
ClamAV (on Windows server) unstable?
winkelman

I’m having stability problems with ClamAV (ClamAV-SOSDG 0.88.6-1 with KMS 6.3.0 on a fully patched WinServer 2k3 R2). I hope some of you who are also using ClamAV on a Windows server are willing to read my long story and help out/tell your stories. I really would like to use ClamAV with KMS.

I installed ClamAV according to Kerio’s instructions and all seemed to work nicely. It was catching phishing mails that my Kerio Firewall (with McAfee) and my provider were letting through. Nice! Until 11:42 the next morning…

The clamd process was hogging the CPU, probably being stuck on scanning something. The KMS error log shows lots of these:
Quote:

[16/Nov/2006 11:42:04] mail_avir.cpp: Cannot open work file C:\Program Files\Kerio\MailServer\store/tmp/455c3f5e-00001fd9/avfile.tmp: (5) Access is denied.

In the meantime, clamd wasn’t available for scanning, so a) messages were stuck in the mail queue and b) messages that got through got stripped of their attachments because KMS was acting as if a virus was found:
Quote:

Problem: Virus found
MIME type: text/html
File name: (none)
Error: Unable to scan file. ClamAV has not responded for 90 seconds.
Antivirus: Clam AntiVirus

I restarted the clamd daemon, turned Kerio’s AV scanning option off and on, and all was going smoothly again. Until 8:30 the next morning: same problem, different error log:
Quote:

[17/Nov/2006 08:33:31] AvModule.cpp: Server: external plugin cannot be initialized: Unable to initialize plugin, error: Clam AntiVirus is not responding
[17/Nov/2006 08:33:31] AvModule.cpp: Restarting of avir_clam plugin has failed, next try is planned after 300 seconds.

For now I’ve left the AV scanning off…

There’s nothing in the clamd.log indicating any problem.

Specific questions:
  1. In clamd.conf I’ve set the ‘TCPSocket 3310’ and ‘TCPAddr 127.0.0.1’. According to instructions in the clamd.conf file, you should disable the ‘LocalSocket’ and ‘FixStaleSocket’ options when using ‘network mode’. So I did. However, nothing of this is mentioned in Kerio’s instructions. Should the ‘LocalSocket’ and ‘FixStaleSocket’ settings be disabled or not?
  2. The above and the settings in Kerio suggest the communication uses (internal) IP. However, the error log clearly indicates Kerio saves a file and subsequently requests ClamAV to scan it (“mail_avir.cpp: Cannot open work file C:\ ... /avfile.tmp: (5) Access is denied.”). Is this an indication something is wrong in my configuration?
  3. In case of ClamAV failure, I'd rather have KMS deliver the messages unscanned than stripped of attachments. (ClamAV is not the only AV solution scanning our mail traffic.) Is this possible?
Thanks to all of you trying to help me!


FYI: more clamd.conf settings I’ve changed from the default:

Quote:

# Maximum length the queue of pending connections may grow to.
# Default: 15
MaxConnectionQueueLength 30

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximal attachment size.
# Default: 10M
StreamMaxLength 50M

# Maximal number of threads running at the same time.
# Default: 10
MaxThreads 15

# Files in archives larger than this limit won't be scanned.
# Value of 0 disables the limit.
# Default: 10M
ArchiveMaxFileSize 25M

# Number of files to be scanned within an archive.
# Value of 0 disables the limit.
# Default: 1000
ArchiveMaxFiles 2000

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
ArchiveBlockEncrypted yes

# Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit)
# if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is
# reached.
# Default: no
ArchiveBlockMax yes

[Updated on: Fri, 17 November 2006 17:04]
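A small detection routine for the error-log pattern described in the post above, added here as an example; it is not part of the original post and not Kerio's or ClamAV's code. It parses KMS error-log lines of the quoted shape, classifies the three message kinds seen in the thread, and flags a burst of repeats inside a short window so a stuck scanner is reported once rather than per message. The extra sample entries marked "constructed", the category names and the window/threshold values are assumptions of mine, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of the KMS error log entries quoted in the thread:
# "[16/Nov/2006 11:42:04] mail_avir.cpp: Cannot open work file <path>: (5) Access is denied."
LINE_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\] (\S+): (.*)$")

# Classification rules, checked in order; the patterns follow the three
# message kinds quoted in the thread. Category names are my own.
RULES = [
    ("workfile_access_denied", re.compile(r"Cannot open work file .*Access is denied")),
    ("av_not_responding", re.compile(r"is not responding|has not responded for \d+ seconds")),
    ("plugin_restart_failed", re.compile(r"Restarting of \S+ plugin has failed")),
]

# Constructed sample: the entries quoted in the thread, plus extra entries (marked
# "constructed") that repeat the work-file error and the 300-second retry.
SAMPLE_LOG = [
    r"[16/Nov/2006 11:42:04] mail_avir.cpp: Cannot open work file C:\Program Files\Kerio\MailServer\store/tmp/455c3f5e-00001fd9/avfile.tmp: (5) Access is denied.",
    r"[16/Nov/2006 11:42:05] mail_avir.cpp: Cannot open work file C:\Program Files\Kerio\MailServer\store/tmp/455c3f5e-00001fda/avfile.tmp: (5) Access is denied.",  # constructed
    r"[16/Nov/2006 11:42:09] mail_avir.cpp: Cannot open work file C:\Program Files\Kerio\MailServer\store/tmp/455c3f5e-00001fdb/avfile.tmp: (5) Access is denied.",  # constructed
    "[17/Nov/2006 08:33:31] AvModule.cpp: Server: external plugin cannot be initialized: Unable to initialize plugin, error: Clam AntiVirus is not responding",
    "[17/Nov/2006 08:33:31] AvModule.cpp: Restarting of avir_clam plugin has failed, next try is planned after 300 seconds.",
    "[17/Nov/2006 08:38:31] AvModule.cpp: Restarting of avir_clam plugin has failed, next try is planned after 300 seconds.",  # constructed
    "not a KMS error entry; skipped by the parser",
]


def parse_line(line):
    """Return (timestamp, source, message) for a KMS error entry, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d/%b/%Y %H:%M:%S"), m.group(2), m.group(3)


def classify(message):
    """Map a message to one of the RULES categories, or "other"."""
    for category, pattern in RULES:
        if pattern.search(message):
            return category
    return "other"


def summarize(lines, burst_window=timedelta(minutes=5), burst_threshold=3):
    """Per category: count, first/last timestamp, and whether burst_threshold entries
    ever fell inside burst_window (a stuck scanner shows up as a burst, not a one-off)."""
    stamps_by_cat = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, _source, message = parsed
            stamps_by_cat[classify(message)].append(ts)
    summary = {}
    for category, stamps in stamps_by_cat.items():
        stamps.sort()
        # Sliding window over sorted timestamps: any burst_threshold consecutive
        # entries within burst_window counts as a burst.
        burst = any(
            stamps[i + burst_threshold - 1] - stamps[i] <= burst_window
            for i in range(len(stamps) - burst_threshold + 1)
        )
        summary[category] = {"count": len(stamps), "first": stamps[0],
                             "last": stamps[-1], "burst": burst}
    return summary


def demo():
    return summarize(SAMPLE_LOG)


if __name__ == "__main__":
    for category, info in demo().items():
        print(f"{category}: {info['count']} entries, burst={info['burst']}, "
              f"{info['first']:%d/%b/%Y %H:%M:%S} .. {info['last']:%d/%b/%Y %H:%M:%S}")
```

Feeding the real KMS error log into summarize() turns the situation in the post into two findings: a burst of work-file errors at 11:42 (the scanner holding the file) and a separate, non-burst sequence of plugin restarts at 08:33 and every 300 seconds after it. The window and threshold are tuning knobs; the values above are only a starting point.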

sonofcolin

Quote:

However, the error log clearly indicates Kerio saves a file and subsequently requests ClamAV to scan it (“mail_avir.cpp: Cannot open work file C:\ ... /avfile.tmp: (5) Access is denied.”). Is this an indication something is wrong in my configuration?


1. I don't use ClamAV on Windows.
2. Looks like ClamAV doesn't have permission to scan a directory in the path C:\ ... /. Make sure that ClamAV has the correct permissions on this directory. Does ClamAV run as a specific user under Windows like it does on *nix?
3. I would probably need to see more of the clamd.conf to be of more assistance
Pavel Dobry (Kerio)

winkelman wrote on Fri, 17 November 2006 17:03

I’m having stability problems with ClamAV (ClamAV-SOSDG 0.88.6-1 with KMS 6.3.0 on a fully patched WinServer 2k3 R2). I hope some of you who are also using ClamAV on a Windows server are willing to read my long story and help out/tell your stories. I really would like to use ClamAV with KMS.

I installed ClamAV according to Kerio’s instructions and all seemed to work nicely. It was catching phishing mails that my Kerio Firewall (with McAfee) and my provider were letting through. Nice! Until 11:42 the next morning…

The clamd process was hogging the CPU, probably being stuck on scanning something. The KMS error log shows lots of these:
Quote:

[16/Nov/2006 11:42:04] mail_avir.cpp: Cannot open work file C:\Program Files\Kerio\MailServer\store/tmp/455c3f5e-00001fd9/avfile.tmp: (5) Access is denied.



This error means that something (probably ClamAV) has locked the file, so KMS has no access to it. It seems ClamAV has a problem when scanning the file.
Quote:


In the meantime, clamd wasn’t available for scanning, so a) messages were stuck in the mail queue and b) messages that got through got stripped of their attachments because KMS was acting as if a virus was found:
Quote:

Problem: Virus found
MIME type: text/html
File name: (none)
Error: Unable to scan file. ClamAV has not responded for 90 seconds.
Antivirus: Clam AntiVirus



This is correct. For ensuring maximum security, files that cannot be scanned by antivirus are delivered with a warning.
Quote:


I restarted the clamd daemon, turned Kerio’s AV scanning option off and on, and all was going smoothly again. Until 8:30 the next morning: same problem, different error log:
Quote:

[17/Nov/2006 08:33:31] AvModule.cpp: Server: external plugin cannot be initialized: Unable to initialize plugin, error: Clam AntiVirus is not responding
[17/Nov/2006 08:33:31] AvModule.cpp: Restarting of avir_clam plugin has failed, next try is planned after 300 seconds.

For now I’ve left the AV scanning off…

There’s nothing in the clamd.log indicating any problem.

Specific questions:

1. In clamd.conf I’ve set the ‘TCPSocket 3310’ and ‘TCPAddr 127.0.0.1’. According to instructions in the clamd.conf file, you should disable the ‘LocalSocket’ and ‘FixStaleSocket’ options when using ‘network mode’. So I did. However, nothing of this is mentioned in Kerio’s instructions. Should the ‘LocalSocket’ and ‘FixStaleSocket’ settings be disabled or not?


Actually, this is a question for ClamAV developers. According to comments in the configuration file, you should disable it.
Quote:


2. The above and the settings in Kerio suggest the communication uses (internal) IP. However, the error log clearly indicates Kerio saves a file and subsequently requests ClamAV to scan it (“mail_avir.cpp: Cannot open work file C:\ ... /avfile.tmp: (5) Access is denied.”). Is this an indication something is wrong in my configuration?


No, this is correct. KMS sends ClamAV only the file name to scan (not the whole file) if ClamAV is running on the same computer. The main purpose is faster scanning. This can be disabled by the "UseStreamOnLocalhost" option in the AV plugin settings.
Quote:


3. In case of ClamAV failure, I'd rather have KMS deliver the messages unscanned than stripped of attachments. (ClamAV is not the only AV solution scanning our mail traffic.) Is this possible?


No, this is not possible with only one AV plugin. ClamAV failed to scan the file. For security reasons, KMS ensures that EVERY email is scanned as long as AV scanning is enabled.
It is possible if KMS is running dual AV. KMS will then use the result from the second antivirus if one of them fails to scan the file. This is one of the advantages of using dual AV scanning in KMS.
Quote:


Thanks to all of you trying to help me!


FYI: more clamd.conf settings I’ve changed from the default:

My suggestion is to revert settings in clamd.conf file to default values and enable debug logging in ClamAV to see what happened there.
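To make the filename-versus-stream distinction in the reply above concrete, here is an added example; it is not code from Kerio or from the ClamAV project. It runs a mock clamd and a client that does PING health checks, SCAN by filename, and INSTREAM. In filename mode the scanner process itself must be able to open the work file, which is the class of problem behind the "Access is denied" entries; in stream mode the bytes travel over the socket and file permissions do not matter. The client applies a timeout and reports a hung scan as TIMEOUT, the condition KMS describes as "has not responded for 90 seconds", and a health check issued during the hang still succeeds because the mock handles each connection in its own thread. Assumptions: the mock's reply wording and the MOCK-TEST-SIGNATURE and SLOW markers are constructed; INSTREAM is the stream command of later clamd releases (the 0.88 daemon in the thread used an older stream mechanism), and reading KMS's UseStreamOnLocalhost as this mode is my interpretation, not something the page states.

```python
import os
import socket
import socketserver
import struct
import tempfile
import threading
import time

MARKER = b"MOCK-TEST-SIGNATURE"  # constructed "detection" marker used by the mock
SLOW_MARKER = b"SLOW"            # constructed: content that makes the mock stall


class MockClamd(socketserver.StreamRequestHandler):
    """Stand-in for clamd speaking newline-terminated PING, SCAN <path> and INSTREAM."""
    def handle(self):
        cmd = self.rfile.readline().strip()
        if cmd == b"PING":
            self.wfile.write(b"PONG\n")
        elif cmd.startswith(b"SCAN "):
            # Filename mode: the scanner process itself must be able to open the path.
            path = cmd[5:].decode()
            try:
                with open(path, "rb") as f:
                    reply = verdict(f.read())
            except OSError:
                reply = b"Can't access file ERROR"  # constructed wording
            self.wfile.write(path.encode() + b": " + reply + b"\n")
        elif cmd == b"INSTREAM":
            # Stream mode: 4-byte big-endian length prefix per chunk, zero length ends.
            data, n = b"", -1
            while n != 0:
                (n,) = struct.unpack(">I", self.rfile.read(4))
                data += self.rfile.read(n)
            if SLOW_MARKER in data:
                time.sleep(2.0)  # simulated hang: the client must give up first
            self.wfile.write(b"stream: " + verdict(data) + b"\n")

def verdict(data):
    return MARKER + b" FOUND" if MARKER in data else b"OK"

def _reply(sock):
    """Read one newline-terminated reply; return its last word (PONG/OK/FOUND/ERROR)."""
    buf = b""
    while not buf.endswith(b"\n") and (chunk := sock.recv(4096)):
        buf += chunk
    return (buf.decode().split() or ["EOF"])[-1]

def ping(host, port, timeout=1.0):
    """Health check: True only if the daemon answers PONG within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"PING\n")
            return _reply(s) == "PONG"
    except OSError:  # connection refused or timed out
        return False

def scan_file(host, port, path, timeout=1.0):
    """SCAN by filename: the mode KMS uses on localhost unless UseStreamOnLocalhost is set."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SCAN " + path.encode() + b"\n")
        return _reply(s)

def scan_stream(host, port, data, timeout=1.0, chunk_size=2048):
    """INSTREAM: the content travels over the socket, so the scanner needs no file access."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"INSTREAM\n")
            for i in range(0, len(data), chunk_size):
                chunk = data[i:i + chunk_size]
                s.sendall(struct.pack(">I", len(chunk)) + chunk)
            s.sendall(struct.pack(">I", 0))
            return _reply(s)
    except socket.timeout:
        return "TIMEOUT"  # the condition KMS logs as "has not responded for N seconds"

def run_demo():
    """Start the mock on an ephemeral port, exercise every path, return the verdicts."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockClamd)
    server.daemon_threads, server.block_on_close = True, False
    host, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    tmp = tempfile.mkdtemp()
    for name, body in (("clean.eml", b"hello"), ("flagged.eml", MARKER)):  # constructed messages
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(b"Subject: constructed message\r\n\r\n" + body + b"\r\n")
    try:
        return {
            "ping": ping(host, port),
            "scan_clean": scan_file(host, port, os.path.join(tmp, "clean.eml")),
            "scan_flagged": scan_file(host, port, os.path.join(tmp, "flagged.eml")),
            "scan_unreadable": scan_file(host, port, os.path.join(tmp, "missing.eml")),
            "stream_clean": scan_stream(host, port, b"x" * 5000),
            "stream_hung": scan_stream(host, port, SLOW_MARKER + b" payload", timeout=0.5),
            "ping_after_hang": ping(host, port),  # a stuck scan must not block health checks
        }
    finally:
        server.shutdown()
        server.server_close()
```

Calling run_demo() returns one verdict per path: the unreadable file comes back ERROR in filename mode while the same bytes sent over INSTREAM would be scanned normally, and the hung scan is reported as TIMEOUT without affecting the following PING. Against a real daemon the client would be pointed at the TCPAddr/TCPSocket pair from clamd.conf (127.0.0.1:3310 in the thread), and a PING probe on a short timer is a cheap way to learn that clamd has stopped answering before KMS disables the plugin for 300 seconds.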