[clamav-users] Problem with Max Open desciptor Files limit

Jason J. W. Williams jasonjwwilliams at gmail.com
Fri Jan 26 15:22:03 UTC 2018 

Good find David. Thank you very much.

-J

On Fri, Jan 26, 2018 at 7:18 AM, David Shrimpton <d.shrimpton at its.uq.edu.au>
wrote:

> I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and
> restarting clamd fixed the problem.
>
> This sig turned up in an update at 11:51AM GMT+10 26/1/2018 and problem
> began  a few minutes later
> clamd run out of file descriptors.
>
> I also had to clean out TemporaryDirectory before restarting.
>
> Not sure what the exact reason for problem is.
>
> There is an EOF-15 in a subsig.  Perhaps this causes a performance hit on
> large text files as end
> of file must be seeked to and this is sufficient on busy system to cause
> demand to exceed supply.
>
> sigtool --find Vbs.Downloader.Generic-6431223-0
> Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;0:
> 207075626c69632073756220;0:2073756220;EOF-15:
> 203d202272652220656e6420696620;657865202f63207374617274
>
> sigtool --find Vbs.Downloader.Generic-6431223-0 | sigtool --decode-sigs
> VIRUS NAME: Vbs.Downloader.Generic-6431223-0
> TDB: Engine:51-255,Target:7
> LOGICAL EXPRESSION: (0|1)&2&3
>  * SUBSIG ID 0
>  +-> OFFSET: 0
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  public sub
>  * SUBSIG ID 1
>  +-> OFFSET: 0
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  sub
>  * SUBSIG ID 2
>  +-> OFFSET: EOF-15
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  = "re" end if
>  * SUBSIG ID 3
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> exe /c start
>
>
>
>
> David Shrimpton
>
> ________________________________________
> From: clamav-users <clamav-users-bounces at lists.clamav.net> on behalf of
> Carlos García Gómez <carlos.garcia at f-integra.org>
> Sent: Saturday, January 27, 2018 12:03:32 AM
> To: clamav-users at lists.clamav.net
> Subject: [clamav-users] Problem with Max Open desciptor Files limit
>
> Hi,
>
> We have a problem with ClamAV due to Max Open desciptor Files limit
> It’s seems like delete temp files are not freeded
> When the soft is reached the clamav proccess responses with an ERROR
>
> THe problem has begined Today with 0.99.2 clamav version
> We have updated to the last release 0.99.3 but then problem again be here.
>
>
>
>   [root at mx2 tmp]# ps -ef |grep clamav
>   clamav   22927     1  0 13:50 ?        00:00:00
> /home/vmail/antivirus/clamav/bin/freshclam -d
>   root     23128 21677  0 15:01 pts/1    00:00:00 grep clamav
>   clamav   23137     1  2 13:51 ?        00:01:39
> /home/vmail/antivirus/clamav/sbin/clamd
>
>
>   [root at mx2 tmp]# lsof -p 23137
>   COMMAND   PID   USER   FD   TYPE     DEVICE     SIZE       NODE NAME
>   clamd   23137 clamav  cwd    DIR        8,1     4096          2 /
>   clamd   23137 clamav  rtd    DIR        8,1     4096          2 /
>   clamd   23137 clamav  txt    REG        8,2   330823    1507346
> /home/vmail/antivirus/clamav-0.99.3/sbin/clamd
>   clamd   23137 clamav   11u   REG        8,2       46    1540613
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 40e1c3eb5c91506cd8029a626d44e430.tmp (deleted)
>   clamd   23137 clamav   12u   REG        8,2      119    1540264
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 6191bbf55622fa150f6a562fedaa96bf.tmp (deleted)
>   clamd   23137 clamav   13u   REG        8,2      119    1540266
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> d23444b929c3e8f70b245d0f7df9c64e.tmp (deleted)
>   clamd   23137 clamav   14u   REG        8,2       36    1540265
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 0323a84d6821a592bccefde5a36c0bb4.tmp (deleted)
>   clamd   23137 clamav   15u   REG        8,2     4793    1540268
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> a08b30fcf5ca4cbc35089753a49b688f.tmp (deleted)
>   clamd   23137 clamav   16u   REG        8,2     4793    1540267
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 8fa41cdf16f7e03e3fef00fa7faefe66.tmp (deleted)
>   clamd   23137 clamav   17u   REG        8,2       58    1540270
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 8106966405936ecc207ceb37377b2be5.tmp (deleted)
>   clamd   23137 clamav   18u   REG        8,2      183    1540272
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 6f395db61ea80440bbcdcccf8c1fd87e.tmp (deleted)
>   clamd   23137 clamav   19u   REG        8,2      293    1540273
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 4d454dfbedfa70c192000a2cc021a0e9.tmp (deleted)
>   clamd   23137 clamav   20u   REG        8,2      183    1540271
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> d7b9350895ea3c7c16a95810da93cbcd.tmp (deleted)
>   clamd   23137 clamav   21u   REG        8,2     3137    1540274
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 61ead91328b1a1fb2eed66e0092fab37.tmp (deleted)
>   clamd   23137 clamav   22u   REG        8,2     3137    1540276
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> ea8e77c7746f4e20efa08dd714e3bab1.tmp (deleted)
>   clamd   23137 clamav   23u   REG        8,2       42    1540275
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 6dc27ea80d232f5cf3354a7a3c8ec58d.tmp (deleted)
>   clamd   23137 clamav   24u   REG        8,2       44    1540277
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> fee6d1b3d366eda4e15f5ff8416bc606.tmp (deleted)
>   clamd   23137 clamav   25u   REG        8,2      677    1540279
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 2b9716c6173771c795a3b1c3bef56470.tmp (deleted)
>   clamd   23137 clamav   26u   REG        8,2      155    1540280
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> e63b9a7454908ebb5f47657898bdb2c5.tmp (deleted)
>   clamd   23137 clamav   27u   REG        8,2     1681    1540281
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> ba047ebfc0396a5b38b595eeec0f7437.tmp (deleted)
>   clamd   23137 clamav   28u   REG        8,2       46    1540278
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 49dbcc76c3c8b14d279a9d0aa74310a1.tmp (deleted)
>   clamd   23137 clamav   29u   REG        8,2     1681    1540283
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 46898158d350efefbe01636215301fad.tmp (deleted)
>   clamd   23137 clamav   30u   REG        8,2       48    1540282
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> fdc1f1fdaca0933e22778c22bf4306c2.tmp (deleted)
>   clamd   23137 clamav   31u   REG        8,2     1235    1540285
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 3849f6d05e67f2ad565d668e9a925158.tmp (deleted)
>   clamd   23137 clamav   32u   REG        8,2       38    1540284
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 9428301ea35432270076585aad066354.tmp (deleted)
>
> When there are 1024 FD => ClamAV crash
>
> Any Ideas?
>
> Regards.
>
>
>
>
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>

More information about the clamav-users mailing list