RE: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-08 Thread Mark

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Robert Blayzor
 Sent: Monday 7 March 2005 15:39
 To: ClamAV users ML
 Subject: Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout


 I'll give it a whirl, and yes, I seem to have it trapping error
 conditions. (unless something changed, this always worked)
 
 eval {
   local $SIG{ALRM} = sub { die "Stream timeout"; };
   alarm $sc{TIME_OUT};
   while (<$csock>) {
     if (/(\S+)\ FOUND$/) {
       $vs = $1 unless ($vs);
       $vf++;
     }
     $err = $1 if ($r =~ /^ERROR\:(.*)/);
   }
   alarm 0;
 };
 $err = $@ if($@);
 

Perl signals are not always as local as they may seem. :) You really might
want to reset the alarm after the eval {} loop as well (in case you
break out uncleanly from it). Consider the following:


---
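#!/usr/local/bin/perl

sub clam_test {
    eval {
        local $SIG{ALRM} = sub { die "Timeout\n" };
        alarm 2;    # still pending when the eval block ends
    };
}

clam_test ();

print "Back!\n";

sleep 4;    # SIGALRM arrives here, after the local handler is gone

print "Made it past the signal!\n";

exit 0;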
---


You'll never get past the signal here (Perl 5.8.6). Nor here:


---
#!/usr/local/bin/perl

sub clam_test {
    eval {
        local $SIG{ALRM} = sub { die "Timeout\n" };
        alarm 2;
        die "Oops!\n";    # unclean exit: the alarm is never cancelled
    };
}

clam_test ();

print "Back!\n";

sleep 4;

print "Made it past the signal!\n";

exit 0;
---

- Mark

___
http://lurker.clamav.net/list/clamav-users.html
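
Added example (not part of the original post, and not code from any poster in this thread): one way to write the timeout wrapper so that no alarm is left pending once the local handler is gone, whether the wrapped code returns, dies, or hangs. The names with_timeout and demo are hypothetical, and the three test cases are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Run $code with a $secs-second limit and return (result, error).
# error is undef on success, "timeout\n" if the alarm fired, else the die text.
sub with_timeout {
    my ($secs, $code) = @_;
    my ($result, $err);
    my $outer_ok = eval {
        # The handler lives for this whole block, so it is still installed
        # at every point where the alarm can be pending.
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $secs;
        my $ok    = eval { $result = $code->(); 1 };
        my $inner = $@;
        alarm 0;    # reached on a clean exit AND after a die inside $code
        $err = ($inner || "unknown error\n") unless $ok;
        1;
    };
    # The outer eval only fails if the alarm fired between the inner eval
    # and "alarm 0"; the alarm has then been delivered, so none is pending.
    $err = ($@ || "unknown error\n") unless $outer_ok;
    return ($result, $err);
}

# Constructed cases: a clean return, an unclean exit, and a hang.
sub demo {
    my @report;
    my @cases = (
        [ clean => sub { 'OK' } ],
        [ dies  => sub { die "Oops!\n" } ],
        [ hangs => sub { select(undef, undef, undef, 5); 'late' } ],
    );
    for my $case (@cases) {
        my ($name, $code) = @$case;
        my ($res, $err) = with_timeout(1, $code);
        chomp(my $why = $err // '');
        push @report,
            defined $err ? "$name: failed ($why)" : "$name: returned $res";
    }
    # A leaked alarm would kill the process during this wait, because the
    # default SIGALRM action is back in force outside with_timeout.
    select(undef, undef, undef, 2);
    push @report, 'Made it past the signal!';
    return @report;
}

print "$_\n" for demo();
```

The waits use four-argument select rather than sleep, since sleep may be implemented with alarm on some systems and the two should not be mixed.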


RE: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-08 Thread Mark
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Todd Lyons
 Sent: Tuesday 8 March 2005 0:23
 To: 'ClamAV users ML'
 Subject: Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout
 
 
 Mark wanted us to know:
 
 Yesterday, I subjected ClamAV to a very rigorous, final
 stress test. I let it scan roughly 20,000 news spool files,
 and opened an individual connection for each file (not very
 efficient, of course, but good to get massive concurrency;
 especially since I ran 5 simultaneous instances of the test-script).
 Needless to say, ClamAV was quite busy. :) But passed the test
 
 What did you use to do this test? Homegrown scripts?

Yes. Nothing fancy, though; just a 'quick-and-dirty' Perl job.

 Did you have a local news spool?

Yes. Testing this over NFS, or something, would serve no purpose.

 Can you offer up some info and possibly code? I'd
 love such a beast for testing on our systems here.

Well, I attached the test script. Like I said, I ran 5 concurrent
instances of this script, just to see how ClamAV would handle threads
(or whether it would buckle, even).

This test was typical for my machine, where there may be a sudden spike
in connections (from the news queue-runner, for instance, or SMTP).

- Mark


clamavtest.pl
Description: Binary data


Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Trog
On Fri, 2005-03-04 at 11:59 -0500, Robert Blayzor wrote:
 Trog wrote:
  What software are you using to do stream scanning? It is switched off by
  default in clamav-milter 0.83
 
 
 I'm using a PERL script that is taking the messages and stream scanning
 them with clamd.  It's been running fine for many months with various
 versions of clamd.  I've just only recently noticed this twice while
 using clamd 0.83...
 
 In the script's log it shows it connecting to clamd, sending the STREAM
 command but then clamd never responds.  The script times out after 20
 seconds and continues.
 
 It seems to be sparked by sending about half a dozen scan requests all
 at the same time.  I thought maybe it was load related, but the box goes
 for several minutes with no load while waiting for clamd to respond.
 

You can't send multiple commands. You *must* follow the following sequence:

send: SESSION
pause
send: SCAN /my/file
read reply
send: SCAN /my/file2
read reply

etc.

-trog





Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Steve Platt


[EMAIL PROTECTED] said:
  I can also not say I understand why ClamAV would hang on STREAM, and not on
 SCAN

Your STREAM problem may be different of course.

The messages that gave our clamd a hard time would do exactly the same for 
clamscan ( of course ). I just wanted you to check that you weren't 
suffering from the same problem that we were, especially as it was relatively 
easy to use a recent snapshot tar-ball to avoid the problem.


[EMAIL PROTECTED] said:
 I cannot say this makes me happy

We have to find a way to be vigilant and happy at the same time.
:-)

Steve

PS 

I'm very happy with what ClamAV has done for us, even in my fumbling fists.

However, it seems to me that there will always be dangers in running 
potentially recursive checks in real time on incoming mail. I turned off the 
ScanMail option to avoid future recurrences but am aware this may be letting 
some viruses in (eg in bounce messages).


I am still not convinced that I understand what happened in our Solaris-based, 
Exim/exiscan+clamd setup in the minutes/hours after the first dodgy email 
arrived. In the end, exim quit and we had no mail system.

Shortly before that we had a clamd process with many threads, only one of 
which was doing anything. Calls to clamd were stacking up correctly but none 
were being processed (it seemed). I don't understand why that happens.




RE: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Julian Mehnle
Trog wrote:
 You can't send multiple commands. You *must* follow the following
 sequence: 
 
 send: SESSION
 pause
 send: SCAN /my/file
 read reply
 send: SCAN /my/file2
 read reply

What's pause supposed to mean?



RE: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Trog
On Mon, 2005-03-07 at 13:08 +0100, Julian Mehnle wrote:
 Trog wrote:
  You can't send multiple commands. You *must* follow the following
  sequence: 
  
  send: SESSION
  pause
  send: SCAN /my/file
  read reply
  send: SCAN /my/file2
  read reply
 
 What's pause supposed to mean?
 

pause
n. 
 1. A temporary cessation.
 2. A delay or suspended reaction, as from uncertainty; a
hesitation: After a pause the audience broke into cheers. 
 3. A break, stop, or rest, often for a calculated purpose or
effect: After a dramatic pause, the lawyer finished her
summation. 




Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Nigel Horne
On Monday 07 Mar 2005 12:08, Julian Mehnle wrote:
 Trog wrote:

  send: SESSION
  pause
 
 What's pause supposed to mean?

From my dictionary:
pause: interval of inaction or silence; break made in speech or
reading.

Mind you my dictionary was written before the days of the Internet.


-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk


RE: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Julian Mehnle
Trog wrote:
 On Mon, 2005-03-07 at 13:08 +0100, Julian Mehnle wrote:
  Trog wrote:
   You can't send multiple commands. You *must* follow the following
   sequence:
  
   send: SESSION
   pause
   send: SCAN /my/file
   read reply
   send: SCAN /my/file2
   read reply
 
  What's pause supposed to mean?

 pause
 n.
  1. A temporary cessation.
  2. A delay or suspended reaction, as from uncertainty; a
 hesitation: After a pause the audience broke into cheers.
  3. A break, stop, or rest, often for a calculated purpose or
 effect: After a dramatic pause, the lawyer finished her
 summation.

I should have expected nothing less from this mailing list, but I guess
I'm not enough of a misanthrope yet.

So let me specify my question:

How is one supposed to implement pause?



Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Robert Blayzor
Trog wrote:
 You can't send multiple commands. You *must* follow the following sequence:
 
 send: SESSION
 pause
 send: SCAN /my/file
 read reply
 send: SCAN /my/file2
 read reply


No, not in the same connection, one scan per connection, multiple
connections.  ie:

connect 1:
send: STREAM\n
waitfor:  PORT \d+
connect 2: localhost:(port)
dump message
wait for response
close connect 2:
close connect 1:
repeat


Multiple simultaneous connections with one scan session each.

-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor\@(inoc.net|gmail.com)
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5  0E93 8D02 9D0B CB1A A7B0

I'm sorry a pentium won't do, you need an SGI to connect with us.


RE: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Mark

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Steve Platt
 Sent: Monday 7 March 2005 12:00
 To: ClamAV users ML
 Subject: Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout 
 
 
 [EMAIL PROTECTED] said:

   I can also not say I understand why ClamAV would hang on 
  STREAM, and not on SCAN
 
 Your STREAM problem may be different of course.

Probably. :)

 PS 
 
 I'm very happy with what ClamAV has done for us, even in my 
 fumbling fists.

Yesterday, I subjected ClamAV to a very rigorous, final
stress test. I let it scan roughly 20,000 news spool files,
and opened an individual connection for each file (not very
efficient, of course, but good to get massive concurrency;
especially since I ran 5 simultaneous instances of the test-script).
Needless to say, ClamAV was quite busy. :) But passed the test
with flying colors (AVP would tend to lock up on many concurrent
connections). Mighty impressive. ClamAV only lost 2 MB of
memory in the process. Reason enough for me to bring
ClamAV online on the production server.

 I turned off the ScanMail option to avoid future recurrences
 but am aware this may be letting some viruses in
 (eg in bounce messages).

I wrap the ClamAV check in an alarm breakout eval call. I give
it 5 minutes. If it is not done by then, then I figure something
is wrong. Trust is good; being prepared is better. :) So far,
I have not witnessed a hung process yet.

- Mark



Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Trog
On Mon, 2005-03-07 at 08:23 -0500, Robert Blayzor wrote:
 No, not in the same connection, one scan per connection, multiple
 connections.  ie:
 
 connect 1:
 send: STREAM\n
 waitfor:  PORT \d+
 connect 2: localhost:(port)
 dump message
 wait for response
 close connect 2:
 close connect 1:
 repeat
 

In that case it should be:

connect 1:
send: STREAM\n
waitfor:  PORT \d+
connect 2: localhost:(port)
dump message
close connect 2:
wait for response
close connect 1:

(notice the close connect 2 moved up)

-trog





RE: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Mark

Trog wrote:

 On Mon, 2005-03-07 at 13:08 +0100, Julian Mehnle wrote:

  Trog wrote:

   You can't send multiple commands. You *must* follow the following
   sequence:
  
   send: SESSION
   pause
   send: SCAN /my/file
   read reply
   send: SCAN /my/file2
   read reply
 
  What's pause supposed to mean?

 pause
 n.
  1. A temporary cessation.

Seemed like a pretty legitimate question to me. The PDF manual
says close to nothing about SESSION/END, and certainly does not
speak of a "pause". In fact, if "pause" is really meant, in the
manner you quote, then this would be a horridly silly programming
implementation. :) Unless it is to mean something like "Wait for it
to return OK". Otherwise, I can do nothing with "pause".

- Mark



RE: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Trog
On Mon, 2005-03-07 at 13:36 +, Mark wrote:

 
 Seemed like a pretty legitimate question to me. The PDF manual
 says close to nothing about SESSION/END, and certainly does not
 speak of a pause. In fact, if pause is really meant, in the
 manner you quote, then this would be a horridly silly programming
 implementation. :)

Quite. Which is why clamav-milter defaults to not using sessions.

It needs a new protocol defining, be it ICAP or something else. It's not
high on my personal TODO list at the moment. Another developer may make
it a higher priority though.

-trog





Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Robert Blayzor
Trog wrote:
 In that case it should be:
 
 connect 1:
 send: STREAM\n
 waitfor:  PORT \d+
 connect 2: localhost:(port)
 dump message
 close connect 2:
 wait for response
 close connect 1:
 
 (notice the close connect 2 moved up)


Ahh you are correct, that's what it does.  Regardless, I know it's
working correctly as it has worked fine for over a year now.  Like I
said, recently in 0.83 we've seen it hang up a few times.  Both times
I've been able to check the clamd logs and the script logs it looks like
it's hanging after sending the STREAM command.  ie:  The script sends
the stream, but then clamd never sends a response, ie: port to connect
to.  So the script just times out.

-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor\@(inoc.net|gmail.com)
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5  0E93 8D02 9D0B CB1A A7B0

 SELECT * FROM users WHERE clue > 0
0 rows returned


Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Trog
On Mon, 2005-03-07 at 08:48 -0500, Robert Blayzor wrote:

 Ahh you are correct, that's what it does.  Regardless, I know it's
 working correctly as it has worked fine for over a year now.  Like I
 said, recently in 0.83 we've seen it hang up a few times.  Both times
 I've been able to check the clamd logs and the script logs it looks like
 it's hanging after sending the STREAM command.  ie:  The script sends
 the stream, but then clamd never sends a response, ie: port to connect
 to.  So the script just times out.

Could you try this patch:

--- clamd/scanner.c 13 Feb 2005 23:01:50 -  1.44
+++ clamd/scanner.c 7 Mar 2005 14:09:09 -
@@ -325,7 +325,7 @@
max_port = 2048;

 /* bind to a free port */
-while(!bound  portscan--) {
+while(!bound  --portscan) {
if(rnd_port_first) {
/* try a random port first */
port = min_port + cli_rndnum(max_port - min_port + 1);
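Review bot: the move to `--portscan` in the `while` condition changes both how many ports are tried and what the counter holds when the loop gives up, and neither is documented. With the pre-decrement the body runs one time fewer than with `portscan--`, and the counter is 0 rather than -1 when no port could be bound, so whatever tests for exhaustion after the loop (not shown in this hunk) has to check for exactly that value. A starting value of 0 also needs a guard or at least a comment, because the pre-decrement turns it into -1, which is true, and the loop then keeps going until a bind succeeds.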


I hope your script handles ERROR responses correctly :-)

-trog





Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Robert Blayzor
Trog wrote:
 I hope your script handles ERROR responses correctly :-)


I'll give it a whirl, and yes, I seem to have it trapping error
conditions. (unless something changed, this always worked)

eval {
  local $SIG{ALRM} = sub { die "Stream timeout"; };
  alarm $sc{TIME_OUT};
  while (<$csock>) {
    if (/(\S+)\ FOUND$/) {
      $vs = $1 unless ($vs);
      $vf++;
    }
    $err = $1 if ($r =~ /^ERROR\:(.*)/);
  }
  alarm 0;
};
$err = $@ if($@);


-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor\@(inoc.net|gmail.com)
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5  0E93 8D02 9D0B CB1A A7B0

A successful tool is used to do something undreamed of by its author.  -
Johnson


Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Trog
On Mon, 2005-03-07 at 09:38 -0500, Robert Blayzor wrote:

 $err = $1 if ($r =~ /^ERROR\:(.*)/);

Assuming I'm reading it right, I think it should be the other way
around. Error strings look like:

Reason ERROR

-trog





Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Laurent Wacrenier
On Mon 7 Mar 09:38:30 2005, Robert Blayzor wrote:
 $err = $1 if ($r =~ /^ERROR\:(.*)/);

  die "$1\n" if $r =~ /(.*) ERROR$/;

You may also remove the starting "stream: ".
___
http://lurker.clamav.net/list/clamav-users.html
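
Added example (not part of the original posts, and not code from any poster in this thread): a reply classifier for the line shapes discussed above ("PORT n", "... FOUND", "Reason ERROR", with an optional leading "stream: "), which treats anything it does not recognise, including no reply at all, as a failed scan rather than a clean one. The names parse_reply and verdict are hypothetical, the "OK" reply shape is an assumption, and the sample lines are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Classify one clamd reply line. Unrecognised input is 'unknown', never clean.
sub parse_reply {
    my ($line) = @_;
    $line =~ s/\r?\n\z//;
    return { status => 'port', port => $1 } if $line =~ /^PORT (\d+)$/;
    (my $body = $line) =~ s/^stream: //;    # drop the leading "stream: "
    return { status => 'error', reason => $1 } if $body =~ /^(.*) ERROR$/;
    return { status => 'found', virus  => $1 } if $body =~ /^(\S+) FOUND$/;
    return { status => 'clean' }               if $body eq 'OK';
    return { status => 'unknown', raw => $line };
}

# Fold all reply lines of one scan into a single verdict string.
# A scan with no usable reply is an error, so a silent clamd never reads
# as "clean" to the caller.
sub verdict {
    my @lines = @_;
    my ($virus, $clean, $error);
    for my $line (@lines) {
        my $r = parse_reply($line);
        if    ($r->{status} eq 'found')   { $virus //= $r->{virus} }
        elsif ($r->{status} eq 'clean')   { $clean = 1 }
        elsif ($r->{status} eq 'error')   { $error //= $r->{reason} }
        elsif ($r->{status} eq 'unknown') { $error //= "unexpected reply: $r->{raw}" }
    }
    return "infected: $virus" if defined $virus;
    return "error: $error"    if defined $error;
    return 'clean'            if $clean;
    return 'error: no reply from clamd';
}

# Constructed reply lines (assumed shapes, not captured from a real clamd).
my @cases = (
    [ 'clean mail',  "stream: OK\n" ],
    [ 'infected',    "stream: Eicar-Test-Signature FOUND\n" ],
    [ 'clamd error', "Reason ERROR\n" ],
    [ 'no reply' ],
);
for my $case (@cases) {
    my ($name, @lines) = @$case;
    printf "%-12s -> %s\n", $name, verdict(@lines);
}

# The pattern from the script under discussion, against the same error line:
my $old = "Reason ERROR" =~ /^ERROR\:(.*)/ ? 'matched' : 'missed';
print "old /^ERROR\\:(.*)/ pattern $old the error line\n";
```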


Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Robert Blayzor
Trog wrote:
 Assuming I'm reading it right, I think it should be the other way
 around. Error strings look like:
 
 Reason ERROR


Ok, patched that in, thanks for pointing that out.  I was basing it on
old clamdscan error string output.

-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor\@(inoc.net|gmail.com)
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5  0E93 8D02 9D0B CB1A A7B0

The computer is mightier than the pen, the sword, and usually, the
programmer.


Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-07 Thread Todd Lyons
Mark wanted us to know:

Yesterday, I subjected ClamAV to a very rigorous, final
stress test. I let it scan roughly 20,000 news spool files,
and opened an individual connection for each file (not very
efficient, of course, but good to get massive concurrency;
especially since I ran 5 simultaneous instances of the test-script).
Needless to say, ClamAV was quite busy. :) But passed the test

What did you use to do this test?  Homegrown scripts?  Did you have a
local news spool?  Can you offer up some info and possibly code?  I'd
love such a beast for testing on our systems here.

-- 
Regards...  Todd
There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo.  Please use in that order. --Ed Howdershelt
Linux kernel 2.6.8.1-12mdkenterprise   1 user,  load average: 0.00, 0.00, 0.00


Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-04 Thread Steve Platt

Robert,

Do your mail logs show what came in just before the problems occurred (twice)?

It might just be that it falls into a class of email messages that cause 
clamav (  0.81 ) to go into hyperspace, examining each bit individually from 
every point in five dimensions before giving the message the all clear.

I paraphrase; but there was a problem in 0.82 and 0.83 which bit us. The mail 
server would take many hours to scan a mail digest message. Well it would have 
if we hadn't kicked it thinking it was looping.

As I was told many times - it's fixed in the CVS!

You can just download the latest tarball instead if you prefer.

Hope that helps,
Steve



Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-04 Thread Trog
On Fri, 2005-03-04 at 09:05 -0500, Robert Blayzor wrote:
 We have some fairly busy mail servers that seem to run clamd fine for
 days, and sometimes weeks, but since we moved to ClamAV 0.83 twice now
 we've noticed that stream scanning, on rare occasions, starts to hold
 connections and timeout.

What software are you using to do stream scanning? It is switched off by
default in clamav-milter 0.83

-trog





Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-04 Thread Robert Blayzor
Trog wrote:
 What software are you using to do stream scanning? It is switched off by
 default in clamav-milter 0.83


I'm using a PERL script that is taking the messages and stream scanning
them with clamd.  It's been running fine for many months with various
versions of clamd.  I've just only recently noticed this twice while
using clamd 0.83...

In the script's log it shows it connecting to clamd, sending the STREAM
command but then clamd never responds.  The script times out after 20
seconds and continues.

It seems to be sparked by sending about half a dozen scan requests all
at the same time.  I thought maybe it was load related, but the box goes
for several minutes with no load while waiting for clamd to respond.

-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor\@(inoc.net|gmail.com)
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5  0E93 8D02 9D0B CB1A A7B0

Design: The activity of preparing for a design review.


RE: [Clamav-users] ClamAV 0.83 - Stream scanning timeout

2005-03-04 Thread Mark

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Steve Platt
 Sent: Friday 4 March 2005 16:40
 To: ClamAV users ML
 Subject: Re: [Clamav-users] ClamAV 0.83 - Stream scanning timeout 
 
 
 I paraphrase; but there was a problem in 0.82 and 0.83 which 
 bit us. The mail server would take many hours to scan a mail
 digest message.

I cannot say this makes me happy. I can also not say I understand why
ClamAV would hang on STREAM, and not on SCAN (I'll gladly attribute the
latter to my being new to ClamAV).

The way I understood things, the effective difference between STREAM and
SCAN is that, with STREAM, you feed ClamAV, well, a stream, lol, whereas
with SCAN, ClamAV opens the file itself. Right? In that case, I would
think it would behave similarly on both commands.

 As I was told many times - it's fixed in the CVS!

Maybe it's time for a new release? :)

- Mark
