No, it isn't "obviously the scan that caused the segmentation fault". That's a wholly unfounded assumption on your part.


This server processes between 30 and 100 thousand emails per day, calling clamdscan on every one. It will find 2 to 5 hundred Klez viruses per day. In your expert opinion, what would be the reason for this segmentation fault that occurred at the exact second it scanned this Klez virus?



That's unknown. Most likely, one of the other messages being scanned
caused a problem.

Hello,


According to my MailScanner logs, the MailScanner processes were scanning only one mail:

May 4 16:08:12 MailScanner[16448]: New Batch: Scanning 1 messages, 150725 bytes
May 4 16:08:13 MailScanner[16448]: Virus and Content Scanning: Starting
May 4 16:08:13 MailScanner[16448]: /var/spool/MailScanner/incoming/16448/./i44K7gOj020343/%nTips.exe: Worm.Klez.H FOUND
May 4 16:08:13 MailScanner[16448]: Virus Scanning: ClamAV found 1 infections
May 4 16:08:13 MailScanner[16448]: Infected message i44K7gOj020343 came from xxx.xxx.xxx.xxx
May 4 16:08:13 MailScanner[16448]: Virus Scanning: Found 1 viruses


etc etc.

MailScanner calls a wrapper each time and logs the beginning and end of the scans. Logs show that this was the only message being scanned.

However, since you have been so objective in your replies as to the filename being the possible cause, I have ceased using clamd and am calling clamscan each time since the server easily handles the minor additional load. So if you don't wish to contemplate possible filename handling issues, I will not lose any sleep over it.

This being said, I tested this theory by sending myself the eicar.com test signature virus with filename "%nTips.exe".

What do you think about this?


Wed May 5 10:33:25 2004 -> Segmentation fault :-( Bye..


May 5 10:33:25 MailScanner[31779]: /var/spool/MailScanner/incoming/31779/./i45EXMfl013601/%nTips.exe: Eicar-Test-Signature FOUND

Therefore, there are some strange coincidences going on, don't you think?


Good day,


Chris



_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
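
The log correlation described in the message above, as an added example (not part of the original post, and not ClamAV or MailScanner code): a script that pairs each clamd "Segmentation fault" line with the MailScanner FOUND lines logged within one second of it. The two log formats are assumed from the excerpts quoted in the message; the function names and the one-second window are illustrative choices.

```python
import re
from datetime import datetime

# Constructed sample input, assembled from the log lines quoted in the message.
CLAMD_LOG = """\
Wed May 5 10:33:25 2004 -> Segmentation fault :-( Bye..
"""
MAILSCANNER_LOG = """\
May 4 16:08:13 MailScanner[16448]: /var/spool/MailScanner/incoming/16448/./i44K7gOj020343/%nTips.exe: Worm.Klez.H FOUND
May 5 10:33:25 MailScanner[31779]: /var/spool/MailScanner/incoming/31779/./i45EXMfl013601/%nTips.exe: Eicar-Test-Signature FOUND
"""

# clamd log: "<weekday> <month> <day> <time> <year> -> Segmentation fault ..."
CRASH_RE = re.compile(r"^\w{3} (\w{3} +\d+ [\d:]{8}) (\d{4}) -> Segmentation fault")
# syslog line from MailScanner: "<month> <day> <time> MailScanner[pid]: <path>: <sig> FOUND"
FOUND_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) MailScanner\[(\d+)\]: (.+): (\S+) FOUND$")


def parse_ts(stamp, year):
    """Parse 'May 5 10:33:25' plus a year; syslog lines carry no year themselves."""
    return datetime.strptime(f"{' '.join(stamp.split())} {year}", "%b %d %H:%M:%S %Y")


def correlate(clamd_log, mailscanner_log, window=1):
    """Return the FOUND events logged within `window` seconds of a clamd crash."""
    crashes = [parse_ts(m.group(1), m.group(2))
               for m in map(CRASH_RE.match, clamd_log.splitlines()) if m]
    hits = []
    for line in mailscanner_log.splitlines():
        m = FOUND_RE.match(line)
        if not m:
            continue
        stamp, pid, path, signature = m.groups()
        for crash in crashes:
            # Borrow the year from the clamd line being compared against.
            scanned = parse_ts(stamp, crash.year)
            if abs((scanned - crash).total_seconds()) <= window:
                hits.append({"crash": crash.isoformat(), "pid": pid,
                             "file": path.rsplit("/", 1)[-1],
                             "signature": signature})
    return hits


if __name__ == "__main__":
    for hit in correlate(CLAMD_LOG, MAILSCANNER_LOG):
        print(hit)
```

Only the May 5 crash line appears in the sample because it is the only clamd log line quoted in the message; feeding the script the full clamd and MailScanner logs would show whether every crash coincides with the same filename.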
