An integer overflow vulnerability in clamav has been found: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=634
We are preparing a new ISPConfig version with the latest ClamAV. As a temporary workaround, you should disable the scanning of PE files. Edit the file:
/home/admispconfig/ispconfig/tools/clamav/bin/clamassassin
and change the line:
CLAMSCANOPT="--no-summary --stdout"
To:
CLAMSCANOPT="--no-summary --stdout --no-pe"
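The workaround above as a script that can be re-run safely. This is an added example, not part of the original thread or of ISPConfig; the function names nope_status and apply_nope are hypothetical, and the script assumes the CLAMSCANOPT value is double-quoted as shown in the post.

```shell
#!/bin/sh
# Added example: apply the --no-pe workaround to a clamassassin script
# idempotently and verify the result. Usage: sh this_script.sh /path/to/clamassassin

# Status of the workaround in the given file:
#   0 = every CLAMSCANOPT= line already has --no-pe
#   1 = at least one CLAMSCANOPT= line lacks it
#   2 = no CLAMSCANOPT= line found (unexpected layout, leave the file alone)
nope_status() {
    total=$(grep -c '^[[:space:]]*CLAMSCANOPT=' "$1" || true)
    [ "${total:-0}" -gt 0 ] || return 2
    patched=$(grep '^[[:space:]]*CLAMSCANOPT=' "$1" \
        | grep -Ec -e '--no-pe([^[:alnum:]-]|$)' || true)
    [ "$patched" -eq "$total" ]
}

# Add --no-pe inside the closing quote of each CLAMSCANOPT="..." line that
# lacks it. A copy is kept as <file>.bak and the result is re-checked, so a
# single-quoted or unquoted assignment shows up as a failure, not a silent no-op.
apply_nope() {
    file=$1
    rc=0
    nope_status "$file" || rc=$?
    case $rc in
        0) echo "already patched: $file"; return 0 ;;
        2) echo "no CLAMSCANOPT= line in $file" >&2; return 2 ;;
    esac
    cp -p "$file" "$file.bak" || return 1
    # Writing back with '>' keeps the original file's mode (executable bit).
    sed '/--no-pe[^[:alnum:]-]/!s/^\([[:space:]]*CLAMSCANOPT="[^"]*\)"/\1 --no-pe"/' \
        "$file.bak" > "$file" || return 1
    nope_status "$file"
}

# Run only when a path is given, e.g. the clamassassin path from the post.
if [ "$#" -gt 0 ]; then
    apply_nope "$1"
fi
```
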
I think most people use clamdscan and should edit clamd config file to get: And restart clamd service with log check: EDIT: Bug already fixed - at least in SLES10SP1 with clamav patch (clamav-0.92-0.2). -- GreetZ .:JbRaVo:.
Clamscan and not Clamdscan is the default in all ISPConfig installations if you have not patched ISPConfig manually!
Of course, but I'm sure you know that most of us use the daemonized version because of performance issues. Anyway, thanks for the information - I've changed my ClamAV configuration on other servers too -- GreetZ .:JbRaVo:.
Didn't take them long to start using this bug. My server had serious performance issues before I found out about this. How do I disable ClamAV in ISPConfig? Sam
Disabling is not necessary, as you can see in the post above, and this bug in clamav has nothing to do with performance. If you want to disable clamav, go to the email user settings and disable the checkbox for the antivirus scan.
How come I'm still getting a lot of processes from the same users even after the "quick fix"? I don't recall there being so many clamscans before. Sam
The above just means that you get many emails, this is not caused by the bug in the pe scanning. To enhance the scanning performance, you can e.g. switch to clamdscan instead of clamscan: http://www.howtoforge.com/forums/showthread.php?t=16204
Are you sure about that, Till? My Apache service kept crashing after a while. And this started at the same time the clamscan went mad. Sam
Odd. I'm still getting lines like this...
12443 user-2a 25 0 28540 25m 2024 R 3.3 5.1 0:14.82 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
Even after removing the Antivirus: tab from this particular user user-2a. Why is that?
It's been several hours now. Still those accounts are using clamscan. Is there a way to stop/disable clamscan on the whole server?
It's odd. ISPConfig control panel is running at normal speed. Only apache web services get affected by the many clamscan services running mad.
The only way I could gain control of the situation was to manually remove the offending mail account's folder. Even though I had removed the mail account from ISPConfig, it did not remove the account for several hours and finally I just removed it by hand. Obviously something was done to the user's mail settings on that particular folder. (Probably spam?) Anyway, situation under control for now. In the future, if ClamAV goes haywire, is there a way to bypass/disable it on the server for all the users?