For clamdscan --version:

$Received POLLIN|POLLHUP on fd 5
$Got new connection, FD 10
$Received POLLIN|POLLHUP on fd 6
$fds_poll_recv: timeout after 5 seconds
$Received POLLIN|POLLHUP on fd 10
$got command VERSION (8, 8), argument:
$Receive thread: closing conn (FD 10), group finished
$Consumed entire command
$Number of file descriptors polled: 1 fds
$fds_poll_recv: timeout after 600 seconds

This is a "virus" (EICAR) mail sent from my mail received by amavisd and normally passed to clamd:

$Received POLLIN|POLLHUP on fd 5
$Got new connection, FD 10
$Received POLLIN|POLLHUP on fd 6
$fds_poll_recv: timeout after 5 seconds
$Received POLLIN|POLLHUP on fd 10
$got command CONTSCAN /var/amavis/tmp/amavis-20100902T170831-90578/parts (59, 7), argument: /var/amavis/tmp/amavis-20100902T170831-90578/parts
$mode -> MODE_WAITREPLY
$Breaking command loop, mode is no longer MODE_COMMAND
$Consumed entire command
$THRMGR: queue (single) crossed low threshold -> signaling
$THRMGR: queue (bulk) crossed low threshold -> signaling
$Number of file descriptors polled: 1 fds
$fds_poll_recv: timeout after 600 seconds
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: cache_check: bb7109238045ea91a393045349938b07 is negative
LibClamAV debug: Recognized Raw mail file
LibClamAV debug: Starting cli_scanmail(), recursion = 1
LibClamAV debug: in mbox()
LibClamAV debug: parseEmailFile
LibClamAV debug: parseEmailFile: check 'Received: from [192.168.2.21] (me.todoo.biz [82.66.93.242])' fullline 0x0
LibClamAV debug: parseEmailFile: check ' (using TLSv1 with cipher AES128-SHA (128/128 bits))' fullline 0x0
LibClamAV debug: parseEmailFile: check ' (No client certificate requested)' fullline 0x0
LibClamAV debug: parseEmailFile: check ' (Authenticated sender: gregober)' fullline 0x0
LibClamAV debug: parseEmailFile: check ' by mail.reg.it.ao (Postfix) with ESMTPSA id C00921FA01D' fullline 0x0
LibClamAV debug: parseEmailFile: check ' for <[email protected]>; Thu, 2 Sep 2010 17:08:31 +0100 (WAT)' fullline 0x0
LibClamAV debug: parseEmailFile: check 'From: "Reg.it.ao hostmaster" <[email protected]>' fullline 0x0
LibClamAV debug: parseEmailFile: check 'Content-Type: multipart/mixed; boundary=Apple-Mail-7727-193832950' fullline 0x0
LibClamAV debug: parseEmailHeader 'Content-Type: multipart/mixed; boundary=Apple-Mail-7727-193832950'
LibClamAV debug: parseMimeHeader: 
cmd='Content-Type', arg=' multipart/mixed; boundary=Apple-Mail-7727-193832950'
LibClamAV debug: messageSetMimeType: 'multipart'
LibClamAV debug: mimeArgs = ' boundary=Apple-Mail-7727-193832950'
LibClamAV debug: Add arguments ' boundary=Apple-Mail-7727-193832950'
LibClamAV debug: messageAddArgument, arg='boundary=Apple-Mail-7727-193832950'
LibClamAV debug: parseEmailFile: check 'Subject: Test AV' fullline 0x0
LibClamAV debug: parseEmailFile: check 'Date: Thu, 2 Sep 2010 18:08:30 +0200' fullline 0x0
LibClamAV debug: parseEmailFile: check 'Message-Id: <[email protected]>' fullline 0x0
LibClamAV debug: parseEmailFile: check 'To: [email protected]' fullline 0x0
LibClamAV debug: parseEmailFile: check 'Mime-Version: 1.0 (Apple Message framework v1081)' fullline 0x0
LibClamAV debug: parseEmailFile: check 'X-Mailer: Apple Mail (2.1081)' fullline 0x0
LibClamAV debug: parseEmailFile: check '' fullline 0x0
LibClamAV debug: End of header information
