Issues with ClamAV (managing it by SmarterMail and issues with ClamAV)

Problem reported by Webio - 4/20/2015 at 2:49 AM

Submitted

Hello,

so IMHO there is something wrong with ClamAV itself and also managing its process by SmarterMail. I've started to check how ClamAV works here and there (I have 4 SM gateways which are using ClamAV). I have no clue why sometimes they work and sometimes they dont. For example I was checking on particular system where clamd.exe process just stops during loading. When running clamd.exe from command line with debug attrib I saw something like that:

WARNING: Ignoring deprecated option MailFollowURLs at line 25
LibClamAV debug: searching for unrar, user-searchpath: Standard Windows Paths
LibClamAV debug: sigcheck: Engine enabled
LibClamAV debug: Initialized 0.98.6 engine
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Bytecode initialized in JIT mode
LibClamAV debug: Loading databases from C:\....\SmarterMail\Service\Clam\share\clamav
LibClamAV debug: C:\....\SmarterMail\Service\Clam\share\clamav\sigwhitelist.ign2 loaded
LibClamAV debug: in cli_cvdload()
LibClamAV debug: in cli_tgzload()
LibClamAV debug: daily.info loaded
LibClamAV debug: in cli_tgzload_cleanup()
LibClamAV debug: in cli_tgzload()
LibClamAV debug: daily.cfg loaded
LibClamAV debug: Initializing engine->root[0]
LibClamAV debug: Initialising AC pattern matcher of root[0]
LibClamAV debug: cli_initroots: Initializing BM tables of root[0]
LibClamAV debug: Initializing engine->root[1]
LibClamAV debug: Initialising AC pattern matcher of root[1]
LibClamAV debug: cli_initroots: Initializing BM tables of root[1]
LibClamAV debug: Initializing engine->root[2]
LibClamAV debug: Initialising AC pattern matcher of root[2]
LibClamAV debug: Initializing engine->root[3]
LibClamAV debug: Initialising AC pattern matcher of root[3]
LibClamAV debug: Initializing engine->root[4]
LibClamAV debug: Initialising AC pattern matcher of root[4]
LibClamAV debug: Initializing engine->root[5]
LibClamAV debug: Initialising AC pattern matcher of root[5]
LibClamAV debug: Initializing engine->root[6]
LibClamAV debug: Initialising AC pattern matcher of root[6]
LibClamAV debug: Initializing engine->root[7]
LibClamAV debug: Initialising AC pattern matcher of root[7]
LibClamAV debug: Initializing engine->root[8]
LibClamAV debug: Initialising AC pattern matcher of root[8]
LibClamAV debug: Initializing engine->root[9]
LibClamAV debug: Initialising AC pattern matcher of root[9]
LibClamAV debug: Initializing engine->root[10]
LibClamAV debug: Initialising AC pattern matcher of root[10]
LibClamAV debug: Initializing engine->root[11]
LibClamAV debug: Initialising AC pattern matcher of root[11]
LibClamAV debug: Initializing engine->root[12]
LibClamAV debug: Initialising AC pattern matcher of root[12]
LibClamAV debug: Initializing engine->root[13]
LibClamAV debug: Initialising AC pattern matcher of root[13]
LibClamAV debug: daily.db loaded
LibClamAV debug: hashtab.c:Growing hashtable 000000000301F220, because it has ex
ceeded maxfill, old size:64
LibClamAV debug: hashtab.c: new capacity: 128
LibClamAV debug: Table 000000000301F220 size after grow:128
LibClamAV debug: hashtab.c:Growing hashtable 000000000301F220, because it has ex
ceeded maxfill, old size:128
LibClamAV debug: hashtab.c: new capacity: 256
LibClamAV debug: Table 000000000301F220 size after grow:256
LibClamAV debug: hashtab.c:Growing hashtable 000000000301F220, because it has ex
ceeded maxfill, old size:256
LibClamAV debug: hashtab.c: new capacity: 512
LibClamAV debug: Table 000000000301F220 size after grow:512
LibClamAV debug: hashtab.c:Growing hashtable 000000000301F220, because it has ex
ceeded maxfill, old size:512
LibClamAV debug: hashtab.c: new capacity: 1024
LibClamAV debug: Table 000000000301F220 size after grow:1024
LibClamAV debug: hashtab.c:Growing hashtable 000000000301F220, because it has ex
