clamav-users August 2009 archive

Re: [Clamav-users] amavisd can't connect to clamd on Gentoo

From: Michael Orlitzky <michael_at_nospam>
Date: Wed Aug 19 2009 - 03:10:13 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>


Nathan Phillip Brink wrote:
>
>> On 2009-08-17 15:15, Federico Giovannini wrote:
>> > Hi all,
>> >
>> > I'm new in this mailing-list and also as clamav-user so sorry for my elementary questions.
>> > With my configuration gentoo, postfix ( 2.2.11-r1), amavisd-new (2.5.2) and ClamAV 0.95.2 sometimes when my mailserver receives emails with attachments, clamd stops working and also clamscan dies as indicated in the following amavis logs:
> If you expect clamav + amavisd + postfix to essentially work out of the
> box in gentoo, you should file a bug at https://bugs.gentoo.org/ (and CC
> me, for my benefit ;-)). Personally, I use clamav-milter to scan emails,
> so all my advice for your use of amavisd is primarily guessing based on
> the information you have posted.
>> >
>> > Aug 17 03:42:59 scilla.sestante.net /usr/sbin/amavisd[10531]: (10531-12) (!!)TROUBLE in check_mail: virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x8011a434) Too many retries to talk to /var/amavis/clamd.sock (Can't connect to UNIX socket /var/amavis/clamd.sock: Connection refused) at (eval 67) line 310. at (eval 67) line 511.; ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan DIED on signal 11 (000b) at (eval 67) line 511.
>> >
> Could you check if /var/amavis/clamd.sock exists after clamd has been
> started? Please also give the permissions of the file. You can get this
> information by running:
>
> stat /var/amavis/clamd.sock
>
> Of course, you should tell amavisd to look for the clamd socket in
> /var/run/clamav/clamd.sock instead. If you still have trouble after
> updating amavisd's configuration, please also give the output of:
>
> stat /var/run/clamav/clamd.sock
>
> Also, why is /usr/bin/clamscan being run when a connection is being made
> to clamd? Wouldn't it be better to run clamdscan?

I posted a reply to the other thread about this, but my message has been stuck in the hold queue for a couple of days.

In all of these cases, clamd/clamscan are either segfaulting, or being killed off by PaX. At first, I suspected a (possibly exploitable) bug in LibClamAV, but it would seem that this is not the case. I now believe the bug is actually in our particular version of GCC, which is why only Gentoo users have noticed.

For example, with my default,

   CFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer"

I get the crash (PaX is killing off an execution attempt at NULL):

   mx1 test-cases # clamscan postcard.zip
   LibClamAV Error: cli_checkfp(): lseek() failed
   Killed

But with,

   CFLAGS="-pipe -fomit-frame-pointer"

Everything works as expected:

   mx1 ~ # clamscan postcard.zip
   postcard.zip: Trojan.Delf-5385 FOUND

   ----------- SCAN SUMMARY -----------
   Known viruses: 1358189
   Engine version: 0.95.2
   Scanned directories: 0
   Scanned files: 1
   Infected files: 1
   Data scanned: 0.08 MB
   Data read: 0.08 MB (ratio 1.00:1)
   Time: 9.645 sec (0 m 9 s)

I haven't filed a Gentoo bug yet, but I plan to if nobody beats me to it.
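
The socket check suggested in the quoted text, carried one step further, as an added example that is not part of the original message or of ClamAV/amavisd: it separates a missing socket file from a stale one that refuses connections (the case in the amavisd log) and from a live clamd. The function name `probe_clamd` and the state labels are assumptions made for this example; it relies on clamd answering `PING` with `PONG`.

```python
import os
import socket
import stat
import sys

def probe_clamd(path, timeout=5.0):
    """Classify the state of a clamd UNIX socket; returns (state, detail)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ("missing", "no such file: clamd not running or wrong path")
    except PermissionError:
        return ("denied", "cannot stat: check permissions on parent directory")
    if not stat.S_ISSOCK(st.st_mode):
        return ("not-socket", "file exists but is not a socket")
    # Same facts `stat` would show: mode and owner decide who may connect.
    perms = "mode %04o uid %d gid %d" % (
        stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(path)
        sock.sendall(b"PING\n")      # clamd answers PING with PONG
        reply = sock.recv(16)
    except ConnectionRefusedError:
        # Socket file left behind with no listener, e.g. after clamd crashed.
        return ("refused", "stale socket, nothing listening; " + perms)
    except PermissionError:
        return ("denied", "connect not permitted for this user; " + perms)
    except OSError as exc:
        return ("error", "%s; %s" % (exc, perms))
    finally:
        sock.close()
    if reply.strip() == b"PONG":
        return ("ok", perms)
    return ("bad-reply", repr(reply))

if __name__ == "__main__":
    # Default path is the one amavisd was using in the log quoted above.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/amavis/clamd.sock"
    state, detail = probe_clamd(target)
    print("%s: %s (%s)" % (target, state, detail))
    sys.exit(0 if state == "ok" else 1)
```

Run it as the user amavisd runs as, since a socket that root can reach may still be closed to the scanner's account.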


