[Exim] Paniclog says clamd: buffer too small

Top Page
Delete this message
Reply to this message
Author: Mark Douglas
Date:  
To: exim-users
Subject: [Exim] Paniclog says clamd: buffer too small
--
[ Picked text/plain from multipart/alternative ]
Content-description: Mail message body

Hello all

I tried posting this on the clamav and exiscan lists but drew a blank.
Perhaps it was too long winded...:-(

I hope someone can help me.

In brief. Clamav0.65 with exim 4.24 and revision 13 exiscan.
Clamd died, required re-install. Now all works but in Exim's
paniclog I sometimes get

malware acl condition: clamd: buffer too small

Can anyone tell me why and how to fix it?

Cheers

Mark

PS. Original long version pasted in below with my clamav.conf (in
case it helps.

__________

Hello

I can't seem to find a reference to this anywhere. I'm running exim-
4.24 with exiscan-acl patch revision 13 and clamav 0.65.

Clamd died on New Years Eve, causing all mail to be rejected with a
451. Simply restarting it resulted in its falling over regularly
(apparently every time it encountered a virus). I recompiled clamav
and since then it has stayed up for the past few days. However..

Checking the logs shows that for a few days before the catastrophe an
error message started making a regular appearance in the mainlogs.

> 1Aa1nL-0003sf-I9 malware acl condition: clamd: ClamAV returned
> /opt/local/exim/spool/scan/1Aa1nL-0003sf-I9/1Aa1nL-0003sf-I9-00000.zip:
> Zip module failure. ERROR


until it fell over with a

> 1AbePm-0005CX-6f malware acl condition: clamd: unable to rea
> d from socket (Bad file number)


After bringing it back up, and also after recompiling, I haven't seen
the Zip module failure yet, but I've started to get

> 1AdoXU-0006Yq-Hc malware acl condition: clamd: buffer too small


written both to the main and the paniclogs, which I'm not aware of
ever having seen before.

I'm a bit nervous...

Everything was fine before, since the first installation of
exiscan/clamav in July, and through the various exim/exiscan upgrades
:-)

One extra note/question:

I've always had ScanMail uncommented in my clamav.conf, and I
remember a thread on the exim list in early November

(Subject: [Exim] ClamAV + exiscan missing virus)

about certain archives not being properly unpacked without it. But I
see the following in the Clamav faq at number 3

> A rogue mail locks up clamd when scanned and stops it from responding.
> What can I do?
> Disable the ScanMail directive in clamav.conf. Our internal
> mail scanner is still in high development. You'd better rely upon the mime
> handling function of an external program (like qmail-scanner, exiscan,
> etc.)


Can I ask for opinions/enlightenment from the gurus out there?

Thanks in advance for any responses!

I paste my clamav.conf below.

__

# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running the daemon.
# Full path is required.
LogFile /tmp/clamd.log

# By default the log file is locked for writing - the lock protects
against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option). That's why you shouldn't
uncomment
# this option.
#LogFileUnlock

# Maximal size of the log file. Default is 1 Mb.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the
size
# in bytes just don't use modifiers.
#LogFileMaxSize 2M

# Log time with an each message.
#LogTime

# Use system logger (can work together with LogFile).
#LogSyslog

# Enable verbose logging.
#LogVerbose

# This option allows you to save the process identifier of the
listening
# daemon (main thread).
PidFile /var/run/clamd.pid

# Path to a directory containing .db files.
# Default is the hardcoded directory (mostly /usr/local/share/clamav,
# it depends on installation options).
#DataDirectory /var/lib/clamav

# The daemon works in local or network mode. Currently the local mode
is
# recommended for security reasons.

# Path to the local socket. The daemon doesn't change the mode of the
# created file (portability reasons). You may want to create it in a
directory
# which is only accessible for a user running daemon.
LocalSocket /tmp/clamd

# TCP port address.
#TCPSocket 3310

# Maximum length the queue of pending connections may grow to.
# Default is 15.
MaxConnectionQueueLength 30

# When activated, input stream (see STREAM command) will be saved to
disk before
# scanning - this allows scanning within archives.
StreamSaveToDisk

# Close the connection if this limit is exceeded.
StreamMaxLength 10M

# Maximal number of a threads running at the same time.
# Default is 5, and it should be sufficient for a typical
workstation.
# You may need to increase threads number for a server machine.
MaxThreads 30

# Thread (scanner - single task) will be stopped after this time
(seconds).
# Default is 180. Value of 0 disables the timeout. SECURITY HINT:
Increase the
# timeout instead of disabling it.
#ThreadTimeout 500

# Maximal depth the directories are scanned at.
MaxDirectoryRecursion 15

# Follow a directory symlinks.
# SECURITY HINT: You should have enabled directory recursion limit to
# avoid potential problems.
FollowDirectorySymlinks

# Follow regular file symlinks.
FollowFileSymlinks

# Do internal checks (eg. check the integrity of the database
structures)
# By default clamd checks itself every 3600 seconds (1 hour).
#SelfCheck 600

# Run as selected user (clamd must be started by root).
# By default it doesn't drop privileges.
# User clamav

# Initialize the supplementary group access (for all groups in
/etc/group
# user is added in. clamd must be started by root).
#AllowSupplementaryGroups

# Don't fork into background. Useful in debugging.
#Foreground

##
## Mail support
##

# Uncomment this option if you are planning to scan mail files.
ScanMail

##
## Archive support
##


# Comment this line to disable scanning of the archives.
ScanArchive

# Options below protect your system against Denial of Service attacks
# with archive bombs.

# Files in archives larger than this limit won't be scanned.
# Value of 0 disables the limit.
# WARNING: Due to the unrarlib implementation, whole files (one by
one) in RAR
#          archives are decompressed to the memory. That's why never
disable
#          this limit (but you may increase it of course!)
ArchiveMaxFileSize 30M


# Archives are scanned recursively - e.g. if Zip archive contains RAR
file,
# the RAR file will be decompressed, too (but only if recursion limit
is set
# at least to 1). With this option you may set the recursion level.
# Value of 0 disables the limit.
ArchiveMaxRecursion 5

# Number of files to be scanned within archive.
# Value of 0 disables the limit.
ArchiveMaxFiles 1000

# Use slower decompression algorithm which uses less memory. This
option
# affects bzip2 decompressor only.
#ArchiveLimitMemoryUsage

##
## Clamuko settings
## WARNING: This is experimental software. It is very likely it will
hang
##          up your system !!!
##


# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and
running.
#ClamukoScanOnLine

# Set access mask for Clamuko.
# ClamukoScanOnOpen
# ClamukoScanOnClose
# ClamukoScanOnExec

# Set the include paths (all files in them will be scanned). You can
have
# multiple ClamukoIncludePath options, but each directory must be
added
# in a seperate option. All subdirectories are scanned, too.
# ClamukoIncludePath /home
#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.
#ClamukoExcludePath /home/guru

# Limit the file size to be scanned (probably you don't want to scan
your movie
# files ;))
# Value of 0 disables the limit. 1 Mb should be fine.
# ClamukoMaxFileSize 1M

# Enable archive support. It uses the limits from clamd section.
# (This option doesn't depend on ScanArchive, you can have archive
support
# in clamd disabled).
# ClamukoScanArchive




Mark Douglas

SOAS Postmaster
Network Section
IT Department
School of Oriental and African Studies

email: postmaster@???

--