ceeded maxfill, old size:1024
LibClamAV debug: hashtab.c: new capacity: 2048
LibClamAV debug: Table 000000000301F220 size after grow:2048
LibClamAV debug: daily.fp loaded
LibClamAV debug: Loaded 136 filetype definitions
LibClamAV debug: daily.ftm loaded
LibClamAV debug: hashtab.c:Growing hashtable 000000000305A2D8, because it has ex
ceeded maxfill, old size:64
LibClamAV debug: hashtab.c: new capacity: 128
LibClamAV debug: Table 000000000305A2D8 size after grow:128
LibClamAV debug: hashtab.c:Growing hashtable 000000000305A2D8, because it has ex
ceeded maxfill, old size:128
LibClamAV debug: hashtab.c: new capacity: 256
LibClamAV debug: Table 000000000305A2D8 size after grow:256
LibClamAV debug: hashtab.c:Growing hashtable 000000000305A2D8, because it has ex
ceeded maxfill, old size:256
LibClamAV debug: hashtab.c: new capacity: 512
LibClamAV debug: Table 000000000305A2D8 size after grow:512
LibClamAV debug: hashtab.c:Growing hashtable 000000000305A2D8, because it has ex
ceeded maxfill, old size:512
LibClamAV debug: hashtab.c: new capacity: 1024
LibClamAV debug: Table 000000000305A2D8 size after grow:1024
LibClamAV debug: hashtab.c:Growing hashtable 000000000305A2D8, because it has ex
ceeded maxfill, old size:1024
LibClamAV debug: hashtab.c: new capacity: 2048
LibClamAV debug: Table 000000000305A2D8 size after grow:2048
LibClamAV debug: hashtab.c:Growing hashtable 000000000305A2D8, because it has ex
ceeded maxfill, old size:2048
LibClamAV debug: hashtab.c: new capacity: 4096
LibClamAV debug: Table 000000000305A2D8 size after grow:4096
LibClamAV debug: daily.hdb loaded
LibClamAV debug: daily.hdu skipped
LibClamAV debug: daily.idb loaded
LibClamAV debug: daily.ign loaded
LibClamAV debug: daily.ign2 loaded
LibClamAV debug: Ignoring signature Trojan.Generic.Fake.ASISSC
LibClamAV debug: daily.ldb loaded
LibClamAV debug: daily.ldu skipped
LibClamAV debug: hashtab.c:Growing hashtable 0000000003662CC0, because it has ex
ceeded maxfill, old size:64
LibClamAV debug: hashtab.c: new capacity: 128
LibClamAV debug: Table 0000000003662CC0 size after grow:128
LibClamAV debug: hashtab.c:Growing hashtable 0000000003662CC0, because it has ex
ceeded maxfill, old size:128
LibClamAV debug: hashtab.c: new capacity: 256
LibClamAV debug: Table 0000000003662CC0 size after grow:256
LibClamAV debug: hashtab.c:Growing hashtable 0000000003662CC0, because it has ex
ceeded maxfill, old size:256
LibClamAV debug: hashtab.c: new capacity: 512
LibClamAV debug: Table 0000000003662CC0 size after grow:512
LibClamAV debug: hashtab.c:Growing hashtable 0000000003662CC0, because it has ex
ceeded maxfill, old size:512
LibClamAV debug: hashtab.c: new capacity: 1024
LibClamAV debug: Table 0000000003662CC0 size after grow:1024
LibClamAV debug: hashtab.c:Growing hashtable 0000000003662CC0, because it has ex
ceeded maxfill, old size:1024
LibClamAV debug: hashtab.c: new capacity: 2048
LibClamAV debug: Table 0000000003662CC0 size after grow:2048
LibClamAV debug: hashtab.c:Growing hashtable 0000000003662CC0, because it has ex
ceeded maxfill, old size:2048
LibClamAV debug: hashtab.c: new capacity: 4096
LibClamAV debug: Table 0000000003662CC0 size after grow:4096
LibClamAV debug: hashtab.c:Growing hashtable 0000000003662CC0, because it has ex
ceeded maxfill, old size:4096
LibClamAV debug: hashtab.c: new capacity: 8192
LibClamAV debug: Table 0000000003662CC0 size after grow:8192
LibClamAV debug: hashtab.c:Growing hashtable 0000000003662CC0, because it has ex
ceeded maxfill, old size:8192
LibClamAV debug: hashtab.c: new capacity: 16384
LibClamAV debug: Table 0000000003662CC0 size after grow:16384
LibClamAV debug: hashtab.c:Growing hashtable 0000000003662CC0, because it has exceeded maxfill, old size:16384
LibClamAV debug: hashtab.c: new capacity: 32768
LibClamAV debug: Table 0000000003662CC0 size after grow:32768
LibClamAV debug: Ignoring signature Win.Trojan.5243200

