ClamAV is crashing randomly after downloading updates


Post by Matthias030 » 23 Nov 2015 20:50

Hi,

Every few days I have the problem that the clamav service crashes after signature updates. I have enabled all of the third-party providers (Sanesecurity, OTIC, SecuriteInfo, ...). I can find the following output in the cronhourly.log. I have to restart my IPCop to get it working again. Do you have any idea how to prevent it from crashing? I'm using a PC with a Core i5 CPU and 4 GB RAM and the latest Copfilter version, so I don't think that the hardware is too slow. (Sorry, the log is in German. I can translate if needed...)

Since SecuriteInfo has changed their update files to new file names, I'm using the ShelbyGT500 patch for downloading these updates by adding them to the file freshclam.conf. Is there any progress on including the changed SecuriteInfo updates in the Copfilter web interface? I don't think that this is the reason that my clamav is crashing randomly, because I think that similar problems occurred in the past. But maybe it's the reason. I'm not sure...

Any ideas? Help is always appreciated! :-)

Big Thanks,
Matthias



---
[CET] 2015-11-23 19:22:00

Erstelle Backup aktueller Datenbanken...fertig.

Suche nach Updates...

fcsT...... spearl.ndb  100%  64,056 Bytes
fcsT...... scamnailer.ndb  100%  13,474,041 Bytes
fcsT...... phish.ndb  100%  3,805,143 Bytes
fcsT...... jurlbla.ndb  100%  216,086 Bytes
fcsT...... jurlbl.ndb  100%  445,681 Bytes
fcsT...... blurl.ndb  100%  94,492 Bytes
fcsT...... crdfam.clamav.hdb  100%  427,999 Bytes
fcsT...... foxhole_filename.cdb  100%  6,805 Bytes
fcsT...... porcupine.ndb  100%  278,524 Bytes
fcsT...... phishtank.ndb  100%  2,906,678 Bytes

Updates heruntergeladen.

Prüfe auf beschädigte Datenbanken...fertig.

Lade Datenbanken neu...
Fehler: Could not lookup 127.0.0.1: Servname not supported for ai_socktype
Fehler: ClamD konnte die Datenbanken nicht laden! Vielleicht läuft er nicht!
10 Dateien kopiert in das HAVP LibClamAV Datenbank Verzeichnis /var/log/copfilter/default/opt/havp/virdb:
(spearl.ndb, scamnailer.ndb, phish.ndb, jurlbla.ndb,
jurlbl.ndb, blurl.ndb, crdfam.clamav.hdb, foxhole_filename.cdb,
porcupine.ndb, phishtank.ndb)

[CET] 2015-11-23 19:22:38
---


Post by sanesecurity » 24 Nov 2015 11:46

Hi Matthias,

When did it start to crash? Did it start after adding Securiteinfo database into freshclam config?

Btw, databases worth adding, once the current issue is solved...

badmacro.ndb
foxhole_generic.cdb
rogue.hdb

Cheers,

Steve
Sanesecurity.com


Post by Matthias030 » 24 Nov 2015 19:36

Hi,

I can't say if the crash was there before adding the SecuriteInfo files to freshclam.conf. The ClamAV crashes appear around 2 times each week. I don't have the feeling that the freshclam files are the reason for a ClamAV crash. I think these crashes were there before, but I'm unsure. Maybe I could test it by removing these files for a week.

Are there any other logs I can look at? The log files provided by the web interface don't shed any light on it. Also, the email notifications for updates don't give a reason for a failed restart of ClamAV during a signature reload.

These files are already available in CopFilter:
foxhole_generic.cdb
rogue.hdb

badmacro.ndb - it looks interesting and important to me. I see that some office documents with bad macros in them are coming through occasionally. Is it possible to include it in Copfilter? Maybe by adding it to the freshclam.conf file? Unfortunately I can't find a valid URL for downloading this file.


Post by ShelbyGT500 » 27 Nov 2015 21:19

Hi,
Matthias030 wrote:
Lade Datenbanken neu...
Fehler: Could not lookup 127.0.0.1: Servname not supported for ai_socktype
Fehler: ClamD konnte die Datenbanken nicht laden! Vielleicht läuft er nicht!
10 Dateien kopiert in das HAVP LibClamAV Datenbank Verzeichnis /var/log/copfilter/default/opt/havp/virdb:
(spearl.ndb, scamnailer.ndb, phish.ndb, jurlbla.ndb,
jurlbl.ndb, blurl.ndb, crdfam.clamav.hdb, foxhole_filename.cdb,
porcupine.ndb, phishtank.ndb)

Please, what are your settings for clamav?
Are you sure clamav is crashing? Or is it only a report in this log? Is clamav really enabled? Library mode?

Matthias030 wrote:
badmacro.ndb - it looks interesting and important for me. I see that some office documents with bad macros in it are coming through occasionally. Is it possible to include it in Copfilter? Maybe with adding it to the freshclam.conf file? Unfortunately I can't find a valid URL for downloading this file.

Severus updated his mod, and these new databases are present, but only for Copfilter V1 for now.
There are many changes (for example, entering the license key for malwarepatrol or securiteinfo with the GUI...).
But it is not ready for Copfilter V2 yet. Stay tuned... :D

Regards.

ShelbyGT500


Post by Matthias030 » 05 Dec 2015 21:16

Hi,

No, I don't know if clamAV is really crashing, but I got these mails around 3-4 times per week. Also, the status page shows "off" for clamAV after receiving these mails:

Error: Could not lookup 127.0.0.1: Servname not supported for ai_socktype
Error: ClamD couldn't load databases. Maybe it's not running.

It mainly happens around midnight or at the weekend. How can I check if clamAV is running? Is there some command like "./path.to.clamAV/clamAV status"?

I use many 3rd-party signatures because I haven't found a guide to which signatures are the best for my needs. I mainly use CopFilter for e-mail protection. But currently I also use HAVP as protection for internet surfing. Our CopFilter filters mails for around 100 mailboxes, and the internet traffic of around 100 users goes through the HAVP. Interestingly, these problems occur only when nearly nothing is happening on the CopFilter. During office days, the CopFilter is working well. But at midnight and on weekends I get trouble and clamAV is dying. I'm thinking about disabling HAVP for some days to test if clamAV is more stable after that.

You said that Copfilter V1 has full support for the new signature files. I wonder why you still support V1. Is V2 not the better choice? Why are there still 2 versions? If you can tell me that V1 is more stable, I will downgrade my ipCop installation... CopFilter is not my internet gateway. It is in between my Sonicwall internet firewall appliance and my local mail server. So the security aspects of using ipCop V2 as a protective firewall are not very important here.

For now I have changed the Monit configuration to make the clamAV process restart indefinitely. Usually clamAV only restarts 3 times. I have changed the options for "Existence" and "Unix Socket". It seems to be more stable than before, but it is not stable for more than a week. After that I have to restart the Cop. Now I'm thinking of making a cronjob to restart the Cop every midnight. But that's also not a good solution.

This is the monit configuration:
| Parameter | Value |
| --- | --- |
| Name | clamd |
| Pid file | /var/log/copfilter/default/opt/clamav/var/run/clamd.pid |
| Status | Running |
| Monitoring mode | active |
| Monitoring status | Monitored |
| Start program | '/var/log/copfilter/default/opt/clamav/etc/init.d/copfilter_clamd start' timeout 30 second(s) |
| Stop program | '/var/log/copfilter/default/opt/clamav/etc/init.d/copfilter_clamd stop' timeout 30 second(s) |
| Unix Socket | Response time 0.000s to /var/log/copfilter/default/opt/clamav/var/run/clamd.socket [DEFAULT] |
| Process id | 1716 |
| Parent process id | 1 |
| UID | 1001 |
| Effective UID | 1001 |
| GID | 1002 |
| Process uptime | 11h 18m |
| Children | 0 |
| CPU usage | 0.0% (Usage / Number of CPUs) |
| Total CPU usage (incl. children) | 0.0% |
| Memory usage | 19.8% [682.2 MB] |
| Total memory usage (incl. children) | 19.8% [682.2 MB] |
| Data collected | Sat, 05 Dec 2015 20:07:26 |
| Existence | If doesn't exist for 3 cycles then restart |
| Unix Socket | If failed [/var/log/copfilter/default/opt/clamav/var/run/clamd.socket [DEFAULT] with timeout 5s] for 3 cycles then restart |

And this is the clamAV config you have asked for: Everything set to on. It doesn't matter if library mode is set to on or off.


Post by ShelbyGT500 » 06 Dec 2015 13:46

Hi Matthias,
Matthias030 wrote:
How to check if clamAV is running? Is there some command like "./path.to.clamAV/clamAV status"?

Try this, for example:

 ps -e | grep clamd

For your issue, try the latest version of clamav, 0.99; see: viewtopic.php?f=9&t=1236

Regards.

ShelbyGT500
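
The two checks in the monit configuration quoted in this thread (process existence and a response on the clamd Unix socket) can also be run by hand, which separates "clamd has exited" from "clamd exists but is not answering". This is an added example, not code from any poster or from Copfilter; the paths are the ones shown in the monit configuration, the function names are illustrative, and it assumes Python 3 is available on the host.

```python
import os
import socket

# Paths as shown in the monit configuration quoted in the thread.
RUN_DIR = "/var/log/copfilter/default/opt/clamav/var/run"
PID_FILE = RUN_DIR + "/clamd.pid"
SOCKET_PATH = RUN_DIR + "/clamd.socket"


def pid_alive(pid_file):
    """Return the PID from pid_file if that process exists, else None."""
    try:
        with open(pid_file) as fh:
            pid = int(fh.read().strip())
    except (OSError, ValueError):
        return None  # no pid file, unreadable, or not a number
    try:
        os.kill(pid, 0)  # signal 0 only tests for existence
    except ProcessLookupError:
        return None  # stale pid file: process is gone
    except PermissionError:
        pass  # exists, but runs as another user (clamd runs as UID 1001)
    return pid


def clamd_ping(socket_path, timeout=5.0):
    """Send clamd's PING command over its Unix socket; True only on PONG."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(socket_path)
            s.sendall(b"zPING\0")  # 'z' prefix: NUL-delimited command and reply
            reply = s.recv(64)
    except OSError:
        return False  # missing socket, refused connection, or timeout
    return reply.rstrip(b"\0\n") == b"PONG"


def clamd_status(pid_file=PID_FILE, socket_path=SOCKET_PATH):
    """Classify clamd as 'ok', 'not answering' or 'down'."""
    pid = pid_alive(pid_file)
    answering = clamd_ping(socket_path)
    if answering:
        state = "ok"
    else:
        state = "not answering" if pid is not None else "down"
    return {"pid": pid, "answering": answering, "state": state}


if __name__ == "__main__":
    print(clamd_status())
```

A result of "not answering" right after a signature update, with the PID still present, points at the reload step rather than at a process exit.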