LibClamAV debug: newline_in_header, check "--Apple-Mail-7727-193832950"
LibClamAV debug: Ignoring consecutive blank lines in the body
LibClamAV debug: Ignoring consecutive blank lines in the body
LibClamAV debug: getline_from_mbox: fmap need failed
LibClamAV debug: parseEmailFile: return
LibClamAV debug: in parseEmailBody, 0 files saved so far
LibClamAV debug: Parsing mail file
LibClamAV debug: mimeType = 5
LibClamAV debug: Content-type 'multipart' handler
LibClamAV debug: boundaryStart: found Apple-Mail-7727-193832950 in --Apple-Mail-7727-193832950
LibClamAV debug: Now read in part 0
LibClamAV debug: Multipart 0: About to parse folded header 'Content-Disposition: attachment; filename=eicar.com'
LibClamAV debug: parseEmailHeader 'Content-Disposition: attachment; filename=eicar.com'
LibClamAV debug: parseMimeHeader: cmd='Content-Disposition', arg=' attachment; filename=eicar.com'
LibClamAV debug: messageAddArgument, arg='filename=eicar.com'
LibClamAV debug: Force mime encoding to application
LibClamAV debug: messageSetMimeType: 
'application'
LibClamAV debug: Multipart 0: About to parse folded header 'Content-Type: application/octet-stream; x-unix-mode=0755; name="eicar.com"'
LibClamAV debug: parseEmailHeader 'Content-Type: application/octet-stream; x-unix-mode=0755; name="eicar.com"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' application/octet-stream; x-unix-mode=0755; name="eicar.com"'
LibClamAV debug: messageSetMimeType: 'application'
LibClamAV debug: mimeArgs = ' x-unix-mode=0755'
LibClamAV debug: Add arguments ' x-unix-mode=0755'
LibClamAV debug: messageAddArgument, arg='x-unix-mode=0755'
LibClamAV debug: Discarding unwanted argument 'x-unix-mode=0755'
LibClamAV debug: mimeArgs = ' name="eicar.com"'
LibClamAV debug: Add arguments ' name="eicar.com"'
LibClamAV debug: messageAddArgument, arg='name=eicar.com'
LibClamAV debug: Multipart 0: About to parse folded header 'Content-Transfer-Encoding: 7bit'
LibClamAV debug: parseEmailHeader 'Content-Transfer-Encoding: 7bit'
LibClamAV debug: parseMimeHeader: cmd='Content-Transfer-Encoding', arg=' 7bit'
LibClamAV debug: messageSetEncoding: '7bit'
LibClamAV debug: Encoding type 1 is "7bit"
LibClamAV debug: Multipart 0: End of header information
LibClamAV debug: boundaryStart: found Apple-Mail-7727-193832950 in --Apple-Mail-7727-193832950
LibClamAV debug: Part 0 has 1 lines, rc = 1
LibClamAV debug: Mixed message part 0 is of type 1
LibClamAV debug: messageToFileblob
LibClamAV debug: messageExport: numberOfEncTypes == 1
LibClamAV debug: messageExport: enctype 0 is 0
LibClamAV debug: messageSetEncoding: 'base64'
LibClamAV debug: Encoding type 2 is "base64"
LibClamAV debug: blobSetFilename: eicar.com
LibClamAV debug: fileblobSetFilename: file eicar.com saved to /var/tmp//clamav-28026699c12464d0e475d468266d445a/clamav-968eae9e38f344ee1b6d128e4b1e5e62
LibClamAV debug: textToFileBlob to eicar.com, destroy = 0
LibClamAV debug: fileblobDestroy: /var/tmp//clamav-28026699c12464d0e475d468266d445a/clamav-968eae9e38f344ee1b6d128e4b1e5e62
LibClamAV debug: messageExport: enctype 1 is 2
LibClamAV debug: blobSetFilename: eicar.com
LibClamAV debug: fileblobSetFilename: file eicar.com saved to /var/tmp//clamav-28026699c12464d0e475d468266d445a/clamav-0019f68c5b9bb724421c23112792ca56
