ClamAV times out

Raise/discuss any potential issues with MailEnable for consideration in project issue register.
SantaPhil
Posts: 15
Joined: Wed Dec 18, 2019 8:16 pm

ClamAV times out

Post by SantaPhil »

Looking at the antivirus logs it appears that Clam times out all of the time and does not check the file for a virus. It also leaves the files in the scratch directory which is growing.

Reading previous postings, I made sure that I was configured correctly: Clam is running with administrator permissions, and I modified the registry to give it an additional 10 seconds, moving it from 20 to 30 seconds before timeout.

While it is not that busy of a mail server, I would hate to go longer than 30 seconds. Is this normal?

Running 10.28 Enterprise Premium.

Any help would be appreciated.

Thanks,

Phil

Admin
Site Admin
Posts: 1127
Joined: Mon Jun 10, 2002 6:31 pm
Location: Melbourne, Victoria, Australia

Re: ClamAV times out

Post by Admin »

The ClamAV that is installed with MailEnable runs as a service and we pass it the message file to check. You can check it is working ok through a command prompt. Open a prompt, navigate to the ClamAV directory and you can use the clamdscan.exe to scan a file like:

C:\Program Files (x86)\Mail Enable\Antivirus\ClamAV>clamdscan c:\testfile.exe
c:\testfile.exe: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.017 sec (0 m 0 s)

There is something wrong if it times out, as when it runs as a service the virus definitions are kept in memory and scanning is fairly fast. There was a bug in ClamAV though that it failed on specially crafted messages (I think it was due to MIME boundaries), so there was a Clam update. This is included in the new beta we have at

https://www.mailenable.com/beta

So I would recommend you try the command line to make sure it is scanning files fast enough and check the scratch directory files to see if they are actually valid. If they are not valid, then update the server to the beta to get the new Clam.

PhilC
Posts: 8
Joined: Fri Oct 04, 2019 6:08 pm

Re: ClamAV times out

Post by PhilC »

Updated to version 10.29.

This is from the AV log file

Error scanning attachment - Command Line Scanner Process ("C:\Program Files (x86)\Mail Enable\Antivirus\ClamAV\clamdscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\8B43B4~1.MAI\0.ATT" --no-summary) took too long and was terminated
12/26/19 11:21:53 ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\8B43B41F8CC24E19A338E8CAEEF53B2A.MAI\0.ATT (Error: 32)
12/26/19 11:21:53 ->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\8B43B41F8CC24E19A338E8CAEEF53B2A.MAI (Error: 145)

Any Ideas?

I notice that some of the files in the directories are now .tmp instead of .att if that helps.

Thanks,

Phil

Admin
Site Admin
Posts: 1127
Joined: Mon Jun 10, 2002 6:31 pm
Location: Melbourne, Victoria, Australia

Re: ClamAV times out

Post by Admin »

Did you run the command line? Does it work? Check the clam logs at:

Mail Enable\Antivirus\ClamAV\clamd.log

It may give an indication of what is happening. The leftover files are because they are being locked by Clam and our MTA service cannot delete them.

PhilC
Posts: 8
Joined: Fri Oct 04, 2019 6:08 pm

Re: ClamAV times out

Post by PhilC »

Here is the clamscan command line test. It took 18 seconds to scan a 3 MB txt file.

Is that correct? Seems a bit long, plus it mentions loading the virus files.

Thanks,

Phil
clamscan.JPG

mheidelberger
Posts: 7
Joined: Wed Jan 08, 2020 5:20 pm

Re: ClamAV times out

Post by mheidelberger »

You need to run clamdscan to use the clam daemon that has all the sigs in memory. In the screenshot you ran clamscan.
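
Added example, not part of the thread: clamd can also be timed without clamdscan.exe by speaking its TCP protocol directly, which separates daemon latency from client start-up. It assumes the listener is 127.0.0.1:3310 as in the clamd.conf posted further down; `frame_instream`, `ask`, `probe` and the sample bytes are made-up names and data.

```python
import socket
import struct
import time

def frame_instream(data, chunk=4096):
    """Frame data as a clamd INSTREAM request: command, then
    4-byte big-endian length + bytes per chunk, then a zero-length chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out.append(struct.pack(">I", len(part)) + part)
    out.append(struct.pack(">I", 0))
    return b"".join(out)

def ask(host, port, request, timeout=30.0):
    """Send one request on a fresh connection; return (reply_text, seconds)."""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        buf = b""
        while not buf.endswith(b"\0"):   # 'z' commands get NUL-terminated replies
            got = s.recv(4096)
            if not got:
                break
            buf += got
    return buf.rstrip(b"\0").decode(errors="replace"), time.monotonic() - start

def probe(host="127.0.0.1", port=3310, sample=b"constructed harmless sample\n"):
    """Time a PING and a small in-memory scan against the running daemon.
    Keep the sample below StreamMaxLength (5M in the posted config)."""
    ping, t_ping = ask(host, port, b"zPING\0")
    verdict, t_scan = ask(host, port, frame_instream(sample))
    return {"ping": ping, "ping_s": t_ping, "verdict": verdict, "scan_s": t_scan}

if __name__ == "__main__":
    print(probe())   # needs a clamd listening on the assumed address
```

A healthy daemon answers `PONG` and `stream: OK` in well under a second; a slow or missing reply here points at clamd itself rather than at the process that launches clamdscan.exe.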

PhilC
Posts: 8
Joined: Fri Oct 04, 2019 6:08 pm

Re: ClamAV times out

Post by PhilC »

And here is the clamd.log file

Tue Feb 11 14:14:18 2020 -> +++ Started at Tue Feb 11 14:14:18 2020
Tue Feb 11 14:14:18 2020 -> Received 0 file descriptor(s) from systemd.
Tue Feb 11 14:14:18 2020 -> clamd daemon 0.102.1 (OS: win32, ARCH: i386, CPU: i386)
Tue Feb 11 14:14:18 2020 -> Log file size limited to 1048576 bytes.
Tue Feb 11 14:14:18 2020 -> Reading databases from C:\Program Files (x86)\Mail Enable\Antivirus\ClamAV\db
Tue Feb 11 14:14:18 2020 -> Not loading PUA signatures.
Tue Feb 11 14:14:18 2020 -> Bytecode: Security mode set to "TrustSigned".
Tue Feb 11 14:14:30 2020 -> Loaded 6736785 signatures.
Tue Feb 11 14:14:34 2020 -> TCP: Bound to [127.0.0.1]:3310
Tue Feb 11 14:14:34 2020 -> TCP: Setting connection queue length to 30
Tue Feb 11 14:14:34 2020 -> Limits: Global time limit set to 120000 milliseconds.
Tue Feb 11 14:14:34 2020 -> Limits: Global size limit set to 104857600 bytes.
Tue Feb 11 14:14:34 2020 -> Limits: File size limit set to 26214400 bytes.
Tue Feb 11 14:14:34 2020 -> Limits: Recursion level limit set to 16.
Tue Feb 11 14:14:34 2020 -> Limits: Files limit set to 10000.
Tue Feb 11 14:14:34 2020 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Tue Feb 11 14:14:34 2020 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Tue Feb 11 14:14:34 2020 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Tue Feb 11 14:14:34 2020 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Tue Feb 11 14:14:34 2020 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Tue Feb 11 14:14:34 2020 -> Limits: MaxPartitions limit set to 50.
Tue Feb 11 14:14:34 2020 -> Limits: MaxIconsPE limit set to 100.
Tue Feb 11 14:14:34 2020 -> Limits: MaxRecHWP3 limit set to 16.
Tue Feb 11 14:14:34 2020 -> Limits: PCREMatchLimit limit set to 100000.
Tue Feb 11 14:14:34 2020 -> Limits: PCRERecMatchLimit limit set to 2000.
Tue Feb 11 14:14:34 2020 -> Limits: PCREMaxFileSize limit set to 26214400.
Tue Feb 11 14:14:34 2020 -> Archive support enabled.
Tue Feb 11 14:14:34 2020 -> AlertExceedsMax heuristic detection disabled.
Tue Feb 11 14:14:34 2020 -> Heuristic alerts enabled.
Tue Feb 11 14:14:34 2020 -> Portable Executable support enabled.
Tue Feb 11 14:14:34 2020 -> ELF support enabled.
Tue Feb 11 14:14:34 2020 -> Mail files support enabled.
Tue Feb 11 14:14:34 2020 -> OLE2 support enabled.
Tue Feb 11 14:14:34 2020 -> PDF support enabled.
Tue Feb 11 14:14:34 2020 -> SWF support enabled.
Tue Feb 11 14:14:34 2020 -> HTML support enabled.
Tue Feb 11 14:14:34 2020 -> XMLDOCS support enabled.
Tue Feb 11 14:14:34 2020 -> HWP3 support enabled.
Tue Feb 11 14:14:34 2020 -> Self checking every 1800 seconds.

PhilC
Posts: 8
Joined: Fri Oct 04, 2019 6:08 pm

Re: ClamAV times out

Post by PhilC »

I ran the command line clamdscan.exe and everything was OK

It only seems to time out when being run by MailEnable.

Here is the logfile

Time Action MessageID Connector Filter Result Account Sender ClientIP
02/11/20 05:13:10 Start - - - - - - -
02/11/20 05:13:10 Error scanning attachment - Command Line Scanner Process ("C:\PROGRA~2\MAILEN~1\Antivirus\ClamAV\clamdscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\2F116C~1.MAI\0.ATT" --no-summary) took too long and was terminated
02/11/20 05:13:10 Error scanning attachment - Command Line Scanner Process ("C:\PROGRA~2\MAILEN~1\Antivirus\ClamAV\clamdscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\EB2167~1.MAI\0.ATT" --no-summary) took too long and was terminated
02/11/20 05:13:10 Error scanning attachment - Command Line Scanner Process ("C:\PROGRA~2\MAILEN~1\Antivirus\ClamAV\clamdscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\56C399~1.MAI\0.ATT" --no-summary) took too long and was terminated
02/11/20 05:13:14 Error scanning attachment - Command Line Scanner Process ("C:\PROGRA~2\MAILEN~1\Antivirus\ClamAV\clamdscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\68C877~1.MAI\0.ATT" --no-summary) took too long and was terminated
02/11/20 05:13:19 ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\56C3997A13BC449F92E184AC8689AE5F.MAI\0.ATT (Error: 32)
02/11/20 05:13:19 ->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\56C3997A13BC449F92E184AC8689AE5F.MAI (Error: 145)
02/11/20 09:41:59 Error scanning attachment - Command Line Scanner Process ("C:\PROGRA~2\MAILEN~1\Antivirus\ClamAV\clamdscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\7745F3~1.MAI\0.ATT" --no-summary) took too long and was terminated
02/11/20 09:42:05 ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\7745F3AF1C8045F592D23E1E3439F036.MAI\0.ATT (Error: 32)
02/11/20 09:42:05 ->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\7745F3AF1C8045F592D23E1E3439F036.MAI (Error: 145)
02/11/20 14:10:37 End - - - - - - -

and here is the clamd.conf

TCPSocket 3310
TCPAddr 127.0.0.1
FixStaleSocket yes
MaxThreads 100
LogFile C:\Program Files (x86)\Mail Enable\Antivirus\ClamAV\clamd.log
LogTime yes
LogFileUnlock yes
DatabaseDirectory C:\Program Files (x86)\Mail Enable\Antivirus\ClamAV\db
TemporaryDirectory C:\Program Files (x86)\Mail Enable\Scratch
LogFileMaxSize 1M
MaxQueue 200
MaxConnectionQueueLength 30
MaxDirectoryRecursion 15
SelfCheck 1800
ExitOnOOM yes
ScanArchive yes
ScanHTML yes
ScanMail yes
ScanOLE2 yes
StreamMaxLength 5M
ReadTimeout 160
IdleTimeout 60

Any help would be appreciated.

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: ClamAV times out

Post by MailEnable-Ian »

Hi,

The errors seem to indicate that the file is being locked by another process and not able to be removed. Do you have another Antivirus program running on the server with resident AV scanning enabled? If so you need to exclude the "MailEnable" folder.

Regards,

Ian Margarone
MailEnable Support
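
Added example, not part of the thread or MailEnable's own tooling: a small Python triage of the AV log format quoted above, pairing each scanner timeout with the cleanup failures for the same scratch directory and naming the Win32 codes (32 is a sharing violation, 145 is directory not empty). The sample lines are constructed, and matching 8.3 short names to long names by their first six characters is a heuristic.

```python
import re
from datetime import datetime

# Win32 error codes that appear in the MTA cleanup lines.
WIN32 = {32: "ERROR_SHARING_VIOLATION", 145: "ERROR_DIR_NOT_EMPTY"}
TS = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TIMEOUT = re.compile(TS + r' Error scanning attachment .*\\Scratch\\([^\\]+)\\[^"]+".* took too long')
CLEANUP = re.compile(TS + r" ->(\w+)::\s*\[MTAFILTER\] .*\\Scratch\\([^\\ ]+)\S* \(Error: (\d+)\)")

# Constructed sample in the format of the log above (IDs and times are made up).
SAMPLE_LOG = r"""01/02/20 10:00:00 Error scanning attachment - Command Line Scanner Process ("C:\PROGRA~2\MAILEN~1\Antivirus\ClamAV\clamdscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\AAAA11~1.MAI\0.ATT" --no-summary) took too long and was terminated
01/02/20 10:00:00 Error scanning attachment - Command Line Scanner Process ("C:\PROGRA~2\MAILEN~1\Antivirus\ClamAV\clamdscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\BBBB22~1.MAI\0.ATT" --no-summary) took too long and was terminated
01/02/20 10:00:09 ->DeleteFiles::[MTAFILTER] Could not delete file C:\PROGRA~2\MAILEN~1\Scratch\AAAA11F0C0FFEE00000000000000000A.MAI\0.ATT (Error: 32)
01/02/20 10:00:09 ->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\PROGRA~2\MAILEN~1\Scratch\AAAA11F0C0FFEE00000000000000000A.MAI (Error: 145)
"""

def key(name):
    # 8.3 short names keep the first six characters of the long name (heuristic).
    return name.split("~")[0][:6].upper()

def stamp(text):
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")

def triage(log):
    """Group timeout and cleanup-failure lines by message directory."""
    msgs = {}
    for line in log.splitlines():
        if m := TIMEOUT.match(line):
            msgs.setdefault(key(m[2]), {"timeout": None, "errors": []})["timeout"] = stamp(m[1])
        elif m := CLEANUP.match(line):
            name = WIN32.get(int(m[4]), m[4])
            msgs.setdefault(key(m[3]), {"timeout": None, "errors": []})["errors"].append((m[2], name, stamp(m[1])))
    return msgs

def locked_after_timeout(msgs):
    """Return (directory key, seconds) where a sharing violation followed a timeout."""
    out = []
    for k, rec in msgs.items():
        for _action, err, when in rec["errors"]:
            if err == "ERROR_SHARING_VIOLATION" and rec["timeout"]:
                out.append((k, int((when - rec["timeout"]).total_seconds())))
    return out

if __name__ == "__main__":
    print(locked_after_timeout(triage(SAMPLE_LOG)))
```

A sharing violation that persists seconds after clamdscan.exe was terminated points to a process other than the terminated client still holding the file, which is consistent with the replies above.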
