On Thu, 5 Mar 2009, Bill Landry wrote:

> * Cross-posted to the SaneSecurity And ClamAV-Users lists.
>
> Folks, I disabled clamd's "SelfCheck" (SelfCheck 0) a few weeks ago and
> have not seen any crashes since. However, I went back this morning and
> parsed some of my old clamd.log files to see when clamd SelfChecks were
> happening.
>
> I didn't think I would find any forced reloads from SelfCheck since
> freshclam and my script were both set to signal clamd to reload
> databases when an update was detected.
>
> However, that was not the case. In fact, every SelfCheck forced reload
> came either within the same time interval as my script's pause-run
> time-frame or at the same time as a freshclam update happened. I had
> SelfCheck configured to check every 10 minutes, and it appears that at
> random times this SelfCheck would just happen to run either while a
> script update or a freshclam update was happening.
>
> If you have SelfCheck enabled in your clamd.conf, you can check and
> possibly confirm this by parsing your clamd.log files with:
>
> grep "SelfCheck.*Forcing reload" /your/path/to/clamd.log
>
> Check the time-frames and see if they coordinate with your script's
> run-times or your freshclam updates (see freshclam.log).

That's not what I see on my server. Here's an extract from my log. The
self-checks occur at intervals of approximately 30 minutes and they
usually don't force a reload:

Wed Mar 4 03:10:43 2009 -> SelfCheck: Database status OK.
Wed Mar 4 03:42:02 2009 -> SelfCheck: Database status OK.
Wed Mar 4 04:01:01 2009 -> /tmp/vtemp1J7Og.com: Eicar-Test-Signature FOUND
Wed Mar 4 04:12:13 2009 -> SelfCheck: Database status OK.
Wed Mar 4 04:27:19 2009 -> Reading databases from /var/clamav
Wed Mar 4 04:27:22 2009 -> Database correctly reloaded (514127 signatures)
Wed Mar 4 04:45:45 2009 -> SelfCheck: Database status OK.
Wed Mar 4 05:01:02 2009 -> /tmp/vtempJDpIl.com: Eicar-Test-Signature FOUND
Wed Mar 4 05:16:02 2009 -> SelfCheck: Database status OK.
Wed Mar 4 05:46:13 2009 -> SelfCheck: Database status OK.

Here freshclam ran at 4:27:18. On one occasion the selfcheck did happen
to run at the same time as freshclam. Here's what happened:

Thu Mar 5 04:27:17 2009 -> SelfCheck: Database modification detected. Forcing reload.
Thu Mar 5 04:27:17 2009 -> Reading databases from /var/clamav
Thu Mar 5 04:27:21 2009 -> Database correctly reloaded (514203 signatures)

Alan Stern
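
Added example, not part of either post in this thread: the log check both messages describe, in Python. It classifies each database reload in clamd.log as SelfCheck-forced or externally triggered and flags those that fall near a known update time. The log lines are a constructed sample in the format quoted above; the update times and the `classify_reloads` name are assumptions, and any reload not preceded by a SelfCheck "Forcing reload" line is assumed to be externally triggered (a signal or a restart).

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the clamd.log format quoted in the thread.
SAMPLE_LOG = """\
Wed Mar 4 04:12:13 2009 -> SelfCheck: Database status OK.
Wed Mar 4 04:27:19 2009 -> Reading databases from /var/clamav
Wed Mar 4 04:27:22 2009 -> Database correctly reloaded (514127 signatures)
Wed Mar 4 04:45:45 2009 -> SelfCheck: Database status OK.
Thu Mar 5 04:27:17 2009 -> SelfCheck: Database modification detected. Forcing reload.
Thu Mar 5 04:27:17 2009 -> Reading databases from /var/clamav
Thu Mar 5 04:27:21 2009 -> Database correctly reloaded (514203 signatures)
"""
# Update times would come from freshclam.log or the update script's own log.
# The Mar 4 time is the one given in the thread; the Mar 5 time is constructed.
SAMPLE_UPDATES = [datetime(2009, 3, 4, 4, 27, 18), datetime(2009, 3, 5, 4, 27, 18)]

LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) -> (.*)$")

def parse(log_text):
    """Yield (timestamp, message) for each well-formed clamd.log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)

def classify_reloads(log_text, update_times, window_s=60):
    """Return one dict per reload: when it happened, what triggered it, and
    whether it fell within window_s seconds of a known database update."""
    window = timedelta(seconds=window_s)
    reloads, prev_msg = [], ""
    for ts, msg in parse(log_text):
        if msg.startswith("Reading databases from"):
            forced = prev_msg.startswith("SelfCheck:") and "Forcing reload" in prev_msg
            reloads.append({
                "time": ts,
                "trigger": "selfcheck" if forced else "external",
                "near_update": any(abs(ts - u) <= window for u in update_times),
            })
        prev_msg = msg
    return reloads

if __name__ == "__main__":
    for r in classify_reloads(SAMPLE_LOG, SAMPLE_UPDATES):
        print(r["time"], r["trigger"], "near update" if r["near_update"] else "isolated")
```

A SelfCheck-forced reload that is not near any update time is the case worth investigating, since it means the database directory changed without freshclam or the update script being responsible.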
