[clamav-users] clamd server '/var/run/clamd.amavisd/clamd.sock' gave '' response

Alex mysqlstudent at gmail.com
Sun Feb 21 23:40:43 UTC 2016 

Hi,

I have a clamav-0.99-2 installation on fedora23 and periodically I
receive a message when running clamav-notify-servers after having run
freshclam that reports:

# clamav-notify-servers
clamd server '/var/run/clamd.amavisd/clamd.sock' gave '' response

I have a script that periodically rsyncs the malwarepatrol db to the
/var/lib/clamav directory then runs the clamav-notify-servers. I
believe the problem is related to this occurring at the same time as
the regular freshclam-sleep script running clamav-notify-servers.

Is this the intended behavior for clamd?

I have about 9M signatures now, so it appears to take a long time to
reload the database every time the clamav-notify-servers signal is
sent.

Can someone provide some advice on the best way to do this? I don't
think I can control the timing of the clamav-notify-servers to make
sure it doesn't happen while another instance occurs. Should I just
redirect the output to /dev/null?

Is it common to have 9M entries?

It looks to take about 30s to reload the database:
Feb 21 03:22:15 mail03 clamd[1006]: Reading databases from /var/lib/clamav
Feb 21 03:22:46 mail03 clamd[1006]: Database correctly reloaded
(8888331 signatures)
Feb 21 03:22:46 mail03 clamd[1006]: Client disconnected (FD 23)

This is on a six-core 3Ghz system on SSD disks.

[root at mail03 clamav]# ls
badmacro.ndb                 foxhole_filename.cdb  phishtank.ndb
   spamattach.hdb
blurl.ndb                    foxhole_generic.cdb   porcupine.hsb
   spamimg.hdb
bofhland_cracked_URL.ndb     hackingteam.hsb       porcupine.ndb
   spam.ldb
bofhland_malware_attach.hdb  javascript.ndb        rogue.hdb
   spearl.ndb
bofhland_malware_URL.ndb     junk.ndb              safebrowsing.cvd
   spear.ndb
bofhland_phishing_URL.ndb    jurlbla.ndb           sanesecurity.ftm
   winnow.attachments.hdb
my_sigwhitelist.gdb         jurlbl.ndb            scamnailer.ndb
  winnow_bad_cw.hdb
my_sigwhitelist.ign2        lott.ndb              scam.ndb
  winnow.complex.patterns.ldb
my_sigwhitelist.wdb         main.cvd
securiteinfoascii.hdb  winnow_extended_malware.hdb
bytecode.cld                 malwarehash.hsb       securiteinfo.hdb
   winnow_malware.hdb
crdfam.clamav.hdb            malwarepatrol.ndb
securiteinfohtml.hdb   winnow_malware_links.ndb
create_sig.txt               mirrors.dat           securiteinfo.ign2
   winnow_phish_complete_url.ndb
daily.cld                    phish.ndb             sigwhitelist.ign2
   winnow_spam_complete.ndb

I think the commercial securiteinfo databases are entirely too large
and don't perform very well.

Of course I could cut down on the databases, but I'm more interested
in finding out why clamd produces the error message when multiple
signals are sent.

Thanks,
Alex

More information about the clamav-users mailing list