[clamav-users] Problem with Max Open descriptor Files limit
David Shrimpton
d.shrimpton at its.uq.edu.au
Fri Jan 26 15:18:10 UTC 2018
I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and restarting clamd fixed the problem.
This sig turned up in an update at 11:51AM GMT+10 26/1/2018 and the problem began a few minutes later:
clamd ran out of file descriptors.
I also had to clean out TemporaryDirectory before restarting.
Not sure what the exact reason for the problem is.
There is an EOF-15 in a subsig. Perhaps this causes a performance hit on large text files, as the end
of file must be seeked to, and this is sufficient on a busy system to cause demand to exceed supply.
sigtool --find Vbs.Downloader.Generic-6431223-0
Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;0:207075626c69632073756220;0:2073756220;EOF-15:203d202272652220656e6420696620;657865202f63207374617274
sigtool --find Vbs.Downloader.Generic-6431223-0 | sigtool --decode-sigs
VIRUS NAME: Vbs.Downloader.Generic-6431223-0
TDB: Engine:51-255,Target:7
LOGICAL EXPRESSION: (0|1)&2&3
* SUBSIG ID 0
+-> OFFSET: 0
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
public sub
* SUBSIG ID 1
+-> OFFSET: 0
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
sub
* SUBSIG ID 2
+-> OFFSET: EOF-15
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
= "re" end if
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
exe /c start
David Shrimpton
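How the offsets in this signature are applied, as an added example that is not part of the original post and is not ClamAV code. It handles only plain-hex subsignatures with absolute, EOF-n and ANY offsets, evaluates `&` and `|` left to right, and ignores the text normalization ClamAV performs for Target:7; the HIT and MISS buffers are constructed.

```python
import re
# Signature line as printed by `sigtool --find` in the post (plain hex only).
SIG = ("Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;"
       "0:207075626c69632073756220;0:2073756220;"
       "EOF-15:203d202272652220656e6420696620;657865202f63207374617274")

def parse_ldb(line):
    """Split an .ldb line into name, TDB, expression and (offset, bytes) subsigs."""
    name, tdb, expr, *subs = line.strip().split(";")
    pairs = [s.rpartition(":") for s in subs]      # no "offset:" prefix means ANY
    return name, tdb, expr, [(o or "ANY", bytes.fromhex(h)) for o, _, h in pairs]

def subsig_hits(offset, pattern, data):
    """Apply one subsignature at its offset: absolute, EOF-n, or ANY."""
    if offset == "ANY":
        return pattern in data
    if offset.startswith("EOF-"):
        start = len(data) - int(offset[4:])        # needs the total length first
        return start >= 0 and data.startswith(pattern, start)
    return data.startswith(pattern, int(offset))

def evaluate(expr, hits):
    """Evaluate &, | and parentheses left to right over the subsig results."""
    tokens, pos = re.findall(r"\d+|[()&|]", expr), 0
    def atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return hits[int(tok)]
        val = expression()
        pos += 1                                   # consume ")"
        return val
    def expression():
        nonlocal pos
        val = atom()
        while pos < len(tokens) and tokens[pos] in ("&", "|"):
            op, pos = tokens[pos], pos + 1
            rhs = atom()
            val = (val and rhs) if op == "&" else (val or rhs)
        return val
    return expression()

def scan(data, line=SIG):
    _, _, expr, subs = parse_ldb(line)
    return evaluate(expr, [subsig_hits(o, p, data) for o, p in subs])

# Constructed buffers (not real samples): subsig 2 ends HIT but sits mid-file in MISS.
HIT = b' public sub run\ncmd.exe /c start x\nif a = "re" end if '
MISS = b' public sub run\nif a = "re" end if \ncmd.exe /c start x\n'
```

Subsig 2 decodes to exactly 15 bytes, so `EOF-15` pins it to the very end of the file: the same bytes appearing earlier, as in MISS, do not count.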
________________________________________
From: clamav-users <clamav-users-bounces at lists.clamav.net> on behalf of Carlos García Gómez <carlos.garcia at f-integra.org>
Sent: Saturday, January 27, 2018 12:03:32 AM
To: clamav-users at lists.clamav.net
Subject: [clamav-users] Problem with Max Open descriptor Files limit
Hi,
We have a problem with ClamAV due to the Max Open descriptor Files limit.
It seems like deleted temp files are not freed.
When the soft limit is reached, the clamav process responds with an ERROR.
The problem began today with clamav version 0.99.2.
We have updated to the last release, 0.99.3, but the problem is here again.
[root at mx2 tmp]# ps -ef |grep clamav
clamav 22927 1 0 13:50 ? 00:00:00 /home/vmail/antivirus/clamav/bin/freshclam -d
root 23128 21677 0 15:01 pts/1 00:00:00 grep clamav
clamav 23137 1 2 13:51 ? 00:01:39 /home/vmail/antivirus/clamav/sbin/clamd
[root at mx2 tmp]# lsof -p 23137
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
clamd 23137 clamav cwd DIR 8,1 4096 2 /
clamd 23137 clamav rtd DIR 8,1 4096 2 /
clamd 23137 clamav txt REG 8,2 330823 1507346 /home/vmail/antivirus/clamav-0.99.3/sbin/clamd
clamd 23137 clamav 11u REG 8,2 46 1540613 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-40e1c3eb5c91506cd8029a626d44e430.tmp (deleted)
clamd 23137 clamav 12u REG 8,2 119 1540264 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6191bbf55622fa150f6a562fedaa96bf.tmp (deleted)
clamd 23137 clamav 13u REG 8,2 119 1540266 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-d23444b929c3e8f70b245d0f7df9c64e.tmp (deleted)
clamd 23137 clamav 14u REG 8,2 36 1540265 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-0323a84d6821a592bccefde5a36c0bb4.tmp (deleted)
clamd 23137 clamav 15u REG 8,2 4793 1540268 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-a08b30fcf5ca4cbc35089753a49b688f.tmp (deleted)
clamd 23137 clamav 16u REG 8,2 4793 1540267 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-8fa41cdf16f7e03e3fef00fa7faefe66.tmp (deleted)
clamd 23137 clamav 17u REG 8,2 58 1540270 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-8106966405936ecc207ceb37377b2be5.tmp (deleted)
clamd 23137 clamav 18u REG 8,2 183 1540272 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6f395db61ea80440bbcdcccf8c1fd87e.tmp (deleted)
clamd 23137 clamav 19u REG 8,2 293 1540273 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-4d454dfbedfa70c192000a2cc021a0e9.tmp (deleted)
clamd 23137 clamav 20u REG 8,2 183 1540271 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-d7b9350895ea3c7c16a95810da93cbcd.tmp (deleted)
clamd 23137 clamav 21u REG 8,2 3137 1540274 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-61ead91328b1a1fb2eed66e0092fab37.tmp (deleted)
clamd 23137 clamav 22u REG 8,2 3137 1540276 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-ea8e77c7746f4e20efa08dd714e3bab1.tmp (deleted)
clamd 23137 clamav 23u REG 8,2 42 1540275 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6dc27ea80d232f5cf3354a7a3c8ec58d.tmp (deleted)
clamd 23137 clamav 24u REG 8,2 44 1540277 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-fee6d1b3d366eda4e15f5ff8416bc606.tmp (deleted)
clamd 23137 clamav 25u REG 8,2 677 1540279 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-2b9716c6173771c795a3b1c3bef56470.tmp (deleted)
clamd 23137 clamav 26u REG 8,2 155 1540280 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-e63b9a7454908ebb5f47657898bdb2c5.tmp (deleted)
clamd 23137 clamav 27u REG 8,2 1681 1540281 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-ba047ebfc0396a5b38b595eeec0f7437.tmp (deleted)
clamd 23137 clamav 28u REG 8,2 46 1540278 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-49dbcc76c3c8b14d279a9d0aa74310a1.tmp (deleted)
clamd 23137 clamav 29u REG 8,2 1681 1540283 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-46898158d350efefbe01636215301fad.tmp (deleted)
clamd 23137 clamav 30u REG 8,2 48 1540282 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-fdc1f1fdaca0933e22778c22bf4306c2.tmp (deleted)
clamd 23137 clamav 31u REG 8,2 1235 1540285 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-3849f6d05e67f2ad565d668e9a925158.tmp (deleted)
clamd 23137 clamav 32u REG 8,2 38 1540284 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-9428301ea35432270076585aad066354.tmp (deleted)
When there are 1024 FDs => ClamAV crashes
Any Ideas?
Regards.
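A check for the condition shown in the lsof listing above, as an added example that is not part of the original thread: it counts descriptors that still point at unlinked scanner temp files and compares the total with the soft "Max open files" limit. The `/tmp/clamav-` path marker, the 0.8 warning ratio and the SAMPLE entries are assumptions made for the example; the live readers need Linux `/proc`.

```python
import os

def open_fds(pid):
    """Yield (fd, target) for a live process by reading /proc (Linux only)."""
    base = f"/proc/{pid}/fd"
    for name in os.listdir(base):
        try:
            yield int(name), os.readlink(os.path.join(base, name))
        except OSError:
            continue  # descriptor was closed between listdir() and readlink()

def soft_nofile(pid):
    """Soft 'Max open files' limit from /proc/<pid>/limits, None if unlimited."""
    with open(f"/proc/{pid}/limits") as fh:
        for line in fh:
            if line.startswith("Max open files"):
                soft = line.split()[3]
                return None if soft == "unlimited" else int(soft)
    return None

def summarize(fds, soft_limit, tmp_marker="/tmp/clamav-", warn_ratio=0.8):
    """Count descriptors that still reference unlinked scanner temp files."""
    fds = list(fds)
    leaked = [fd for fd, target in fds
              if tmp_marker in target and target.endswith(" (deleted)")]
    return {
        "open": len(fds),
        "deleted_tmp": len(leaked),
        "headroom": None if soft_limit is None else soft_limit - len(fds),
        "alert": soft_limit is not None and len(fds) >= warn_ratio * soft_limit,
    }

# Constructed sample in the shape of the lsof listing above (not real data).
SAMPLE = [
    (0, "/dev/null"),
    (5, "socket:[12345]"),
    (11, "/opt/clamav/var/tmp/clamav-aaaa.tmp (deleted)"),
    (12, "/opt/clamav/var/tmp/clamav-bbbb.tmp (deleted)"),
    (13, "/opt/clamav/var/tmp/clamav-cccc.tmp (deleted)"),
]

if __name__ == "__main__":
    import sys
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(summarize(open_fds(pid), soft_nofile(pid)))
```

Run it with the clamd PID as the only argument, as a user allowed to read that process's `/proc` entries; a `deleted_tmp` count that keeps climbing between runs is the pattern reported in this thread.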