My two cents (I don't run ClamAV)...

Observations:

- xxxx.vir directories are orphaned
- xxxx.vir directories are locked by something and cannot be deleted
without stopping some service(s)
- xxxx.vir directories are only created on Scott's system when ClamAV is
run as a service and Sandy's runclamscan.exe is invoked by Declude

My guess is that ClamAV is not finishing the processing of these
messages, that Declude would then kill after 10 minutes* the only part
it knows about, runclamscan.exe, leaving the ClamAV service still
processing/locking the directory or files in that directory.

The ClamAV service may be trying to contact the dead runclamscan.exe
instance, and can't, and thus does not let go of whatever it's locking.

Can anyone affected confirm the "killing the external app behaviour" by
examining the name of a xxxx.vir directory, and look up the loglines in
the appropriate decMMDD.log or virMMDD.log file with "find" or "grep"?

That won't necessarily help resolve it, but it may help clarify the
symptoms.

If the client is being killed, there are at least two causes:

1) the ClamAV service or runclamscan.exe client are not getting enough
CPU time because your mailserver is very busy and are unable to finish
within 10 minutes*.

2) the ClamAV service is stalling as it tries to scan or decode a
certain email or file and is a bug in ClamAV (there have been several,
as with other antivirus software).  This could be verified by stopping
the service, and then trying to scan the same xxxx.vir folder again
manually, invoking the ClamAV directly, as well as the service via
runclamscan.exe and seeing if either method hangs reproducibly, and then
report the samples as bad to the ClamAV development team.


Andrew.

* I think that 10 minutes is the correct timeout for an external app,
after which Declude will kill the external app.





> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
> Sent: Thursday, March 01, 2007 12:05 PM
> To: declude.virus@declude.com
> Subject: Re: [Declude.Virus] Current Version of Clam AV
> 
> I'm definitely still getting them with Clam .90
>
> They only happen here when I run clamav as a service. When I run it
> as a non-service (which is CPU foolish), I don't get these.
>
> I also use the clamscan wrapper (runclamscan.exe), so that might be
> in the mix.
> 
> ----- Original Message -----
> From: "Gary Steiner" <[EMAIL PROTECTED]>
> To: <declude.virus@declude.com>
> Sent: Thursday, March 01, 2007 11:57 AM
> Subject: Re: [Declude.Virus] Current Version of Clam AV
> 
> 
> Does anyone want to comment on what might be causing the error?  Is this a
> ClamAV problem or a Declude problem?  It seems that the normal mechanism for
> deleting those files is somehow interrupted.  Is there a way in Declude to
> increase the time allocated to each antivirus process?
>
> Though since I upgraded to SOSDG's version 0.90-1, I haven't seen any
> leftover .vir directories.
> 
> 
> -------- Original Message --------
> > From: "Brian T." <[EMAIL PROTECTED]>
> > Sent: Thursday, March 01, 2007 11:53 AM
> > To: declude.virus@declude.com
> > Subject: Re: [Declude.Virus] Current Version of Clam AV
> >
> > Does anyone know of a way to fix this problem with the leftover .vir
> > directories?
> >
> > I was thinking about switching to ClamAV from F-Prot but don't want to
> > constantly be cleaning up leftover files.
> >
> > Thanks,
> >
> > Brian
> >   ----- Original Message ----- 
> >   From: Darrell ([EMAIL PROTECTED])
> >   To: declude.virus@declude.com
> >   Sent: Tuesday, February 27, 2007 11:44 AM
> >   Subject: Re: [Declude.Virus] Current Version of Clam AV
> >
> >
> >   In my normal maintenance window (once a week) all services are stopped
> > and I clean out the work, error, proc, spool, and review folders.  Since I
> > stop CLAMAV as well I am able to delete those directories.
> >
> >   Darrell
> >
> >   
> >   ------------------------------------------------------------------------
> >   Check out http://www.invariantsystems.com for utilities for Declude And
> > Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
> > MRTG Integration, and Log Parsers.
> >     ----- Original Message ----- 
> >     From: Stephan
> >     To: declude.virus@declude.com
> >     Sent: Tuesday, February 27, 2007 11:22 AM
> >     Subject: Re: [Declude.Virus] Current Version of Clam AV
> >
> >
> >     Thanks for responding. I can't delete them until I restart the ClamAV
> > service. Do you have a way of automatically deleting them, or do you
> > schedule a task to restart ClamAV and then delete them? I tried using a
> > scheduled task but for some reason they still don't get deleted (but it's
> > possible to do it manually.)
> >
> >     -----Original Message-----
> >     From: "Darrell ([EMAIL PROTECTED])" 
> > <[EMAIL PROTECTED]>
> >     Sent 2/27/2007 10:17:46 AM
> >     To: declude.virus@declude.com
> >     Subject: Re: [Declude.Virus] Current Version of Clam AV
> >
> >     FWIW - I have always had left over directories from .84 on up.
> >
> >     Darrell
> >     
> >       ----- Original Message ----- 
> >       From: Stephan
> >       To: declude.virus@declude.com
> >       Sent: Tuesday, February 27, 2007 8:41 AM
> >       Subject: Re: [Declude.Virus] Current Version of Clam AV
> >
> >
> >       I am also running the 0.90-1, and it's working fine, except I still
> > get leftover .vir directories inside the declude/proc dir. The error in
> > the clamav log shows:
> >       -> d:\imail\spool\proc\work\d716a0~1.vir\/0: Unable to create temporary directory ERROR
> >       I've tried checking permissions, and made sure I have the clamav
> > tmpdir variable set to my clamav tmp dir (which fixed a similar error that
> > stopped the clamav service from starting.) But I haven't been able to fix
> > this one. Anyone know how to fix this error?
> >       Thanks.
> >
> >       -----Original Message-----
> >       From: "Darrell ([EMAIL PROTECTED])" 
> > <[EMAIL PROTECTED]>
> >       Sent 2/26/2007 1:30:43 PM
> >       To: declude.virus@declude.com
> >       Subject: Re: [Declude.Virus] Current Version of Clam AV
> >
> >
> > Gary,
> >
> > I upgraded on Friday and have not run into any issues.
> >
> > Darrell
> >
> > 
> >
> > ----- Original Message ----- 
> > From: "Gary Steiner" <[EMAIL PROTECTED]>
> > To: <declude.virus@declude.com>
> > Sent: Monday, February 26, 2007 1:01 PM
> > Subject: RE: [Declude.Virus] Current Version of Clam AV
> >
> >
> > I see that SOSDG released a new version (0.90-1) of their Windows port of
> > ClamAV on 02-22-2007.
> >
> > http://www.sosdg.org/clamav-win32/
> >
> > Has anyone upgraded to it yet?  Any problems?
> >
> > Gary Steiner
> >
> >
> >
> > -------- Original Message --------
> > > From: "Mark Reimer" <[EMAIL PROTECTED]>
> > > Sent: Friday, February 16, 2007 2:04 PM
> > > To: declude.virus@declude.com
> > > Subject: RE: [Declude.Virus] Current Version of Clam AV
> > >
> > > Clam AV releases prior to 0.90 have DoS issues I believe. Is there a
> > > 0.90 release for Windows?
> > >
> > >
> > >
> > > Mark Reimer
> > >
> > > IT System Admin
> > >
> > > American CareSource
> > >
> > > 972-308-6887
> > >
> > >
> > >
> > >   _____
> > >
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Reimer
> > > Sent: Friday, February 16, 2007 10:06 AM
> > > To: declude.virus@declude.com
> > > Subject: [Declude.Virus] Current Version of Clam AV
> > >
> > >
> > >
> > > What is the current release of Clam AV for windows? I saw 0.90 stable is
> > > out now.
> > >
> > >
> > >
> > > Mark Reimer
> > >
> > > IT System Admin
> > >
> > > American CareSource
> > >
> > > 972-308-6887
> > >
> > >
> > >
> > >
> > >
> 
> 
> 
> 
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".    The archives can be found
> at http://www.mail-archive.com.

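The log lookup Andrew suggests at the top of this message, as an added PowerShell example that is not part of the original thread. The work path is the one quoted from the ClamAV log; the log folder ($LogDir) is an assumed location, and the search is a plain substring match on the directory name because the thread does not show the log line format.

```powershell
# Added example, not from the thread. Lists leftover *.vir directories and the
# decMMDD.log / virMMDD.log lines that mention them.
param(
    [string]$WorkDir        = 'D:\imail\spool\proc\work',  # path quoted in the ClamAV log
    [string]$LogDir         = 'D:\imail\spool',            # assumption: set to your log folder
    [int]   $TimeoutMinutes = 10                           # external-app timeout Andrew cites
)

$cutoff = (Get-Date).AddMinutes(-$TimeoutMinutes)

# Anything still present after the timeout should already have been cleaned up.
# -Filter can also match 8.3 short names, so the extension is checked again.
$leftovers = Get-ChildItem -LiteralPath $WorkDir -Directory -Filter '*.vir' |
    Where-Object { $_.Extension -eq '.vir' -and $_.CreationTime -lt $cutoff }

foreach ($dir in $leftovers) {
    # Logs are named by month and day: use the day the directory was created.
    $stamp = $dir.CreationTime.ToString('MMdd')
    $logs  = @('dec', 'vir' |
        ForEach-Object { Join-Path $LogDir "$_$stamp.log" } |
        Where-Object   { Test-Path -LiteralPath $_ })

    # Search key: the directory name without its .vir extension.
    $id   = [System.IO.Path]::GetFileNameWithoutExtension($dir.Name)
    $hits = @()
    if ($logs.Count -gt 0) {
        $hits = @(Select-String -LiteralPath $logs -SimpleMatch -Pattern $id)
    }

    # One record per leftover directory; an empty LogLines means no log for
    # that day was found in $LogDir or none of its lines mention the name.
    [pscustomobject]@{
        Directory = $dir.Name
        Created   = $dir.CreationTime
        LogLines  = @($hits | ForEach-Object {
            '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line
        })
    }
}
```

The lines it returns for a given directory can then be read for any entry showing that runclamscan.exe was ended by Declude.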