
Mailing List Archive: ClamAV: users

Re: ClamAV-clamd av-scanner FAILED and ClamAV-clamscanav-scanner FAILED

 

 



rruizf at gmail

Aug 18, 2009, 1:31 PM

Re: ClamAV-clamd av-scanner FAILED and ClamAV-clamscanav-scanner FAILED

On 2009-08-17 15:15, Federico Giovannini wrote:
> Hi all,
>
> I'm new in this mailing-list and also as clamav-user so sorry for my
> elementary questions.
> With my configuration gentoo, postfix ( 2.2.11-r1), amavisd-new
> (2.5.2) and ClamAV 0.95.2 sometimes when my mailserver receives emails
> with attachments, clamd stops working and also clamscan dies as
> indicated in the following amavis logs:
>
> Aug 17 03:42:59 scilla.sestante.net /usr/sbin/amavisd[10531]:
> (10531-12) (!!)TROUBLE in check_mail: virus_scan FAILED: virus_scan: ALL
> VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x8011a434)
> Too many retries to talk to /var/amavis/clamd.sock (Can't connect to
> UNIX socket /var/amavis/clamd.sock: Connection refused) at (eval 67)
> line 310. at (eval 67) line 511.; ClamAV-clamscan av-scanner FAILED:
> /usr/bin/clamscan DIED on signal 11 (000b) at (eval 67) line 511.
>
> I took a look also to clamd.log but there are not FATAL evidence.
>
> After this trouble, the crashing emails remain in my postqueue and i
> cannot restart clamd until I delete them.
>
> How can I find where is the problem and how can I solve it?
>
> Please Help Me
>
> F.
>
>

Hi everybody,
I have the same problem with clamav with Postfix.
Some settings and version software are:

postfix version 2.5.7
amavisd-new version 2.6.1-r1
mail ~ # uname -mrsp
Linux 2.6.29-gentoo-r5 x86_64 Intel(R) Core(TM)2 Quad CPU Q8200 @ 2.33GHz

mail ~ # clamconf -n
Checking configuration files in /etc

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamd.log"
LogTime = "yes"
LogClean = "yes"
LogVerbose = "yes"
PidFile = "/var/run/clamav/clamd.pid"
LocalSocket = "/var/run/clamav/clamd.sock"
Debug = "yes"
User = "clamav"
AllowSupplementaryGroups = "yes"

Config file: freshclam.conf
---------------------------
PidFile = "/var/run/clamav/freshclam.pid"
AllowSupplementaryGroups = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseMirror = "database.clamav.net"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.95.2
Optional features supported: MEMPOOL CLAMUKO AUTOIT_EA06 BZIP2 RAR
Database directory: /var/lib/clamav
main.cvd: version 51, sigs: 545035, built on Thu May 14 10:28:45 2009
daily.cld: version 9712, sigs: 64769, built on Tue Aug 18 13:56:37 2009

Thanks in advance for your help.-

--
RODRIGO RUIZ FUENTES

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


ohnobinki at ohnopublishing

Aug 18, 2009, 7:11 PM

Re: amavisd can't connect to clamd on Gentoo

> On 2009-08-17 15:15, Federico Giovannini wrote:
> > Hi all,
> >
> > I'm new in this mailing-list and also as clamav-user so sorry for my
> > elementary questions.
> > With my configuration gentoo, postfix ( 2.2.11-r1), amavisd-new
> > (2.5.2) and ClamAV 0.95.2 sometimes when my mailserver receives emails
> > with attachments, clamd stops working and also clamscan dies as
> > indicated in the following amavis logs:
If you expect clamav + amavisd + postfix to essentially work out of the
box in gentoo, you should file a bug at https://bugs.gentoo.org/ (and CC
me, for my benefit ;-)). Personally, I use clamav-milter to scan emails,
so all my advice for your use of amavisd is primarily guessing based on
the information you have posted.
> >
> > Aug 17 03:42:59 scilla.sestante.net /usr/sbin/amavisd[10531]:
> > (10531-12) (!!)TROUBLE in check_mail: virus_scan FAILED: virus_scan: ALL
> > VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x8011a434)
> > Too many retries to talk to /var/amavis/clamd.sock (Can't connect to
> > UNIX socket /var/amavis/clamd.sock: Connection refused) at (eval 67)
> > line 310. at (eval 67) line 511.; ClamAV-clamscan av-scanner FAILED:
> > /usr/bin/clamscan DIED on signal 11 (000b) at (eval 67) line 511.
> >
Could you check if /var/amavis/clamd.sock exists after clamd has been
started? Please also give the permissions of the file. You can get this
information by running:

stat /var/amavis/clamd.sock

Of course, you should tell amavisd to look for the clamd socket in
/var/run/clamav/clamd.sock instead. If you still have trouble after
updating amavisd's configuration, please also give the output of:

stat /var/run/clamav/clamd.sock

Also, why is /usr/bin/clamscan being run when a connection is being made
to clamd? Wouldn't it be better to run clamdscan?
> > I took a look also to clamd.log but there are not FATAL evidence.
This is because amavisd was unable to connect to the clamd. So clamd
should have heard nothing, AFAICT

> postfix version 2.5.7
> amavisd-new version 2.6.1-r1
Please note that non-Gentooers do not understand what ``-r1'' means ;-).

> mail ~ # clamconf -n
> Checking configuration files in /etc
>
> Config file: clamd.conf
> -----------------------
> LogFile = "/var/log/clamav/clamd.log"
> LogTime = "yes"
> LogClean = "yes"
> LogVerbose = "yes"
> PidFile = "/var/run/clamav/clamd.pid"
> LocalSocket = "/var/run/clamav/clamd.sock"
Try setting this option to the file that amavis is looking for:
/var/amavis/clamd.sock. Or tell amavis to look in
/var/run/clamav/clamd.sock instead of /var/amavis/clamd.sock . The
latter option is probably preferable because applications other than
amavisd are able to make use of clamd.
> Debug = "yes"
> User = "clamav"
> AllowSupplementaryGroups = "yes"
>
--
binki


michael at orlitzky

Aug 18, 2009, 8:10 PM

Re: amavisd can't connect to clamd on Gentoo

Nathan Phillip Brink wrote:
>
>> On 2009-08-17 15:15, Federico Giovannini wrote:
>> > Hi all,
>> >
>> > I'm new in this mailing-list and also as clamav-user so sorry for my
>> > elementary questions.
>> > With my configuration gentoo, postfix ( 2.2.11-r1), amavisd-new
>> > (2.5.2) and ClamAV 0.95.2 sometimes when my mailserver receives emails
>> > with attachments, clamd stops working and also clamscan dies as
>> > indicated in the following amavis logs:
> If you expect clamav + amavisd + postfix to essentially work out of the
> box in gentoo, you should file a bug at https://bugs.gentoo.org/ (and CC
> me, for my benefit ;-)). Personally, I use clamav-milter to scan emails,
> so all my advice for your use of amavisd is primarily guessing based on
> the information you have posted.
>> >
>> > Aug 17 03:42:59 scilla.sestante.net /usr/sbin/amavisd[10531]:
>> > (10531-12) (!!)TROUBLE in check_mail: virus_scan FAILED: virus_scan: ALL
>> > VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x8011a434)
>> > Too many retries to talk to /var/amavis/clamd.sock (Can't connect to
>> > UNIX socket /var/amavis/clamd.sock: Connection refused) at (eval 67)
>> > line 310. at (eval 67) line 511.; ClamAV-clamscan av-scanner FAILED:
>> > /usr/bin/clamscan DIED on signal 11 (000b) at (eval 67) line 511.
>> >
> Could you check if /var/amavis/clamd.sock exists after clamd has been
> started? Please also give the permissions of the file. You can get this
> information by running:
>
> stat /var/amavis/clamd.sock
>
> Of course, you should tell amavisd to look for the clamd socket in
> /var/run/clamav/clamd.sock instead. If you still have trouble after
> updating amavisd's configuration, please also give the output of:
>
> stat /var/run/clamav/clamd.sock
>
> Also, why is /usr/bin/clamscan being run when a connection is being made
> to clamd? wouldn't it be better to run clamdscan?

I posted a reply to the other thread about this, but my message has been
stuck in the hold queue for a couple of days.

In all of these cases, clamd/clamscan are either segfaulting, or being
killed off by PaX. At first, I suspected a (possibly exploitable) bug in
LibClamAV, but it would seem that this is not the case. I now believe
the bug is actually in our particular version of GCC, which is why only
Gentoo users have noticed.

For example, with my default,

CFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer"

I get the crash (PaX is killing off an execution attempt at NULL):

mx1 test-cases # clamscan postcard.zip
LibClamAV Error: cli_checkfp(): lseek() failed
Killed

But with,

CFLAGS="-pipe -fomit-frame-pointer"

Everything works as expected:

mx1 ~ # clamscan postcard.zip
postcard.zip: Trojan.Delf-5385 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1358189
Engine version: 0.95.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.08 MB
Data read: 0.08 MB (ratio 1.00:1)
Time: 9.645 sec (0 m 9 s)

I haven't filed a Gentoo bug yet, but I plan to if nobody beats me to it.


lists-general at cappella

Aug 18, 2009, 8:12 PM

Re: amavisd can't connect to clamd on Gentoo

>> On 2009-08-17 15:15, Federico Giovannini wrote:
>> Hi all,
>>
>> I'm new in this mailing-list and also as clamav-user so sorry for my
>> elementary questions.
>> > With my configuration gentoo, postfix ( 2.2.11-r1), amavisd-new
>> (2.5.2) and ClamAV 0.95.2 sometimes when my mailserver receives emails
>> with attachments, clamd stops working and also clamscan dies as
>> indicated in the following amavis logs:
>>
>> Aug 17 03:42:59 scilla.sestante.net /usr/sbin/amavisd[10531]:
>> (10531-12) (!!)TROUBLE in check_mail: virus_scan FAILED: virus_scan: ALL
>> VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x8011a434)
>> Too many retries to talk to /var/amavis/clamd.sock (Can't connect to
>> UNIX socket /var/amavis/clamd.sock: Connection refused) at (eval 67)
>> line 310. at (eval 67) line 511.; ClamAV-clamscan av-scanner FAILED:
>> /usr/bin/clamscan DIED on signal 11 (000b) at (eval 67) line 511.
>> >

The focus here should be on why clamd is croaking. Amavis can't talk to
the dead or unborn.

Determine which attachments are causing the trouble. Could be a
mailbomb. Use a MIME unpacking tool (eg. ripmime) if necessary to
extract the parts, and clamdscan each part, looking for the culprit.
Amavis will leave evidence in its tmp directories, so have a look at
your log for PRESERVING EVIDENCE in your logs. Look for other amavis
log lines around the log line shown above with pid 10531.

--
Mike
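
The part-by-part triage suggested above, as an added example (not code from any poster in this thread): it runs a scanner over each file that a MIME unpacker such as ripmime has extracted and separates a detection from a scanner crash by exit status. `SCANNER` and the function names are assumptions of this example; the default `clamscan --no-summary` can be swapped for `clamdscan`.

```shell
#!/bin/sh
# Added example, not from the thread. SCANNER is an assumption: any command
# that follows clamscan's exit convention (0 = clean, 1 = virus found,
# other small values = scanner error). A shell reports a child killed by
# signal N as status 128+N, so 139 is SIGSEGV (amavisd's "DIED on signal 11")
# and 137 is SIGKILL (the bare "Killed" seen when PaX terminates the process).
SCANNER=${SCANNER:-clamscan --no-summary}

# classify_status STATUS -> prints clean | infected | error | crashed:sigN
classify_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) if [ "$1" -gt 128 ]; then
               echo "crashed:sig$(( $1 - 128 ))"
           else
               echo error
           fi ;;
    esac
}

# triage_parts DIR -> one "verdict<TAB>file" line per extracted part.
# Returns 0 if no part crashed the scanner, 1 if at least one did.
triage_parts() {
    dir=$1
    crashed=0
    for part in "$dir"/*; do
        [ -f "$part" ] || continue
        status=0
        # "|| status=$?" keeps a failing scan from aborting under "set -e"
        $SCANNER "$part" >/dev/null 2>&1 || status=$?
        verdict=$(classify_status "$status")
        printf '%s\t%s\n' "$verdict" "$part"
        case "$verdict" in crashed:*) crashed=1 ;; esac
    done
    return "$crashed"
}
```

A part reported as `crashed:sigN` is the one to attach to a bug report; an `infected` verdict means the scanner ran to completion on that part.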


federico.giovannini at sestante

Aug 19, 2009, 1:36 AM

Re: amavisd can't connect to clamd on Gentoo

Nathan Phillip Brink wrote:
>
>> On 2009-08-17 15:15, Federico Giovannini wrote:
>> > Hi all,
>> >
>> > I'm new in this mailing-list and also as clamav-user so sorry for my
>> > elementary questions.
>> > With my configuration gentoo, postfix ( 2.2.11-r1), amavisd-new
>> > (2.5.2) and ClamAV 0.95.2 sometimes when my mailserver receives emails
>> > with attachments, clamd stops working and also clamscan dies as
>> > indicated in the following amavis logs:
> If you expect clamav + amavisd + postfix to essentially work out of
> the box in gentoo, you should file a bug at https://bugs.gentoo.org/
> (and CC me, for my benefit ;-)). Personally, I use clamav-milter to
> scan emails, so all my advice for your use of amavisd is primarily
> guessing based on the information you have posted.
>> >
>> > Aug 17 03:42:59 scilla.sestante.net /usr/sbin/amavisd[10531]:
>> > (10531-12) (!!)TROUBLE in check_mail: virus_scan FAILED: virus_scan: ALL
>> > VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x8011a434)
>> > Too many retries to talk to /var/amavis/clamd.sock (Can't connect to
>> > UNIX socket /var/amavis/clamd.sock: Connection refused) at (eval 67)
>> > line 310. at (eval 67) line 511.; ClamAV-clamscan av-scanner FAILED:
>> > /usr/bin/clamscan DIED on signal 11 (000b) at (eval 67) line 511.
>> >
> Could you check if /var/amavis/clamd.sock exists after clamd has been
> started? Please also give the permissions of the file. You can get
> this information by running:
>
> stat /var/amavis/clamd.sock
stat /var/amavis/clamd.sock
File: `/var/amavis/clamd.sock'
Size: 0 Blocks: 0 IO Block: 131072 socket
Device: 902h/2306d Inode: 978391 Links: 1
Access: (0777/srwxrwxrwx) Uid: ( 102/ amavis) Gid: ( 408/ amavis)
Access: 2009-08-19 09:51:00.000000000 +0200
Modify: 2009-08-19 09:51:00.000000000 +0200
Change: 2009-08-19 09:51:00.000000000 +0200
>
> Of course, you should tell amavisd to look for the clamd socket in
> /var/run/clamav/clamd.sock instead. If you still have trouble after
> updating amavisd's configuration, please also give the output of:
My amavisd configuration looks for /var/amavis/clamd.sock!
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/amavis/clamd.sock"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# NOTE: run clamd under the same user as amavisd, or run it under its own
# uid such as clamav, add user clamav to the amavis group, and then add
# AllowSupplementaryGroups to clamd.conf;
# NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# this entry; when running chrooted one may prefer socket "$MYHOME/clamd".

and also my clamd is looking for the same socket (as you can see):
clamconf -n
Checking configuration files in /etc

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamd.log"
LogTime = "yes"
LogVerbose = "yes"
PidFile = "/var/run/clamav/clamd.pid"
LocalSocket = "/var/amavis/clamd.sock"
MaxConnectionQueueLength = "30"
User = "amavis"
ScanArchive disabled

Config file: freshclam.conf
---------------------------
PidFile = "/var/run/clamav/freshclam.pid"
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "amavis"
Checks = "24"
DatabaseMirror = "database.clamav.net"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.95.2
Optional features supported: MEMPOOL CLAMUKO AUTOIT_EA06 RAR
Database directory: /var/lib/clamav
main.cvd: version 51, sigs: 545035, built on Thu May 14 16:28:45 2009
main.cld: version 51, sigs: 545035, built on Thu May 14 16:28:45 2009
daily.cld: version 9715, sigs: 64814, built on Wed Aug 19 09:21:15 2009

>
> stat /var/run/clamav/clamd.sock
> Also, why is /usr/bin/clamscan being run when a connection is being
> made to clamd? wouldn't it be better to run clamdscan?
>> > I took a look also to clamd.log but there are not FATAL evidence.
> This is because amavisd was unable to connect to the clamd. So clamd
> should have heard nothing, AFAICT
>
>> postfix version 2.5.7
>> amavisd-new version 2.6.1-r1
> Please note that non-Gentooers do not understand what ``-r1'' means ;-).
>
>> mail ~ # clamconf -n
>> Checking configuration files in /etc
>>
>> Config file: clamd.conf
>> -----------------------
>> LogFile = "/var/log/clamav/clamd.log"
>> LogTime = "yes"
>> LogClean = "yes"
>> LogVerbose = "yes"
>> PidFile = "/var/run/clamav/clamd.pid"
>> LocalSocket = "/var/run/clamav/clamd.sock"
> Try setting this option to the file that amavis is looking for:
> /var/amavis/clamd.sock. Or tell amavis to look in
> /var/run/clamav/clamd.sock instead of /var/amavis/clamd.sock . The
> latter option is probably preferable because applications other than
> amavisd are able to make use of clamd.
>> Debug = "yes"
>> User = "clamav"
>> AllowSupplementaryGroups = "yes"
>>
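
The socket check discussed in this thread (clamd's `LocalSocket` against the path in amavisd's `ClamAV-clamd` entry, then `stat` on the result), as an added example that is not code from any poster. The function names are assumptions; both configuration file paths are passed as arguments, and the location of amavisd.conf in the usage comment is assumed.

```shell
#!/bin/sh
# Added example, not from the thread.

# clamd_socket FILE -> value of the last uncommented LocalSocket line
clamd_socket() {
    sed -n 's/^[[:space:]]*LocalSocket[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" |
        tail -n 1
}

# amavis_socket FILE -> socket path from the av_scanners entry, i.e. the
# second element of ["CONTSCAN {}\n", "/path/to/clamd.sock"]; lines with a
# "#" before the entry are skipped as comments.
amavis_socket() {
    sed -n 's/^[^#]*"CONTSCAN {}\\n",[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        head -n 1
}

# check_socket CLAMD_CONF AMAVISD_CONF
# Prints a verdict. Returns 0 when both files name the same path and a socket
# file exists there, 1 on mismatch or missing socket, 2 if a path was not found.
check_socket() {
    c=$(clamd_socket "$1")
    a=$(amavis_socket "$2")
    if [ -z "$c" ] || [ -z "$a" ]; then
        echo "unparsed: clamd='$c' amavisd='$a'"
        return 2
    fi
    if [ "$c" != "$a" ]; then
        echo "mismatch: clamd listens on $c, amavisd connects to $a"
        return 1
    fi
    if [ ! -S "$c" ]; then
        echo "missing: $c is not a socket, clamd has not created it"
        return 1
    fi
    # A socket file can outlive a dead clamd; "Connection refused" on an
    # existing file means nothing is listening on it any more.
    echo "match: $c (socket file present)"
}

# Usage (amavisd.conf location is an assumption):
#   check_socket /etc/clamd.conf /etc/amavisd.conf
```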