Scalix Forums

Posted: **Fri Oct 27, 2006 3:29 pm**

No matter what I do, I can't get this ZIP file past ClamAV. It's just an archive of some app-server logs (ASCII text) and it's compressed down to about 4Mb. I have /etc/clamd.conf set to ignore pretty much everything about archives in general (compression ratio, depth, etc). The oddest thing is that I've tried uncompressing and recreating the file on both FC5 and Windows XP using a variety of different methods.

Nothing gets logged by the mapper if logging is set to level 2. Only debug logging shows anything worthwhile. Of note is the fact that clamd seems to respawn itself 60 seconds after the SCAN command is issued. Has anyone seen something like this?

Here's the debug log snippet:

Code: Select all

2006-10-27 14:38:34:PID=32303:[Command Received]:SCAN:/var/opt/scalix/data/00000ci/00prbng
2006-10-27 14:38:34:PID=32303:/usr/bin/clamdscan --stdout /var/opt/scalix/data/00000ci/00prbng > /var/opt/scalix/tmp/clamav.log.32303
2006-10-27 14:39:34:PID=794:############## /var/opt/scalix/tmp/omvscan_cfg.794
2006-10-27 14:39:34:PID=794:OMAV_LOGFILE=$(omrealpath '~/logs/omvscan.log')
2006-10-27 14:39:34:PID=794:OMAV_LOGLEVEL=3
2006-10-27 14:39:34:PID=794:CLAMAV_ENGINE=/usr/bin/clamdscan
2006-10-27 14:39:34:PID=794:CLAMAV_SCAN_OPTIONS='--stdout'
2006-10-27 14:39:34:PID=794:CLAMAV_CLEAN_OPTIONS='--stdout'
2006-10-27 14:39:34:PID=794:CLAMAV_LOGPGX=$(omrealpath '~/tmp/clamav.log')
2006-10-27 14:39:34:PID=794:CLAMAV_USE_LOCKING=no
2006-10-27 14:39:34:PID=794:CLAMAV_LOCK_FILE=clamav.lock
2006-10-27 14:39:34:PID=794:############## /var/opt/scalix/tmp/omvscan_cfg.794
2006-10-27 14:39:34:PID=794:/usr/bin/clamdscan --stdout /tmp/clamav_test.794 > /var/opt/scalix/tmp/clamav.log.794
2006-10-27 14:39:34:PID=794:[Reply]:220 Virus Scanning Client Ready
2006-10-27 14:39:34:PID=794:[Command Received]:HELO From Scalix Service Router, Version 1.0
2006-10-27 14:39:34:PID=794:[Reply]:250 Ok

Posted: **Fri Oct 27, 2006 5:25 pm**

Can you take that zip file and scan it from the command line with clamdscan ?

Cheers

Dave

Posted: **Mon Oct 30, 2006 9:35 am**

dkelly wrote:Can you take that zip file and scan it from the command line with clamdscan ?

Cheers

Dave

Here you go:

Code: Select all

# clamdscan badfile.zip 
/home/vlaurenz/tmp/badfile.zip: lstat() failed. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.000 sec (0 m 0 s)

Code: Select all

# /var/opt/scalix/rules/omvscan.map
220 Virus Scanning Client Ready
SCAN:badfile.zip
504 anti-virus engine "ClamAV" exhibits unexpected behavior
 lstat() failed. ERROR

QUIT
221 Virus Scanning Client Shutdown

Posted: **Mon Oct 30, 2006 11:21 am**

What user is clamd running as ?

The fact that this error occurs from the command line indicates that there is a problem outside of Scalix.

If other messages going through the service router are being processed correctly by ClamAV, that means clamd is running as expected for Scalix.

If you run strace against clamdscan, what does it show ?

Cheers

Dave

Posted: **Mon Oct 30, 2006 11:23 am**

Does a

Code: Select all

stat badfile.zip

work? If it does, and returns usable data, you may have found a bug in ClamAV.

Posted: **Mon Oct 30, 2006 11:27 am**

Valerion wrote:Does a
Code: Select all
stat badfile.zip
work? If it does, and returns usable data, you may have found a bug in ClamAV.

Code: Select all

# stat badfile.zip  File: `badfile.zip'
  Size: 3855953         Blocks: 7544       IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 82019       Links: 1
Access: (0640/-rw-r-----)  Uid: (  100/  scalix)   Gid: (  101/  scalix)
Access: 2006-10-27 15:20:18.000000000 -0400
Modify: 2006-10-27 14:08:12.000000000 -0400
Change: 2006-10-27 15:39:19.000000000 -0400

Code: Select all

# file badfile.zip
badfile.zip: Zip archive data, at least v2.0 to extract

Scalix Forums

ClamAV restarts while scanning zip

ClamAV restarts while scanning zip