[clamav-users] Trying to track down bug using lsof & clamscan/clamdscan.. odd behavior
alexurc at gmail.com
Fri Aug 28 13:22:16 EDT 2015
I'm happy to report we located the bug which was not at all due to clamav.
However knowledge gained! Thanks everyone.
On Fri, Aug 28, 2015, 12:31 Shawn Webb <lattera at gmail.com> wrote:
> On Thursday, 27 August 2015 01:48:00 PM Charles Swiger wrote:
> > On Aug 27, 2015, at 1:13 PM, Alexander Urcioli <alexurc at gmail.com>
> > > We were running into an issue where larger files were not able to be
> > > after scanning with ClamAV. Our hypothesis was that perhaps the process
> > > has
> > > not released access to the file and we were experiencing a race
> > >
> > > Upon investigating I attempted to monitor the file we were scanning
> > > lsof on repeat mode. To my suprise, upon scanning a 900MB file with
> > > clamscan and clamdscan, lsof never lists the file as being opened
> > > by....anything...
> > It's not unusual for programs to read file data via mmap() rather than
> > open().
> > That said, it's also quite possible that a 900 MB file is being skipped
> > entirely due to MaxScanSize setting, which defaults to 100 MB unless you
> > have changed it.
> A file descriptor still has to be opened for mmap. lsof would show that
> file as
> being opened. Your thinking about ClamAV's scan size settings are likely
> correct. What I'd do is scan that one archive with verbose debugging mode
> enabled in clamscan. That will tell you if ClamAV skipped the file due to
> size limits.
> Help us build a comprehensive ClamAV guide:
More information about the clamav-users