HELP! clamd keeps stopping

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
modom46
Forum Regular
Posts: 259
Joined: Mon May 22, 2006 9:52 pm

Hi,

Again today clamd just stopped. The maillog shows:
Feb 17 20:59:31 godslove X-Qmail-Scanner-2.02st: [godslove.designhosting.biz123492237079130197] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512$
Feb 17 20:59:32 godslove pop3d: Connection, ip=[70.146.204.26]

People on server don't get emails and they are lost.

I restart clamd and it runs for a while.

Where else can I look for why this is happening?

Is there a script I can use to keep clamd running?
Galactic Zero
Forum Regular
Posts: 471
Joined: Mon Dec 06, 2004 10:43 pm

Check your file permissions, make sure the clamd.conf and freshclamd.conf are configured correctly... This usually happens after an upgrade.
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net
modom46

Hi,

I had already checked the permissions but don't know what I'm missing.

If I run "freshclam" there are no errors.

Is there an exact place to look? clamd will run and then stop, so I would think that if the permissions were wrong it wouldn't even run like it did before.

-rw-r--r-- 1 qscand qscand 11412 Jan 24 12:01 clamd.conf

-rw-r--r-- 1 qscand qscand 5165 Jan 24 11:56 freshclam.conf
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

I'm inclined to agree there; an update to the signature databases shouldn't cause that. If it did, running the freshclam script should at least make that reproducible. Can you check the logs in /var/log/clamav/?
Galactic Zero

I've seen this error when the user name gets changed in the conf files. Be sure the user name is qscand...
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net
modom46

Last night I installed dcc, pyzor, and razor and so far this morning clamd is still running.

clamd.log from 2/17/09


Tue Feb 17 22:20:55 2009 -> No stats for Database check - forcing reload
Tue Feb 17 22:20:55 2009 -> Reading databases from /var/clamav
Tue Feb 17 22:20:55 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123492725479116668/orig-godslove.designhosting.biz123492725479116668: Sanesecurity.Spam.8823.UNOFFICIAL FOUND
Tue Feb 17 22:20:59 2009 -> Database correctly reloaded (959663 signatures)
Tue Feb 17 22:51:01 2009 -> SelfCheck: Database status OK.

Tue Feb 17 22:51:23 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123492908379120929/orig-godslove.designhosting.biz123492908379120929: Sanesecurity.Spam.9634.UNOFFICIAL FOUND
Tue Feb 17 22:51:33 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123492909279120944/orig-godslove.designhosting.biz123492909279120944: Sanesecurity.Spam.9634.UNOFFICIAL FOUND
Tue Feb 17 22:51:55 2009 -> Reading databases from /var/clamav
Tue Feb 17 22:51:55 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123492911479121001/orig-godslove.designhosting.biz123492911479121001: Sanesecurity.Junk.9261.UNOFFICIAL FOUND
Tue Feb 17 22:51:59 2009 -> Database correctly reloaded (959804 signatures)

Wed Feb 18 05:22:44 2009 -> Reading databases from /var/clamav
Wed Feb 18 05:22:51 2009 -> Database correctly reloaded (959867 signatures)

freshclam.log from 2/17/09
ClamAV update process started at Tue Feb 17 05:20:47 2009
main.cld is up to date (version: 50, sigs: 500667, f-level: 38, builder: sven)
daily.cld is up to date (version: 8995, sigs: 13152, f-level: 38, builder: guitar)
--------------------------------------
ClamAV update process started at Tue Feb 17 22:51:52 2009
main.cld is up to date (version: 50, sigs: 500667, f-level: 38, builder: sven)
Trying host db.us.clamav.net (168.143.19.95)...
Downloading daily-8996.cdiff [100%]
Downloading daily-8997.cdiff [100%]
Downloading daily-8998.cdiff [100%]
Downloading daily-8999.cdiff [100%]
Downloading daily-9000.cdiff [100%]
daily.cld updated (version: 9000, sigs: 13295, f-level: 38, builder: arnaud)
Database updated (513962 signatures) from db.us.clamav.net (IP: 168.143.19.95)
Clamd successfully notified about the update.
modom46

qscand is user in clamd.conf file and qscand is DatabaseOwner in freshclam file.
scott

Nothing useful there, unfortunately. How about in /var/log/messages?
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

You said:


-rw-r--r-- 1 qscand qscand 11412 Jan 24 12:01 clamd.conf

-rw-r--r-- 1 qscand qscand 5165 Jan 24 11:56 freshclam.conf
But those are the configuration files in /etc. You should not be changing the ownership of those files. They should be owned by root.

Instead, you should be changing the ownership of /var/clamd and /var/log/clamd (and all files contained in those directories).

In your case everything should be owned by qscand.

Faris.
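
A check for the ownership split described in this post (configuration files owned by an admin account, data and log directories owned by the user clamd runs as), added here as an example that is not part of the original thread. It assumes GNU stat; the function names and the paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): verify that clamd's config is owned by
# an admin account while its data/log directories belong to the daemon user.
# Assumes GNU stat; function names are illustrative.

# conf_value FILE KEY -> value of the first uncommented "KEY value" line
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# audit_clam_ownership CONF EXPECTED_CONF_OWNER DIR...
# Prints one FAIL line per problem; returns 0 only if nothing was found.
audit_clam_ownership() {
    conf=$1; want=$2; shift 2
    rc=0
    daemon_user=$(conf_value "$conf" User)
    if [ -z "$daemon_user" ]; then
        echo "FAIL $conf: no User directive"
        rc=1
    fi
    have=$(stat -c %U "$conf")
    if [ "$have" != "$want" ]; then
        echo "FAIL $conf: owned by $have, expected $want"
        rc=1
    fi
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "FAIL $dir: not a directory"; rc=1; continue
        fi
        # List every entry under DIR whose owner is not the daemon user.
        bad=$(find "$dir" -exec stat -c '%U %n' {} + |
              awk -v u="$daemon_user" '$1 != u')
        if [ -n "$bad" ]; then
            echo "$bad" | sed "s|^|FAIL not owned by $daemon_user: |"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use (paths are illustrative), e.g.:
#   sh audit.sh /etc/clamd.conf root /var/clamav /var/log/clamav
if [ "$#" -ge 3 ]; then
    audit_clam_ownership "$@"
fi
```

A config file the daemon user can write lets anything running as that user change how the scanner starts next time, which is why the config owner is checked separately from the data directories.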
modom46

I cannot find anything in messages either.

I will check late tonight and early tomorrow morning to see if clamd has stopped.
modom46

Oops!

I changed those to root-owned now in /etc.

I have /var/clamav and /var/log/clamav owned as qscand.
modom46

Hi,

clamd was stopped again this morning. I got 22 messages around 8:15 CST today and about 9:30 one of my clients called saying they were not able to send or receive emails.

/var/log/clamav/clamd.log
Thu Feb 19 09:45:08 2009 -> +++ Started at Thu Feb 19 09:45:08 2009
Thu Feb 19 09:45:08 2009 -> clamd daemon 0.94.2 (OS: linux-gnu, ARCH: i386, CPU: i386)
Thu Feb 19 09:45:08 2009 -> Running as user qscand (UID 10065, GID 103)
Thu Feb 19 09:45:08 2009 -> Log file size limit disabled.
Thu Feb 19 09:45:08 2009 -> Reading databases from /var/clamav
Thu Feb 19 09:45:08 2009 -> Not loading PUA signatures.
Thu Feb 19 09:45:13 2009 -> Loaded 960013 signatures.
Thu Feb 19 09:45:13 2009 -> TCP: Bound to address 127.0.0.1 on port 3310
Thu Feb 19 09:45:13 2009 -> TCP: Setting connection queue length to 30
Thu Feb 19 09:45:13 2009 -> LOCAL: Removing stale socket file /tmp/clamd.socket
Thu Feb 19 09:45:13 2009 -> LOCAL: Unix socket file /tmp/clamd.socket
Thu Feb 19 09:45:13 2009 -> LOCAL: Setting connection queue length to 30
Thu Feb 19 09:45:13 2009 -> Limits: Global size limit set to 104857600 bytes.
Thu Feb 19 09:45:13 2009 -> Limits: File size limit set to 26214400 bytes.
Thu Feb 19 09:45:13 2009 -> Limits: Recursion level limit set to 16.
Thu Feb 19 09:45:13 2009 -> Limits: Files limit set to 10000.
Thu Feb 19 09:45:13 2009 -> Archive support enabled.
Thu Feb 19 09:45:13 2009 -> Algorithmic detection enabled.
Thu Feb 19 09:45:13 2009 -> Portable Executable support enabled.
Thu Feb 19 09:45:13 2009 -> ELF support enabled.
Thu Feb 19 09:45:13 2009 -> Detection of broken executables enabled.
Thu Feb 19 09:45:13 2009 -> Mail files support enabled.
Thu Feb 19 09:45:13 2009 -> OLE2 support enabled.
Thu Feb 19 09:45:13 2009 -> PDF support enabled.
Thu Feb 19 09:45:13 2009 -> HTML support enabled.
Thu Feb 19 09:45:13 2009 -> Self checking every 1800 seconds.
Thu Feb 19 09:45:29 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123505472879120330/orig-godslove.designhosting.biz123505472879120330: Sanesecurity.Junk.9261.UNOFFICIAL FOUND
Thu Feb 19 09:45:45 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123505474479120383/orig-godslove.designhosting.biz123505474479120383: Sanesecurity.Scam.9458.UNOFFICIAL FOUND
Thu Feb 19 09:45:51 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123505475179120419/orig-godslove.designhosting.biz123505475179120419: Sanesecurity.Spam.9776.UNOFFICIAL FOUND
Thu Feb 19 09:45:59 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123505475779120473/orig-godslove.designhosting.biz123505475779120473: Sanesecurity.Phishing.Cur.10028.UNOFFICIAL FOUND
Thu Feb 19 09:46:05 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123505476379120568/orig-godslove.designhosting.biz123505476379120568: Sanesecurity.Spam.9075.UNOFFICIAL FOUND
Thu Feb 19 09:46:09 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123505476979120640/orig-godslove.designhosting.biz123505476979120640: Sanesecurity.Hdr.8239.UNOFFICIAL FOUND
Thu Feb 19 09:46:16 2009 -> /var/spool/qscan/tmp/godslove.designhosting.biz123505477679120730/orig-godslove.designhosting.biz123505477679120730: Sanesecurity.Junk.4584.UNOFFICIAL FOUND
/var/log/messages
Feb 19 09:45:13 godslove clamd[20225]: Loaded 960013 signatures.
Feb 19 09:45:13 godslove clamd[20225]: TCP: Bound to address 127.0.0.1 on port 3310
Feb 19 09:45:13 godslove clamd[20225]: TCP: Setting connection queue length to 30
Feb 19 09:45:13 godslove clamd[20225]: LOCAL: Removing stale socket file /tmp/clamd.socket
Feb 19 09:45:13 godslove clamd[20225]: LOCAL: Unix socket file /tmp/clamd.socket
Feb 19 09:45:13 godslove clamd[20225]: LOCAL: Setting connection queue length to 30
Feb 19 09:45:13 godslove clamd[20299]: Limits: Global size limit set to 104857600 bytes.
Feb 19 09:45:13 godslove clamd[20299]: Limits: File size limit set to 26214400 bytes.
Feb 19 09:45:13 godslove clamd[20299]: Limits: Recursion level limit set to 16.
Feb 19 09:45:13 godslove clamd[20299]: Limits: Files limit set to 10000.
Feb 19 09:45:13 godslove clamd[20299]: Archive support enabled.
Feb 19 09:45:13 godslove clamd[20299]: Algorithmic detection enabled.
Feb 19 09:45:13 godslove clamd[20299]: Portable Executable support enabled.
Feb 19 09:45:13 godslove clamd[20299]: ELF support enabled.
Feb 19 09:45:13 godslove clamd[20299]: Detection of broken executables enabled.
Feb 19 09:45:13 godslove clamd[20299]: Mail files support enabled.
Feb 19 09:45:13 godslove clamd[20299]: OLE2 support enabled.
Feb 19 09:45:13 godslove clamd[20299]: PDF support enabled.
Feb 19 09:45:13 godslove clamd[20299]: HTML support enabled.
Feb 19 09:45:13 godslove clamd[20299]: Self checking every 1800 seconds.

Feb 19 09:45:29 godslove clamd[20299]: /var/spool/qscan/tmp/godslove.designhosting.biz123505472879120330/orig-godslove.designhosting.biz123505472879120330: Sanesecurity.Junk.9261.UNOFFICIAL FOUND
It looks like it might have stopped here:
Feb 19 05:46:58 godslove clamd[2265]: SelfCheck: Database modification detected. Forcing reload.
Feb 19 05:46:58 godslove clamd[2265]: Reading databases from /var/clamav

I restarted clamd about here:
Feb 19 09:45:08 godslove clamd[20225]: clamd daemon 0.94.2 (OS: linux-gnu, ARCH: i386, CPU: i386)
Feb 19 09:45:08 godslove clamd[20225]: Running as user qscand (UID 10065, GID 103)
Feb 19 09:45:08 godslove clamd[20225]: Log file size limit disabled.
Feb 19 09:45:08 godslove clamd[20225]: Reading databases from /var/clamav
Feb 19 09:45:08 godslove clamd[20225]: Not loading PUA signatures.


Is there a script or something I can set up to keep clamd running?
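
The pattern pointed out in the /var/log/messages excerpt above (a "Reading databases" line from one clamd PID with no completion line after it) can be searched for mechanically. This is an added example, not part of the original thread: the function names are illustrative, the sample lines are taken from the logs above except for the last one, which has a shortened constructed path, and a reload still in progress at the end of the input is reported too.

```shell
#!/bin/sh
# Added example (not from the thread): list clamd PIDs that logged
# "Reading databases from ..." and never logged a completion line.

# Sample input: lines from the thread; the final path is constructed.
sample_messages() {
    cat <<'EOF'
Feb 19 05:46:58 godslove clamd[2265]: SelfCheck: Database modification detected. Forcing reload.
Feb 19 05:46:58 godslove clamd[2265]: Reading databases from /var/clamav
Feb 19 09:45:08 godslove clamd[20225]: clamd daemon 0.94.2 (OS: linux-gnu, ARCH: i386, CPU: i386)
Feb 19 09:45:08 godslove clamd[20225]: Reading databases from /var/clamav
Feb 19 09:45:13 godslove clamd[20225]: Loaded 960013 signatures.
Feb 19 09:45:29 godslove clamd[20299]: /var/spool/qscan/tmp/msg1/orig-msg1: Sanesecurity.Junk.9261.UNOFFICIAL FOUND
EOF
}

# stalled_reloads: syslog lines on stdin -> "PID Mon DD HH:MM:SS" per PID
# whose most recent database load has no completion line after it.
stalled_reloads() {
    awk '
    match($0, /clamd\[[0-9]+\]: /) {
        pid = substr($0, RSTART + 6, RLENGTH - 9)   # digits between [ and ]
        msg = substr($0, RSTART + RLENGTH)          # text after "]: "
        if (msg ~ /^Reading databases from /) {
            if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
            pending[pid] = $1 " " $2 " " $3
        } else if (msg ~ /^(Database correctly reloaded|Loaded [0-9]+ signatures)/) {
            delete pending[pid]                     # load finished normally
        }
    }
    END {
        for (i = 1; i <= n; i++)
            if (order[i] in pending) print order[i], pending[order[i]]
    }'
}

# Stand-alone run over the sample; on a live host feed /var/log/messages.
sample_messages | stalled_reloads
```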
scott

Yup, check out psmon
modom46

Scott,

Your psmon doesn't work and I don't know about other places.

Did any of those logs help?
scott

It works great, we use it in ASL. And no, there's nothing in those logs, I'm afraid.