Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

clamonacc and stat() #857

Open blackjack65 opened 1 year ago

blackjack65 commented 1 year ago

I want to use clamd and clamonacc on a file server (Debian 11) for samba directories. Usually it works fine. But when an MS Office file or document (esp. in Excel) is opened for more than 1 hour (from a Windows client) without any changes and work on this MS Office file then continues, clamd causes errors (ClamAV 1.0.1 and the stable ClamAV version of Debian 11).

clamd.log:

```
Tue Mar 7 17:06:25 2023 -> WARNING: File path check failure for: /home/data/01_PROJEKTE/01_Projekte/Firma/1_Projektdokumentation/Standort-W-Konzept 2022/Energiebilanzen/02 EB mit neuen Anlagen.xlsx
Tue Mar 7 17:06:25 2023 -> WARNING: File path check failure on: /home/data/01_PROJEKTE/01_Projekte/Firma/1_Projektdokumentation/Standort-W-Konzept 2022/Energiebilanzen/02 EB mit neuen Anlagen.xlsx
Tue Mar 7 17:06:25 2023 -> WARNING: File path check failure for: /home/data/01_PROJEKTE/01_Projekte/Firma/1_Projektdokumentation/Standort-W-Konzept 2022/Energiebilanzen/02 EB mit neuen Anlagen.xlsx
Tue Mar 7 17:06:25 2023 -> WARNING: File path check failure on: /home/data/01_PROJEKTE/01_Projekte/Firma/1_Projektdokumentation/Standort-W-Konzept 2022/Energiebilanzen/02 EB mit neuen Anlagen.xlsx
```

. . .

later on

```
Tue Mar 7 17:06:26 2023 -> WARNING: File path check failure for: /home/data/01_PROJEKTE/01_Projekte/Firma/1_Projektdokumentation/Standort-W-Konzept 2022/Energiebilanzen/77EF24F1.tmp
Tue Mar 7 17:06:26 2023 -> WARNING: File path check failure on: /home/data/01_PROJEKTE/01_Projekte/Firma/1_Projektdokumentation/Standort-W-Konzept 2022/Energiebilanzen/77EF24F1.tmp
Tue Mar 7 17:06:26 2023 -> WARNING: File path check failure for: /home/data/01_PROJEKTE/01_Projekte/Firma/1_Projektdokumentation/Standort-W-Konzept 2022/Energiebilanzen/77EF24F1.tmp
Tue Mar 7 17:06:26 2023 -> WARNING: File path check failure on: /home/data/01_PROJEKTE/01_Projekte/Firma/1_Projektdokumentation/Standort-W-Konzept 2022/Energiebilanzen/77EF24F1.tmp
```

. . .

clamd produces log files until clamd is stopped (or no space is left on the hard disk) with

```
pkill -SIGTERM clamd
```

clamonacc cannot be stopped with -SIGTERM, only killed, but I once got a "warning" in clamonacc.log

clamonacc.log:

```
/home/data/01_PROJEKTE/01_Projekte/Firma/1_Projektdokumentation/Standort-W-Konzept 2022/Energiebilanzen/7C895913.tmp: stat() failed with No such file or directory, clamd may not be responding
/home/data/01_PROJEKTE/01_Projekte/Firma/1_Projektdokumentation/Standort-W-Konzept 2022/Energiebilanzen/7C895913.tmp: stat() failed with No such file or directory, clamd may not be responding
ERROR: ClamClient: Connection to clamd failed, Couldn't connect to server.
```

What am I doing wrong? I can't find any issues here or on the mailing list...

```
Checking configuration files in /etc/clamav

Config file: clamd.conf

LogFile = "/var/log/clamav/clamd.log"
LogFileMaxSize = "2097152"
LogTime = "yes"
LogRotate = "yes"
LocalSocket = "/tmp/clamd.socket"
LocalSocketMode = "660"
MaxThreads = "20"
ReadTimeout = "300"
MaxQueue = "200"
MaxDirectoryRecursion = "12"
ExitOnOOM = "yes"
DetectPUA = "yes"
ScanHTML disabled
MaxScanSize = "4194304000"
MaxFileSize = "1572864000"
MaxFiles = "20000"
MaxEmbeddedPE = "104857600"
PCREMaxFileSize = "419430400"
OnAccessIncludePath = "/home"
OnAccessExcludePath = "/home/data/03_VERWALTUNG/10_Sicherung"
OnAccessExcludeRootUID = "yes"
OnAccessExcludeUname = "root"
OnAccessMaxFileSize = "52428800"
OnAccessMaxThreads = "15"
OnAccessRetryAttempts = "3"

Config file: freshclam.conf

LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
Checks = "24"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"

clamav-milter.conf not found

Software settings

Version: 0.103.8
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information

Database directory: /var/lib/clamav
daily.cld: version 26835, sigs: 2025005, built on Wed Mar 8 09:35:43 2023
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 14:32:42 2021
bytecode.cvd: version 334, sigs: 91, built on Wed Feb 22 22:33:21 2023
[3rd Party] mywhitelist.ign2: 2 sigs
Total number of signatures: 8672525

Platform information

uname: Linux 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
Full OS version: Debian GNU/Linux 11 (bullseye)
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a21818108000000000a0201

Build information

GNU C: 10.2.1 20210110 (10.2.1)
CPPFLAGS: -Wdate-time -D_FORTIFY_SOURCE=2
CFLAGS: -g -O2 -ffile-prefix-map=/build/clamav-XPIT9Z/clamav-0.103.8+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -g -O2 -ffile-prefix-map=/build/clamav-XPIT9Z/clamav-0.103.8+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64
LDFLAGS: -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-XPIT9Z/clamav-0.103.8+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-XPIT9Z/clamav-0.103.8+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--with-dbdir=/var/lib/clamav' '--sysconfdir=/etc/clamav' '--disable-clamav' '--disable-unrar' '--enable-milter' '--enable-dns-fix' '--with-libjson' '--with-system-libmspack' '--with-libcurl=/usr' '--with-gnu-ld' '--with-systemdsystemunitdir=/lib/systemd/system' 'build_alias=x86_64-linux-gnu' 'OBJCFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-XPIT9Z/clamav-0.103.8+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security'
sizeof(void*) = 8
Engine flevel: 129, dconf: 129
```

ragusaa commented 1 year ago

Hi,

I am not sure at this point what would cause this. Have you tried decreasing your LogFileMaxSize in clamd.conf to determine if it will still crash?

Thanks, Andy

blackjack65 commented 1 year ago

Hi Andy, thank you for your e-mail and sorry for my bad English…

I decreased the LogFileMaxSize but nothing really changed. After clamd and clamonacc are started, both work as I expect. When the EICAR test file is opened, clamonacc and clamd log this event. If I afterwards "open" an MS Office file on the samba directory for half an hour and save this file, clamd produces log files (see figure) with the described errors and warnings, and clamonacc doesn't work correctly anymore. When the EICAR test file is now opened, neither clamonacc nor clamd will recognise it. Reducing LogFileMaxSize only reduces "the number of logfiles".

Because of your hint I now use only the defaults in clamd.conf, and it seems that both clamd and clamonacc work fine. Now clamd logs the "File path check failure…" only once when an MS Office file is opened. clamonacc continues to work normally…

I have to admit that I changed the defaults in clamd.conf because I couldn't get clamd and clamonacc started. But the reason for the trouble was that max_user_watches in inotify was set wrong. The number of files in the samba directory is apparently too large for the default max_user_watches (1024?) in inotify, so clamd and clamonacc can't start. Please excuse the circumstances I suspected.


Thank you for the hint, Gerhard

From: ragusaa @.> Sent: Monday, 13 March 2023 19:10 To: Cisco-Talos/clamav @.> Cc: Saller, Gerhard @.>; Author @.> Subject: Re: [Cisco-Talos/clamav] clamonacc and stat() (Issue #857)

Hi,

I am not sure at this point what would cause this. Have you tried decreasing your LogFileMaxSize in clamd.conf to determine if it will still crash?

Thanks, Andy

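The comment above traces the start-up failure to the inotify `max_user_watches` limit. The following is an added example, not part of the thread and not ClamAV code, that compares the number of directories under each `OnAccessIncludePath` with that limit before clamonacc is started. It assumes roughly one inotify watch per watched directory; the function names and the temporary demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ClamAV code): compare the number of directories under
# each OnAccessIncludePath with fs.inotify.max_user_watches.
# Assumption: about one inotify watch per directory; excludes are ignored,
# so the count is an upper bound.

# Print each OnAccessIncludePath value from a clamd.conf-style file ($1).
onaccess_include_paths() {
    sed -n 's/^[[:space:]]*OnAccessIncludePath[[:space:]][[:space:]]*//p' "$1"
}

# Count directories below all include paths of the config file ($1).
watches_needed() {
    total=0
    onaccess_include_paths "$1" | {
        while IFS= read -r p; do
            [ -d "$p" ] || continue
            # NUL-delimited count survives odd characters in directory names.
            n=$(find "$p" -type d -print0 2>/dev/null | tr -cd '\0' | wc -c)
            total=$((total + n))
        done
        echo "$total"
    }
}

# Return 0 if the limit in $2 (default: the live sysctl) exceeds the demand.
check_inotify_headroom() {
    limit_file=${2:-/proc/sys/fs/inotify/max_user_watches}
    limit=$(cat "$limit_file") || return 2
    needed=$(watches_needed "$1")
    echo "directories to watch: $needed, max_user_watches: $limit"
    [ "$needed" -lt "$limit" ]
}

# Constructed demo: a temporary share with 5 directories and a limit of 4.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/share/Standort W/a" "$demo_root/share/b/c"
printf 'OnAccessIncludePath %s\n' "$demo_root/share" > "$demo_root/clamd.conf"
echo 4 > "$demo_root/limit"
check_inotify_headroom "$demo_root/clamd.conf" "$demo_root/limit" ||
    echo "limit too low: raise fs.inotify.max_user_watches"
```

On a real host, `check_inotify_headroom /etc/clamav/clamd.conf` reads the live limit from `/proc/sys/fs/inotify/max_user_watches`.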

ragusaa commented 1 year ago

Hi Gerhard,

Your English is fine, don't worry about it :)

I believe this is a bug, and I will create a ticket internally, so that we can track it, but unfortunately I don't know when it will be scheduled. I appreciate you reporting this, and I will let you know when we have time to work on it.

Thanks, Andy