Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

freshclam stops downloading signatures after several days #166

Closed jendis closed 3 years ago

jendis commented 3 years ago

Describe the bug

Freshclam stops downloading signatures (and updating the ClamAV database) after ~20 days of running. This happens on all our servers. Freshclam has to be restarted. Freshclam runs as a daemon (freshclam -d) and /etc/clamd.conf has LocalSocket /tmp/clamd.sock. No error is logged; it just stops logging and updating the DB. strace -p <freshclam_pid> logs the following approximately every second:

strace: Process 28424 attached restart_syscall(<... resuming interrupted read ...>) = 0 rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0 rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout) rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout) rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0 rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout) rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout) rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0 rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout) rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout) rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0 rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout) rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], 
sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout) rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0 rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout) rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout) rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0 rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout) rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout) rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0 rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout) rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout) rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0 rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout) 
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout) rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0 rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout) rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0 poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000^Cstrace: Process 28424 detached <detached ...>

How to reproduce the problem

The error occurs periodically, after ~20 days.

Checking configuration files in /etc

Config file: clamd.conf

TemporaryDirectory = "/tmp" LocalSocket = "/tmp/clamd.sock" TCPSocket = "3310" TCPAddr = "212.24.139.173", "2001:67c:15a0:4000::b" MaxConnectionQueueLength = "16000" StreamMaxLength = "25165824" MaxThreads = "64" ReadTimeout = "20" MaxQueue = "128" MaxDirectoryRecursion = "8" FollowFileSymlinks = "yes" Foreground = "yes" User = "clamav" BytecodeTimeout = "2000" DetectPUA = "yes" IncludePUA = "Spy", "Scanner", "RAT" PhishingScanURLs disabled AlertPhishingSSLMismatch = "yes" MaxScanSize = "25165824" MaxRecursion = "8" MaxFiles = "2000"

Config file: freshclam.conf

Foreground = "yes" Checks = "50" DatabaseMirror = "db.DE.ipv6.clamav.net", "database.clamav.net" DatabaseCustomURL = "http://ftp.swin.edu.au/sanesecurity/sanesecurity.ftm", "http://ftp.swin.edu.au/sanesecurity/sigwhitelist.ign2", "http://ftp.swin.edu.au/sanesecurity/junk.ndb", "http://ftp.swin.edu.au/sanesecurity/jurlbl.ndb", "http://ftp.swin.edu.au/sanesecurity/phish.ndb", "http://ftp.swin.edu.au/sanesecurity/rogue.hdb", "http://ftp.swin.edu.au/sanesecurity/scam.ndb", "http://ftp.swin.edu.au/sanesecurity/blurl.ndb", "http://ftp.swin.edu.au/sanesecurity/badmacro.ndb", "http://ftp.swin.edu.au/sanesecurity/foxhole_generic.cdb", "http://ftp.swin.edu.au/sanesecurity/foxhole_filename.cdb", "http://ftp.swin.edu.au/sanesecurity/winnow_malware.hdb", "http://ftp.swin.edu.au/sanesecurity/winnow_malware_links.ndb", "http://ftp.swin.edu.au/sanesecurity/bofhland_cracked_URL.ndb", "http://ftp.swin.edu.au/sanesecurity/bofhland_malware_URL.ndb", "http://ftp.swin.edu.au/sanesecurity/bofhland_phishing_URL.ndb", "http://ftp.swin.edu.au/sanesecurity/bofhland_malware_attach.hdb", "http://signatures.virusfree.cz/virusfree.ldb", "http://signatures.virusfree.cz/virusfree.cdb", "http://signatures.virusfree.cz/virusfree.ign2", "http://signatures.virusfree.cz/virusfree.virus.hsb", "http://signatures.virusfree.cz/virusfree.white.wdb"

