How does clamav work?

Discussion in 'Installation/Configuration' started by DrMartinus, Sep 15, 2019.

  1. DrMartinus

    DrMartinus Member HowtoForge Supporter

    I'm asking because every time I upgrade ispconfig I see the message that there was an error:
    Code:
    Job for [email protected] failed because the control process exited with error code. 
    Running
    Code:
     systemctl status [email protected]
    returns an
    Code:
    activating
    as active state, and this every time the status is checked (even after days). Just the time since when it's activating changes every time when the status is checked.
    Is this the normal way of running if it's running via amavis? Or do I need to change something in order to make it work properly?
     
  2. DrMartinus

    DrMartinus Member HowtoForge Supporter

    I actually would appreciate a reply to this, because every minute, I get this message on my server:
    Code:
    clamd: ERROR: LOCAL: Socket file /var/run/clamd.amavisd/clamd.socket is in use by another process
    [email protected] control process exited, code = exited status = 1
    Failed to start clamd scanner (amavisd) daemon
    Unit clamavisd.service entered failed state.
    [email protected] failed.
    It worries me because in the recent days the server crashed quite regularly, and while I don't find any hint to the cause, I only see those messages about clamd and wonder if it does its job or not.
    I just notice that I have placed this question in the wrong forum. Is it possible to move it?
     
    Last edited: Oct 5, 2019
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Find out what other process is using clamd.socket. Looks like that prevents that service starting.
    Maybe it is twice in startup scripts so the second attempt to start it fails?
    I do not use CentOS so I can not give better advice.
     
  4. DrMartinus

    DrMartinus Member HowtoForge Supporter

    How do I find that out? I went through the scripts in /etc/systemd/system and didn't find anything suspicious. Any other place?
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Examine if there are more than one clamd processes:
    Code:
    ps -ef | grep -i clam
    Things to try:
    Code:
    systemctl status clamav-daemon.service
    systemctl stop clamav-daemon.service
    systemctl stop clamav-freshclam.service
    
    Then see if clam processes are running. If they run, kill them. Then remove that socket file. Now start clamav-daemon and freshclam.
     
  6. DrMartinus

    DrMartinus Member HowtoForge Supporter

    Code:
    systemctl status clamav-daemon.service
    says that there is no such service (could not be found).
    Code:
    ps -ef | grep -i clam
    returns amavis twice and root once (if I knew how to copy lines from the putty window I would, but the methods I found described somewhere don't seem to work here - no idea why).
     
  7. DrMartinus

    DrMartinus Member HowtoForge Supporter

    Code:
    ps -ef | grep -i clam
    Returns this:
    Code:
    amavis    4973     1  0 Okt05 ?        00:01:20 /usr/sbin/clamd -c /etc/clamd.d/scan.conf
    amavis   26905     1 99 05:34 ?        00:00:35 /usr/sbin/clamd -c /etc/clamd.d/amavisd.conf
    root     26978 26962  0 05:34 pts/1    00:00:00 grep --color=auto -i clam
    

    Code:
    systemctl status clamav-daemon.service
    
    Returns this:
    Code:
    Unit clamav-daemon.service could not be found.
     
  8. DrMartinus

    DrMartinus Member HowtoForge Supporter

    I'm sorry for the double post. When I just looked, I didn't see my reply, and it bugged me that I couldn't copy from Putty's console, so I checked once more and looked into the configuration and found that the use of the mouse for copying was disabled. So now it works and I posted the output. Oddly, my reply from yesterday then showed up.
     
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    So there are two clamd processes:
    Code:
    amavis    4973     1  0 Okt05 ?        00:01:20 /usr/sbin/clamd -c /etc/clamd.d/scan.conf
    amavis   26905     1 99 05:34 ?        00:00:35 /usr/sbin/clamd -c /etc/clamd.d/amavisd.conf
    Both run as user amavis, so maybe something is wrong in amavis configuration and it starts two clamd processes?
    A temporary fix is to kill both clamd processes, and then start just one. This works until next reboot.
    Perhaps some CentOS user can give insights on how to fix this permanently?
     
  10. exynenem

    exynenem Member

    Your Amavis/ClamAV configuration seems to be different to the ISPConfig CentOS defaults.
    Also the EPEL Amavis/Clam packages are using .sock file types instead of .socket in their configs. So I've no idea which repository you got your packages from.

    First you should check which process blocks the socket by using the command "lsof".
    Example (change the socketname/type accordingly):
    Code:
    lsof /var/run/clamd.amavisd/clamd.sock
    COMMAND   PID   USER   FD   TYPE             DEVICE SIZE/OFF  NODE NAME
    clamd   13570 amavis    4u  unix 0xffff9acc4368ac00      0t0 51224 /var/run/clamd.amavisd/clamd.sock
    
    The socket should be used by clamd command and user amavis.
    You should also check how you have configured the socket in your amavis and clamav configuration.

    In a working ISPConfig (default) environment and amavis/clamav packages installed from EPEL the config looks as follows:

    Code:
    grep clamd.sock /etc/amavisd.conf
      \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"],
    
    grep clamd.sock /etc/clamd.d/*
    /etc/clamd.d/amavisd.conf:LocalSocket /var/run/clamd.amavisd/clamd.sock
    
    Make sure that the sockets match in each config file and restart the services after you've made your changes.
    Consider committing the changes if you use etckeeper, or make a backup of the config files before you do any changes to the configs - just in case...
     
  11. DrMartinus

    DrMartinus Member HowtoForge Supporter

    First of all, thank you very much for your reply! I appreciate your help very much!
    Is there a way to find out what these defaults are? I followed the installation instructions as much as possible, I don't remember if there were any glitches. But it sure would be nice to have somewhere a presentation of what are the defaults for a properly functioning CentOS installation.

    It may be (but I'm absolutely not sure) that the ISPConfig installation expected .socket files. Or it was the other way round. I think that there was a mismatch, and probably I matched them by just naming the one as (one of) the config-file(s) suggested. But I'm really not sure (I didn't take notes of every step I went through, but I realise it's probably worth doing that).
    The result is:
    Code:
    COMMAND  PID   USER   FD   TYPE             DEVICE SIZE/OFF  NODE NAME
    clamd   1821 amavis    4u  unix 0x00000000bff3b486      0t0 22221 /var/run/clamd.amavisd/clamd.socket
    clamd   2015 amavis    4u  unix 0x00000000bff3b486      0t0 22221 /var/run/clamd.amavisd/clamd.socket
    
    It seems to me as if there are two identical processes, only with different PIDs?

    That seems to be the case - for both processes...

    These are the results:
    Code:
     grep clamd.sock /etc/amavisd.conf
      \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.socket"],
    
    and
    Code:
    grep clamd.sock /etc/clamd.d/*
    /etc/clamd.d/amavisd.conf:LocalSocket /var/run/clamd.amavisd/clamd.socket
    /etc/clamd.d/scan.conf:#LocalSocket /var/run/clamd.scan/clamd.sock
    /etc/clamd.d/scan.conf:LocalSocket /var/run/clamd.amavisd/clamd.socket
    /etc/clamd.d/scan.conf.rpmnew:#LocalSocket /var/run/clamd.scan/clamd.sock
    
    This seems to be correct, too. The two lines with clamd.sock are commented out, so they shouldn't have any impact. Is it correct that there are two conf-files in /etc/clamd.d?
    Another thought: should I just rename the clamd.socket entries into clamd.sock? But in /var/run/clamd.amavisd is only a file "clamd.socket".
    From looking at the conf file /etc/clamd.d/scan.conf, I notice that I changed those lines to match the socket file already last year. Now this could have been caused by the entry in the amavis conf file, where it was looking for a .socket file and didn't find it.
     
  12. exynenem

    exynenem Member

    Ok, your scan.conf might have the final clue for what is the issue on your system.
    I guess you have clamd standalone service running which blocks the socket for the [email protected].

    Check whether [email protected] is running and if so stop & disable it. Afterwards restart [email protected].
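The checks suggested in the replies above (lsof on the socket, grep of the amavis and clamd.d configs, and the conclusion that two clamd.d profiles shared one LocalSocket) can be scripted. The following is an added example, not code from the thread or from ISPConfig; it builds a constructed copy of the configs DrMartinus posted under a temporary directory and assumes the real files live at /etc/amavisd.conf and /etc/clamd.d/.

```shell
#!/bin/sh
# Added example: each clamd.d profile that shares a LocalSocket with another
# profile is a guaranteed "Socket file ... is in use" start-up failure.

# 1. Print socket paths declared by more than one clamd.d profile, with the files.
#    Only uncommented lines with the keyword at line start count.
socket_conflicts() {
    grep -H '^LocalSocket[[:space:]]' "$1"/*.conf 2>/dev/null |
    awk '{ sub(/:.*/, "", $1); n[$2]++; f[$2] = f[$2] " " $1 }
         END { for (p in n) if (n[p] > 1) print p ":" f[p] }' | sort
}

# 2. Socket that amavis expects clamd on (the CONTSCAN ask_daemon entry).
amavis_socket() {
    sed -n 's/.*CONTSCAN[^,]*,[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# 3. Is that path declared by some clamd.d profile at all? Exit 0 if yes.
amavis_socket_declared() {
    want=$(amavis_socket "$2")
    [ -n "$want" ] || return 1
    grep -h '^LocalSocket[[:space:]]' "$1"/*.conf 2>/dev/null |
        awk '{ print $2 }' | grep -qxF -- "$want"
}

# 4. PIDs currently holding a socket file (wraps the lsof step from the thread).
socket_holders() { lsof -t -- "$1" 2>/dev/null; }

# Constructed sample reproducing the posted configs: both clamd.d profiles
# (amavisd.conf and scan.conf) point at the amavisd socket.
make_sample_configs() {
    d=$(mktemp -d) && mkdir "$d/clamd.d"
    printf '%s\n' 'LocalSocket /var/run/clamd.amavisd/clamd.socket' > "$d/clamd.d/amavisd.conf"
    printf '%s\n' '#LocalSocket /var/run/clamd.scan/clamd.sock' \
        'LocalSocket /var/run/clamd.amavisd/clamd.socket' > "$d/clamd.d/scan.conf"
    printf '%s\n' '  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.socket"],' \
        > "$d/amavisd.conf"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_configs)
    echo "conflicting sockets:"; socket_conflicts "$d/clamd.d"
    echo "amavis expects: $(amavis_socket "$d/amavisd.conf")"
fi
```

Run it with --demo to see the constructed conflict; on a server, call the functions with /etc/clamd.d and /etc/amavisd.conf instead.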
     
  13. DrMartinus

    DrMartinus Member HowtoForge Supporter

    Well, that seems to have done it. Now I get the status "active" instead of "activating" for the [email protected]. Thanks a lot for your help!!! :)
     
