sophossavi not work after the sophos update the engine libsavi.so.3.2.07.391
stef at aoc-uk.com
Fri Feb 7 16:56:01 GMT 2014
On 06 February 2014 10:03 Eric Yiu wrote:
> I have been using mailscanner with several machines for years with
> sophossavi. After the monthly auto update from Sophos and installed
> libsavi.so.3.2.07.391, I found that the sophos engine does not exit
> even after the email can be scanned out virus, it just holds and
> finally returns:
> Virus Scanning: Denial Of Service attack detected!
> Commercial scanner sophossavi timed out!
I think I may well be seeing the same problem (my libsavi version matches at least).
At around 4am, my system ran a Sophos Engine update, as it does on the 7th of every month called by cron. I'm using the MajorSophos script to log into Sophos and download the latest engine, which then calls the Sophos installation script included with MS.
Along with the normally scheduled definition updates downloaded by Sophos-autoupdate, this left me with the following:
Current Sophos version information follows:
Product version : 4.96.1
Engine version : 3.50.1
Virus data version : 4.97
Released : 15 January 2014
Prior to this, all was running perfectly well. I am configured to use clam and sophossavi (SAVI 0.30) as my scanners.
From my logs it's clear that at this point MailScanner (4.84.5-3) gave up and died.
I've tried running test batches, but there's no error. I get the message about meaningless output to keep SAVI happy, but that's all. Meantime in my mail.log I can see Clam performed its scans successfully, but then it just appears to hang. No other information appears in any logs that I can find.
I have tried manually running sweep from the MS sophos-wrapper script - this works fine.
I have tried running the example Perl script included with SAVI - this works fine.
I have tried switching from sophossavi to sophos - same problem.
I have tried removing Sophos altogether and running just with ClamAV - MS performs as expected.
I didn't see Eric's email until recently, having been processing a massive email queue, using just Clam, so I've not left it alone long enough to potentially see his timeout message. (In hindsight I should probably have checked online list archives, but anyway).
Hitting Sophos with a SIGKILL per Eric's suggestion seems a bit extreme. Has anyone else seen this problem and have an alternate solution, or can point me at where to look for some more useful diagnostics, as I presently have next to nothing to go on?