Konrad,

These debug messages reflect the clamd socket events, such as connection setup, reading data from the socket, and connection close.
I get a similar set of events:

Received POLLIN|POLLHUP on fd 4
Got new connection, FD 9
Received POLLIN|POLLHUP on fd 5
fds_poll_recv: timeout after 15 seconds
...here, give clamd the input...
Received POLLIN|POLLHUP on fd 9
got command a (1, 0), argument:
Receive thread: closing conn (FD 9), group finished
Consumed entire command
Number of file descriptors polled: 1 fds
fds_poll_recv: timeout after 600 seconds

The difference is in the "Number of file descriptors polled" message, 1 fd vs. 0 fd. Your clamd is no longer accepting (or not responding to) connection requests, so we need to find out if that is what this debug message is indicating. What debug messages do you get with 0.95?

On Mon, Mar 18, 2013 at 3:01 PM, Konrad <[email protected]> wrote:

> Hi Steven,
>
> Thanks for this hint. Did not know about that debug switch... Got more
> messages but I'm not sure what this means:
>
> +++ Started at Mon Mar 18 19:02:02 2013
> clamd daemon 0.97.7 (OS: win32, ARCH: i386, CPU: i386)
> Log file size limited to 1048576 bytes.
> Reading databases from c:\Programme\Tools\ClamAV_0.97.7\data
> Not loading PUA signatures.
> Bytecode: Security mode set to "TrustSigned".
> Loaded 2005376 signatures.
> TCP: Bound to address 127.0.0.1 on port 3311
> TCP: Setting connection queue length to 200
> Limits: Global size limit set to 104857600 bytes.
> Limits: File size limit set to 26214400 bytes.
> Limits: Recursion level limit set to 16.
> Limits: Files limit set to 10000.
> Archive support enabled.
> Algorithmic detection enabled.
> Portable Executable support enabled.
> ELF support enabled.
> Detection of broken executables enabled.
> Mail files support enabled.
> OLE2 support enabled.
> PDF support enabled.
> HTML support enabled.
> Self checking every 600 seconds.
> Listening daemon: PID: 1848
> MaxQueue set to: 100
> fds_poll_recv: timeout after 600 seconds (Last message after startup)
> Received POLLIN|POLLHUP on fd 836 (The following messages appeared after
> the first telnet connection)
> Got new connection, FD 648
> fds_poll_recv: timeout after 5 seconds
> Received POLLIN|POLLHUP on fd 648
> got command d (1, 0), argument:
> Receive thread: closing conn (FD 648), group finished
> Consumed entire command
> Number of file descriptors polled: 0 fds
> fds_poll_recv: timeout after 600 seconds
>
> After the first telnet connection, nothing happens anymore and no more
> debug lines are printed.
>
> Any idea?
>
> Thx
>
> Konrad
>
> On 18.03.2013 17:47, Steven Morgan wrote:
>
>> Hi Konrad,
>>
>> Have you tried setting "Debug yes" in your clamd.conf?
>>
>> Steven Morgan
>>
>> On Sun, Mar 17, 2013 at 5:57 AM, Konrad <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> I'm new to this forum and I know that this is a UNIX only mailing list.
>>> My problem is related to a Win XP installation but I was hoping that you
>>> can at least give me some hints on how to debug clamd or increase the log
>>> level so that I will see what is going on! The Windows mailing list seems
>>> to be "dead" so I guess that I will not get any help from there. If you
>>> are not willing to answer Windows related questions, just let me know...
>>>
>>> My problem:
>>>
>>> I'm using ClamAV together with my mail server (Mercury) on a Windows XP
>>> box and v 0.95 works great so far. Now I wanted to upgrade to 0.97.7 but
>>> I can't get it working. If I start clamd manually in a shell, I can see
>>> that it is coming up "normal" and the process is visible in the task
>>> manager. The first mail is scanned OK and if it contains a virus
>>> attachment, clamd detects it. So far, so good. But from that moment on,
>>> it stops working and every next call is not processed anymore. No idea
>>> what is going on...
>>> I tried to activate logs but the log does not say much. Is there a way to
>>> increase the log level to get more information?
>>>
>>> I tried something else:
>>>
>>> I started clamd in one shell window and opened another shell to connect
>>> with telnet and 127.0.0.1 3310 and it gets connected. Pressing any key, I
>>> get UNKNOWN COMMAND and telnet exits. If I repeat this test, I can key in
>>> as much as I like, the UNKNOWN COMMAND error message does not appear
>>> anymore and telnet keeps running. If I do this with the OK working 0.95
>>> installation, I get UNKNOWN COMMAND every time and telnet always exits
>>> after that.
>>>
>>> I think it is something specific to this Windows machine because the
>>> telnet test shows the v0.95 behavior on every other machine I tested with.
>>>
>>> Log output:
>>>
>>> Sat Mar 16 23:12:35 2013 -> +++ Started at Sat Mar 16 23:12:35 2013
>>> Sat Mar 16 23:12:35 2013 -> clamd daemon 0.97.7 (OS: win32, ARCH: i386, CPU: i386)
>>> Sat Mar 16 23:12:35 2013 -> Log file size limited to 1048576 bytes.
>>> Sat Mar 16 23:12:35 2013 -> Reading databases from c:\Programme\Tools\ClamAV_0.97.7\data
>>> Sat Mar 16 23:12:35 2013 -> Not loading PUA signatures.
>>> Sat Mar 16 23:12:35 2013 -> Bytecode: Security mode set to "TrustSigned".
>>> Sat Mar 16 23:12:42 2013 -> Loaded 2005376 signatures.
>>> Sat Mar 16 23:12:43 2013 -> TCP: Bound to address 127.0.0.1 on port 3310
>>> Sat Mar 16 23:12:43 2013 -> TCP: Setting connection queue length to 200
>>> Sat Mar 16 23:12:43 2013 -> Limits: Global size limit set to 104857600 bytes.
>>> Sat Mar 16 23:12:43 2013 -> Limits: File size limit set to 26214400 bytes.
>>> Sat Mar 16 23:12:43 2013 -> Limits: Recursion level limit set to 16.
>>> Sat Mar 16 23:12:43 2013 -> Limits: Files limit set to 10000.
>>> Sat Mar 16 23:12:43 2013 -> Archive support enabled.
>>> Sat Mar 16 23:12:43 2013 -> Algorithmic detection enabled.
>>> Sat Mar 16 23:12:43 2013 -> Portable Executable support enabled.
>>> Sat Mar 16 23:12:43 2013 -> ELF support enabled.
>>> Sat Mar 16 23:12:43 2013 -> Detection of broken executables enabled.
>>> Sat Mar 16 23:12:43 2013 -> Mail files support enabled.
>>> Sat Mar 16 23:12:43 2013 -> OLE2 support enabled.
>>> Sat Mar 16 23:12:43 2013 -> PDF support enabled.
>>> Sat Mar 16 23:12:43 2013 -> HTML support enabled.
>>> Sat Mar 16 23:12:43 2013 -> Self checking every 600 seconds.
>>> Sat Mar 16 23:12:43 2013 -> Listening daemon: PID: 532
>>> Sat Mar 16 23:12:43 2013 -> MaxQueue set to: 100
>>> Sat Mar 16 23:13:24 2013 -> instream(127.0.0.1@27033): Exploit.Fnstenv_mov-1 FOUND
>>>
>>> Any idea what this could be or how I can track this down?
>>>
>>> btw: Turning off Windows Firewall does not make any difference.
>>>
>>> Thanks a lot!
>>>
>>> Konrad
>>> _______________________________________________
>>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>>> http://www.clamav.net/support/ml
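
The telnet test described in the thread can be scripted. The following is an added example, not code from the thread or from the ClamAV project: it opens several consecutive connections and sends clamd's PING command on each, so a daemon that answers only its first connection shows up as one PONG followed by timeouts. The function names, result labels and default timeout are assumptions of this example; 127.0.0.1:3310 is taken from the first log above.

```python
import socket


def probe_clamd(host="127.0.0.1", port=3310, attempts=3, timeout=5.0):
    """Open `attempts` consecutive connections and send clamd's PING on each.

    Returns one label per attempt: 'PONG' (healthy reply), 'TIMEOUT'
    (connected but no answer), 'REFUSED', 'CLOSED' (peer closed without
    replying), or the unexpected reply text.
    """
    results = []
    for _ in range(attempts):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(b"nPING\n")  # newline-delimited command form
                reply = s.recv(64).decode("ascii", "replace").strip()
                results.append(reply or "CLOSED")
        except socket.timeout:
            results.append("TIMEOUT")
        except ConnectionRefusedError:
            results.append("REFUSED")
        except OSError as exc:
            results.append("ERROR: %s" % exc)
    return results


def diagnose(results):
    """Summarise the per-connection labels (labels are this example's own)."""
    ok = [r == "PONG" for r in results]
    if all(ok):
        return "healthy"
    if ok[0] and not any(ok[1:]):
        return "stalled after first connection"  # the symptom in this thread
    if not any(ok):
        return "not answering"
    return "intermittent"


if __name__ == "__main__":
    # 127.0.0.1:3310 is the address from the first log in the thread.
    res = probe_clamd()
    for i, r in enumerate(res, 1):
        print("connection %d: %s" % (i, r))
    print("diagnosis:", diagnose(res))
```

Run from a scheduled task on the mail host, a "stalled after first connection" result is the cue to restart clamd and capture its debug log before the mail server starts passing unscanned mail.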
