Page MenuHomePhabricator

clamav errors on mendelevium
Closed, ResolvedPublic

Description

exim on mendelevium (otrs machine) has been complaining about clamav errors, in this form:

2018-01-31 11:11:25 XXX malware acl condition: clamd: ClamAV returned: /var/spool/exim4/scan/XXX/XXX.eml: Can't open file or directory ERROR

Looking at lsof of clamav there are plenty of open file descriptors to deleted files in /tmp/, about 1024 of them so I suspect fds are leaking and hitting maximum open file descriptors.

clamd   569 clamav   12u   REG              254,1      245  398903 /tmp/clamav-1fa9c98e831072097777091baae57b3e.tmp (deleted)
clamd   569 clamav   13u   REG              254,1     2271  398889 /tmp/clamav-2cfbf4fc5117d4fca6e3eaa6cd5afa0b.tmp (deleted)
clamd   569 clamav   14u   REG              254,1      974  398900 /tmp/clamav-d93e01b4f246690d2ca56997e3bf3b65.tmp (deleted)
clamd   569 clamav   15u   REG              254,1      974  398901 /tmp/clamav-f856655f9539b8513ca32917729ed2e4.tmp (deleted)
clamd   569 clamav   16u   REG              254,1     2271  398904 /tmp/clamav-ad84f017474ada33d99ac0481f3ec762.tmp (deleted)
clamd   569 clamav   17u   REG              254,1      391  398912 /tmp/clamav-fa43351caa95f4625b19f56d8447b25b.tmp (deleted)
...
clamd   569 clamav 1022u   REG              254,1     6180  404456 /tmp/clamav-edd137867aaa38b33afa79379f52768f.tmp (deleted)
clamd   569 clamav 1023u   REG              254,1      861  404457 /tmp/clamav-9847efae7c2e57fbccd4a830b2d7541b.tmp (deleted)

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 1 2018, 9:22 AM

@MoritzMuehlenhoff has upgraded clamav to 0.99.2+dfsg-0+deb8u3 just now, let's see if this happens again.

clamav is socket-activated, maybe it tripped over some rule? I installed the new version and the errors are gone for now, let's keep an eye on it.

grin added a subscriber: grin.Feb 1 2018, 6:39 PM

It's a clamd bug + a signature bug. The signature has been fixed the same day it's been fucked up, and clamd will be updated to fix the problem (which resulted dangling filehandles, out of file descriptors, not deleted tmp files and more). Should have been error-free if sigs were updated.

http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

@grin fantastic! thanks for the update

MoritzMuehlenhoff closed this task as Resolved.Feb 2 2018, 11:09 AM
MoritzMuehlenhoff claimed this task.

@grin: Thanks for the pointer! Since ClamAV has retracted the broken signature (and will make sure this doesn't reoccur) I'll close this task. We're following ClamAV via jessie-updates, so when this is fixed upstream, we'll pick up the new version once released on short notice.