Re: [Clamav-users] Re: clamav-milter: stale files in quarantine directory and open file descriptors

2006-03-23 Thread Todd Lyons

On Wed, Mar 22, 2006 at 09:06:05PM +0200, Panagiotis Christias wrote:

> > > we tried to run clamav-milter without the quarantine option:
> > > clamav-milter -enNqd -m 150 -U /var/tmp/clamav
> > > Now some of the messages that exceed the StreamMaxLength linger around
> > > in the TemporaryDirectory (/var/tmp/clamav-tmp as defined in
> > Turning on debug mode makes it leave the temp files.  Turning off debug
> > mode makes it delete the temp files after finished processing.
> It is not turned on (no -D option) or am I wrong?

You know, when I wrote that I was thinking clamav, not clamav-milter.
Make sure that it's commented out in the clamav config file:

smtp1 root # grep Debug /etc/clamd.conf 
#Debug

-- 
Regards...  Todd
OS X: We've been fighting the It's a mac syndrome with upper management
for years now. Lately we've taken to just referring to new mac
installations as Unix installations when presenting proposals and
updates.  For some reason, they have no problem with that.  -- /.
Linux kernel 2.6.12-15mdksmp   3 users,  load average: 0.14, 0.15, 0.16
___
http://lurker.clamav.net/list/clamav-users.html
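
One way to track the two symptoms reported in this thread (msg.* files left behind and clamav-milter entries piling up in lsof), as an added example that is not part of any poster's message. The function names, the thresholds and the sample lsof lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread); sample data and thresholds are constructed.

# held_msg_files MIN < lsof-output
# Prints "PID PATH COUNT" for each msg.* regular file with >= MIN lsof entries.
# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
held_msg_files() {
    awk -v min="$1" '
        $5 == "VREG" && $NF ~ /\/msg\.[A-Za-z0-9]+$/ { n[$2 " " $NF]++ }
        END { for (k in n) if (n[k] >= min) print k, n[k] }
    ' | sort
}

# stale_msg_files DIR MINUTES
# Lists msg.* files under DIR that have not been modified for more than MINUTES.
stale_msg_files() {
    find "$1" -type f -name 'msg.*' -mmin +"$2" | sort
}

# Constructed lsof lines in the same column layout as the output quoted in the
# thread: one file listed 17 times, one listed once, and one non-file entry.
sample_lsof() {
    i=0
    while [ "$i" -lt 17 ]; do
        echo "clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AAAAAA"
        i=$((i + 1))
    done
    echo "clamav-mi 65257 clamav  135u  VREG   4,18  105 10058198 /var/tmp/clamav/msg.BBBBBB"
    echo "clamav-mi 65257 clamav    3u  unix 0xc1f0  0t0  /var/tmp/clamav/clmilter.sock"
}

# On a live host, feed it the lsof command used in the thread:
#   /usr/local/sbin/lsof -n -w -c clamav-milter | held_msg_files 10
#   stale_msg_files /var/tmp/clamav 60
if [ "${1:-}" = "--demo" ]; then
    sample_lsof | held_msg_files 10
fi
```

Run from cron, a non-empty result from either function gives an earlier signal than waiting for the milter to stop responding and be restarted.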


Re: [Clamav-users] Re: clamav-milter: stale files in quarantine directory and open file descriptors

2006-03-21 Thread Todd Lyons

On Tue, Mar 21, 2006 at 02:25:11AM +0200, Panagiotis Christias wrote:

> we tried to run clamav-milter without the quarantine option:
>    clamav-milter -enNqd -m 150 -U /var/tmp/clamav
> Now some of the messages that exceed the StreamMaxLength linger around
> in the TemporaryDirectory (/var/tmp/clamav-tmp as defined in

Turning on debug mode makes it leave the temp files.  Turning off debug
mode makes it delete the temp files after finished processing.

-- 
Regards...  Todd
  We should not be building surveillance technology into standards.
  Law enforcement was not supposed to be easy.  Where it is easy, 
  it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.12-15mdksmp   3 users,  load average: 0.00, 0.01, 0.00


[Clamav-users] Re: clamav-milter: stale files in quarantine directory and open file descriptors

2006-03-20 Thread Panagiotis Christias
On 3/18/06, Panagiotis Christias [EMAIL PROTECTED] wrote:
 Hello,

 we are observing the following behaviour with our clamd/clamav-milter setup:

 there are some messages that exceed the StreamMaxLength remaining in the
 quarantine directory with filenames like msg.AuxBaE. Clamav-milter
 keeps around 17 open file descriptors for each such file. These file
 descriptors are not released and over time reach high numbers,
 around several thousands (~5000 or more). Eventually clamav-milter
 stops responding and gets restarted by the watchdog script
 (clmilter_watch).

 We have three mail gateways running the same setup and they have the
 same problem. All of them are running ClamAV version 0.88,
 clamav-milter version 0.87 on FreeBSD 5.3/5.4.

 Clamav-milter runs as: clamav-milter -enNqd -m 150 -U /var/tmp/clamav

 Our clamd.conf contains:

 LogFile /var/log/clamav/clamd.log
 LogFileMaxSize 0
 LogTime
 LogSyslog
 LogFacility LOG_MAIL
 PidFile /var/run/clamav/clamd.pid
 TemporaryDirectory /var/tmp/clamav-tmp
 DatabaseDirectory /var/db/clamav
 LocalSocket /var/run/clamav/clamd
 FixStaleSocket
 TCPAddr 127.0.0.1
 MaxConnectionQueueLength 50
 StreamMaxLength 1M
 MaxThreads 100
 User clamav
 AllowSupplementaryGroups
 ScanPE
 DetectBrokenExecutables
 ScanOLE2
 ScanMail
 ScanHTML
 ScanArchive
 ArchiveMaxFileSize 1M
 ArchiveMaxCompressionRatio 1500

 Here is a sample of the quarantine directory followed by the output of
 lsof (I'm sorry about the formatting):

 % ls -lt /var/tmp/clamav | head
 total 5246994
 -rw-------  1 clamav  wheel  1049604 Mar 18 19:46 msg.AuxBaE
 drwx------  2 clamav  wheel     5120 Mar 18 19:45 060318
 -rw-------  1 clamav  wheel      105 Mar 18 19:43 msg.JxxvNF
 -rw-------  1 clamav  wheel  1050797 Mar 18 19:31 msg.VHSVPJ
 -rw-------  1 clamav  wheel  1050743 Mar 18 19:26 msg.Wbbvdw
 -rw-------  1 clamav  wheel  1049604 Mar 18 19:25 msg.EwAggU
 -rw-------  1 clamav  wheel      105 Mar 18 19:22 msg.jieLN6
 -rw-------  1 clamav  wheel  1049500 Mar 18 18:54 msg.vHmpcn
 -rw-------  1 clamav  wheel  1049496 Mar 18 18:41 msg.v02yjx

 % /usr/local/sbin/lsof -n -w -c clamav-milter | egrep msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE
 clamav-mi 65257 clamav  134u  VREG   4,18  1049604 10058197 /var/tmp/clamav/msg.AuxBaE

 I can provide you with some of /var/tmp/clamav/msg.* files for debugging.

 Regards,
 Panagiotis

Hello,

we tried to run clamav-milter without the quarantine option:

   clamav-milter -enNqd -m 150 -U /var/tmp/clamav

Now some of the messages that exceed the StreamMaxLength linger around
in the TemporaryDirectory (/var/tmp/clamav-tmp as defined in
clamav.conf). Actually they are not whole messages just the first part
of them (until they reach StreamMaxLength, set to 1MB).

Here is the ls -lt output:

% ls -lt /var/tmp/clamav-tmp/clamav-c11d50658f95ce57
total 42240
-rw-------  1 clamav  wheel  1049685 Mar 20 22:56 msg.PU9k1M
-rw-------  1 clamav  wheel  1049407 Mar 20 20:32 msg.N3bV6C
-rw-------  1 clamav  wheel  1049399 Mar 20 20:11 msg.UwRgAj
-rw-------  1 clamav  wheel  1049404 Mar 20 19:43 msg.lQ8HVp
-rw-------  1 clamav  wheel  1049386 Mar 20 19:16 msg.1bleQF
-rw-------  1 clamav  wheel  1049421 Mar 20 19:03 msg.RrElJ2
-rw-------  1 clamav  wheel  1049389 Mar 20 18:46 msg.PHLTDC
-rw-------  1 clamav  wheel  1049360 Mar 20 18:11 msg.e39fVc
-rw-------  1 clamav  wheel  1049361 Mar 20 17:55 msg.NviCyQ
-rw-------  1 clamav  wheel  1049357 Mar 20 17:14 msg.4HCWK5
-rw-------  1 clamav  wheel  1049500 Mar 20 16:58 msg.J6V4d6
-rw---  1 clamav  wheel