clamav-milter.conf not found

Software settings

Version: 0.103.2 Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR

Database information

Database directory: /var/lib/clamav [3rd Party] sanesecurity.ftm: 170 sigs [3rd Party] sigwhitelist.ign2: 11 sigs [3rd Party] junk.ndb: 60306 sigs [3rd Party] jurlbl.ndb: 2600 sigs [3rd Party] phish.ndb: 28042 sigs [3rd Party] rogue.hdb: 478 sigs [3rd Party] scam.ndb: 12747 sigs [3rd Party] blurl.ndb: 4006 sigs [3rd Party] badmacro.ndb: 621 sigs [3rd Party] foxhole_generic.cdb: 212 sigs [3rd Party] foxhole_filename.cdb: 2613 sigs [3rd Party] winnow_malware.hdb: 293 sigs [3rd Party] winnow_malware_links.ndb: 133 sigs [3rd Party] bofhland_cracked_URL.ndb: 40 sigs [3rd Party] bofhland_malware_URL.ndb: 4 sigs [3rd Party] bofhland_phishing_URL.ndb: 72 sigs [3rd Party] bofhland_malware_attach.hdb: 1836 sigs [3rd Party] virusfree.virus.hsb: 1332 sigs [3rd Party] virusfree.white.wdb: 77 sigs [3rd Party] virusfree.ldb: 252 sigs [3rd Party] virusfree.cdb: 115 sigs [3rd Party] virusfree.ign2: 24 sigs daily.cld: version 26188, sigs: 3985498, built on Tue Jun 1 13:07:16 2021 bytecode.cld: version 333, sigs: 92, built on Mon Mar 8 16:21:51 2021 main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 14:56:15 2019 Total number of signatures: 8666476

Platform information

uname: Linux 5.10.5-gentoo-x86_64 #1 SMP Thu Jan 7 12:38:46 CET 2021 x86_64 OS: linux-gnu, ARCH: x86_64, CPU: x86_64 zlib version: 1.2.11 (1.2.11), compile flags: a9 platform id: 0x0a217b7b0800000000090300

Build information

GNU C: 9.3.0 (9.3.0) CPPFLAGS: CFLAGS: -O2 -pipe -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 CXXFLAGS: -O2 -pipe LDFLAGS: -Wl,-O1 -Wl,--as-needed Configure: '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--disable-dependency-tracking' '--disable-silent-rules' '--docdir=/usr/share/doc/clamav-0.103.2' '--htmldir=/usr/share/doc/clamav-0.103.2/html' '--with-sysroot=/' '--libdir=/usr/lib64' '--enable-bzip2' '--disable-clamonacc' '--enable-clamdtop' '--enable-ipv6' '--disable-milter' '--disable-check' '--with-xml' '--with-iconv' '--with-libjson=/usr' '--disable-libclamav-only' '--with-libcurl' '--with-system-libmspack' '--cache-file=/var/tmp/portage/app-antivirus/clamav-0.103.2/work/clamav-0.103.2/config.cache' '--disable-experimental' '--disable-static' '--disable-zlib-vcheck' '--enable-id-check' '--with-dbdir=/var/lib/clamav' '--with-zlib' '--disable-llvm' '--enable-openrc' '--runstatedir=/run' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CXXFLAGS=-O2 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed' 'CFLAGS=-O2 -pipe' sizeof(void*) = 8 Engine flevel: 123, dconf: 123

Attachments

If applicable, add screenshots to help explain your problem.

If the issue is reproducible only when scanning a specific file, attach it to the ticket.

micahsnyder commented 3 years ago

Hi @jendis thanks for the report. I'm unsure how to test this one outside of setting up a similar system and letting it run for a month, hoping it will reproduce the issue. Will have a think about it. I might just do that if I can't find any other way to accelerate reproducing the issue.

jendis commented 3 years ago

Well, if you provide me with a patch or anything else that adds more debug log messages, I can compile it and run it on our system. I'll provide you with the whole log when the bug occurs.

jendis commented 3 years ago

The problem hasn't occurred since version ClamAV 0.103.3/26298/Mon Sep 20 06:51:09 2021