[clamav-users] error files in /

G.W. Haywood clamav at jubileegroup.co.uk
Wed May 4 12:46:26 UTC 2022


Hi there,

On Wed, 4 May 2022, Hoevenaar, Jeffrey (GE Aviation, US) via clamav-users wrote:

> I am getting these strange files in the root file system "/" on my Linux servers.
>
> -rw-r-----.   1 root root    98 Apr 13 08:00 @??E?U
> -rw-r-----.   1 root root    75 Apr 26 08:00 @g6??U
> -rw-r-----.   1 root root    75 Apr  1 08:00 @g)$?U
>
>
> The files contain the error message.
>
> ERROR: ClamClient: Connection to clamd failed, Couldn't resolve host name.
> ClamScanQueue: stopped

Do they all contain the same error message?  Two of the files are 75
bytes long, the other one is 98 bytes.  The error message in your post
is (give or take formatting in an email) 98 bytes.  The first line of
the error is 75 bytes (with the same proviso).

To connect to clamd, an IP address would be more reliable than a
hostname.  It wouldn't rely on some flaky name resolution service.

In any case more information is needed.  Please could you let us have
the output of the command

clamconf -n

cut and pasted into an email so that there are no accidental changes?

> I believe it is occurring when the clam services are restarted each day.

It isn't really necessary to restart those services daily, but it
probably won't do any harm and it might help highlight some issues
(for example like this one).  But I'd be inclined to disable the
restarts, at least for a while, just to find out if the restarts
really are triggering this.

> Any idea how to route these error messages elsewhere?

It will be easy to do but more information is needed.  There are very
few reasons to write files in the root directory, and nothing like
ClamAV has any business doing that.  It might mean there's something
wrong with your configuration; it might not be the ClamAV-specific
configuration but that's a place to start.  ClamAV might be started or
restarted by some configuration that's provided by your operating
system distribution, and not by ClamAV itself.  It would help if you
could give us information about that, such as the OS distribution(s),
the packages which provide ClamAV, etc. and any local configuration
changes made to the distribution defaults.  The ideal would be to get
any utility (such as one provided by ClamAV) to know where to write
its error output (e.g. /var/log/somewhere) before actually doing it.

-- 

73,
Ged.
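
The size comparison made in the reply above, as an added example that is not part of the original message: a Python script that lists regular files whose names contain non-printable bytes and checks each one against the error text quoted in the post (75 bytes for the first line, 98 for both). The names triage and odd_name and the 4096-byte read limit are assumptions of this example; reading root-owned mode 0640 files requires root.

```python
import os

# Error text as quoted in the original post, with a trailing newline per line.
LINE1 = b"ERROR: ClamClient: Connection to clamd failed, Couldn't resolve host name.\n"
LINE2 = b"ClamScanQueue: stopped\n"
KNOWN = {LINE1: "first line only", LINE1 + LINE2: "both lines"}


def odd_name(name: bytes) -> bool:
    """True if the file name contains bytes outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in name)


def triage(directory: bytes = b"/"):
    """Return (escaped_name, size, verdict) for oddly named regular files.

    A bytes path makes os.scandir return raw bytes names, so names that
    are not valid UTF-8 are handled without decoding errors.
    """
    results = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if not odd_name(entry.name):
                continue
            size = entry.stat(follow_symlinks=False).st_size
            try:
                with open(entry.path, "rb") as fh:
                    data = fh.read(4096)  # the files in question are tiny
                verdict = KNOWN.get(data, "other content")
            except OSError:
                verdict = "unreadable"
            # repr() shows the raw bytes of the name unambiguously
            results.append((repr(entry.name), size, verdict))
    return sorted(results)


if __name__ == "__main__":
    for name, size, verdict in triage(b"/"):
        print(f"{size:6d}  {verdict:16s}  {name}")
```

A verdict of "other content" means the file is not an exact copy of the quoted error and should be inspected by hand.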

