
List:       clamav-users
Subject:    [clamav-users] error files in /
From:       "Hoevenaar, Jeffrey \(GE Aviation, US\) via clamav-users" <clamav-users () lists ! cl
Date:       2022-05-04 15:13:36
Message-ID: 05905be7c2874bdfbda56a2ba8160325 () ge ! com

Same basic errors in each file.

I have logs going to /var/log/

The restart occurs via a script run by cron.  However, the output is redirected to /dev/null.



[root@rhel7test ~]# clamconf -n
Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
LogRotate = "yes"
TemporaryDirectory = "/var/tmp"
TCPSocket = "3310"
TCPAddr = "127.0.0.1"
ReadTimeout = "300"
CommandReadTimeout = "120"
CrossFilesystems disabled
ConcurrentDatabaseReload disabled
User = "clamscan"
ScanArchive disabled
OnAccessIncludePath = "/usr", "/home", "/etc", "/root", "/opt", "/boot", "/tmp"
OnAccessExcludePath = "/opt/splunkforwarder", "/opt/commvault", "/opt/SolarWinds"
OnAccessExcludeUname = "clamscan"
OnAccessRetryAttempts = "3"

Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"

mail/clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.3
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 08:32:42 2021
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 10:21:51 2021
daily.cvd: version 26505, sigs: 1977345, built on Thu Apr  7 04:25:37 2022
Total number of signatures: 8624864

Platform information
--------------------
uname: Linux 3.10.0-1160.62.1.el7.x86_64 #1 SMP Wed Mar 23 09:04:02 UTC 2022 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.7 (1.2.7), compile flags: a9
platform id: 0x0a217c7c0800000002040805

Build information
-----------------
GNU C: 4.8.5 20150623 (Red Hat 4.8.5-44) (4.8.5)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions \
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches \
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64 -mtune=generic \
-fno-strict-aliasing   -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE \
                -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions \
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches \
                -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64 -mtune=generic
LDFLAGS: -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed  \
                -lprelude
Configure: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' \
'--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' \
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' \
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' \
'--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' \
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-milter' \
'--disable-clamav' '--disable-static' '--disable-zlib-vcheck' '--disable-unrar' \
'--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav' \
'--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath' \
'--disable-silent-rules' '--enable-clamdtop' '--enable-prelude' \
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' \
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions \
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches \
                -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64
  -mtune=generic' 'LDFLAGS=-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld \
-Wl,--as-needed' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions \
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches \
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64 -mtune=generic' \
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' sizeof(void*) = 8
Engine flevel: 124, dconf: 124

Thanks,
Jeff Hoevenaar

-----Original Message-----
From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of G.W. Haywood via clamav-users
Sent: Wednesday, May 4, 2022 8:46 AM
To: Hoevenaar, Jeffrey (GE Aviation, US) via clamav-users <clamav-users@lists.clamav.net>
Cc: G.W. Haywood <clamav@jubileegroup.co.uk>
Subject: EXT: Re: [clamav-users] error files in /

Hi there,

On Wed, 4 May 2022, Hoevenaar, Jeffrey (GE Aviation, US) via clamav-users wrote:

> I am getting these strange files in the root file system "/" on my linux servers.
> 
> -rw-r-----.   1 root root    98 Apr 13 08:00 @??E?U
> -rw-r-----.   1 root root    75 Apr 26 08:00 @g6??U
> -rw-r-----.   1 root root    75 Apr  1 08:00 @g)$?U
> 
> 
> The files contain the error message.
> 
> ERROR: ClamClient: Connection to clamd failed, Couldn't resolve host name.
> ClamScanQueue: stopped

Do they all contain the same error message?  Two of the files are 75 bytes long, the
other one is 98 bytes.  The error message in your post is (give or take formatting in
an email) 98 bytes.  The first line of the error is 75 bytes (with the same proviso).

To connect to clamd, an IP address would be more reliable than a hostname.  It
wouldn't rely on some flaky name resolution service.

In any case more information is needed.  Please could you let us have the output of
the command

clamconf -n

cut and pasted into an email so that there are no accidental changes?

> I believe it is occurring when the clam services are restarted each day.

It isn't really necessary to restart those services daily, but it probably won't do
any harm and it might help highlight some issues (for example like this one).  But
I'd be inclined to disable the restarts, at least for a while, just to find out if
the restarts really are triggering this.

> Any idea how to route these error messages elsewhere?

It will be easy to do but more information is needed.  There are very few reasons to
write files in the root directory, and nothing like ClamAV has any business doing
that.  It might mean there's something wrong with your configuration; it might not be
the ClamAV-specific configuration but that's a place to start.  ClamAV might be
started or restarted by some configuration that's provided by your operating system
distribution, and not by ClamAV itself.  It would help if you could give us
information about that, such as the OS distribution(s), the packages which provide
ClamAV, etc. and any local configuration changes made to the distribution defaults.
The ideal would be to get any utility (such as one provided by ClamAV) to know where
to write its error output (e.g. /var/log/somewhere) before actually doing it.

-- 

73,
Ged.
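
The size check described above (75 bytes for the first error line, 98 for both) can be run over every oddly named file in one pass. This is an added example, not part of either message in the thread: the function names are hypothetical, the control bytes in the sample file names are constructed (the real bytes behind the "?" marks are not known), and find is assumed to support -maxdepth.

```shell
#!/bin/sh
# Added example, not from the thread: report stray files like those seen in "/".

# Print "size<TAB>masked-name<TAB>clamav-lines" for each regular file directly
# in directory $1 whose name contains a byte outside printable ASCII.
triage_stray_files() {
    # LC_ALL=C makes the name test byte-wise. -exec hands names over as
    # arguments, so odd bytes (even newlines) never cross a pipe.
    LC_ALL=C find "$1" -maxdepth 1 -type f -name '*[![:print:]]*' -exec sh -c '
        for f do
            size=$(wc -c < "$f" | tr -d " ")
            # Mask unprintable bytes with "?", as ls did in the listing above.
            name=$(printf "%s" "${f##*/}" | tr -c "[:print:]" "[?*]")
            # Count lines matching the two messages quoted in the thread.
            hits=$(grep -Ec "^(ERROR: ClamClient: |ClamScanQueue: )" "$f")
            printf "%s\t%s\t%s\n" "$size" "$name" "$hits"
        done' sh {} +
}

# Constructed sample: recreate the two file shapes from the thread in $1.
make_samples() {
    l1="ERROR: ClamClient: Connection to clamd failed, Couldn't resolve host name."
    l2="ClamScanQueue: stopped"
    printf '%s\n' "$l1" > "$1/$(printf '@g6\001\002U')"
    printf '%s\n%s\n' "$l1" "$l2" > "$1/$(printf '@\003\004E\005U')"
    printf '%s\n' "$l1" > "$1/ordinary-name.log"   # printable name: not reported
}

# Run against a directory given on the command line, e.g.: sh triage.sh /
if [ "$#" -gt 0 ]; then triage_stray_files "$1"; fi
```

A file reported with size 75 and one matching line holds only the connection error; size 98 with two matching lines holds both messages.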

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