LibClamAV debug: sanitiseBase64 'x5o...@ap[4\pzx54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
LibClamAV debug: Exported 36 bytes using enctype 2
LibClamAV debug: 2 trailing bytes to export
LibClamAV debug: base64chars = 2 (@ @ @)
LibClamAV debug: in cli_magic_scandesc (reclevel: 1/16)
LibClamAV debug: cache_check: c822647af5de46731e269684929e505c is negative
LibClamAV debug: Recognized UTF-16BE character data
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: in cli_scanscript()
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: cache_add: c822647af5de46731e269684929e505c (level 0)
LibClamAV debug: cli_magic_scandesc: returning 0 at line 2381
LibClamAV debug: /var/tmp//clamav-28026699c12464d0e475d468266d445a/clamav-0019f68c5b9bb724421c23112792ca56 is clean
LibClamAV debug: fileblobDestructiveDestroy: /var/tmp//clamav-28026699c12464d0e475d468266d445a/clamav-0019f68c5b9bb724421c23112792ca56
LibClamAV debug: Now read in part 0
LibClamAV debug: Multipart 0: About to parse folded header 'Content-Transfer-Encoding: 7bit'
LibClamAV debug: parseEmailHeader 'Content-Transfer-Encoding: 7bit'
LibClamAV debug: parseMimeHeader: cmd='Content-Transfer-Encoding', arg=' 7bit'
LibClamAV debug: messageSetEncoding: '7bit'
LibClamAV debug: Encoding type 1 is "7bit"
LibClamAV debug: Multipart 0: About to parse folded header 'Content-Type: 
text/plain; charset=us-ascii'
LibClamAV debug: parseEmailHeader 'Content-Type: text/plain; charset=us-ascii'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' text/plain; charset=us-ascii'
LibClamAV debug: messageSetMimeType: 'text'
LibClamAV debug: mimeArgs = ' charset=us-ascii'
LibClamAV debug: Add arguments ' charset=us-ascii'
LibClamAV debug: messageAddArgument, arg='charset=us-ascii'
LibClamAV debug: Discarding unwanted argument 'charset=us-ascii'
LibClamAV debug: Multipart 0: End of header information
LibClamAV debug: boundaryEnd: found Apple-Mail-7727-193832950 in -
LibClamAV debug: Part 0 has 4 lines, rc = 1
LibClamAV debug: Mixed message part 0 is of type 6
LibClamAV debug: Mixed message text part disposition ""
LibClamAV debug: Mime subtype "plain"
LibClamAV debug: Adding part to main message
LibClamAV debug: messageToFileblob
LibClamAV debug: messageExport: numberOfEncTypes == 1
LibClamAV debug: messageExport: enctype 0 is 0
LibClamAV debug: Attachment sent with no filename
LibClamAV debug: messageAddArgument, arg='name=attachment'
LibClamAV debug: blobSetFilename: attachment
LibClamAV debug: fileblobSetFilename: file attachment saved to /var/tmp//clamav-28026699c12464d0e475d468266d445a/clamav-5e37c71428d9ec2617cc657dde800d51
LibClamAV debug: textToFileBlob to attachment, destroy = 1
LibClamAV debug: in cli_magic_scandesc (reclevel: 1/16)
LibClamAV debug: cache_check: 302871497f250ce5d1ec37bb3932007a is negative
LibClamAV debug: Recognized ASCII text
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: in cli_scanscript()
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, 
capacity: 0
LibClamAV debug: cache_add: 302871497f250ce5d1ec37bb3932007a (level 0)
LibClamAV debug: cli_magic_scandesc: returning 0 at line 2381
LibClamAV debug: /var/tmp//clamav-28026699c12464d0e475d468266d445a/clamav-5e37c71428d9ec2617cc657dde800d51 is clean
LibClamAV debug: fileblobDestructiveDestroy: /var/tmp//clamav-28026699c12464d0e475d468266d445a/clamav-5e37c71428d9ec2617cc657dde800d51
