Date: Mon, 07 Apr 2008 11:49:29 +0200
From: Tilman Schmidt <t.schmidt@phoenixsoftware.de>
Organization: Phoenix Software GmbH
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: [Clamav-users] all my ClamAV daemons died last night

I have ClamAV running on several Linux mailservers. All of them stopped
working last night with similar symptoms:

- Some time after 23h CEST (21h GMT) freshclam started complaining it
   couldn't connect to any update server.

Apr  6 23:07:06 lx1 freshclam[15939]: nonblock_connect: connect timing out (30 secs)
Apr  6 23:07:06 lx1 freshclam[15939]: Can't connect to port 80 of host db.de.clamav.net (IP: 62.26.160.3)
Apr  6 23:07:06 lx1 freshclam[15939]: Trying host db.de.clamav.net (62.201.161.84)...

   [repeating every 30 seconds with varying IP addresses]
   This in itself isn't normally a reason for concern.

- Five minutes later it gives up on incrementals and switches to
   main.cvd, which is probably standard behaviour, but the connection
   problems persist:

Apr  6 23:12:08 lx1 freshclam[15939]: Incremental update failed, trying to download main.cvd
Apr  6 23:12:38 lx1 freshclam[15939]: nonblock_connect: connect timing out (30 secs)
Apr  6 23:12:38 lx1 freshclam[15939]: Can't connect to port 80 of host db.de.clamav.net (IP: 195.246.234.199)
Apr  6 23:12:38 lx1 freshclam[15939]: Trying host db.de.clamav.net (212.1.60.18)...
Apr  6 23:13:08 lx1 freshclam[15939]: nonblock_connect: connect timing out (30 secs)

- Some time later ClamAV complains it cannot update its database, and
   exits:

Apr  6 23:15:28 lx1 clamav-milter[15949]: Unable to lock database directory
Apr  6 23:15:28 lx1 clamav-milter[15949]: Failed to load updated database
Apr  6 23:15:31 lx1 clamav-milter[15947]: ClamAv: mi_stop=1
Apr  6 23:15:31 lx1 clamav-milter[15947]: Stopping ClamAV 0.92.1/6635/Sun Apr  6 18:29:31 2008

   Or on a different machine using MIMEdefang instead of clamav-milter:

Apr  6 23:49:10 monolith clamd[4648]: reload db failed: Unable to lock database directory (try 3)
Apr  6 23:49:10 monolith clamd[4648]: reload db failed: Unable to lock database directory
Apr  6 23:49:10 monolith clamd[4648]: Terminating because of a fatal error.
Apr  6 23:49:10 monolith clamd[4648]: Socket file removed.
Apr  6 23:49:10 monolith clamd[4648]: Pid file removed.
Apr  6 23:49:10 monolith clamd[4648]: --- Stopped at Sun Apr  6 23:49:10 2008

   From that point on, mail is blocked because I deliberately configured
   the servers in question not to let messages pass unchecked in case of
   a virus scanner outage.

- Several hours later, the update finally succeeds:

Apr  7 02:41:25 lx1 freshclam[15939]: Downloading main-46.cdiff [100%]
Apr  7 02:41:29 lx1 freshclam[15939]: main.inc updated (version: 46, sigs: 231834, f-level: 26, builder: sven)
Apr  7 02:42:01 lx1 freshclam[15939]: Downloading daily-6636.cdiff [100%]
[...]
Apr  7 02:49:17 lx1 freshclam[15939]: Downloading daily-6637.cdiff [100%]
Apr  7 02:49:28 lx1 freshclam[15939]: Downloading daily-6638.cdiff [100%]
Apr  7 02:49:45 lx1 freshclam[15939]: Downloading daily-6639.cdiff [100%]
Apr  7 02:49:45 lx1 freshclam[15939]: daily.inc updated (version: 6639, sigs: 13046, f-level: 26, builder: ccordes)
Apr  7 02:49:45 lx1 freshclam[15939]: Database updated (244880 signatures) from db.de.clamav.net (IP: 85.199.169.78)
Apr  7 02:49:45 lx1 freshclam[15939]: Clamd successfully notified about the update.
Apr  7 02:49:45 lx1 freshclam[15939]: --------------------------------------

   But the clamd process stays dead.

- When I come into the office in the morning I find all mailservers
   blocking their mail. I restart all the ClamAV daemons, and all is well
   again.

Simple question: why did that happen? IMHO a failure to update the
signatures, even if it persists for several hours, should not prevent
the continued use of the scan service with the signatures it already
has. Is this:
- a misconfiguration (i.e. my own fault)?
- a bug?
- a feature?

TIA
T.

-- 
Tilman Schmidt
Phoenix Software GmbH                               Tel. +49 228 97199 0
Adolf-Hombitzer-Str. 12                            Fax  +49 228 97199 99
53227 Bonn, Germany                               www.phoenixsoftware.de
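
The sequence in the logs above (freshclam update failures, then "Unable to lock database directory", then the scanner stopping and staying down while freshclam later reports success) can be caught with a log check. The following is an added example, not part of the original message; it assumes the syslog year is 2008 and that a restarted daemon logs under a PID not seen before the stop.

```python
import re
from datetime import datetime

# Sample input: log lines copied from the message above, soft line breaks joined.
SAMPLE = """\
Apr  6 23:07:06 lx1 freshclam[15939]: Can't connect to port 80 of host db.de.clamav.net (IP: 62.26.160.3)
Apr  6 23:12:08 lx1 freshclam[15939]: Incremental update failed, trying to download main.cvd
Apr  6 23:15:28 lx1 clamav-milter[15949]: Unable to lock database directory
Apr  6 23:15:28 lx1 clamav-milter[15949]: Failed to load updated database
Apr  6 23:15:31 lx1 clamav-milter[15947]: Stopping ClamAV 0.92.1/6635/Sun Apr  6 18:29:31 2008
Apr  6 23:49:10 monolith clamd[4648]: reload db failed: Unable to lock database directory
Apr  6 23:49:10 monolith clamd[4648]: Terminating because of a fatal error.
Apr  7 02:49:45 lx1 freshclam[15939]: Clamd successfully notified about the update.
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w-]+)\[(\d+)\]: (.*)$")
STOP_MARKERS = ("Terminating because of a fatal error", "Stopping ClamAV")
SCANNERS = {"clamd", "clamav-milter"}


def scanner_outages(text, year=2008):
    """Report scanner daemons that stopped and were not seen again under a new PID."""
    seen_pids, lock_failed, update_errors, down = {}, set(), {}, {}
    end = None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog omits the year; the caller supplies it (assumption).
        end = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        host, prog, pid, msg = m[2], m[3], m[4], m[5]
        if prog == "freshclam" and ("Can't connect" in msg or "update failed" in msg):
            update_errors[host] = update_errors.get(host, 0) + 1
        if prog not in SCANNERS:
            continue
        key = (host, prog)
        if key in down and pid not in seen_pids[key]:
            del down[key]  # a new PID is logging: the daemon was restarted
            lock_failed.discard(key)
        seen_pids.setdefault(key, set()).add(pid)
        if "Unable to lock database directory" in msg:
            lock_failed.add(key)
        elif msg.startswith(STOP_MARKERS):
            down[key] = {"stopped": end, "lock_error": key in lock_failed,
                         "update_errors_before": update_errors.get(host, 0)}
    # Outage length is measured up to the last timestamp present in the log.
    return {k: dict(v, down_for=end - v["stopped"]) for k, v in down.items()}
```

Run periodically over the mail log, a non-empty result means mail is being held by a stopped scanner and the daemon needs a restart.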



