Hello

I can't seem to find a reference to this anywhere. I'm running exim-4.24
with exiscan-acl patch revision 13 and clamav 0.65.

Clamd died on New Years Eve, causing all mail to be rejected with a 
451. Simply restarting it resulted in its falling over regularly 
(apparently every time it encountered a virus). I recompiled clamav 
and since then it has stayed up for the past few days. However..

Checking the logs shows that for a few days before the catastrophe an 
error message started making a regular appearance in the mainlogs.

> 1Aa1nL-0003sf-I9 malware acl condition: clamd: ClamAV returned
> /opt/local/exim/spool/scan/1Aa1nL-0003sf-I9/1Aa1nL-0003sf-I9-00000.zip:
> Zip module failure. ERROR

until it fell over with a

> 1AbePm-0005CX-6f malware acl condition: clamd: unable to read
> from socket (Bad file number)

After bringing it back up, and also after recompiling, I haven't seen 
the Zip module failure yet, but I've started to get

> 1AdoXU-0006Yq-Hc malware acl condition: clamd: buffer too small

written both to the main and the paniclogs, which I'm not aware of 
ever having seen before.

I'm a bit nervous...

Everything was fine before, since the first installation of 
exiscan/clamav in July, and through the various exim/exiscan upgrades 
:-)

One extra note/question:

I've always had ScanMail uncommented in my clamav.conf, and I 
remember a thread on the exim list in early November 

(Subject: [Exim] ClamAV + exiscan missing virus)

about certain archives not being properly unpacked without it. But I 
see the following in the Clamav faq at number 3

> A rogue mail locks up clamd when scanned and stops it from responding.
> What can I do? 
> Disable the ScanMail directive in clamav.conf. Our internal
> mail scanner is still in high development. You'd better rely upon the mime
> handling function of an external program (like qmail-scanner, exiscan,
> etc.) 

Can I ask for opinions/enlightenment from the gurus out there?

Thanks in advance for any responses!

I paste my clamav.conf below.

__

# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running the daemon.
# Full path is required.
LogFile /tmp/clamd.log

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option). That's why you shouldn't uncomment
# this option.
#LogFileUnlock

# Maximal size of the log file. Default is 1 Mb.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
#LogFileMaxSize 2M

# Log time with an each message.
#LogTime

# Use system logger (can work together with LogFile).
#LogSyslog

# Enable verbose logging.
#LogVerbose

# This option allows you to save the process identifier of the listening
# daemon (main thread).
PidFile /var/run/clamd.pid

# Path to a directory containing .db files.
# Default is the hardcoded directory (mostly /usr/local/share/clamav,
# it depends on installation options).
#DataDirectory /var/lib/clamav

# The daemon works in local or network mode. Currently the local mode is
# recommended for security reasons.

# Path to the local socket. The daemon doesn't change the mode of the
# created file (portability reasons). You may want to create it in a directory
# which is only accessible for a user running daemon.
LocalSocket /tmp/clamd

# TCP port address.
#TCPSocket 3310

# Maximum length the queue of pending connections may grow to.
# Default is 15.
MaxConnectionQueueLength 30

# When activated, input stream (see STREAM command) will be saved to disk before
# scanning - this allows scanning within archives.
StreamSaveToDisk

# Close the connection if this limit is exceeded.
StreamMaxLength 10M

# Maximal number of a threads running at the same time.
# Default is 5, and it should be sufficient for a typical workstation.
# You may need to increase threads number for a server machine.
MaxThreads 30

# Thread (scanner - single task) will be stopped after this time (seconds).
# Default is 180. Value of 0 disables the timeout. SECURITY HINT: Increase the
# timeout instead of disabling it.
#ThreadTimeout 500

# Maximal depth the directories are scanned at.
MaxDirectoryRecursion 15

# Follow a directory symlinks.
# SECURITY HINT: You should have enabled directory recursion limit to
# avoid potential problems.
FollowDirectorySymlinks

# Follow regular file symlinks.
FollowFileSymlinks

# Do internal checks (eg. check the integrity of the database structures)
# By default clamd checks itself every 3600 seconds (1 hour).
#SelfCheck 600

# Run as selected user (clamd must be started by root).
# By default it doesn't drop privileges.
# User clamav

# Initialize the supplementary group access (for all groups in /etc/group
# user is added in. clamd must be started by root).
#AllowSupplementaryGroups

# Don't fork into background. Useful in debugging.
#Foreground

##
## Mail support
##

# Uncomment this option if you are planning to scan mail files.
ScanMail

##
## Archive support
##


# Comment this line to disable scanning of the archives.
ScanArchive

# Options below protect your system against Denial of Service attacks
# with archive bombs.

# Files in archives larger than this limit won't be scanned.
# Value of 0 disables the limit.
# WARNING: Due to the unrarlib implementation, whole files (one by one) in RAR
#          archives are decompressed to the memory. That's why never disable
#          this limit (but you may increase it of course!)
ArchiveMaxFileSize 30M

# Archives are scanned recursively - e.g. if Zip archive contains RAR file,
# the RAR file will be decompressed, too (but only if recursion limit is set
# at least to 1). With this option you may set the recursion level.
# Value of 0 disables the limit.
ArchiveMaxRecursion 5

# Number of files to be scanned within archive.
# Value of 0 disables the limit.
ArchiveMaxFiles 1000

# Use slower decompression algorithm which uses less memory. This option
# affects bzip2 decompressor only.
#ArchiveLimitMemoryUsage

##
## Clamuko settings
## WARNING: This is experimental software. It is very likely it will hang
##          up your system !!!
##

# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
#ClamukoScanOnLine

# Set access mask for Clamuko.
# ClamukoScanOnOpen
# ClamukoScanOnClose
# ClamukoScanOnExec

# Set the include paths (all files in them will be scanned). You can have
# multiple ClamukoIncludePath options, but each directory must be added
# in a separate option. All subdirectories are scanned, too.
# ClamukoIncludePath /home
#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.
#ClamukoExcludePath /home/guru

# Limit the file size to be scanned (probably you don't want to scan your movie
# files ;))
# Value of 0 disables the limit. 1 Mb should be fine.
# ClamukoMaxFileSize 1M

# Enable archive support. It uses the limits from clamd section.
# (This option doesn't depend on ScanArchive, you can have archive support
# in clamd disabled).
# ClamukoScanArchive

-- 

Mark Douglas
Postmaster
Network Section
IT Department
School of Oriental and African Studies
University of London
London WC1H 0XG
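
Added example, not part of the original post: a small Python filter that pulls the exiscan "malware acl condition: clamd:" lines out of an Exim mainlog and groups them by failure type, so the scanner errors described above can be counted and alerted on. The sample log is constructed (the timestamps and the last line are invented; the message ids and error texts are the ones quoted in the post), and the category names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: timestamps and the final line are invented; the message
# ids and clamd error texts are the ones quoted in the post.
SAMPLE_MAINLOG = """\
2003-12-29 09:14:02 1Aa1nL-0003sf-I9 malware acl condition: clamd: ClamAV returned /opt/local/exim/spool/scan/1Aa1nL-0003sf-I9/1Aa1nL-0003sf-I9-00000.zip: Zip module failure. ERROR
2003-12-31 21:40:55 1AbePm-0005CX-6f malware acl condition: clamd: unable to read from socket (Bad file number)
2004-01-05 11:02:31 1AdoXU-0006Yq-Hc malware acl condition: clamd: buffer too small
2004-01-05 11:03:10 1AdoXV-0006Yr-Jk <= sender@example.org H=mail.example.org [192.0.2.10] P=esmtp S=2048
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                     r"(?P<msgid>\w{6}-\w{6}-\w{2}) "
                     r"malware acl condition: clamd: (?P<detail>.*)$")
SCAN_ERR_RE = re.compile(r"^ClamAV returned \S+: (?P<reason>.*?)\.? ERROR$")


def classify(detail):
    """Map the text after 'clamd:' to (category, reason); names are this example's."""
    m = SCAN_ERR_RE.match(detail)
    if m:  # clamd answered, but the scan of the spooled file errored
        return "scan_error", m.group("reason")
    if "socket" in detail:  # talking to the clamd socket failed
        return "socket_failure", detail
    if detail == "buffer too small":
        return "buffer_too_small", detail
    return "other", detail


def clamd_events(log_text):
    """Return (timestamp, message id, category, reason) for each clamd error line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("msgid"), *classify(m.group("detail"))))
    return events


def summarize(events):
    return Counter(category for _, _, category, _ in events)


if __name__ == "__main__":
    events = clamd_events(SAMPLE_MAINLOG)
    print(*events, dict(summarize(events)), sep="\n")
```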




_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
