I was recently using clamscan on the CLI to scan -m /home/*/Maildir, because of some odd problems with sockets causing clamdscan to segfault on my mail gateway (which probably allowed some Worm.SCO.A files through, since we've been getting so many lately).

On one particular email, clamscan would segfault with no actual error, so I isolated the file it was segfaulting on, and tried it again.

Sure enough, that was the email causing the segfault. I emailed that same email to myself, and watched it cause clamd to stop responding (the socket exists, the pids are all there, but after that email passes through the system clamd stops responding, forcing amavis to carry on without further virus checking).

After restarting the needed services I ran an strace of that same process, and emailed myself the strace.

Then I attempted to email myself the core dump, and got to see this:

Feb 15 22:19:39 mail2 amavis[2913]: (02913-03) INFECTED (Trojan.MiniCommander.dr), <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, quarantine virus-20040215-221937-02913-03, Message-ID: <[EMAIL PROTECTED]>, Hits: -

So I ran clamscan against the core dump, and sure enough:
[EMAIL PROTECTED] paul.tietjens]# clamscan core.5791
core.5791: Trojan.MiniCommander.dr FOUND

----------- SCAN SUMMARY -----------
Known viruses: 41374
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 9.38 MB
I/O buffer size: 131072 bytes
Time: 12.903 sec (0 m 12 s)
I ran clamscan -m against the offending email on a Debian box running the latest packages from apt, and also clamscanned the core dump, and while clamscan -m did not segfault on the email, it did detect the same virus in the core dump. Very odd. To me that would indicate that I've built my clamav from source incorrectly, but I'm not sure how I would find out how, or where - since I get only a segfault message, and am not skilled enough to glean much from the strace.
I'm sure my limited understanding of the whole process is clouding my vision, here, but it seems to me that if I can send a single email, purportedly infected with a Trojan (I imagine that's suspect - perhaps the core dump contains the fingerprint which would make clamscan think that virus exists in there, but it doesn't, actually) and segfault my email gateway's virus scanner... Well, "the horror".

So I beg someone more clueful than I to give me some tips as to what I might have gotten wrong in my setup, or my build of clamav 0.66.
Or perhaps this is a bug. I'm lost. :)
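The hypothesis in the post above (that the core dump is flagged only because it holds the bytes of the message that was being scanned when the process died) can be checked with a small simulation. The code below is an illustration added here; it is not from the post and not ClamAV code. It assumes a toy signature database of raw byte patterns (a real engine compiles its signatures, so the scanned input buffer, not the database, is the usual explanation), a toy "core dump" that is just a flat concatenation of the scanner's buffers (real cores are ELF files with many mappings), a constructed MIME message, and the public EICAR test string in place of real malware. Mail mode is modelled as "decode every leaf part, then match", which is what makes a base64 attachment detectable in the email but also leaves the decoded bytes in process memory for a later scan of the core to find.

```python
from __future__ import annotations

import email
from email.message import EmailMessage

# Public EICAR anti-virus test string (harmless, standard detection test
# pattern). Assembled from two halves so the source file itself is not flagged.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed toy signature database (hypothetical format: name -> raw pattern).
SIGNATURES = {
    "Eicar-Test-Signature": EICAR,
    "Example.Test.Marker": b"CONSTRUCTED-TEST-MARKER-NOT-MALWARE",
}


def scan_bytes(data: bytes) -> list[str]:
    """Plain file scan: names of every signature whose pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def decode_mail_parts(raw_mail: bytes) -> list[bytes]:
    """Mail mode: parse the message and return the decoded payload of every
    leaf part (base64 / quoted-printable undone), i.e. the buffers a
    mail-aware scanner hands to its matcher."""
    msg = email.message_from_bytes(raw_mail)
    return [part.get_payload(decode=True) or b""
            for part in msg.walk() if not part.is_multipart()]


def scan_mail(raw_mail: bytes) -> list[str]:
    """Mail-mode scan: match against the raw message and each decoded part."""
    hits: list[str] = []
    for buf in [raw_mail] + decode_mail_parts(raw_mail):
        for name in scan_bytes(buf):
            if name not in hits:
                hits.append(name)
    return hits


def simulate_core_dump(raw_mail: bytes, extra_regions: list[bytes] | None = None) -> bytes:
    """Toy core dump: a flat snapshot of the scanner's heap at the moment it
    crashed inside scan_mail(): the raw message buffer, every decoded part,
    and (optionally) other regions the process happened to hold."""
    regions = [raw_mail] + decode_mail_parts(raw_mail) + list(extra_regions or [])
    padding = b"\x00" * 32
    return padding + padding.join(regions) + padding


def core_hits_explained_by_input(core: bytes, raw_mail: bytes) -> dict[str, bool]:
    """For each signature found in the core, say whether a mail-mode scan of the
    original message finds the same signature. True means the core detection is
    just the scanned input sitting in process memory, not a separate infection
    and not evidence of a broken build; False means the pattern came from
    somewhere else in the process and deserves a closer look."""
    mail_hits = set(scan_mail(raw_mail))
    return {name: name in mail_hits for name in scan_bytes(core)}


def build_test_message() -> bytes:
    """Constructed sample: a MIME message carrying EICAR as a base64 attachment,
    so the raw message bytes do not contain the pattern but the decoded part does."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("body text, nothing to see")
    msg.add_attachment(EICAR, maintype="application", subtype="octet-stream",
                       filename="eicar.com")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_test_message()
    print("plain scan of the email:   ", scan_bytes(raw))       # [] (base64 hides it)
    print("mail-mode scan of the email:", scan_mail(raw))       # ['Eicar-Test-Signature']
    core = simulate_core_dump(raw)
    print("plain scan of the core:    ", scan_bytes(core))      # ['Eicar-Test-Signature']
    print("explained by the input?    ", core_hits_explained_by_input(core, raw))
    # A hit that the input does not explain shows up as False:
    odd_core = simulate_core_dump(raw, extra_regions=[SIGNATURES["Example.Test.Marker"]])
    print("with an unexplained region:", core_hits_explained_by_input(odd_core, raw))
```

The last function is the practical check: run the same comparison on a real core by scanning the core and the isolated message with the scanner you trust, and a hit that appears in both is the scanned input in memory, while a hit that appears only in the core is worth chasing separately.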
Clamav-users mailing list: https://lists.sourceforge.net/lists/listinfo/clamav-users