clamd.exe process was stopping without any particular error somewhere where table was 16384 or 32768. I have no idea why but maybe this had something to do with AV DB files because when I've moved files from other SM gateway clamd.exe process started to run correctly (after few tries - ??). Next thing is that SmarterMail was spawning a lot (sometimes A LOT > 20) of clamd.exe processes which was starting and stopping and all of them during startup is using CPU so when we combine 5 or more clamd.exe processes we have 100% CPU usage and when they are starting and stopping we have killed our system. I've decided to change one thing in SmarerMail configuration for ClamAV and it is marking checkbox Remote Server as checked. This should let SM know that I'm managing ClamAV service manually and it should not start any clamd.exe on its own. So I've enabled remote server, opened cmd.exe and runned clamd.exe as a daemon with debug mode on and clamd.conf file. It should work just fine because I have in clamd.conf file:

TCPSocket 3310
TCPAddr 127.0.0.1

and the same values in SM ClamAV remote server configuration but for some reason it is not working. Log file informs:

Mon Apr 20 11:35:25 2015 -> +++ Started at Mon Apr 20 11:35:25 2015
Mon Apr 20 11:35:25 2015 -> clamd daemon 0.98.6 (OS: win32, ARCH: x86_64, CPU: x86_64)
Mon Apr 20 11:35:25 2015 -> Log file size limited to 1048576 bytes.
Mon Apr 20 11:35:25 2015 -> Reading databases from C:\....\SmarterMail\Service\Clam\share\clamav
Mon Apr 20 11:35:25 2015 -> Not loading PUA signatures.
Mon Apr 20 11:35:25 2015 -> Bytecode: Security mode set to "TrustSigned".
Mon Apr 20 11:35:44 2015 -> Loaded 4360151 signatures.
Mon Apr 20 11:35:47 2015 -> TCP: Bound to [127.0.0.1]:3310
Mon Apr 20 11:35:47 2015 -> TCP: Setting connection queue length to 30

that service is running at 127.0.0.1 on port 3310 but delivery logs says something else:

[2015.04.20] 11:36:30 [05571] Unable to run Clam virus checks: System.Net.Sockets.SocketException (0x80004005): No connection could be made because the target machine actively refused it 127.0.0.1:3310
[2015.04.20]    at MailStore.Spam.ClamDClient.CheckStream()
[2015.04.20] 11:36:30 [05572] Unable to run Clam virus checks: System.Net.Sockets.SocketException (0x80004005): No connection could be made because the target machine actively refused it 127.0.0.1:3310
[2015.04.20]    at MailStore.Spam.ClamDClient.CheckStream()
[2015.04.20] 11:36:30 [05573] Unable to run Clam virus checks: System.Net.Sockets.SocketException (0x80004005): No connection could be made because the target machine actively refused it 127.0.0.1:3310
[2015.04.20]    at MailStore.Spam.ClamDClient.CheckStream()

I have no idea why SM is not connecting to ClamAV. I've tried loopback IP, local IP and remote IP. I even unblocked 3310 port on Windows firewall to make sure if this is not an issue here.

Does someone experienced similar issues? I'm using latest builds from http://oss.netfarm.it/clamav/

P.S. Too bad SmarterTrack is not allowing to attach files to posts (another +1 for having previous forum) I would show you screenshot from task manager where multiple clamd.exe processes was starting eating all CPU from system. Another thing is that post writing window is WAAAY to small for big posts writing

12 Replies

Reply to Thread

Webio Replied

4/20/2015 at 2:59 AM

Update: so now when I've failed all of my tries to run ClamAV as a remote server in SM configuration even if ClamAV service is running locally I've unchecked Remote Server in ClamAV configuration and saved settings. What I've noticed then? clamd.exe process started, stopped and then after few minutes 5-10 clamd.exe processes has been spawned once again taking all of CPU. I had to revert to Avast Business command line scanner runned by Declude for now.