LibClamAV debug: Now read in part 0
LibClamAV debug: Empty part
LibClamAV debug: The message has 1 parts
LibClamAV debug: Find out the multipart type (mixed)
LibClamAV debug: Mixed message with 1 parts
LibClamAV debug: Mixed message part 0 is of type 0
LibClamAV debug: No mime headers found in multipart part 0
LibClamAV debug: No plain text alternative
LibClamAV debug: messageToFileblob
LibClamAV debug: cli_mbox returning 0
LibClamAV debug: in cli_magic_scandesc (reclevel: 1/16)
LibClamAV debug: cache_check: 69630e4574ec6798239b091cda43dca0 is negative
LibClamAV debug: Recognized ASCII text
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Eicar-Test-Signature found in descriptor 13
LibClamAV debug: FP SIGNATURE: 69630e4574ec6798239b091cda43dca0:69:Eicar-Test-Signature
LibClamAV debug: cli_magic_scandesc: returning 1 at line 2334
LibClamAV debug: FP SIGNATURE: bb7109238045ea91a393045349938b07:1119:Eicar-Test-Signature
LibClamAV debug: cli_magic_scandesc: returning 1 at line 2316
/var/amavis/tmp/amavis-20100902T170831-90578/parts/p004: Eicar-Test-Signature FOUND
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: cache_check: 44d88612fea8a8f36de82e1278abb02f is negative
LibClamAV debug: Recognized ASCII text
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, 
elements: 0, capacity: 0
LibClamAV debug: Eicar-Test-Signature found in descriptor 11
LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
LibClamAV debug: cli_magic_scandesc: returning 1 at line 2334
/var/amavis/tmp/amavis-20100902T170831-90578/parts/p001: Eicar-Test-Signature FOUND
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: cache_check: 0db022a6f8071dcc953356df825f157b is negative
LibClamAV debug: Recognized ASCII text
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: in cli_scanscript()
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: cache_add: 0db022a6f8071dcc953356df825f157b (level 0)
LibClamAV debug: cli_magic_scandesc: returning 0 at line 2381
$Finished scanthread
$Scanthread: connection shut down (FD 10)
$THRMGR: queue (single) crossed low threshold -> signaling
$THRMGR: queue (bulk) crossed low threshold -> signaling

On 2 Sept. 2010 at 18:03, Török Edwin wrote:

> On Thu, 2 Sep 2010 17:59:36 +0200
> bsd <[email protected]> wrote:
>
>> mail 16:51:31 /var/amavis screen # ulimit -a
>> socket buffer size (bytes, -b) unlimited
>> core file size (blocks, -c) unlimited
>> data seg size (kbytes, -d) 33554432
>> file size (blocks, -f) unlimited
>> max locked memory (kbytes, -l) unlimited
>> max memory size (kbytes, -m) unlimited
>> open files (-n) 11095
>> pipe size (512 bytes, -p) 1
>> stack size (kbytes, -s) 524288
>> cpu time (seconds, -t) unlimited
>> max user processes (-u) 5547
>> virtual memory (kbytes, -v) unlimited
>>
>> mail 16:58:27 /var/amavis screen # free
>> bash: free: command not found
>
> Can you try connecting to the clamd you started in debug mode?
>
> clamdscan --version should do that and report version if working.
>
> Then tell amavis to scan something using this clamd.
> Is it stuck, and does clamd output anything about the connection
> attempt?
>
> Best regards,
> --Edwin

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Gregober ---> PGP ID --> 0x1BA3C2FD
bsd @at@ todoo.biz
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
