On 22 Mar 2013, at 18:29, David Raynor <[email protected]> wrote:
> On Fri, Mar 22, 2013 at 1:11 PM, Ben Stuyts <[email protected]> wrote:
>
>> Hi,
>>
>> I was using clamscan for daily scanning of our users' home directories,
>> but it was getting too slow with scan times of up to 6 hours. Therefore I'm
>> testing clamdscan and using multiple threads to scan. (cmd line is
>> /usr/local/bin/clamdscan -m --fdpass /home)
>>
>> I am getting the following error messages from clamd while scanning, and
>> it's missing a lot of files. I put the Eicar test file at various spots
>> and it's being missed by the scan.
>>
>> Thu Mar 21 22:00:01 2013 -> SelfCheck: Database status OK.
>> Thu Mar 21 22:10:01 2013 -> SelfCheck: Database status OK.
>> Thu Mar 21 22:13:48 2013 -> Client disconnected while scanjob was active
>> Thu Mar 21 22:13:48 2013 -> Client disconnected while scanjob was active
>> (repeat...)
>> Thu Mar 21 22:14:06 2013 -> Client disconnected while scanjob was active
>> Thu Mar 21 22:17:29 2013 -> Reading databases from /var/db/clamav
>> Thu Mar 21 22:17:36 2013 -> Database correctly reloaded (2019434 signatures)
>>
>> Output from clamdscan, no errors:
>>
>> ----------- SCAN SUMMARY -----------
>> Infected files: 0
>> Time: 3846.032 sec (64 m 6 s)
>>
>> This is on FreeBSD 7.4-stable, clamav-0.97.7 (clamav-0.97.6 had the same
>> problem). The home directories are all zfs based. clamd runs as user
>> clamav, clamdscan as user root.
>>
>> What could be causing this?
>>
>> Kind regards,
>> Ben
>>
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> http://www.clamav.net/support/ml
>>
>
> Ben,
>
> The "Client disconnected while scanjob was active" lines can also show up
> when the scanning threads are being told to shut down. Did freshclam run and
> update your signatures during this scan?
>
> Dave R.
>
> --
> ---
> Dave Raynor
> Sourcefire Vulnerability Research Team
> [email protected]

Yes it ran, but at the end at 22:17, not at 22:13 when the first errors appeared. From freshclam.log:

--------------------------------------
Received signal: wake up
ClamAV update process started at Thu Mar 21 20:17:17 2013

... and then the next entry:

--------------------------------------
Received signal: wake up
ClamAV update process started at Thu Mar 21 22:17:23 2013
main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
WARNING: getfile: daily-16881.cdiff not found on remote server (IP: 217.19.16.188)
WARNING: getpatch: Can't download daily-16881.cdiff from database.clamav.net
Downloading daily-16881.cdiff [100%]
daily.cld updated (version: 16881, sigs: 980411, f-level: 63, builder: guitar)
bytecode.cld is up to date (version: 214, sigs: 41, f-level: 63, builder: neo)
Database updated (2024839 signatures) from database.clamav.net (IP: 145.58.29.83)
Clamd successfully notified about the update.

... and the next:

--------------------------------------
Received signal: wake up
ClamAV update process started at Fri Mar 22 00:17:29 2013

There were also a few incoming e-mails during that time which were scanned via clamav-milter and clamd. Could that have an effect?

Ben
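
An added example, not part of the original messages: a Python sketch that checks the question raised in the thread, whether the "Client disconnected while scanjob was active" entries in clamd's log fall close to a database reload. The sample log is constructed from the lines quoted above; the 60-second window and the function names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: the clamd log lines quoted in the thread.
SAMPLE_LOG = """\
Thu Mar 21 22:00:01 2013 -> SelfCheck: Database status OK.
Thu Mar 21 22:10:01 2013 -> SelfCheck: Database status OK.
Thu Mar 21 22:13:48 2013 -> Client disconnected while scanjob was active
Thu Mar 21 22:13:48 2013 -> Client disconnected while scanjob was active
Thu Mar 21 22:14:06 2013 -> Client disconnected while scanjob was active
Thu Mar 21 22:17:29 2013 -> Reading databases from /var/db/clamav
Thu Mar 21 22:17:36 2013 -> Database correctly reloaded (2019434 signatures)
"""

DISCONNECT = "Client disconnected while scanjob was active"
RELOAD_START = "Reading databases from"


def parse(log_text):
    """Yield (timestamp, message) for each well-formed clamd log line."""
    for line in log_text.splitlines():
        stamp, sep, message = line.partition(" -> ")
        if not sep:
            continue  # wrapped or malformed line, no timestamp to use
        try:
            # %a/%b parsing assumes the C/English locale clamd logs in.
            ts = datetime.strptime(stamp.strip(), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue
        yield ts, message.strip()


def classify_disconnects(log_text, window=timedelta(seconds=60)):
    """Return (near_reload, unexplained) lists of disconnect timestamps.

    A disconnect counts as near a reload when a "Reading databases" entry
    lies within `window` of it (the window size is an assumption).
    """
    events = list(parse(log_text))
    reloads = [ts for ts, msg in events if msg.startswith(RELOAD_START)]
    near, unexplained = [], []
    for ts, msg in events:
        if msg != DISCONNECT:
            continue
        hit = any(abs(r - ts) <= window for r in reloads)
        (near if hit else unexplained).append(ts)
    return near, unexplained


if __name__ == "__main__":
    near, unexplained = classify_disconnects(SAMPLE_LOG)
    print(f"near a reload: {len(near)}, not near a reload: {len(unexplained)}")
```

Disconnects reported as not near a reload are the ones worth following up, since each one is a scan job that ended without reporting a result to the client.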