Webio Replied

4/20/2015 at 3:24 AM

Another update: it looks like ClamAV bin content is crucial here. During various updates I was just copying new files over previous ones and now I've cleaned whole bin directory and unpacked Joe Wolf ClamAV package, runned it in reparate cmd.exe window and configured ClamAV with Remote Server checkbox marked. It looks now it is working correctly but I have no idea why it was not working fine previously (without any particular errors).

Webio Replied

4/20/2015 at 3:26 AM

I will monitor sitations in next few days and let you know how it runs. When evertyhing will be all right I will try to switch clamd.exe process management back to SM.

YS Tech Replied

4/7/2017 at 7:33 AM

Thanks for the post, I am receiving the same errors:

15:22:25 [85024] Unable to run Clam virus checks: System.Net.Sockets.SocketException (0x80004005): No connection could be made because the target machine actively refused it 127.0.0.1:3310
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
at MailStore.Spam.ClamDClient.CheckScan()
15:22:25 [85026] Unable to run Clam virus checks: System.Net.Sockets.SocketException (0x80004005): No connection could be made because the target machine actively refused it 127.0.0.1:3310
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
at MailStore.Spam.ClamDClient.CheckScan()
15:22:25 [85023] Unable to run Clam virus checks: System.Net.Sockets.SocketException (0x80004005): No connection could be made because the target machine actively refused it 127.0.0.1:3310
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
at MailStore.Spam.ClamDClient.CheckScan()

Did you ever cure the issue?

Was it an easy fix or am I going to have to fudge it?

Employee Replied

4/7/2017 at 8:46 AM

Employee Post

Hi Anthony. Installing the 2010 C++ Redistributes should fix these errors.

https://www.microsoft.com/en-us/download/details.aspx?id=13523
https://www.microsoft.com/en-us/download/details.aspx?id=8328

Grey Replied

4/7/2017 at 12:00 PM

Rod, we also have this same error. We just migrated our install from Windows 2008R2 to Windows2016. We installed both the redistributes (64/86) and still get the error...

CCC Replied

11/16/2017 at 8:04 AM

We have also been seeing this error. Running on 2008R2x64 and have VS 2010 x86/X64 installed as well

CCC Replied

11/16/2017 at 8:05 AM

Bump :)

JerseyConnect Team Replied

11/16/2017 at 3:06 PM

We started having this issue with Clam after upgrading to 15.7. What we found was that Clam would get stuck in a failure loop. It would start with Clam reloading its signatures after Freshclam ran. During that reload time connections to Clam would fail. We'd then hit Clam's "Failures Before Disable" threshold, which was still set to 5. The SmarterMail service would then automatically restart Clam, which loads signatures and then the connection failures start again.

You can look in the Freshclam and Clam logs to see when the signature DB loads. The time should correlate with the start of the Clam errors in your delivery log.

We got Clam stabilized by increasing the Clam "Timeout" to 120 seconds, the "Failures Before Disable" to 40, and increasing the spool "Delivery Delay" to 5 seconds. Obviously those values will depend on your system usage and how long the signatures take to load. For reference the Clam signatures would take around 40 seconds to load on our system.

CCC Replied

11/17/2017 at 8:34 AM

Thanks for this info JerseyConnect Team!

I noticed in my clam logs that my clam version was also outdated (0.99 instead of 0.99.2) so I downloaded the x64 update and put that in place along with these setting changes.

Hopefully this does the trick for this long standing issue!

I'm surprised that SmarterMail doesn't auto-update the clam engine during software releases, seems like that wouldn't be hard to do while running the MSI.

CCC Replied

11/17/2017 at 10:19 AM

So far so good. 2 hours without a single CLAMAV socket exception error. It was happening within 5 minutes of service start previously. KUDOS!

JerseyConnect Team Replied

11/17/2017 at 12:29 PM

Excellent!

We still get the Clam socket errors from time to time, but the settings now let it fail more gracefully.

There is also a "ClamAV Failures" notification event that you can enable. We have that set to alert us after 100 consecutive failures.

Back to Community Threads

Please leave this box unchecked

12 Replies

Reply to Thread

Tags

Related Knowledge Base Articles