ClamAV Not Working - SM16
Problem reported by Nicolas Le Merle - February 4 at 2:49 PM
I recently noticed these errors coming through in the delivery logs regarding ClamAV:
Calls to ClamAV have failed many times.  Restarting the clamd process...
Unable to run Clam virus checks: System.Net.Sockets.SocketException (0x80004005): No connection could be made because the target machine actively refused it 127.0.0.1:3310
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
at MailStore.Spam.ClamDClient.CheckScan()
I have rebooted, reinstalled, upgraded to the latest release (16.3.6607) and the issue still persists.
 
Anyone else experiencing this?

9 Replies

0
Matt Petty Replied
Employee Post
Does your freshclam or clamd.log say anything that's suspect? 
C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\log
You can verify your log settings are correct using the .conf files found here: C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Clam\etc
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Nicolas Le Merle Replied
Hi @Matt Petty, freshclam is throwing some errors as per below.
 
ERROR: NotifyClamd: No communication socket specified in C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\etc\clamd.conf
ERROR: Can't send to clamd: Not a socket
ClamAV update process started at Mon Feb 05 03:44:05 2018
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
WARNING: getfile: daily-24286.cdiff not found on database.clamav.net (IP: 78.158.65.73)
WARNING: getpatch: Can't download daily-24286.cdiff from database.clamav.net
Can't query daily.24286.84.0.1.4E9E4149.ping.clamav.net
WARNING: getfile: daily-24286.cdiff not found on database.clamav.net (IP: 193.1.193.64)
WARNING: getpatch: Can't download daily-24286.cdiff from database.clamav.net
Can't query daily.24286.84.0.1.C101C140.ping.clamav.net
Trying host database.clamav.net (81.91.100.173)...
Downloading daily-24286.cdiff [100%]
daily.cld updated (version: 24286, sigs: 1844820, f-level: 63, builder: neo)
Can't query daily.24286.84.1.1.515B64AD.ping.clamav.net
bytecode.cld is up to date (version: 319, sigs: 75, f-level: 63, builder: neo)
Database updated (6411144 signatures) from database.clamav.net (IP: 81.91.100.173)
ERROR: NotifyClamd: No communication socket specified in C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\etc\clamd.conf
ERROR: Can't send to clamd: Not a socket
Clamd successfully notified about the update.
 
Here are the contents of the freshclam.conf file:
DatabaseDirectory C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\share\clamav
UpdateLogFile C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\log\freshclam.log
PidFile C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\freshclam.pid
AllowSupplementaryGroups yes
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror database.clamav.net
MaxAttempts 3
Checks 24
NotifyClamd C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\etc\clamd.conf
*I have attempted to add a setting value of TCPSocket 3310 to the config, no luck yet (unless I need to restart the SM service, which will need to be scheduled).
0
Matt Petty Replied
Employee Post
Did that ClamD error occur while it's updating? I don't have any timestamps to go off of, but I'm wondering if it spent a decent amount of time updating, and meanwhile if SmarterMail was restarted, that could put it into a state where it doesn't know it's updating ClamD and it might be expecting it to run.

If you see MailService and clamd.exe, and you restart MailService and kill clamd.exe, once running again do you still see the behavior?
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Kyle Kerst Replied
It looks like Clam is having trouble pulling signature updates. Can you check the following? This might just do the trick :-)
 
1. Check server DNS to ensure at least ONE outside DNS server is available. Personally I recommend 8.8.8.8 (Google DNS.)
2. Check SmarterMail DNS addresses to ensure ONE outside DNS server is available. 
3. If there is a proxy connection between the server and the internet, you may want to bypass the proxy connection for outbound connections to Clam's update server. 
 
Most of the time these issues are DNS related! After updating the server addresses, and verifying connectivity, restart the SM service and attempt update again. 
Kyle Kerst Cameron Solutions LLC www.cameron-solutions.com
0
Nicolas Le Merle Replied
Nope, I can date that error back to Nov 22 2017 :(
"ERROR: NotifyClamd: No communication socket specified in C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\etc\clamd.conf"

Do my config settings look right?

The clamd.exe process doesn't start, so I don't get the opportunity to kill it.
0
Nicolas Le Merle Replied
Hey @Kyle Kerst
 
1. DNS is a good start! I changed my SM setting to use Google DNS as a backup, but I pinged both domains from the server and both are resolving, so not sure that could be the issue?
 
3. No proxy.
 
Does your config file include any 'communication socket' settings?
0
Kyle Kerst Replied
Thanks for getting back to me on this :-) Connectivity on the DNS server is one side of it, but you also want to issue an nslookup from the server itself, seeing if you can find the server addresses being queried by Clam. If the DNS server doesn't have an entry currently, and doesn't have permission to request zones, you might not be able to find the server's IP from that hostname. If that checks out I'd say your DNS is in great shape, and we can likely move on to other things. I checked my ClamAV config and found the following (you'll see the TCPSocket 3310 and TCPAddr 127.0.0.1):

LogFile C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\log\clamd.log
LogFileMaxSize 1M
LogTime yes
LogFileUnlock yes
TemporaryDirectory C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\tmp
DatabaseDirectory C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\share\clamav
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
StreamMaxLength 5M
MaxQueue 200
MaxThreads 100
ReadTimeout 60
IdleTimeout 60
MaxDirectoryRecursion 15
FollowDirectorySymlinks yes
FollowFileSymlinks yes
SelfCheck 1800
AllowSupplementaryGroups yes
ExitOnOOM yes
ScanPE yes
ScanOLE2 yes
ScanMail yes
MailFollowURLs no
ScanHTML yes
ScanArchive yes

Maybe take a backup of your config file and try with this one? Another thing I thought of is this as well!

1. If you're running a third party AV solution on the server that does real time scanning, it might be preventing Clam from connecting out or even opening ports on localhost.

2. If the permissions are wrong on the temp directory, this could cause issues too!

Let me know what you find out :-)
Kyle Kerst Cameron Solutions LLC www.cameron-solutions.com
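Added example (not part of any post in this thread, and not SmarterMail or ClamAV code): a check for the condition freshclam reported, "No communication socket specified", plus a liveness probe against the 127.0.0.1:3310 endpoint from the delivery log. The function names and sample configs are constructed for illustration; the loopback check is there because clamd's TCP socket has no authentication and binds to every interface when TCPAddr is absent.

```python
import ipaddress
import socket

# Constructed samples (placeholder paths): the first has no socket directive,
# the second carries the TCP settings quoted in the thread.
CONF_NO_SOCKET = "LogFile C:\\Clam\\log\\clamd.log\nLogTime yes\n"
CONF_TCP = CONF_NO_SOCKET + "TCPSocket 3310\nTCPAddr 127.0.0.1\n"

def parse_conf(text):
    """Map each directive to its list of values; '#' starts a comment line."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def check_clamd_conf(text):
    """Return a list of findings; an empty list means the socket setup looks sane."""
    opts, findings = parse_conf(text), []
    tcp = opts.get("TCPSocket")
    if not tcp and not opts.get("LocalSocket"):
        findings.append("no TCPSocket or LocalSocket: no communication socket")
    if tcp:
        port = tcp[-1]
        if not (port.isdigit() and 0 < int(port) < 65536):
            findings.append(f"TCPSocket {port!r} is not a valid port")
        addrs = opts.get("TCPAddr", [])
        if not addrs:
            findings.append("TCPSocket without TCPAddr: listens on all interfaces")
        for addr in addrs:
            try:
                loopback = ipaddress.ip_address(addr).is_loopback
            except ValueError:
                loopback = addr.lower() == "localhost"
            if not loopback:
                findings.append(f"TCPAddr {addr} is not loopback")
    return findings

def clamd_alive(host="127.0.0.1", port=3310, timeout=3.0):
    """Send clamd's PING command; True only if the daemon answers PONG."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"nPING\n")
            return s.recv(16).strip() == b"PONG"
    except OSError:
        return False

if __name__ == "__main__":
    print(check_clamd_conf(CONF_NO_SOCKET), check_clamd_conf(CONF_TCP), clamd_alive())
```

To check a real install, pass the text of the clamd.conf named on the NotifyClamd line of freshclam.conf to `check_clamd_conf`.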
0
Nicolas Le Merle Replied
RESOLVED
 
Hey guys, I eventually managed to resolve this by uninstalling SM >> deleting the clam folder >> reinstalling and allowing for the clam folder to get recreated.
0
Kyle Kerst Replied
That's great to hear! Sometimes reboot and try again is the way to go!
Kyle Kerst Cameron Solutions LLC www.cameron-solutions.com
