[clamav-users] Trying to track down bug using lsof & clamscan/clamdscan.. odd behavior

Shawn Webb lattera at gmail.com
Fri Aug 28 13:25:04 EDT 2015


Would it be possible to share that knowledge so that others who may have the 
same experience can draw from yours?

On Friday, 28 August 2015 05:22:16 PM Alexander Urcioli wrote:
> I'm happy to report we located the bug which was not at all due to clamav.
> However knowledge gained! Thanks everyone.
> 
> On Fri, Aug 28, 2015, 12:31 Shawn Webb <lattera at gmail.com> wrote:
> > On Thursday, 27 August 2015 01:48:00 PM Charles Swiger wrote:
> > > On Aug 27, 2015, at 1:13 PM, Alexander Urcioli <alexurc at gmail.com>
> > 
> > wrote:
> > > > We were running into an issue where larger files were not able to be
> > 
> > moved
> > 
> > > > after scanning with ClamAV. Our hypothesis was that perhaps the
> > > > process
> > > > has
> > > > not released access to the file and we were experiencing a race
> > 
> > condition.
> > 
> > > > Upon investigating I attempted to monitor the file we were scanning
> > 
> > using
> > 
> > > > lsof on repeat mode. To my suprise, upon scanning a 900MB file with
> > > > clamscan and clamdscan, lsof never lists the file as being opened
> > > > by....anything...
> > > 
> > > It's not unusual for programs to read file data via mmap() rather than
> > > open().
> > > 
> > > That said, it's also quite possible that a 900 MB file is being skipped
> > > entirely due to MaxScanSize setting, which defaults to 100 MB unless you
> > > have changed it.
> > 
> > A file descriptor still has to be opened for mmap. lsof would show that
> > file as
> > being opened. Your thinking about ClamAV's scan size settings are likely
> > correct. What I'd do is scan that one archive with verbose debugging mode
> > enabled in clamscan. That will tell you if ClamAV skipped the file due to
> > scan
> > size limits.
> > 
> > Thanks,
> > 
> > Shawn_______________________________________________
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> > 
> > http://www.clamav.net/contact.html#ml
> 
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20150828/4b982b33/attachment.sig>


More information about the clamav-users mailing list