[clamav-users] Help with debugging clam that is crashing

Fabrizio Mazzoni fabrizio at fsm.co.tz
Mon Jun 19 05:56:07 UTC 2017


Hi all,

I’m still having an issue with Clamav which is stopping randomly. I think it’s because there is an excessive amount of spam with attachments coming in, but I’m not really 100% sure about it.

I have checked the logs after enabling Debug True in clamd.conf and I am finding the following lines in the syslog:

Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22902132307\sINV\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Nota\sde\sremessa.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22SALES\sCONTRACT\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22PO\-220217ED\.exe\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22SOA\#.{0,5}[\d]{3,8}\.arj\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22INV2631GRS041707827\.rar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Order\sList\.uue\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Evaluation\sand\sQuote\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22PENDING_PAYMENT_A10543610\.arj\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Inv_Nova\sHK2017\'\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Purchase\sOrder\.uue\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22SURAT[\W_]SWIFT\.ARJ\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22April\sPO\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22PIC[\d]{5,10}\.JPE?G\.zip\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22PIC[\d]{5,10}\.GIF\.zip\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22PIC[\d]{5,10}\.TIFF\.zip\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Tittle\sBill\.uue\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22TT\sCOPY\.Arj\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22SCAN\.1004868\.PR\.03232017\.ARJ\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Draft\sBL,\sPacking\slist\s28032017PDF\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Invoice\sfor\sReference\.arj\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22[\d]{2}%\sTT\spayment\sdetails\.uue\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Estrato\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22TJL[\d]{5,10}\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Modified_PO_[\d]{15,20}_PDF\.ARJ\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22LATEST\sMP4\sWIKILEAKS\sEXPOSES\sTRUMP\.exe\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22HSBC_REMI_17036789173922O\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22RFQ\s[\d]{4,16}\#\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22PO_QIT\-052\-17\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Swift\sCopy\.arj\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Shipping\sdocuments\.arj\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22ORDER\#19[\d]{2}\.UUE\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Re\sCv\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x226388649\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22NEW\sOFFER_16032017\-Korangi\sKarachi\.7z\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22shipping\sinfo\.arj\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22FAVR01\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Doc\s8372\-Outsanding\sDue\sA\sMarine\.arj\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22SC\sDraft\.\sPS\-Quotation\s2017\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Payment_Advise\.arj\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22TTUSD\-04192017\.rar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22payment\sadvice\.arj\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Offer\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22New\sOrder\s23098\s&\sCatalogue\.arj\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22AWB\sRef[\d]{11}\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22TT\-EUR[0-9]{5},[0-9]{2}\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22RFQ\-17[\d]{4}\.xz\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Quotation8385303214\.rar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22AcroRd32.exe\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22DHL[\d]{2,6}\-2017[A-Z]{1,2}\.rar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22REQUISITIONS[0-9]{6}[\W_][0-9]{8}[\W_][0-9]{2,4}pdf\.arj\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Payment[\W_]Invoice[\W_][\d]{6,8}\.ARJ\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22[A-Z]{2,4}\.[A-Z]{1,3}[0-9]{3,5}\-[0-9]{3,5}\-[0-9]{1,3}\.jar\x22/

These are just a part of them; there are actually more. I also have the tmp directory, which I have set to /clamptmp, and it is full of .tmp files.

Seeking assistance.

Thanks to all.



Fabrizio Mazzoni - ICT Consultant
+255 755 46 88 26 | Skype: mazzofab.tz | www.fsm.co.tz
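A small diagnostic for the kind of debug output quoted above, added here as an example and not code from the poster or from ClamAV: it parses the syslog lines into fields, counts cli_pcre_scanbuf checks per clamd PID and second, tallies the attachment extensions the filename signatures look for, and treats a change of clamd PID as a restart. The sample lines are constructed in the same format; the second PID is invented to illustrate a restart.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the post; the PID change on the last
# line is invented to simulate clamd being restarted after dying mid-scan.
SAMPLE_LOG = r"""Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Offer\.jar\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Swift\sCopy\.arj\x22/
Jun 19 05:08:30 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22AcroRd32.exe\x22/
Jun 19 05:08:31 merzariotz clamd[6994]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Payment_Advise\.arj\x22/
Jun 19 05:09:02 merzariotz clamd[7102]: LibClamAV debug: cli_pcre_scanbuf: checking 0; running regex /filename[\s\t]*=[\s\t]*\x22Offer\.jar\x22/
"""

# One syslog line: timestamp, host, clamd[pid], LibClamAV function, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"clamd\[(?P<pid>\d+)\]: LibClamAV debug: (?P<func>\w+): (?P<msg>.*)$")
REGEX_RE = re.compile(r"running regex /(?P<rx>.*)/$")
EXT_RE = re.compile(r"\.([A-Za-z0-9]+)\\x22$")  # extension before the closing \x22

def parse_line(line):
    """Split one clamd debug line into fields; None if it is not such a line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rm = REGEX_RE.search(rec["msg"])
    rec["regex"] = rm.group("rx") if rm else None
    return rec

def summarize(text):
    """Count pcre checks per (pid, second), targeted extensions and PID changes."""
    per_second, extensions, pid_order = Counter(), Counter(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["pid"] not in pid_order:   # a new PID means clamd was restarted
            pid_order.append(rec["pid"])
        if rec["func"] == "cli_pcre_scanbuf" and rec["regex"]:
            per_second[(rec["pid"], rec["ts"])] += 1
            em = EXT_RE.search(rec["regex"])
            if em:
                extensions[em.group(1).lower()] += 1
    return {"per_second": per_second, "extensions": extensions,
            "pid_order": pid_order, "restarts": max(len(pid_order) - 1, 0)}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("busiest second:", s["per_second"].most_common(1), "restarts:", s["restarts"])
    print("extensions:", s["extensions"].most_common())
```

Feed it the real syslog (for example `summarize(open("/var/log/syslog").read())`) to see whether the regex bursts cluster just before each PID change.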



