[SOLVED]CLAM AV scanner suddenly stopped by itself

Discussion forum for Enterprise Edition.
poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

[SOLVED]CLAM AV scanner suddenly stopped by itself

Post by poweredge »

1. I just noticed this morning that clamd.exe is no longer there in the services tab under Task Manager.

clamd.exe usually takes 1-1.5GB, and stays at the top of my services process, so I noticed immediately. :lol:

Then I checked the Administrative Events log: it stopped by itself on July 1, 7:59PM. It also seems clamd.exe crashed at least once a month.

Then I dug deeper into the problem by looking up clamd.log in C:\Program Files (x86)\Mail Enable\Antivirus\ClamAV:

Thu Jul 01 07:41:08 2021 -> SelfCheck: Database status OK.
Thu Jul 01 07:59:06 2021 -> C:\PROGRA~2\MAILEN~1\Scratch\E89B5C~1.MAI\0.ATT: Can't allocate memory ERROR
Thu Jul 01 07:59:14 2021 -> --- Stopped at Thu Jul 01 07:59:14 2021

Memory ERROR??? Too little RAM left?

Permanent Solution > Increase server RAM?


Anyway, as a temporary solution, I've set the clamd.exe service to restart automatically in Services should it fail again.


2. Btw, there is no alert or status check in the ME console for whether ClamAV is running or not, so one would never know it has crashed/stopped until going to Windows services or Task Manager by chance.


3. There are a few "Database reload failed, keeping the previous instance" errors; is there anything that I can do?

Wed Jun 30 20:05:41 2021 -> SelfCheck: Database status OK.
Wed Jun 30 20:36:14 2021 -> SelfCheck: Database modification detected. Forcing reload.
Wed Jun 30 20:36:14 2021 -> Reading databases from C:\Program Files (x86)\Mail Enable\Antivirus\ClamAV\db
Wed Jun 30 20:36:14 2021 -> ERROR: reload_th: Database load failed: Malformed database
Wed Jun 30 20:36:15 2021 -> WARNING: Database reload failed, keeping the previous instance
Wed Jun 30 21:06:35 2021 -> SelfCheck: Database status OK.
Wed Jun 30 21:37:04 2021 -> SelfCheck: Database status OK.
Wed Jun 30 22:09:44 2021 -> SelfCheck: Database status OK.
Wed Jun 30 22:41:34 2021 -> SelfCheck: Database status OK.
Wed Jun 30 23:11:37 2021 -> SelfCheck: Database status OK.

Does it mean the error occurred at Wed Jun 30 20:36:15 2021, and then at Wed Jun 30 21:06:35 2021 it corrected the problem by itself?


4. There are quite a few large MAI files left in the /scratch folders.

Can I delete all of them? Are those just skipped files, meaning the original email has already been delivered to the user's inbox and is not being held in the Scratch folder due to a ClamAV timeout or other issue?

From the MEAVGEN-Report, for example:

06/18/21 10:32:28 Error scanning attachment - Command Line Scanner Process ("C:\Program Files (x86)\Mail Enable\Antivirus\ClamAV\clamdscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\EA7DD3~1.MAI\0.ATT" --no-summary) took too long and was terminated
06/18/21 10:32:34 ->DeleteFiles::[MTAFILTER] Could not delete file C:\Program Files (x86)\Mail Enable\Scratch\EA7DD3535703450F822211360999E133.MAI\0.ATT (Error: 32)
06/18/21 10:32:34 ->CleanupScratchArea:: [MTAFILTER] Could not remove directory C:\Program Files (x86)\Mail Enable\Scratch\EA7DD3535703450F822211360999E133.MAI (Error: 145)

Looks like it's due to a time-out?

Is the solution to increase the default time-out? (https://www.mailenable.com/kb/content/article.asp?ID=ME020362)

However, I did specifically exclude the /Mail Enable directory, as there is another antivirus program installed on the server, and manually checked clamdscan "C:\PROGRA~2\MAILEN~1\Scratch\EA7DD3~1.MAI\0.ATT"; it's a 770KB file and the scan completed in 0.075 seconds, so it can't be that the time-out parameter is too low.

I also did a test with a 30MB file; ClamAV completed the scan in 0.34 seconds.
Last edited by poweredge on Wed Jan 18, 2023 4:00 am, edited 1 time in total.
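
Added example (not part of the original post, and not MailEnable or ClamAV code): a Python triage of clamd.log that flags the two patterns quoted above, an allocation failure followed by the daemon stopping and a failed database reload. The sample lines are copied from the post; the function and field names are assumptions.

```python
import re
from datetime import datetime

# Sample input: lines copied from the clamd.log excerpts quoted in the post.
SAMPLE_LOG = r"""
Wed Jun 30 20:05:41 2021 -> SelfCheck: Database status OK.
Wed Jun 30 20:36:14 2021 -> ERROR: reload_th: Database load failed: Malformed database
Wed Jun 30 20:36:15 2021 -> WARNING: Database reload failed, keeping the previous instance
Wed Jun 30 21:06:35 2021 -> SelfCheck: Database status OK.
Thu Jul 01 07:41:08 2021 -> SelfCheck: Database status OK.
Thu Jul 01 07:59:06 2021 -> C:\PROGRA~2\MAILEN~1\Scratch\E89B5C~1.MAI\0.ATT: Can't allocate memory ERROR
Thu Jul 01 07:59:14 2021 -> --- Stopped at Thu Jul 01 07:59:14 2021
"""

# "LogTime yes" prefixes each entry with a ctime-style timestamp and " -> ".
LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (.*)$")
OOM_SUFFIX = ": Can't allocate memory ERROR"


def triage(log_text):
    """Return findings as dicts with keys ts, kind, detail, in log order."""
    findings, last_oom, open_reload = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines or entries without the LogTime prefix
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        if msg.endswith(OOM_SUFFIX):
            last_oom = {"ts": ts, "kind": "oom", "detail": msg[: -len(OOM_SUFFIX)]}
            findings.append(last_oom)
        elif msg.startswith("--- Stopped at"):
            # A stop right after an allocation failure is the crash pattern in the post.
            gap = int((ts - last_oom["ts"]).total_seconds()) if last_oom else None
            kind = "stopped_after_oom" if last_oom else "stopped"
            findings.append({"ts": ts, "kind": kind, "detail": gap})
            last_oom = None
        elif msg.startswith("WARNING: Database reload failed"):
            open_reload = {"ts": ts, "kind": "reload_failed", "detail": None}
            findings.append(open_reload)
        elif msg == "SelfCheck: Database status OK." and open_reload:
            # Recorded as an observation only; the log does not say what was loaded.
            open_reload["detail"] = f"next SelfCheck OK at {ts:%H:%M:%S}"
            open_reload = None
    return findings
```

Run on a schedule against the live clamd.log, a `stopped_after_oom` finding gives the alert that the ME console does not provide.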

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: CLAM AV scanner suddenly stopped by itself

Post by poweredge »

I may have located the problem. Probably it's due to a large attachment that crashed the clamd.exe service.

Some have suggested setting an upper limit on the attachment size, so that ClamAV will skip scanning those large attachments (particularly zip files, as it needs to unzip those first and then process the scanning).

I wonder if we can add "MaxFileSize 102400000" (i.e., skip attachments over 100MB) to C:\Program Files (x86)\Mail Enable\Antivirus\ClamAV\clamd.conf?

Ian, Could you kindly reply and confirm the above next week please? Many thanks again.


clamd.conf
========================
TCPSocket 3310
TCPAddr 127.0.0.1
FixStaleSocket yes
MaxThreads 100
LogFile C:\Program Files (x86)\Mail Enable\Antivirus\ClamAV\clamd.log
LogTime yes
LogFileUnlock yes
DatabaseDirectory C:\Program Files (x86)\Mail Enable\Antivirus\ClamAV\db
TemporaryDirectory C:\Program Files (x86)\Mail Enable\Scratch
LogFileMaxSize 1M
MaxQueue 200
MaxConnectionQueueLength 30
MaxDirectoryRecursion 15
SelfCheck 1800
ExitOnOOM yes
ScanArchive yes
ScanHTML yes
ScanMail yes
ScanOLE2 yes
StreamMaxLength 5M
ReadTimeout 60
IdleTimeout 60
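
Added example (not from the post, MailEnable or ClamAV): a Python check of the clamd.conf above that reports the directives bearing on the out-of-memory stop, namely `ExitOnOOM` and the size limits. `MaxFileSize`, `MaxScanSize` and the K/M size suffixes are standard clamd.conf options; the function names are assumptions.

```python
# Sample input: the clamd.conf quoted in the post, abridged to a few
# directives (constructed excerpt; the values are the post's).
SAMPLE_CONF = r"""
TCPSocket 3310
TCPAddr 127.0.0.1
MaxThreads 100
TemporaryDirectory C:\Program Files (x86)\Mail Enable\Scratch
ExitOnOOM yes
ScanArchive yes
StreamMaxLength 5M
ReadTimeout 60
"""

SIZE_LIMITS = ("MaxFileSize", "MaxScanSize", "StreamMaxLength")
UNITS = {"K": 1024, "M": 1024 ** 2}


def parse_conf(text):
    """Parse 'Directive value' lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def to_bytes(value):
    """Convert a clamd size such as '5M', '512K' or '102400000' to bytes."""
    suffix = value[-1].upper()
    if suffix in UNITS:
        return int(value[:-1]) * UNITS[suffix]
    return int(value)


def audit(conf):
    """Return notes relevant to the out-of-memory stop discussed in the thread."""
    notes = []
    if conf.get("ExitOnOOM", "no").lower() == "yes":
        notes.append("ExitOnOOM yes: clamd stops itself when libclamav reports out of memory")
    for name in SIZE_LIMITS:
        if name in conf:
            notes.append(f"{name} = {to_bytes(conf[name])} bytes")
        else:
            notes.append(f"{name} not set: clamd's built-in default applies")
    return notes
```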

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: CLAM AV scanner suddenly stopped by itself

Post by poweredge »

Could ME kindly help me please? Is it a server memory shortage problem?

Thanks.

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: CLAM AV scanner suddenly stopped by itself

Post by MailEnable-Ian »

Hi,

This is a ClamAV error. You will need to consult with ClamAV for more information. But as the error indicates, it could be that you're low on memory.
Regards,

Ian Margarone
MailEnable Support

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: CLAM AV scanner suddenly stopped by itself

Post by poweredge »

Thanks, I shall increase the server memory first, and monitor it for a period of time to see if the same error will still occur.

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: CLAM AV scanner suddenly stopped by itself

Post by poweredge »

Forgot to ask, if CLAM AV crashed will it hold the email in spool until the ClamAV service is restarted again?

poweredge
Posts: 157
Joined: Sat May 29, 2021 11:16 am

Re: CLAM AV scanner suddenly stopped by itself

Post by poweredge »

Just want to update this topic.

After adding more RAM to the ME server, "Can't allocate memory ERROR" no longer shows up. Problem solved; it was indeed the server being short of RAM that was causing ClamAV to crash.

Wed Jan 11 21:08:03 2023 -> C:\PROGRA~2\MAILEN~1\Scratch\E0E802~1.MAI\0.ATT: Can't allocate memory ERROR
