Re: [clamav-users] Problem with Max Open descriptor Files limit
On Fri, January 26, 2018 3:35 pm, Dianne Skoll wrote:
> On Fri, 26 Jan 2018 15:18:10 +
> David Shrimpton wrote:
>
>> I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and
>> restarting clamd fixed the problem.
>
> Thank you! That was immensely helpful.

Thanks! Dropped on the Sanesecurity mirrors using sigwhitelist.ign2.
I'll remove tomorrow or when the sig is fixed.

As 3rd party sigs are downloading hourly, it may fix it for some people
quicker than their normal freshclam settings.

--
Cheers,

Steve
Twitter: @sanesecurity

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Problem with Max Open descriptor Files limit
On Fri, 26 Jan 2018 15:18:10 +
David Shrimpton wrote:

> I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and
> restarting clamd fixed the problem.

Thank you! That was immensely helpful.

Regards,

Dianne.
Re: [clamav-users] Problem with Max Open descriptor Files limit
Good find David. Thank you very much.

-J

On Fri, Jan 26, 2018 at 7:18 AM, David Shrimpton wrote:

> I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and
> restarting clamd fixed the problem.
>
> This sig turned up in an update at 11:51AM GMT+10 26/1/2018 and the problem
> began a few minutes later: clamd ran out of file descriptors.
>
> I also had to clean out TemporaryDirectory before restarting.
>
> Not sure what the exact reason for the problem is.
>
> There is an EOF-15 in a subsig. Perhaps this causes a performance hit on
> large text files as the end of the file must be seeked to, and this is
> sufficient on a busy system to cause demand to exceed supply.
>
> sigtool --find Vbs.Downloader.Generic-6431223-0
> Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;0:207075626c69632073756220;0:2073756220;EOF-15:203d202272652220656e6420696620;657865202f63207374617274
>
> sigtool --find Vbs.Downloader.Generic-6431223-0 | sigtool --decode-sigs
> VIRUS NAME: Vbs.Downloader.Generic-6431223-0
> TDB: Engine:51-255,Target:7
> LOGICAL EXPRESSION: (0|1)&2&3
>  * SUBSIG ID 0
>  +-> OFFSET: 0
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  public sub
>  * SUBSIG ID 1
>  +-> OFFSET: 0
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  sub
>  * SUBSIG ID 2
>  +-> OFFSET: EOF-15
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  = "re" end if
>  * SUBSIG ID 3
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  exe /c start
>
> David Shrimpton
>
> ________________
> From: clamav-users on behalf of Carlos García Gómez
> Sent: Saturday, January 27, 2018 12:03:32 AM
> To: clamav-users@lists.clamav.net
> Subject: [clamav-users] Problem with Max Open descriptor Files limit
>
> Hi,
>
> We have a problem with ClamAV due to the Max Open descriptor Files limit.
> It seems like deleted temp files are not freed.
> When the soft limit is reached, the clamav process responds with an ERROR.
>
> The problem began today with ClamAV version 0.99.2.
> We have updated to the last release, 0.99.3, but the problem is here again.
Re: [clamav-users] Problem with Max Open descriptor Files limit
I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and restarting clamd fixed the problem.

This sig turned up in an update at 11:51AM GMT+10 26/1/2018 and the problem began a few minutes later: clamd ran out of file descriptors.

I also had to clean out TemporaryDirectory before restarting.

Not sure what the exact reason for the problem is.

There is an EOF-15 in a subsig. Perhaps this causes a performance hit on large text files as the end of the file must be seeked to, and this is sufficient on a busy system to cause demand to exceed supply.

sigtool --find Vbs.Downloader.Generic-6431223-0
Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;0:207075626c69632073756220;0:2073756220;EOF-15:203d202272652220656e6420696620;657865202f63207374617274

sigtool --find Vbs.Downloader.Generic-6431223-0 | sigtool --decode-sigs
VIRUS NAME: Vbs.Downloader.Generic-6431223-0
TDB: Engine:51-255,Target:7
LOGICAL EXPRESSION: (0|1)&2&3
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
 public sub
 * SUBSIG ID 1
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
 sub
 * SUBSIG ID 2
 +-> OFFSET: EOF-15
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
 = "re" end if
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
 exe /c start

David Shrimpton

From: clamav-users on behalf of Carlos García Gómez
Sent: Saturday, January 27, 2018 12:03:32 AM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] Problem with Max Open descriptor Files limit

Hi,

We have a problem with ClamAV due to the Max Open descriptor Files limit.
It seems like deleted temp files are not freed.
When the soft limit is reached, the clamav process responds with an ERROR.

The problem began today with ClamAV version 0.99.2.
We have updated to the last release, 0.99.3, but the problem is here again.
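The signature breakdown in the message above can be reproduced offline. The following Python is an added example, not part of the thread or of ClamAV: it parses the quoted logical-signature line into the fields `sigtool --decode-sigs` reports and checks whether an `EOF-n` subsig is exactly n bytes long. The function names are illustrative, and only plain-hex subsigs are decoded.

```python
import re

# Signature line exactly as `sigtool --find` printed it in the message above.
LDB_LINE = (
    "Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;"
    "0:207075626c69632073756220;0:2073756220;"
    "EOF-15:203d202272652220656e6420696620;657865202f63207374617274"
)

PLAIN_HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")


def parse_subsig(raw):
    """Split one subsignature into offset, modifiers and decoded bytes."""
    body, _, modifiers = raw.partition("::")   # optional ::modifiers suffix
    offset, sep, hexsig = body.partition(":")  # optional offset: prefix
    if not sep:                                # no prefix means match anywhere
        offset, hexsig = "ANY", body
    # Assumption of this example: wildcard or PCRE subsigs are left as None.
    pattern = bytes.fromhex(hexsig) if PLAIN_HEX.fullmatch(hexsig) else None
    return {"offset": offset, "modifiers": modifiers, "pattern": pattern}


def parse_ldb(line):
    """Parse Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;..."""
    name, tdb, expression, *subsigs = line.strip().split(";")
    return {
        "name": name,
        "tdb": dict(item.split(":", 1) for item in tdb.split(",")),
        "expression": expression,
        "subsigs": [parse_subsig(s) for s in subsigs],
    }


def pinned_to_end(subsig):
    """True when an EOF-n offset equals the pattern length, i.e. the
    pattern has to be the very last bytes of the scanned data."""
    m = re.fullmatch(r"EOF-(\d+)", subsig["offset"])
    return bool(m and subsig["pattern"]) and int(m.group(1)) == len(subsig["pattern"])


if __name__ == "__main__":
    sig = parse_ldb(LDB_LINE)
    print(sig["name"], sig["tdb"], sig["expression"])
    for i, s in enumerate(sig["subsigs"]):
        print(i, s["offset"], s["pattern"], "end-anchored" if pinned_to_end(s) else "")
```

For the quoted signature, subsig 2 decodes to 15 bytes at offset EOF-15, so it can only match when the scanned text ends with that string.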
[clamav-users] Problem with Max Open descriptor Files limit
Hi,

We have a problem with ClamAV due to the Max Open descriptor Files limit.
It seems like deleted temp files are not freed.
When the soft limit is reached, the clamav process responds with an ERROR.

The problem began today with ClamAV version 0.99.2.
We have updated to the last release, 0.99.3, but the problem is here again.

[root@mx2 tmp]# ps -ef |grep clamav
clamav 22927 1 0 13:50 ? 00:00:00 /home/vmail/antivirus/clamav/bin/freshclam -d
root 23128 21677 0 15:01 pts/1 00:00:00 grep clamav
clamav 23137 1 2 13:51 ? 00:01:39 /home/vmail/antivirus/clamav/sbin/clamd

[root@mx2 tmp]# lsof -p 23137
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
clamd 23137 clamav cwd DIR 8,1 4096 2 /
clamd 23137 clamav rtd DIR 8,1 4096 2 /
clamd 23137 clamav txt REG 8,2 3308231507346 /home/vmail/antivirus/clamav-0.99.3/sbin/clamd
clamd 23137 clamav 11u REG 8,2 461540613 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-40e1c3eb5c91506cd8029a626d44e430.tmp (deleted)
clamd 23137 clamav 12u REG 8,2 1191540264 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6191bbf55622fa150f6a562fedaa96bf.tmp (deleted)
clamd 23137 clamav 13u REG 8,2 1191540266 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-d23444b929c3e8f70b245d0f7df9c64e.tmp (deleted)
clamd 23137 clamav 14u REG 8,2 361540265 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-0323a84d6821a592bccefde5a36c0bb4.tmp (deleted)
clamd 23137 clamav 15u REG 8,2 47931540268 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-a08b30fcf5ca4cbc35089753a49b688f.tmp (deleted)
clamd 23137 clamav 16u REG 8,2 47931540267 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-8fa41cdf16f7e03e3fef00fa7faefe66.tmp (deleted)
clamd 23137 clamav 17u REG 8,2 581540270 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-8106966405936ecc207ceb37377b2be5.tmp (deleted)
clamd 23137 clamav 18u REG 8,2 1831540272 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6f395db61ea80440bbcdcccf8c1fd87e.tmp (deleted)
clamd 23137 clamav 19u REG 8,2 2931540273 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-4d454dfbedfa70c192000a2cc021a0e9.tmp (deleted)
clamd 23137 clamav 20u REG 8,2 1831540271 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-d7b9350895ea3c7c16a95810da93cbcd.tmp (deleted)
clamd 23137 clamav 21u REG 8,2 31371540274 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-61ead91328b1a1fb2eed66e0092fab37.tmp (deleted)
clamd 23137 clamav 22u REG 8,2 31371540276 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-ea8e77c7746f4e20efa08dd714e3bab1.tmp (deleted)
clamd 23137 clamav 23u REG 8,2 421540275 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6dc27ea80d232f5cf3354a7a3c8ec58d.tmp (deleted)
clamd 23137 clamav 24u REG 8,2 441540277 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-fee6d1b3d366eda4e15f5ff8416bc606.tmp (deleted)
clamd 23137 clamav 25u REG 8,2 6771540279 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-2b9716c6173771c795a3b1c3bef56470.tmp (deleted)
clamd 23137 clamav 26u REG 8,2 1551540280 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-e63b9a7454908ebb5f47657898bdb2c5.tmp (deleted)
clamd 23137 clamav 27u REG 8,2 16811540281 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-ba047ebfc0396a5b38b595eeec0f7437.tmp (deleted)
clamd 23137 clamav 28u REG 8,2 461540278 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-49dbcc76c3c8b14d279a9d0aa74310a1.tmp (deleted)
clamd 23137 clamav 29u REG 8,2 16811540283 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-46898158d350efefbe01636215301fad.tmp (deleted)
clamd 23137 clamav 30u REG 8,2 481540282 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-fdc1f1fdaca0933e22778c22bf4306c2.tmp (deleted)
clamd 23137 clamav 31u REG 8,2 12351540285 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-3849f6d05e67f2ad565d668e9a925158.tmp (deleted)
clamd 23137 clamav 32u REG 8,2 381540284 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-9428301ea35432270076585aad066354.tmp (deleted)

When there are 1024 FDs => ClamAV crashes.

Any ideas?

Regards.
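A check for the condition reported above (unlinked temp files still held open by clamd as it approaches its descriptor limit), as an added example that is not part of the original post: it reads a process's `/proc/<pid>/fd` and `/proc/<pid>/limits` on Linux. The function names, the `tmp_dir` argument and the 0.8 warning ratio are assumptions of this example.

```python
import os
import sys


def soft_nofile_limit(limits_path):
    """Return the soft 'Max open files' value from a /proc/<pid>/limits file."""
    with open(limits_path) as fh:
        for line in fh:
            if line.startswith("Max open files"):
                soft = line.split()[3]          # columns: name(3 words) soft hard units
                return None if soft == "unlimited" else int(soft)
    raise ValueError("no 'Max open files' line in " + limits_path)


def fd_report(proc_dir, tmp_dir="", warn_ratio=0.8):
    """Count open descriptors under proc_dir/fd and how many of them point
    at files that were unlinked but are still held open below tmp_dir."""
    fd_dir = os.path.join(proc_dir, "fd")
    used = deleted_tmp = 0
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:                         # closed between listdir and readlink
            continue
        used += 1
        # The kernel appends " (deleted)" to the link target of an unlinked file.
        if target.endswith(" (deleted)") and target.startswith(tmp_dir):
            deleted_tmp += 1
    limit = soft_nofile_limit(os.path.join(proc_dir, "limits"))
    return {
        "used": used,
        "deleted_tmp": deleted_tmp,
        "soft_limit": limit,
        "warn": limit is not None and used >= warn_ratio * limit,
    }


if __name__ == "__main__":
    # Usage: script.py <pid> [TemporaryDirectory]; needs root or the clamav user
    # to read another process's fd directory. Defaults to the script itself.
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    tmp = sys.argv[2] if len(sys.argv) > 2 else ""
    print(fd_report("/proc/" + pid, tmp_dir=tmp))
```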