Re: [clamav-users] reduce memory footprint by removing some virusdefinitions on a low memory server

2018-01-26 Thread Rajesh M
hi 

this is what i did on my mail server

cd /var/lib/clamav

mv daily.cld daily.cld.BAK
mv main.cld main.cld.BAK
mv bytecode.cld bytecode.cld.BAK
mv mirrors.dat mirrors.dat.BAK

kept foxhole_all and badmacro.ndb unofficial which handles all kinds of bad 
attachments / macros.

also have spam-assassin with oledb macro plugin.

things seem to work now

rajesh


- Original Message -
From: Sophie Loewenthal [mailto:sop...@klunky.co.uk]
To: clamav-users@lists.clamav.net
Sent: Fri, 26 Jan 2018 09:41:38 +0100
Subject: 

Hi everybody,

Would removing some of the virus definitions on a memory sparse server still 
leave a semi-usable clamav scanner? 

e.g if I just left 
main.cvd
bytecode.cvd

and dropped daily.cvd?

Or some other config.

e.g just kept the unofficial sigs and the bytecode.

I realize this is reducing clamav’s effectiveness, but my other option is to 
remove clamav.

Kind regards,
Sophie






___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml



Re: [clamav-users] reduce memory footprint by removing some virus definitions on a low memory server

2018-01-26 Thread Reindl Harald



On 26.01.2018 at 09:41, Sophie Loewenthal wrote:
> Hi everybody,
>
> Would removing some of the virus definitions on a memory sparse server still 
> leave a semi-usable clamav scanner?
>
> e.g if I just left
> main.cvd
> bytecode.cvd
>
> and dropped daily.cvd?
>
> Or some other config.
>
> e.g just kept the unofficial sigs and the bytecode.
>
> I realize this is reducing clamav’s effectiveness, but my other option is to 
> remove clamav


that's exactly what we are doing for months

30 MB clamd /var/lib/clamav
481 MB /var/lib/clamav-spam

we run two instances and the large one using /var/lib/clamav-spam includes 
"safebrowsing" and freshclam itself is running on an admin-server pushing 
the selected signatures with rsync to the inbound mailserver


[root@mail-gw:~]$ ls /var/lib/clamav
insgesamt 1,6M
-rw-r--r-- 1 clamupdate clamupdate 107K 2018-01-24 17:07 foxhole_filename.cdb
-rw-r--r-- 1 clamupdate clamupdate  46K 2017-12-14 11:11 foxhole_generic.cdb
-rw-r--r-- 1 clamupdate clamupdate 3,8K 2017-08-18 19:56 foxhole_js.cdb
-rw-r--r-- 1 clamupdate clamupdate 4,2K 2017-02-16 21:12 thelounge_blocked_extensions.cdb
-rw-r--r-- 1 clamupdate clamupdate  11K 2016-10-18 15:56 sanesecurity.ftm
-rw-r--r-- 1 clamupdate clamupdate 104K 2018-01-26 09:05 bofhland_malware_attach.hdb
-rw-r--r-- 1 clamupdate clamupdate   82 2016-07-13 21:44 crdfam.clamav.hdb
-rw-r--r-- 1 clamupdate clamupdate  62K 2018-01-24 10:07 rogue.hdb
-rw-r--r-- 1 clamupdate clamupdate  29K 2018-01-26 09:00 winnow_extended_malware.hdb
-rw-r--r-- 1 clamupdate clamupdate  36K 2018-01-26 09:00 winnow_malware.hdb
-rw-r--r-- 1 clamupdate clamupdate  48K 2015-08-05 09:24 hackingteam.hsb
-rw-r--r-- 1 clamupdate clamupdate  73K 2017-06-29 08:54 malwarehash.hsb
-rw-r--r-- 1 clamupdate clamupdate  22K 2018-01-26 09:01 porcupine.hsb
-rw-r--r-- 1 clamupdate clamupdate 7,5K 2017-11-17 19:56 sigwhitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate  261 2017-03-23 15:09 thelounge_whitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate  74K 2018-01-18 11:16 badmacro.ndb
-rw-r--r-- 1 clamupdate clamupdate 115K 2018-01-26 09:09 blurl.ndb
-rw-r--r-- 1 clamupdate clamupdate  654 2018-01-26 09:05 bofhland_malware_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate  230 2016-11-21 09:55 foxhole_js.ndb
-rw-r--r-- 1 clamupdate clamupdate 237K 2018-01-26 09:01 porcupine.ndb
-rw-r--r-- 1 clamupdate clamupdate   61 2017-02-16 21:12 thelounge_custom_sigs.ndb
-rw-r--r-- 1 clamupdate clamupdate 523K 2018-01-26 09:00 winnow_malware_links.ndb


[root@mail-gw:~]$ ls /var/lib/clamav-spam
insgesamt 158M
-rw-r--r-- 1 clamupdate clamupdate 9,2K 2018-01-24 17:07 foxhole_all.cdb
-rw-r--r-- 1 clamupdate clamupdate 1,2K 2017-09-13 10:51 foxhole_mail.cdb
-rw-r--r-- 1 clamupdate clamupdate 5,5K 2017-02-16 21:12 thelounge_tagged_extensions.cdb
-rw-r--r-- 1 clamupdate clamupdate 122M 2018-01-26 07:55 safebrowsing.cld
-rw-r--r-- 1 clamupdate clamupdate 2,1K 2018-01-26 09:09 malware.expert.fp
-rw-r--r-- 1 clamupdate clamupdate  11K 2016-10-18 15:56 sanesecurity.ftm
-rw-r--r-- 1 clamupdate clamupdate  25K 2018-01-26 09:09 malware.expert.hdb
-rw-r--r-- 1 clamupdate clamupdate 1,4K 2017-04-28 09:56 spamattach.hdb
-rw-r--r-- 1 clamupdate clamupdate  14K 2017-11-28 12:03 spamimg.hdb
-rw-r--r-- 1 clamupdate clamupdate 515K 2018-01-26 09:00 winnow.attachments.hdb
-rw-r--r-- 1 clamupdate clamupdate   66 2018-01-26 09:00 winnow_bad_cw.hdb
-rw-r--r-- 1 clamupdate clamupdate 7,5K 2017-11-17 19:56 sigwhitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate  261 2017-03-23 15:09 thelounge_whitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate  21K 2018-01-26 09:09 malware.expert.ldb
-rw-r--r-- 1 clamupdate clamupdate 487K 2018-01-26 09:09 MiscreantPunch099-Low.ldb
-rw-r--r-- 1 clamupdate clamupdate 2,2K 2017-05-03 10:56 shelter.ldb
-rw-r--r-- 1 clamupdate clamupdate  556 2017-05-05 11:56 spam.ldb
-rw-r--r-- 1 clamupdate clamupdate  660 2018-01-26 09:00 winnow.complex.patterns.ldb
-rw-r--r-- 1 clamupdate clamupdate 115K 2018-01-26 09:09 blurl.ndb
-rw-r--r-- 1 clamupdate clamupdate  170 2018-01-26 09:05 bofhland_cracked_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate  654 2018-01-26 09:05 bofhland_malware_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 3,5K 2018-01-26 09:05 bofhland_phishing_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 5,7K 2016-11-21 09:55 foxhole_all.ndb
-rw-r--r-- 1 clamupdate clamupdate 6,8M 2018-01-16 16:09 junk.ndb
-rw-r--r-- 1 clamupdate clamupdate 182K 2018-01-18 11:08 jurlbla.ndb
-rw-r--r-- 1 clamupdate clamupdate 477K 2018-01-18 00:07 jurlbl.ndb
-rw-r--r-- 1 clamupdate clamupdate 240K 2017-08-04 16:53 lott.ndb
-rw-r--r-- 1 clamupdate clamupdate  96K 2018-01-26 09:09 malware.expert.ndb
-rw-r--r-- 1 clamupdate clamupdate 3,9M 2018-01-16 16:21 phish.ndb
-rw-r--r-- 1 clamupdate clamupdate 3,6M 2018-01-26 09:01 phishtank.ndb
-rw-r--r-- 1 clamupdate clamupdate  14M 2018-01-26 09:00 scamnailer.ndb
-rw-r--r-- 1 clamupdate clamupdate 1,9M 2018-01-05 10:11 scam.ndb
-rw-r--r-- 1 clamupdate clamupdate  37K 2017-12-28 18:09 spearl.ndb
-rw-r--r-- 1 

[clamav-users] reduce memory footprint by removing some virus definitions on a low memory server

2018-01-26 Thread Sophie Loewenthal
Hi everybody,

Would removing some of the virus definitions on a memory sparse server still 
leave a semi-usable clamav scanner? 

e.g if I just left 
main.cvd
bytecode.cvd

and dropped daily.cvd?

Or some other config.

e.g just kept the unofficial sigs and the bytecode.

I realize this is reducing clamav’s effectiveness, but my other option is to 
remove clamav.

Kind regards,
Sophie








Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Rajesh M
yes all our servers are stuck

disabled official signatures

we have sanesecurity foxhole foxhole_all.cdb -- customized for our use which 
blocks all bad attachments 

it seems to work now.

rajesh


- Original Message -
From: Reindl Harald [mailto:h.rei...@thelounge.net]
To: clamav-users@lists.clamav.net
Sent: Fri, 26 Jan 2018 09:22:14 +0100
Subject: 



On 26.01.2018 at 09:19, Marco wrote:
> On 26/01/2018 09:00, Reindl Harald wrote:
>> freshclam and a custom script downloads anything to 
>> /var/lib/clamav-download and then for the two "/var/lib/clamav" and 
>> "/var/lib/clamav-sa" based on file-lists hardlinks are set - from the 
>> official only "safebrowsing" is active
> 
> We have the same problem: I confirm that without official signature 
> Clamav works!

looks like "freshclam" needs something like a downgrade option when bad 
signatures can lead to such a massive fuckup


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Reindl Harald



On 26.01.2018 at 09:19, Marco wrote:
> On 26/01/2018 09:00, Reindl Harald wrote:
>> freshclam and a custom script downloads anything to 
>> /var/lib/clamav-download and then for the two "/var/lib/clamav" and 
>> "/var/lib/clamav-sa" based on file-lists hardlinks are set - from the 
>> official only "safebrowsing" is active
>
> We have the same problem: I confirm that without official signature 
> Clamav works!

looks like "freshclam" needs something like a downgrade option when bad 
signatures can lead to such a massive fuckup



Re: [clamav-users] Anyone notice any issues with clamav 0.99.2 and recent patterns?

2018-01-26 Thread maxal
On Fri, 2018-01-26 at 08:11 +0100, lukn wrote:
> Same on a machine with clamav-milter:
> 
> clamav-milter[8241]: Failed to initiate streaming/fdpassing
> clamav-milter[8241]: Unknown reply from clamd
> clamd[11895]: instream(127.0.0.1@49958): Can't open file or directory ERROR
> clamav-milter[8241]: send failed: Broken pipe
> clamav-milter[8241]: Streaming failed
> clamd[11895]: accept() failed:
> 
> I suspect a toxic signature keeps killing clamd

as a side-effect of the issue clamd keeps filling up /tmp/ with
clamav-x.tmp and an empty 'rfc2397' folder and so running out of file descriptors.

> 
> 
> 
> On 26.01.2018 07:47, lukn wrote:
> > Good morning list
> > 
> > same here, since about 4am CET we see permanent crashes of clamd.
> > Process indeed disappears, but logging is minimal. All I see is:
> > 
> > clamd[25989]: instream(127.0.0.1@58142): Can't open file or directory ERROR
> > clamd[25989]: accept() failed:
> > 
> > the second line repeats several dozen times.
> > 
> > I use clamd to scan mail with fuglu (fuglu.org) which talks to
> > clamd via
> > TCP socket.
> > 
> 


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Marco

On 26/01/2018 09:00, Reindl Harald wrote:
> freshclam and a custom script downloads anything to 
> /var/lib/clamav-download and then for the two "/var/lib/clamav" and 
> "/var/lib/clamav-sa" based on file-lists hardlinks are set - from the 
> official only "safebrowsing" is active


We have the same problem: I confirm that without official signature 
Clamav works!


Regards
Marco


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Reindl Harald



On 26.01.2018 at 08:32, Dianne Skoll wrote:
> Something went badly wrong with clamd recently; it's stuck with
> hundreds/thousands of open files per process and interrupting mail flow.
>
> When a scanning thread finishes, I see this in the strace output.
> (I ran clamdscan /etc/hosts as a test):
>
> [pid  3707] 02:11:01 sendto(295, "/etc/hosts: OK\n", 15, 0, NULL, 0) = 15
> [pid  3707] 02:11:01 shutdown(295, SHUT_RDWR) = 0
> [pid  3707] 02:11:01 close(295) = 0
> [pid  3707] 02:11:01 futex(0x1933c3c, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 387, {1516950691, 0}, ) = -1 ETIMEDOUT (Connection timed out)
> [pid  3707] 02:11:31 futex(0x1933c10, FUTEX_WAKE_PRIVATE, 1) = 0
> [pid  3707] 02:11:31 madvise(0x7fae6affe000, 8368128, MADV_DONTNEED) = 0
> [pid  3707] 02:11:31 _exit(0)   = ?
> [pid  3707] 02:11:31 +++ exited with 0 +++
>
> So it scans the file, says it's OK. and then hangs in the futex for 30
> seconds.
>
> HELP!  This is causing major outages for many of our customers


sounds like an issue with the official signatures given that you are not 
the first reporter and that we don't use them and have no problems


freshclam and a custom script downloads anything to 
/var/lib/clamav-download and then for the two "/var/lib/clamav" and 
"/var/lib/clamav-sa" based on file-lists hardlinks are set - from the 
official only "safebrowsing" is active
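
The staging-directory scheme described in the message above, as an added example; it is not Reindl Harald's script, which the thread does not show. The function name `sync_sigs`, the one-name-per-line list format and the return codes are assumptions, and hardlinks require the staging and target directories to be on the same filesystem.

```shell
#!/bin/sh
# Added example (assumed names): expose only selected signature databases
# to a clamd instance by hardlinking them from a download/staging directory.
# Usage: sync_sigs /var/lib/clamav-download /var/lib/clamav /path/to/filelist

sync_sigs() {
    staging=$1 target=$2 list=$3
    [ -d "$staging" ] && [ -d "$target" ] && [ -r "$list" ] || return 2

    # Pass 1: link every database named in the list.
    while IFS= read -r name || [ -n "$name" ]; do
        case $name in
            ''|'#'*) continue ;;                       # blank line or comment
            */*|.*)  echo "unsafe name: $name" >&2; return 3 ;;
        esac
        [ -f "$staging/$name" ] || { echo "not in staging: $name" >&2; return 4; }
        # Same inode already in place: nothing to do.
        [ "$staging/$name" -ef "$target/$name" ] && continue
        # Link under a temporary name, then rename over the old file, so
        # clamd never sees a missing or half-written database.
        tmp="$target/.$name.tmp"
        rm -f -- "$tmp"
        ln -- "$staging/$name" "$tmp" || return 5
        mv -f -- "$tmp" "$target/$name" || return 5
    done < "$list"

    # Pass 2: remove databases that are no longer on the list
    # (for example official ones that were deselected).
    for path in "$target"/*; do
        [ -f "$path" ] || continue
        grep -Fqx -- "${path##*/}" "$list" || rm -f -- "$path"
    done
    return 0
}
```

Because the updater replaces a database with a new file, the next run relinks it; clamd only picks up the change on its next database reload.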
