdefender, clamavmodule
>> Here is what is going on:
>>
>> 1. MailScanner starts, but just sits there and does nothing:
>>
>> root     22553     1  0 13:58 ?        00:00:00 MailScanner: master waiting for children, sleeping
>> root     22554 22553 70 13:58 ?        00:00:35 MailScanner: starting children
>> root     22624 22553 69 13:58 ?        00:00:31 MailScanner: starting children
>> root     22680 22553 67 13:58 ?        00:00:27 MailScanner: starting children
>> root     22733 22553 73 13:58 ?        00:00:26 MailScanner: starting children
>> root     22780 22553 44 13:58 ?        00:00:13 MailScanner: starting children
>> root     22831 22553 42 13:58 ?        00:00:10 MailScanner: starting children
>> root     22884 22553 47 13:58 ?        00:00:09 MailScanner: starting children
>> root     22957 22553 44 13:59 ?        00:00:07 MailScanner: starting children
>> root     23005 22553 31 13:59 ?        00:00:03 MailScanner: starting children
>> root     23054 22553 49 13:59 ?        00:00:02 MailScanner: starting children
>>
>> If I trace a child process, here is what it is doing over and over:
>>
>> sudo strace -p 19920
>> Process 19920 attached - interrupt to quit
>> read(12, "b560c3b9f08759aa3aa90:Trojan.Spy"..., 4096) = 4096
>> read(12, ":Trojan.Spy-3720\n353280:f604589b"..., 4096) = 4096
>> read(12, "55d8571268b7:Trojan.Clicker-133\n"..., 4096) = 4096
>> read(12, "5b7b476404e1ea6dc24d48e50bdfa:Tr"..., 4096) = 4096
>> read(12, "ba8f709e8b588009a34ee19ee1:Troja"..., 4096) = 4096
>> read(12, "d5:Trojan.Spy-3998\n284672:7801e5"..., 4096) = 4096
>> read(12, "6\n12288:6bfa649c48fc5982b231a2bb"..., 4096) = 4096
>> brk(0x4f23000)                          = 0x4f23000
>> read(12, "n.Spy-4128\n21504:3b072d4e76b7173"..., 4096) = 4096
>> read(12, "bbe4f7d647f109b5317dd8794715:Tro"..., 4096) = 4096
>> read(12, "n.Downloader-4997\n36864:bcc236c3"..., 4096) = 4096
>> read(12, "der-5167\n29696:f7d986ddcc013d8e0"..., 4096) = 4096
>> read(12, "f7e121997:Trojan.Downloader-5070"..., 4096) = 4096
>> read(12, ".Downloader-5107\n10240:efd91a6ea"..., 4096) = 4096
>> read(12, "ec7:Trojan.Downloader-4916\n2048:"..., 4096) = 4096
>> read(12, "nloader-5244\n4768:096cc4cd04d5cf"..., 4096) = 4096
>> read(12, ":Trojan.Bancos-3284\n271360:2bc5f"..., 4096) = 4096
>> read(12, "ncos-3342\n377344:04230b7482e189a"..., 4096) = 4096
>> read(12, "an.Spy-4204\n35840:4c8d2cbaf9ccaf"..., 4096) = 4096
>> read(12, "jan.Bancos-3492\n659968:49df0eba0"..., 4096) = 4096
>> read(12, "0:25f16f5f7ee84dee66f40f6c86e9b8"..., 4096) = 4096
>> read(12, "86:Trojan.Small-1634\n229888:3579"..., 4096) = 4096
>> read(12, "4d30b8cfcfe247337e424db964d816:T"..., 4096) = 4096
>> read(12, "576:3c44fb4c3e7a07aa1d49ce91c492"..., 4096) = 4096
>> read(12, "082cd8ac62e6878348b79:Trojan.Ban"..., 4096) = 4096
>>
>> 2. Strangely enough, if I start just MailScanner it works fine (with
>> sendmail not running)
>>
>> 3. If I start MailScanner with sendmail too, it will just hang there
>> as described. If I stop it, the master process dies for MailScanner,
>> but the children hang.
>>
>> 4. I did have this problem, but I resolved it quickly by changing the
>> option in MailScanner.conf to look for *.inc files.
>>
>> Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
>> Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
>>
>> Any ideas? I'm banging my head.
>>
>> David Gottschalk
>> david.gottschalk at emory.edu
>>
>>
> What version of ClamAV? 0.90 takes a very long time to load signatures.
> I do have one box in which it was very quick. The other ones took at least 3 minutes to get up and going. Upgrading to 0.91 fixed that.
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!


--
Richard Frovarp
EduTech System Administrator
1-701-231-5127 or
1-800-774-1091
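
Two symptoms reported in this thread can be checked together: the `*.cvd` entries in the ClamAV database directory being replaced by `*.inc`, and MailScanner logging that none of the "Monitors For ClamAV Updates" patterns exist. The shell functions below are an added example, not part of any poster's message or of MailScanner itself; the function names and the constructed demo directory are assumptions.

```shell
#!/bin/sh
# Added example: report which database layout a ClamAV directory uses and
# whether a set of monitor glob patterns matches anything in it.

# count_matches DIR PATTERN -> prints how many entries in DIR match PATTERN
count_matches() {
    dir=$1; pattern=$2; n=0
    for f in "$dir"/$pattern; do          # pattern left unquoted so it globs
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# db_layout DIR -> prints "cvd", "inc", "mixed" or "none"
db_layout() {
    cvd=$(count_matches "$1" '*.cvd')
    inc=$(count_matches "$1" '*.inc')
    if [ "$cvd" -gt 0 ] && [ "$inc" -gt 0 ]; then echo mixed
    elif [ "$cvd" -gt 0 ]; then echo cvd
    elif [ "$inc" -gt 0 ]; then echo inc
    else echo none
    fi
}

# check_monitors DIR PATTERN... -> one status line per pattern; returns 1
# when no pattern matches any file, the condition behind the
# 'None of the files matched by the "Monitors For ClamAV Updates" patterns
# exist!' log line quoted in the thread.
check_monitors() {
    dir=$1; shift
    total=0
    for p in "$@"; do
        c=$(count_matches "$dir" "$p")
        echo "$p: $c match(es)"
        total=$((total + c))
    done
    [ "$total" -gt 0 ]
}

# Constructed demo: a directory that holds only *.inc entries, as described
# for /usr/local/share/clamav in the thread.
demo=$(mktemp -d)
mkdir "$demo/main.inc" "$demo/daily.inc"
echo "layout: $(db_layout "$demo")"
check_monitors "$demo" '*.cvd' || echo "monitor patterns match nothing"
check_monitors "$demo" '*.cvd' '*.inc' && echo "monitor patterns OK"
rm -rf "$demo"
```

On a real host, pass the database directory and the patterns taken from the MailScanner.conf setting instead of the demo values.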
