[Pkg-clamav-devel] Bug#888512: clamav-daemon: Clamd suddenly eat up all file descriptors, 'Too many open files' error
Bernhard Schmidt
berni at debian.org
Fri Jan 26 15:28:48 UTC 2018
Control: tags -1 confirmed upstream
> Today, on my servers (at least 3 servers), starting from circa 9.00 local
> time (Europe/Rome), clamav stopped working, like:
This is an issue in daily.cld 24256+ (released around this morning).
A workaround is described here:
http://lists.clamav.net/pipermail/clamav-users/2018-January/005715.html
===
I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and
restarting clamd fixed the problem.
This sig turned up in an update at 11:51AM GMT+10 26/1/2018 and the problem
began a few minutes later: clamd ran out of file descriptors.
I also had to clean out TemporaryDirectory before restarting.
Not sure what the exact reason for the problem is.
There is an EOF-15 in a subsig. Perhaps this causes a performance hit
on large text files, as the end of file must be seeked to, and this is
sufficient on a busy system to cause demand to exceed supply.
sigtool --find Vbs.Downloader.Generic-6431223-0
Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;0:207075626c69632073756220;0:2073756220;EOF-15:203d202272652220656e6420696620;657865202f63207374617274
sigtool --find Vbs.Downloader.Generic-6431223-0 | sigtool --decode-sigs
VIRUS NAME: Vbs.Downloader.Generic-6431223-0
TDB: Engine:51-255,Target:7
LOGICAL EXPRESSION: (0|1)&2&3
* SUBSIG ID 0
+-> OFFSET: 0
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
public sub
* SUBSIG ID 1
+-> OFFSET: 0
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
sub
* SUBSIG ID 2
+-> OFFSET: EOF-15
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
= "re" end if
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
exe /c start
===
There is also a patch floating around that is supposed to fix the FD
leak, but it is unclear where it is from:
https://gist.github.com/manuelm/dbc94001c77c07363cdcb5b390c2cb04
Bernhard
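
The signature line quoted in the message above can be taken apart without sigtool. The following Python parser is an added example, not part of the original message or of ClamAV's code. It assumes the logical-signature layout `Name;TDB;Expression;Subsig0;...` with an optional `offset:` prefix and `::` modifier suffix per subsignature, and it decodes plain hex bodies only.

```python
import re

# Signature line exactly as quoted in the message above.
SIG = ("Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;"
       "0:207075626c69632073756220;0:2073756220;"
       "EOF-15:203d202272652220656e6420696620;657865202f63207374617274")

# Assumed subsig shape: [offset:]body[::modifiers]
SUBSIG = re.compile(r"(?:(?P<offset>[^:]+):)?(?P<body>[^:]+)(?:::(?P<mod>[a-z]+))?")
PLAIN_HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")

def parse_ldb(line):
    """Split a logical signature into name, TDB, expression and subsigs."""
    name, tdb, expr, *raw = line.strip().split(";")
    subsigs = []
    for idx, item in enumerate(raw):
        m = SUBSIG.fullmatch(item)
        if m is None:  # other subsig kinds (e.g. PCRE) are kept raw
            subsigs.append({"id": idx, "offset": None, "body": item,
                            "modifier": None, "decoded": None})
            continue
        body = m["body"]
        # Only plain hex is decoded; wildcard bodies (??, *, {n}) stay raw.
        decoded = bytes.fromhex(body) if PLAIN_HEX.fullmatch(body) else None
        subsigs.append({"id": idx, "offset": m["offset"] or "ANY", "body": body,
                        "modifier": m["mod"], "decoded": decoded})
    return {"name": name,
            "tdb": dict(kv.split(":", 1) for kv in tdb.split(",")),
            "expr": expr, "subsigs": subsigs}

def eof_anchored(sig):
    """Return (id, distance_from_eof, pattern_length) for EOF-n subsigs."""
    out = []
    for s in sig["subsigs"]:
        m = re.fullmatch(r"EOF-(\d+)", s["offset"] or "")
        if m:
            length = len(s["decoded"]) if s["decoded"] is not None else None
            out.append((s["id"], int(m[1]), length))
    return out

if __name__ == "__main__":
    sig = parse_ldb(SIG)
    for s in sig["subsigs"]:
        print(s["id"], s["offset"], s["decoded"])
    print("EOF-anchored:", eof_anchored(sig))
```

For the signature on this page it reports subsig 2 at EOF-15 with a 15-byte pattern, so that pattern has to end exactly at the end of the scanned data.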