> From: David Raynor [mailto:dray...@sourcefire.com]
> Sent: 07 November 2012 14:54
>
> On Wed, Nov 7, 2012 at 3:20 AM, Philipp Schwaha <phil...@schwaha.net> wrote:
>
> > hi everybody!
> >
> > I recently set up a combination of exim and clamav which was working
> > very nicely until clamav seemingly started to choke. Switching
> > debugging on I obtained the following:
> >
> > Wed Nov 7 01:52:06 2012 -> Received POLLIN|POLLHUP on fd 4
> > Wed Nov 7 01:52:06 2012 -> Got new connection, FD 9
> > Wed Nov 7 01:52:06 2012 -> Received POLLIN|POLLHUP on fd 5
> > Wed Nov 7 01:52:06 2012 -> fds_poll_recv: timeout after 5 seconds
> > Wed Nov 7 01:52:06 2012 -> Received POLLIN|POLLHUP on fd 9
> > Wed Nov 7 01:52:06 2012 -> got command SCAN /var/spool/exim/scan/1TVtsE-0006lJ-9m/1TVtsE-0006lJ-9m.eml (63, 5), argument: /var/spool/exim/scan/1TVtsE-0006lJ-9m/1TVtsE-0006lJ-9m.eml
> > Wed Nov 7 01:52:06 2012 -> mode -> MODE_WAITREPLY
> > Wed Nov 7 01:52:06 2012 -> Breaking command loop, mode is no longer MODE_COMMAND
> > Wed Nov 7 01:52:06 2012 -> Consumed entire command
> > Wed Nov 7 01:52:06 2012 -> THRMGR: queue (single) crossed low threshold -> signaling
> > Wed Nov 7 01:52:06 2012 -> THRMGR: queue (bulk) crossed low threshold -> signaling
> > Wed Nov 7 01:52:06 2012 -> Number of file descriptors polled: 1 fds
> > Wed Nov 7 01:52:06 2012 -> fds_poll_recv: timeout after 600 seconds
> > Wed Nov 7 01:52:06 2012 -> /var/spool/exim/scan/1TVtsE-0006lJ-9m/1TVtsE-0006lJ-9m.eml: Can't create temporary directory ERROR
> > Wed Nov 7 01:52:06 2012 -> Finished scanthread
> > Wed Nov 7 01:52:06 2012 -> Scanthread: connection shut down (FD 9)
> > Wed Nov 7 01:52:06 2012 -> THRMGR: queue (single) crossed low threshold -> signaling
> > Wed Nov 7 01:52:06 2012 -> THRMGR: queue (bulk) crossed low threshold -> signaling
> >
> > This seems very odd, since it seems that it wants to create a
> > temporary file which has exactly the same name as the input file and
> > hence little probability of success. Am I interpreting the error
> > message incorrectly?
> > Or is this maybe some other issue?
> >
> > I have now tried with clamav versions 0.97.4, 0.97.5 and 0.97.6. Exim
> > is at version 4.80. Its log file contains the corresponding message:
> >
> > 1TVtsE-0006lJ-9m malware acl condition: clamd: ClamAV returned: /var/spool/exim/scan/1TVtsE-0006lJ-9m/1TVtsE-0006lJ-9m.eml: Can't create temporary directory ERROR
> >
> > Of note is that it happens for all mails, even the most simplistic
> > ones (e.g., generated by swaks), where there is nothing to unpack. The
> > description I found here:
> > http://lurker.clamav.net/message/20120618.182545.25960b6a.en.html lets
> > me think that the error message might not be quite ok?
> >
> > I have also tried with different settings of 'TemporaryDirectory'
> > going through several useful settings such as /tmp or /var/tmp and
> > also obviously broken directories, just in order to see if anything
> > changes. So far I have not had any luck to change clamav's behaviour
> > at all.
> >
> > Do you have any suggestions how to further track down and hopefully
> > fix this issue?
> >
> > cheers
> > Philipp
> >
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide: visit
> > http://wiki.clamav.net http://www.clamav.net/support/ml
>
> This is a result message. It is starting with the file it was asked to
> scan, not the directory it is trying to create. The message it is
> printing is because the scanning result has a value of CL_ETMPDIR
> somewhere within the scanning attempt and that bubbled up to be the
> final result. One of the first things ClamAV does within the mail
> scanning is create a folder to dump attachments to as temporary files
> for scanning. That is probably where it is happening.
>
> But it looks as if you only have debug level logging for the server
> thread and not for the actual scanning thread. The scanning library
> should be printing out a line that will tell you what directory it
> failed to create.
> Everywhere that the CL_ETMPDIR return code is initially returned, it is
> printing a message (frequently at debug level) to say what directory it
> could not create. In the case of the mail message related failure I am
> guessing above [inside function cli_scanmail()] it will look like this:
>
>     Mail: Can't create temporary directory /dir/name/goes/here
>
> That would tell you what folder it failed to create. So you need to get
> that message printed, which means checking the config. Can you share
> your clamd.conf file?
>
> Dave R.
>
> --
> ---
> Dave Raynor
> Sourcefire Vulnerability Research Team
> dray...@sourcefire.com

Alternative approach: use "df" and "df -i" to check free disk space and inodes respectively.

If you are on an SELinux system, try "setenforce 0". If that makes it work, use "aureport --avc -ts recent" to show what was being denied. Note: if it's an SELinux problem, you're supposed to fix it properly and set "setenforce 1", not leave it in permissive mode.

You say it used to work. Ye Olde Reliable Debugging Questiones are: "When did it last work? When did it break? What changed in between?"

Moray.
"To err is human; to purr, feline."
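
The checks suggested in this reply, gathered into one script as an added example; it is not part of the original thread and not ClamAV code. The function names, the probe directory name and the fallback to /tmp when 'TemporaryDirectory' is unset are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not ClamAV code). Run it as the account clamd runs under,
# because directory permissions are evaluated per user.

# Print the TemporaryDirectory value from a clamd.conf-style file.
# Assumption: fall back to /tmp when the option is unset or the file is unreadable.
tmpdir_from_conf() {
    if [ ! -r "$1" ]; then
        echo /tmp
        return 0
    fi
    # Commented-out lines do not match because their first field starts with '#'.
    awk '$1 == "TemporaryDirectory" { print $2; found = 1; exit }
         END { if (!found) print "/tmp" }' "$1"
}

# Report on DIR and return 0 only if a subdirectory can be created in it.
check_tmpdir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi
    # Free space (KiB) and free inodes, the values "df" and "df -i" report.
    echo "avail_kb=$(df -Pk "$dir" 2>/dev/null | awk 'NR == 2 { print $4 }')"
    echo "inodes_free=$(df -Pi "$dir" 2>/dev/null | awk 'NR == 2 { print $4 }')"
    # SELinux mode, when the tools are installed.
    if command -v getenforce >/dev/null 2>&1; then
        echo "selinux=$(getenforce)"
    fi
    # Attempt the operation that is failing: creating a directory under DIR.
    if probe=$(mktemp -d "$dir/clamav-probe.XXXXXX" 2>/dev/null); then
        rmdir "$probe"
        echo "OK: created and removed a directory in $dir"
        return 0
    fi
    echo "FAIL: cannot create a directory in $dir as $(id -un)"
    return 1
}

# Usage: sh check_tmpdir.sh /path/to/clamd.conf
if [ "$#" -gt 0 ]; then
    check_tmpdir "$(tmpdir_from_conf "$1")"
fi
```

If the probe succeeds with SELinux in Enforcing mode, the result still only describes the shell's context, not clamd's, so the "aureport --avc -ts recent" check above remains worth running.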