[clamav-users] Trying to track down bug using lsof & clamscan/clamdscan.. odd behavior

Shawn Webb lattera at gmail.com
Fri Aug 28 12:31:04 EDT 2015


On Thursday, 27 August 2015 01:48:00 PM Charles Swiger wrote:
> On Aug 27, 2015, at 1:13 PM, Alexander Urcioli <alexurc at gmail.com> wrote:
> > We were running into an issue where larger files were not able to be moved
> > after scanning with ClamAV. Our hypothesis was that perhaps the process
> > has
> > not released access to the file and we were experiencing a race condition.
> > 
> > Upon investigating I attempted to monitor the file we were scanning using
> > lsof on repeat mode. To my suprise, upon scanning a 900MB file with
> > clamscan and clamdscan, lsof never lists the file as being opened
> > by....anything...
> 
> It's not unusual for programs to read file data via mmap() rather than
> open().
> 
> That said, it's also quite possible that a 900 MB file is being skipped
> entirely due to MaxScanSize setting, which defaults to 100 MB unless you
> have changed it.

A file descriptor still has to be opened for mmap. lsof would show that file as 
being opened. Your thinking about ClamAV's scan size settings are likely 
correct. What I'd do is scan that one archive with verbose debugging mode 
enabled in clamscan. That will tell you if ClamAV skipped the file due to scan 
size limits.

Thanks,

Shawn
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20150828/835a1cf0/attachment.sig>


More information about the clamav-users mailing list