[clamav-users] ScanOnAccess: ... (null) FOUND

Fri Sep 7 15:16:34 UTC 2018

Hi Jens,

Sorry I have not yet found time to investigate the source of the "(null) FOUND" issue.  Thank-you for the reminder.

It would be helpful if you submitted a bug report to track the issue.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

On Sep 5, 2018, at 10:44 AM, Kretschmer, Jens <kretschmer.jens at siemens.com<mailto:kretschmer.jens at siemens.com>> wrote:

Hi Micah,

did you have time to investigate those issues?

Should I create bug reports for them or are those issues being tracked already? Do you need any more information from my side?

Kr,
Jens

From: Micah Snyder (micasnyd) <micasnyd at cisco.com<mailto:micasnyd at cisco.com>>
Sent: Thursday, August 9, 2018 2:39 PM
To: ClamAV users ML <clamav-users at lists.clamav.net<mailto:clamav-users at lists.clamav.net>>
Subject: Re: [clamav-users] ScanOnAccess: ... (null) FOUND

I've been running clamd with OnAccess on a box using Firefox and just yesterday saw the (null) FOUND as well.  I haven't had a chance to take the file in question and debug with clamscan to reproduce it and figure out what's causing it but I will do so soon.

Regarding your second issue, I believe there is a memory leak with the OnAccessExtraScanning feature because the threads that process the extra scanning work aren't being join()'d.
I have a feeling that may be why you're seeing "Unable to kick off extra scanning".  We're getting near the end of our development cycle for 0.101 and still have some tough work left, but we'll try to find a solution to the OnAccessExtraScanning thread joining issue if time permits.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

On Aug 9, 2018, at 4:03 AM, Kretschmer, Jens <kretschmer.jens at siemens.com<mailto:kretschmer.jens at siemens.com>> wrote:

Do you have the OnAccessExtraScanning option on by chance?

Yes, OnAccessExtraScanning is turned on.

I was able to reproduce this behavior on a different machine. It uses the same configuration as the first machine (the clamconf output can be found in my previous E-Mail).
I rebooted the machine yesterday at 13:45 and left it untouched. I did not even log in. Today I logged in via ssh and the first ScanOnAccess message since the reboot in the journal was:

Aug 09 09:36:47 hostname2 clamd[8888]: SelfCheck: Database status OK.
Aug 09 09:37:24 hostname2 clamd[8888]: ScanOnAccess: Performing additional scanning on file '/home/user1/.sh_histdir/hostname2.0'
Aug 09 09:37:24 hostname2 clamd[8888]: ScanOnAccess: /home/user1/.sh_histdir/hostname2.0: (null) FOUND
Aug 09 09:39:34 hostname2 clamd[8888]: ScanOnAccess: Performing additional scanning on file '/home/user1/test2'
Aug 09 09:39:34 hostname2 clamd[8888]: ScanOnAccess: /home/user1/test2: (null) FOUND

On the first machine I restarted clamd at scan yesterday 13:32:05 and ran the following script

#!/bin/ksh
file="testfile.txt"
while true; do
 echo "test123" > $file
 sync
 rm $file
done

after about 13 hours clamd starts to show only the messages: "ScanOnAccess: Unable to kick off extra scanning."

Aug 09 02:40:37 hostname1 clamd[15866]: ScanOnAccess: Performing additional scanning on file '/home/user1/test/testfile.txt'
Aug 09 02:40:38 hostname1 clamd[15866]: ScanOnAccess: Performing additional scanning on file '/home/user1/test/testfile.txt'
Aug 09 02:40:39 hostname1 clamd[15866]: ScanOnAccess: Unable to kick off extra scanning.
Aug 09 02:40:39 hostname1 clamd[15866]: ScanOnAccess: Unable to kick off extra scanning.

Best regards,
Jens
_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net<mailto:clamav-users at lists.clamav.net>
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net<mailto:clamav-users at lists.clamav.net>
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20180907/1f4497e6/attachment.htm>