
clamav errors on mendelevium
Closed, Resolved (Public)

Description

exim on mendelevium (otrs machine) has been complaining about clamav errors, in this form:

2018-01-31 11:11:25 XXX malware acl condition: clamd: ClamAV returned: /var/spool/exim4/scan/XXX/XXX.eml: Can't open file or directory ERROR

Looking at lsof of clamav, there are plenty of open file descriptors to deleted files in /tmp/, about 1024 of them, so I suspect fds are leaking and hitting the maximum open file descriptors.

clamd   569 clamav   12u   REG              254,1      245  398903 /tmp/clamav-1fa9c98e831072097777091baae57b3e.tmp (deleted)
clamd   569 clamav   13u   REG              254,1     2271  398889 /tmp/clamav-2cfbf4fc5117d4fca6e3eaa6cd5afa0b.tmp (deleted)
clamd   569 clamav   14u   REG              254,1      974  398900 /tmp/clamav-d93e01b4f246690d2ca56997e3bf3b65.tmp (deleted)
clamd   569 clamav   15u   REG              254,1      974  398901 /tmp/clamav-f856655f9539b8513ca32917729ed2e4.tmp (deleted)
clamd   569 clamav   16u   REG              254,1     2271  398904 /tmp/clamav-ad84f017474ada33d99ac0481f3ec762.tmp (deleted)
clamd   569 clamav   17u   REG              254,1      391  398912 /tmp/clamav-fa43351caa95f4625b19f56d8447b25b.tmp (deleted)
...
clamd   569 clamav 1022u   REG              254,1     6180  404456 /tmp/clamav-edd137867aaa38b33afa79379f52768f.tmp (deleted)
clamd   569 clamav 1023u   REG              254,1      861  404457 /tmp/clamav-9847efae7c2e57fbccd4a830b2d7541b.tmp (deleted)
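
The check described above can be automated. The following is an added example, not part of the original task or of ClamAV: it parses default-format lsof output and flags processes that hold deleted temp files while their fd table is nearly full. The function names, the 0.9 ratio and the 1024 soft limit (a common Linux default) are assumptions; three sample lines are copied from the listing above and two are constructed.

```python
import re

# Default lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
LSOF_REG = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+(?P<fd>\d+)[rwu]\S*\s+REG\s+"
    r"\S+\s+\d+\s+\d+\s+(?P<name>\S.*?)(?P<deleted> \(deleted\))?$"
)

# First three lines are from the task description; the last two are constructed.
SAMPLE = """\
clamd   569 clamav   12u   REG   254,1      245  398903 /tmp/clamav-1fa9c98e831072097777091baae57b3e.tmp (deleted)
...
clamd   569 clamav 1022u   REG   254,1     6180  404456 /tmp/clamav-edd137867aaa38b33afa79379f52768f.tmp (deleted)
clamd   569 clamav 1023u   REG   254,1      861  404457 /tmp/clamav-9847efae7c2e57fbccd4a830b2d7541b.tmp (deleted)
clamd   569 clamav    5w   REG   254,1    10240  131077 /var/log/clamav/clamav.log
exim4   812 Debian-exim    3w   REG   254,1      512  131080 /var/log/exim4/mainlog
"""

def summarize(lsof_text, prefix="/tmp/clamav-"):
    """Per (command, pid): fds on deleted files under prefix, and highest fd seen."""
    stats = {}
    for line in lsof_text.splitlines():
        m = LSOF_REG.match(line.strip())
        if not m:
            continue  # header, "..." elision, sockets, cwd/txt entries
        key = (m["cmd"], int(m["pid"]))
        entry = stats.setdefault(key, {"deleted": 0, "highest_fd": -1})
        entry["highest_fd"] = max(entry["highest_fd"], int(m["fd"]))
        if m["deleted"] and m["name"].startswith(prefix):
            entry["deleted"] += 1
    return stats

def near_limit(stats, soft_limit=1024, ratio=0.9):
    """Processes holding deleted temp files whose fd numbers approach soft_limit."""
    return sorted(
        key for key, e in stats.items()
        if e["deleted"] > 0 and e["highest_fd"] + 1 >= ratio * soft_limit
    )

if __name__ == "__main__":
    for cmd, pid in near_limit(summarize(SAMPLE)):
        print(f"{cmd}[{pid}]: fd table nearly full, deleted temp files still open")
```

The real soft limit for a running process is in /proc/PID/limits ("Max open files") and should be passed as soft_limit instead of the default.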

Event Timeline

@MoritzMuehlenhoff has upgraded clamav to 0.99.2+dfsg-0+deb8u3 just now, let's see if this happens again.

clamav is socket-activated, maybe it tripped over some rule? I installed the new version and the errors are gone for now, let's keep an eye on it.

It's a clamd bug + a signature bug. The signature has been fixed the same day it's been fucked up, and clamd will be updated to fix the problem (which resulted in dangling filehandles, out of file descriptors, not deleted tmp files and more). Should have been error-free if sigs were updated.

http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

MoritzMuehlenhoff claimed this task.

@grin: Thanks for the pointer! Since ClamAV has retracted the broken signature (and will make sure this doesn't reoccur) I'll close this task. We're following ClamAV via jessie-updates, so when this is fixed upstream, we'll pick up the new version once released on short notice.