[clamav-users] clamd.exe becomes unresponsive

Micah Snyder (micasnyd) micasnyd at cisco.com
Wed Aug 14 09:42:27 EDT 2019


Thanks Dave, I'll try to run some extended tests on my own regardless to see if anything comes up.  If anyone else has seen similar behavior - please chime in. 
Dave, can you keep an eye on clamd process memory and/or CPU usage as you test?  Maybe you'll see something telling.

Have a great weekend,
Micah

On 8/14/19, 9:36 AM, "clamav-users on behalf of David Miller via clamav-users" <clamav-users-bounces at lists.clamav.net on behalf of clamav-users at lists.clamav.net> wrote:

    Morning:
    
    Thanks for the response, Micah (I just missed it before sending my
    update). No worries on things being quiet.  I'm sure people read and
    thought about it, but I suppose no solid ideas yet.
    
    I just enabled NotifyClamd only yesterday or the day before, so I'm
    not too optimistic that's our culprit. In fact, the unresponsiveness
    was apparent before I was even running freshclam daily. I went several
    days without running freshclam during initial implementation and the
    unresponsiveness was already there.
    
    Have a great day!
    
    Thanks,
    -Dave
    
    On Wed, Aug 14, 2019 at 8:23 AM David Miller <davesgoogliemail at gmail.com> wrote:
    >
    > Optimism was short lived.  Clamd.exe went unresponsive right after my
    > last email.
    > It lasted about 12 hours, but the next run only lasted barely over 4
    > hours before becoming unresponsive... so, no rhyme or reason that I see.
    > Nothing telling in clamd.log file that I can see.
    >
    > Thoughts/suggestions/etc. very appreciated!
    >
    >   Tue Aug 13 23:14:11 2019 -> SelfCheck: Database status OK.
    >   Tue Aug 13 23:34:41 2019 -> SelfCheck: Database status OK.
    > **Tue Aug 13 23:55:11 2019 -> SelfCheck: Database status OK.   <<<< -----  This was the last entry before becoming unresponsive.
    >   Tue Aug 13 23:55:21 2019 -> +++ Started at Tue Aug 13 23:55:21 2019  <<< ---- Restarted once monitoring application detected unresponsiveness.
    >   Tue Aug 13 23:55:21 2019 -> Received 0 file descriptor(s) from systemd.
    >   Tue Aug 13 23:55:21 2019 -> clamd daemon 0.101.3 (OS: win32, ARCH: x86_64, CPU: x86_64)
    >   Tue Aug 13 23:55:21 2019 -> Log file size limited to 2097152 bytes.
    >   Tue Aug 13 23:55:21 2019 -> Reading databases from C:\MyStuff\Tools\ClamAv\clamav-0.101.3-win-x64-portable\database
    >   Tue Aug 13 23:55:21 2019 -> Not loading PUA signatures.
    >   Tue Aug 13 23:55:21 2019 -> Bytecode: Security mode set to "TrustSigned".
    >   Tue Aug 13 23:55:54 2019 -> Loaded 6269854 signatures.
    >   Tue Aug 13 23:55:56 2019 -> TCP: Bound to [127.0.0.1]:3310
    >   Tue Aug 13 23:55:56 2019 -> TCP: Setting connection queue length to 200
    >   Tue Aug 13 23:55:56 2019 -> Limits: Global size limit set to 104857600 bytes.
    >   Tue Aug 13 23:55:56 2019 -> Limits: File size limit set to 26214400 bytes.
    >   Tue Aug 13 23:55:56 2019 -> Limits: Recursion level limit set to 16.
    >   Tue Aug 13 23:55:56 2019 -> Limits: Files limit set to 10000.
    >   Tue Aug 13 23:55:56 2019 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
    >   Tue Aug 13 23:55:56 2019 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
    >   Tue Aug 13 23:55:56 2019 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
    >   Tue Aug 13 23:55:56 2019 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
    >   Tue Aug 13 23:55:56 2019 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
    >   Tue Aug 13 23:55:56 2019 -> Limits: MaxPartitions limit set to 50.
    >   Tue Aug 13 23:55:56 2019 -> Limits: MaxIconsPE limit set to 100.
    >   Tue Aug 13 23:55:56 2019 -> Limits: MaxRecHWP3 limit set to 16.
    >   Tue Aug 13 23:55:56 2019 -> Limits: PCREMatchLimit limit set to 100000.
    >   Tue Aug 13 23:55:56 2019 -> Limits: PCRERecMatchLimit limit set to 2000.
    >   Tue Aug 13 23:55:56 2019 -> Limits: PCREMaxFileSize limit set to 26214400.
    >   Tue Aug 13 23:55:56 2019 -> Archive support enabled.
    >   Tue Aug 13 23:55:56 2019 -> AlertExceedsMax heuristic detection disabled.
    >   Tue Aug 13 23:55:56 2019 -> Heuristic alerts enabled.
    >   Tue Aug 13 23:55:56 2019 -> Portable Executable support enabled.
    >   Tue Aug 13 23:55:56 2019 -> ELF support enabled.
    >   Tue Aug 13 23:55:56 2019 -> Mail files support enabled.
    >   Tue Aug 13 23:55:56 2019 -> OLE2 support enabled.
    >   Tue Aug 13 23:55:56 2019 -> PDF support enabled.
    >   Tue Aug 13 23:55:56 2019 -> SWF support enabled.
    >   Tue Aug 13 23:55:56 2019 -> HTML support enabled.
    >   Tue Aug 13 23:55:56 2019 -> XMLDOCS support enabled.
    >   Tue Aug 13 23:55:56 2019 -> HWP3 support enabled.
    >   Tue Aug 13 23:55:56 2019 -> Self checking every 1200 seconds.
    >   Tue Aug 13 23:55:56 2019 -> Listening daemon: PID: 7132
    >   Tue Aug 13 23:55:56 2019 -> MaxQueue set to: 100
    >   Wed Aug 14 00:16:50 2019 -> SelfCheck: Database status OK.
    >   Wed Aug 14 00:37:20 2019 -> SelfCheck: Database status OK.
    >
    > Thanks,
    > -Dave
    >
    > On Tue, Aug 13, 2019 at 10:37 PM David Miller <davesgoogliemail at gmail.com> wrote:
    > >
    > > Hi, All:
    > >
    > > Good news update: Clamd.exe is running longer than ever so far...
    > > nearly 12 hours.  I had just switched the SelfCheck value from the
    > > default 600 to 1200 to see if that made a difference.  I also enabled
    > > LogVerbose.  Those are the only 2 updates to the clamd.config.  One
    > > other change I made is to call PING less often to see if clamd.exe is
    > > still responsive.  Right now, it checks once per minute... previously,
    > > it checked every 15 seconds. I don't believe this change had anything
    > > to do with tonight's improved result because initially, I wasn't
    > > calling PING at all - the PINGs were added as a result of the
    > > unresponsiveness.  I'm optimistic, but still stumped.  I suspect the
    > > change relates to the less frequent SelfCheck calls.
    > > Thoughts/suggestions/etc. very appreciated!
    > >
    > > Thanks,
    > > -Dave
    > >
    > > On Tue, Aug 13, 2019 at 1:15 PM David Miller <davesgoogliemail at gmail.com> wrote:
    > > >
    > > > Hello, All:
    > > >
    > > > clamav-0.101.2-win-x64-portable
    > > > clamav-0.101.3-win-x64-portable
    > > >
    > > > After clamd.exe runs successfully for several hours, it becomes unresponsive.
    > > > Hosted on 2 Windows 2016 Servers and a Windows 10 - all respond the same.
    > > > Last log entry for clamd shows: "SelfCheck: Database status OK."  An example
    > > > of the unresponsive timelines from one of the deployments is pasted below.
    > > >
    > > > Restarted                     Unresponsive:              Timespan:
    > > > 8/10/19 01:30:30 a.m.   8/10/19 06:06:29 a.m.   4:35:59
    > > > 8/10/19 06:06:30 a.m.   8/10/19 12:34:12 p.m.   6:27:42
    > > > 8/10/19 12:34:13 p.m.   8/10/19 07:01:55 p.m.   5:32:18
    > > > 8/10/19 07:01:56 p.m.   8/11/19 01:29:37 a.m.   5:32:19
    > > > 8/11/19 01:29:38 a.m.   8/11/19 06:05:35 a.m.   4:35:57
    > > > 8/11/19 06:05:37 a.m.   8/11/19 12:33:17 p.m.   6:27:40
    > > > 8/11/19 12:33:19 p.m.   8/11/19 07:01:00 p.m.   5:32:19
    > > > 8/11/19 07:01:01 p.m.   8/12/19 01:28:42 a.m.   6:27:41
    > > >
    > > > Clamd.exe remains responsive for the timespans listed above, but then
    > > > becomes unresponsive and I have to kill the process and start a new
    > > > instance of clamd.exe. (The outage time consistency is telling, but
    > > > what it's telling I still don't know.) FWIW: I run freshclam once an hour,
    > > > but it seems to have no impact on the unresponsiveness of clamd. Also, the
    > > > clamd.exe becomes unresponsive whether or not there are files being
    > > > scanned. I've tried a few .conf changes with no noticeable impact on the
    > > > unresponsiveness. Any pointers/tools/suggestions are greatly appreciated.
    > > >
    > > > I've appended my current .conf results to this email.
    > > >
    > > > Thanks for your time & have a great day!
    > > > -Dave,
    > > >
    > > >
    > > > clamconf -n
    > > >
    > > > Checking configuration files in C:\MyStuff\Tools\ClamAv\clamav-0.101.3-win-x64-portable
    > > >
    > > > Config file: clamd.conf
    > > > -----------------------
    > > > LogFile = "C:\MyStuff\Tools\ClamAv\clamav-0.101.3-win-x64-portable\clamd.log"
    > > > LogFileMaxSize = "2097152"
    > > > LogTime = "yes"
    > > > LogVerbose = "yes"
    > > > TCPSocket = "3310"
    > > > TCPAddr = "127.0.0.1"
    > > > SendBufTimeout = "200"
    > > > IdleTimeout = "60"
    > > > SelfCheck = "1200"
    > > >
    > > > Config file: freshclam.conf
    > > > ---------------------------
    > > > LogFileMaxSize = "2097152"
    > > > LogTime = "yes"
    > > > UpdateLogFile = "C:\MyStuff\Tools\ClamAv\clamav-0.101.3-win-x64-portable\freshclam.log"
    > > > DatabaseMirror = "database.clamav.net"
    > > >
    > > > clamav-milter.conf not found
    > > >
    > > > Software settings
    > > > -----------------
    > > > Version: 0.101.3
    > > > Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 RAR JIT
    > > >
    > > > Database information
    > > > --------------------
    > > > Database directory: C:\MyStuff\Tools\ClamAv\clamav-0.101.3-win-x64-portable\database
    > > > bytecode.cvd: version 330, sigs: 94, built on Wed Jul 17 08:11:08 2019
    > > > daily.cld: version 25540, sigs: 1713558, built on Tue Aug 13 03:16:47 2019
    > > > main.cvd: version 58, sigs: 4566249, built on Wed Jun  7 16:38:10 2017
    > > > Total number of signatures: 6279901
    > > >
    > > > Platform information
    > > > --------------------
    > > > uname: Microsoft Windows 6.2 SP0.0 Build 9200
    > > > OS: win32, ARCH: x86_64, CPU: x86_64
    > > > zlib version: 1.2.11 (1.2.11), compile flags: 65
    > > > Triple: x86_64-pc-win32
    > > > CPU: i686, Little-endian
    > > > platform id: 0x102566660800077c0100077c
    > > >
    > > > Build information
    > > > -----------------
    > > > Microsoft Visual C++: (0.7.124)
    > > > Microsoft Visual C++ 1916
    > > > sizeof(void*) = 8
    > > > Engine flevel: 102, dconf: 102
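
A probe in the spirit of the PING check described in this thread, as an added example (not code from the posters or the ClamAV project): it separates a clamd that refuses connections from one whose socket still accepts TCP connections but never answers. `probe_clamd` and `fake_clamd` are hypothetical names, and the stand-in server is constructed so the block runs without ClamAV; `zPING` is clamd's NUL-delimited form of the PING command.

```python
import socket
import threading
import time

def probe_clamd(host="127.0.0.1", port=3310, timeout=5.0):
    """Return (state, seconds). state is 'ok', 'hung', 'down' or 'unexpected'."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"zPING\0")      # 'z' prefix: command and reply end with NUL
            reply = b""
            while not reply.endswith(b"\0"):
                chunk = s.recv(64)
                if not chunk:          # peer closed before a full reply arrived
                    break
                reply += chunk
            state = "ok" if reply == b"PONG\0" else "unexpected"
    except socket.timeout:
        state = "hung"                 # connected (or queued) but no answer in time
    except OSError:
        state = "down"                 # nothing listening, e.g. connection refused
    return state, time.monotonic() - start

def fake_clamd(answer):
    """Constructed stand-in for clamd on an ephemeral port (assumption, not ClamAV).
    answer=False never accepts, like a process that stopped servicing its socket."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(64) == b"zPING\0":
                conn.sendall(b"PONG\0")

    if answer:
        threading.Thread(target=serve, daemon=True).start()
    return srv

if __name__ == "__main__":
    for answer in (True, False):
        srv = fake_clamd(answer)
        state, secs = probe_clamd(port=srv.getsockname()[1], timeout=1.0)
        print(f"answer={answer}: {state} after {secs:.2f}s")
        srv.close()
```

Logging the state and latency of each probe next to the process's memory and CPU figures gives a timeline to compare against the last `SelfCheck` entry in clamd.log.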
    