Atomicorp

Hi,

My server clamd will stop and then nobody can receive emails. You can send but not receive.

I have a ton of these listings in the /var/log/clamav/ file:
Thu Feb 12 07:25:45 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123444154479113875/orig-godslove.designhosting.biz123444154479113875: Sanesecurity.Hdr.9429.UNOFFICIAL FOUND
Thu Feb 12 07:26:42 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123444160179113990/orig-godslove.designhosting.biz123444160179113990: Sanesecurity.Junk.5963.UNOFFICIAL FOUND
Thu Feb 12 07:26:56 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123444161679114053/orig-godslove.designhosting.biz123444161679114053: Sanesecurity.Hdr.9429.UNOFFICIAL FOUND
Thu Feb 12 07:27:20 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123444163979114146/orig-godslove.designhosting.biz123444163979114146: Sanesecurity.Hdr.9429.UNOFFICIAL FOUND
Thu Feb 12 07:28:13 2009 -> SelfCheck: Database status OK.
Thu Feb 12 07:28:15 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123444169479114244/orig-godslove.designhosting.biz123444169479114244: Sanesecurity.Spam.9537.UNOFFICIAL FOUND
Thu Feb 12 07:28:26 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123444170579114316/orig-godslove.designhosting.biz123444170579114316: Sanesecurity.Junk.5802.UNOFFICIAL FOUND

When clamd quits I have these warnings:
Feb 14 14:34:11 godslove X-Qmail-Scanner-2.02st: [godslove.designhosting.biz12346400517912392] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2
Feb 14 14:34:11 godslove pop3d: Connection, ip=[70.178.80.45]

How do I fix this to keep clamd up and running?

Also, I see this kind of thing in the qscan/tmp section:
[root@godslove clamav]# cd /var/spool/qscan
[root@godslove qscan]# ls
archives qmail-queue.log.1 quarantine quarantine-events.txt tmp
qmail-queue.log qmail-scanner-queue-version.txt quarantine-events.db quarantine.log working
[root@godslove qscan]# cd tmp
[root@godslove tmp]# ls
[root@godslove tmp]# ls -la
total 20
drwxr-x--- 3 qscand qscand 12288 Feb 14 14:48 .
drwxr-xr-x 9 qscand qscand 4096 Feb 14 14:38 ..
drwxr-x--- 2 qscand nofiles 4096 Feb 14 14:48 godslove.designhosting.biz123464090679113642
[root@godslove tmp]# cd godslove.designhosting.biz123464090679113642
-bash: cd: godslove.designhosting.biz123464090679113642: No such file or directory
[root@godslove tmp]# ls -la
total 16
drwxr-x--- 2 qscand qscand 12288 Feb 14 14:48 .
drwxr-xr-x 9 qscand qscand 4096 Feb 14 14:38 ..
[root@godslove tmp]# ls -l
total 4
drwxr-x--- 2 qscand nofiles 4096 Feb 14 14:49 godslove.designhosting.biz123464096379114303
[root@godslove tmp]# ls -la
total 16
drwxr-x--- 2 qscand qscand 12288 Feb 14 14:49 .
drwxr-xr-x 9 qscand qscand 4096 Feb 14 14:38 ..

Is there a problem with this?

We use psmon to monitor it on our systems. Its in atomic

Scott are you referring to monitoring clamd going down all the time?

ahhh I just found this site:
http://www.sanesecurity.com/usage.htm
and ran the 3 tests they said to and the tests for all 3 were listed in the clamav log so guess this is ok and working as it should.

Need to know why clamd shuts down though and would like to use psmon but see below.

I tried installing psmon and get this:
Resolving Dependencies
--> Running transaction check
---> Package psmon.noarch 0:1.39-1.el5.art set to be updated
--> Processing Dependency: perl(Proc::ProcessTable) for package: psmon
--> Processing Dependency: perl-Config-General for package: psmon
--> Processing Dependency: perl-Proc-ProcessTable for package: psmon
--> Processing Dependency: perl(Config::General) for package: psmon
--> Processing Dependency: perl-Unix-Syslog for package: psmon
--> Finished Dependency Resolution
Error: Missing Dependency: perl-Unix-Syslog is needed by package psmon
Error: Missing Dependency: perl(Config::General) is needed by package psmon
Error: Missing Dependency: perl-Config-General is needed by package psmon
Error: Missing Dependency: perl(Proc::ProcessTable) is needed by package psmon
Error: Missing Dependency: perl-Proc-ProcessTable is needed by package psmon

Ouch, we might only have those built as binaries in the ASL channels. My shiney nickle says you can pull them from rpmforge though.

Scott,

When I used the full path of the package to try to get it the server said there was no such package so just wanted to let you know.

It seems everything is running ok today since I ran the sanesecurity command to pull in the additional rules.

Hi,

Is this suppose to be a cron?

/usr/bin/clamav_updater.sh

If so would it be put in the Plesk admin section or in one of the cron sections on the server like cron.weekly?
If in the server, is there a script for it?

Thank you!

Yup its called from /etc/cron.daily/freshclam

Thanks I didn't get this email because clamd stopped again...just posted another post about this....help is greatly appreciated.

how configure correctly psmon please? which configuration is the best in psmon.conf file please?

Thanks.

You could use a script provided at http://www.sanesecurity.co.uk/usage.htm

Download script 2 and "install" clamd-status.sh. Set up a cronjob to run clamd-status.sh quite often, and if clamd is dead it will be restarted.

Griffith's solution would be simpler for you if you just want psmon for reviving clamav when it stops. It does the job quite nicely

Ok I have this in the /etc folder
-rw-r--r-- 1 root root 8013 Mar 12 11:01 unofficial-clamav-sigs.conf

I have -rw-r--r-- 1 root root 8013 Mar 12 11:01 unofficial-clamav-sigs.sh
in the /usr/bin folder

when I run the script:
./unofficial-clamav-sigs.sh

I get this error:
[root@godslove bin]# ./unofficial-clamav-sigs.sh
/etc/unofficial-clamav-sigs.conf: line 38: socat: command not found

I have checked the LocalSocket line in clamd.conf and it is the same as in the unofficial-clamav-sigs.conf file
clamd_socket="/tmp/clamd.socket"

I appreciate your help.
Thanks!