Hi
Has anybody else noticed this?
When running clamd with the ScanArchive config option set to yes, after a
couple of minutes of running cpu usage will look like this:
last pid: 2470; load averages: 6.43, 4.06, 2.71    12:16:16
77 processes: 75 sleeping, 2 on cpu
CPU states: 2.6% idle, 85.0% user, 12.4% kernel, 0.0% iowait, 0.0% swap
Memory: 1536M real, 1128M free, 147M swap in use, 2026M swap free
  PID USERNAME LWP PRI NICE  SIZE   RES STATE    TIME    CPU COMMAND
  833 popuser   11  59    0   43M   40M cpu/2    8:50 91.13% clamd
  234 root       9  59    0   47M   15M sleep   14:15  0.22% java
 2220 root       1  59    0 2888K 1776K cpu/1    0:00  0.20% top
 2381 popuser    1  59    0 3968K 2784K sleep    0:00  0.09% exim-4.52-1
 1405 popuser    1  59    0 3464K 2664K sleep    0:00  0.09% exim-4.52-1
A truss -p 833 reveals
/6: lwp_park(0x00000000, 0) = 0
/10: lwp_park(0x00000000, 0) = 0
/3: lwp_unpark(10, 1) = 0
/4: lwp_park(0x00000000, 0) = 0
/6: lwp_park(0x00000000, 0) = 0
/2: lwp_park(0x00000000, 0) = 0
/3: lwp_unpark(4, 1) = 0
/4: lwp_park(0x00000000, 0) = 0
/8: lwp_unpark(6, 1) = 0
/6: lwp_park(0x00000000, 0) = 0
/2: lwp_park(0x00000000, 0) = 0
/4: lwp_unpark(6, 1) = 0
/6: lwp_park(0x00000000, 0) = 0
/3: lwp_unpark(2, 1) = 0
/8: lwp_unpark(4, 1) = 0
/2: lwp_park(0x00000000, 0) = 0
/6: lwp_unpark(2, 1) = 0
/3: lwp_park(0x00000000, 0) = 0
/8: lwp_unpark(3, 1) = 0
/3: lwp_park(0x00000000, 0) = 0
/2: lwp_unpark(3, 1) = 0
/6: lwp_unpark(3, 1) = 0
/3: lwp_park(0x00000000, 0) = 0
/8: lwp_unpark(2, 1) = 0
/2: lwp_park(0x00000000, 0) = 0
/8: lwp_unpark(6, 1) = 0
/3: lwp_unpark(2, 1) = 0
/2: lwp_park(0x00000000, 0) = 0
/6: lwp_park(0x00000000, 0) = 0
/3: lwp_unpark(8, 1) = 0
/8: lwp_park(0x00000000, 0) = 0
/6: lwp_park(0x00000000, 0) = 0
^C/2: lwp_unpark(8, 1) = 0
/10: lwp_unpark(6, 1) = 0
/4: lwp_park(0x00000000, 0) = 0
/8: lwp_park(0x00000000, 0) = 0
/5: lwp_park(0x00000000, 0) = 0
/9: lwp_park(0x00000000, 0) = 0
/3: lwp_unpark(6, 1) = 0
/11: lwp_unpark(5, 1) = 0
/7: lwp_unpark(2, 1) = 0
and that's all that seems to be happening - seems to be in an endless loop.
The clamd log file has the following entries
Wed Apr 11 12:11:30 2007 -> +++ Started at Wed Apr 11 12:11:30 2007
Wed Apr 11 12:11:30 2007 -> clamd daemon 0.90.1 (OS: solaris2.9, ARCH: sparc, CPU: sparc)
Wed Apr 11 12:11:30 2007 -> Log file size limit disabled.
Wed Apr 11 12:11:30 2007 -> Reading databases from /usr/local/share/clamav
Wed Apr 11 12:11:46 2007 -> Loaded 107793 signatures.
Wed Apr 11 12:11:46 2007 -> Unix socket file /usr/local/share/clamav/clamd.socket
Wed Apr 11 12:11:46 2007 -> Setting connection queue length to 30
Wed Apr 11 12:11:46 2007 -> Archive: Archived file size limit set to 7340032 bytes.
Wed Apr 11 12:11:46 2007 -> Archive: Recursion level limit set to 5.
Wed Apr 11 12:11:46 2007 -> Archive: Files limit set to 250.
Wed Apr 11 12:11:46 2007 -> Archive: Compression ratio limit set to 250.
Wed Apr 11 12:11:46 2007 -> Archive support enabled.
Wed Apr 11 12:11:46 2007 -> Algorithmic detection enabled.
Wed Apr 11 12:11:46 2007 -> Portable Executable support enabled.
Wed Apr 11 12:11:46 2007 -> ELF support enabled.
Wed Apr 11 12:11:46 2007 -> Mail files support enabled.
Wed Apr 11 12:11:46 2007 -> Mail: Recursion level limit set to 64.
Wed Apr 11 12:11:46 2007 -> OLE2 support enabled.
Wed Apr 11 12:11:46 2007 -> PDF support disabled.
Wed Apr 11 12:11:46 2007 -> HTML support enabled.
Wed Apr 11 12:11:46 2007 -> Self checking every 1800 seconds.
Wed Apr 11 12:11:51 2007 -> /var/spool/exim/scan/1HbZno-0000Fq-6x/1HbZno-0000Fq-6x.eml: OK
Wed Apr 11 12:11:51 2007 -> /var/spool/exim/scan/1HbZno-0000Fq-6x/1HbZno-0000Fq-6x-00000: OK
Wed Apr 11 12:11:51 2007 -> /var/spool/exim/scan/1HbZno-0000Fq-6x/1HbZno-0000Fq-6x-00001: OK
Wed Apr 11 12:11:51 2007 -> /var/spool/exim/scan/1HbZno-0000Fq-6x/1HbZno-0000Fq-6x-00002: OK
Wed Apr 11 12:11:51 2007 -> /var/spool/exim/scan/1HbZno-0000Fo-A2/1HbZno-0000Fo-A2.eml: OK
Wed Apr 11 12:11:52 2007 -> /var/spool/exim/scan/1HbZno-0000Fo-A2/1HbZno-0000Fo-A2-00000: OK
Wed Apr 11 12:11:52 2007 -> /var/spool/exim/scan/1HbZno-0000Fo-A2/1HbZno-0000Fo-A2-00001: OK
Wed Apr 11 12:11:52 2007 -> /var/spool/exim/scan/1HbZno-0000Fo-A2/1HbZno-0000Fo-A2-00002: OK
Wed Apr 11 12:11:54 2007 -> /var/spool/exim/scan/1HbZnu-0000GO-9T/1HbZnu-0000GO-9T.eml: OK
<cut>
</cut>
Wed Apr 11 12:20:04 2007 -> /var/spool/exim/scan/1HbZrl-0000cP-LA/1HbZrl-0000cP-LA-00009: OK
Wed Apr 11 12:20:15 2007 -> /var/spool/exim/scan/1HbZsX-0000fD-Oz/1HbZsX-0000fD-Oz.eml: OK
Wed Apr 11 12:20:16 2007 -> /var/spool/exim/scan/1HbZrh-0000bo-4G/1HbZrh-0000bo-4G-00001: OK
Wed Apr 11 12:20:16 2007 -> +++ Started at Wed Apr 11 12:20:16 2007
Wed Apr 11 12:20:16 2007 -> clamd daemon 0.90.1 (OS: solaris2.9, ARCH: sparc, CPU: sparc)
Wed Apr 11 12:20:16 2007 -> Log file size limit disabled.
Wed Apr 11 12:20:16 2007 -> Reading databases from /usr/local/share/clamav
Wed Apr 11 12:20:16 2007 -> /var/spool/exim/scan/1HbZrh-0000bo-4G/1HbZrh-0000bo-4G-00002: OK
Wed Apr 11 12:20:18 2007 -> /var/spool/exim/scan/1HbZsX-0000fD-Oz/1HbZsX-0000fD-Oz-00000: OK
Wed Apr 11 12:20:18 2007 -> /var/spool/exim/scan/1HbZsb-0000gN-UU/1HbZsb-0000gN-UU.eml: OK
Wed Apr 11 12:20:22 2007 -> /var/spool/exim/scan/1HbZsm-0000gw-0m/1HbZsm-0000gw-0m.eml: OK
Wed Apr 11 12:20:24 2007 -> /var/spool/exim/scan/1HbZt0-0000fg-1r/1HbZt0-0000fg-1r.eml: OK
Wed Apr 11 12:20:26 2007 -> /var/spool/exim/scan/1HbZqN-0000UU-Ub/1HbZqN-0000UU-Ub.eml: OK
Wed Apr 11 12:20:27 2007 -> /var/spool/exim/scan/1HbZsm-0000gh-J5/1HbZsm-0000gh-J5.eml: OK
Wed Apr 11 12:20:31 2007 -> /var/spool/exim/scan/1HbZrq-0000ck-0x/1HbZrq-0000ck-0x-00000: OK
Wed Apr 11 12:20:35 2007 -> Loaded 107793 signatures.
Wed Apr 11 12:20:35 2007 -> ERROR: Socket file /usr/local/share/clamav/clamd.socket is in use by another process.
Wed Apr 11 12:20:40 2007 -> /var/spool/exim/scan/1HbZsG-0000eH-2f/1HbZsG-0000eH-2f.eml: OK
Wed Apr 11 12:20:40 2007 -> /var/spool/exim/scan/1HbZoe-0000Jk-6F/1HbZoe-0000Jk-6F.eml: OK
Wed Apr 11 12:20:41 2007 -> Socket file removed.
Wed Apr 11 12:20:41 2007 -> Pid file removed.
Wed Apr 11 12:20:41 2007 -> --- Stopped at Wed Apr 11 12:20:41 2007
Then you'd have to restart clamd and it will happen all over again.
What caused
>> Wed Apr 11 12:20:16 2007 -> +++ Started at Wed Apr 11 12:20:16 2007
I didn't try to start it again at that time?
If I disable the ScanArchive option in the config file and restart clamd
it will run happily without any problems.....
last pid: 8659; load averages: 0.56, 1.07, 2.12    12:32:06
87 processes: 83 sleeping, 1 zombie, 3 on cpu
CPU states: 76.0% idle, 18.8% user, 4.8% kernel, 0.4% iowait, 0.0% swap
Memory: 1536M real, 1139M free, 120M swap in use, 2053M swap free
  PID USERNAME LWP PRI NICE  SIZE   RES STATE    TIME    CPU COMMAND
 6466 popuser    5  59    0   31M   29M sleep    1:17  7.95% clamd
 8614 root       1  59    0 2888K 1776K cpu/1    0:00  0.43% top
A truss -p 6466 then looks more normal as well
/7: unlink("/tmp/clamav-b8db0dd7aa0a38d966b86d02aa2578e9/script.html") = 0
/7: getdents64(12, 0x01F0E008, 8192) = 0
/7: llseek(12, 0, SEEK_CUR) = 2
/7: llseek(12, 0, SEEK_SET) = 0
/7: stat("/tmp/clamav-b8db0dd7aa0a38d966b86d02aa2578e9", 0xFECFAF50) = 0
/7: rmdir("/tmp/clamav-b8db0dd7aa0a38d966b86d02aa2578e9") = 0
/7: close(12) = 0
/7: lseek(9, 0, SEEK_SET) = 0
/7: read(9, " < h t m l >\n < h e a d".., 131072) = 13628
/7: read(9, 0x01B81F16, 117444) = 0
/7: read(9, 0x01B81F16, 117444) = 0
/7: lseek(9, 0, SEEK_SET) = 0
/7: close(9) = 0
/7: time() = 1176287680
/7: write(4, " W e d A p r 1 1 1".., 93) = 93
/7: write(1, " / v a r / s p o o l / e".., 65) = 65
/7: getdents64(8, 0x01AC5488, 8192) = 0
/7: close(8) = 0
/7: send(17, " / v a r / s p o o l / e".., 42, 0) = 42
/7: close(17) = 0
/7: time() = 1176287680
/10: read(11, " u u u v x u s j i 9 j a".., 131072) = 131072
/10: read(11, " u k y y s y b s w j w p".., 131072) = 131072
/1: accept(6, 0x00000000, 0x00000000, 1) (sleeping...)
/10: read(11, " 9 r b i u i j v g g l l".., 131072) = 131072
/10: read(11, " l 7 z l s b l 5 o o 3 a".., 131072) = 131072
/10: read(11, " y p h t a f o 2 k 2 x a".., 131072) = 131072
/7: lwp_park(0xFECFBE58, 0) (sleeping...)
/10: read(11, " r 2 z k y 6 r d 7 m l a".., 131072) = 131072
/10: read(11, " h i 9 q 6 c 1 l e r a p".., 131072) = 131072
/10: read(11, " / / / / / / / / / / /".., 131072) = 51416
/10: read(11, 0x01C0220A, 79656) = 0
/10: read(11, 0x01C0220A, 79656) = 0
/10: close(11)
Is anybody else having these problems, or is it just me???
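A check for the pattern visible in the log above (a second "+++ Started at" entry with no "--- Stopped at" before it, followed by the socket-in-use error), as an added example that is not part of the original post or of ClamAV. The function names and finding labels are made up here, and the sample is a shortened excerpt of the log lines quoted in the post, with the mail client's line wraps left in.

```python
import re
from datetime import datetime

# clamd 0.90.x log prefix as quoted in the post: "Wed Apr 11 12:20:16 2007 -> msg"
ENTRY = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> ?(.*)$")

def parse_entries(text):
    """Return [(datetime, message)], rejoining lines wrapped after the prefix."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            entries.append([ts, m.group(2).strip()])
        elif entries and raw.strip():
            # No timestamp: treat as the wrapped tail of the previous entry.
            entries[-1][1] = (entries[-1][1] + " " + raw.strip()).strip()
    return [(ts, msg) for ts, msg in entries]

def find_overlaps(text):
    """Flag a start logged while an earlier instance has not logged a stop,
    and the socket-in-use error that follows it."""
    findings, running = [], 0
    for ts, msg in parse_entries(text):
        if msg.startswith("+++ Started at"):
            if running:
                findings.append((ts, "start-while-running"))
            running += 1
        elif msg.startswith("--- Stopped at"):
            running = max(0, running - 1)
        elif (msg.startswith("ERROR: Socket file")
              and "in use by another process" in msg):
            findings.append((ts, "socket-in-use"))
    return findings

# Shortened excerpt of the log quoted in the post (wraps preserved).
SAMPLE_LOG = """\
Wed Apr 11 12:11:30 2007 -> +++ Started at Wed Apr 11 12:11:30 2007
Wed Apr 11 12:11:46 2007 -> Unix socket file
/usr/local/share/clamav/clamd.socket
Wed Apr 11 12:20:16 2007 -> +++ Started at Wed Apr 11 12:20:16 2007
Wed Apr 11 12:20:35 2007 -> ERROR: Socket file
/usr/local/share/clamav/clamd.socket is in use by another process.
Wed Apr 11 12:20:41 2007 -> --- Stopped at Wed Apr 11 12:20:41 2007
"""

if __name__ == "__main__":
    for ts, kind in find_overlaps(SAMPLE_LOG):
        print(ts.isoformat(), kind)
```

A "start-while-running" finding gives the timestamp to look up in cron, init or any watchdog script that might launch clamd on its own.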