[SOLVED] Help: Virus Scanner Issues

[cadman]

This is my second post (first one was before we purchased) and now that we are a customer we've been very happy, love zimbra so far. Have had very few problems. However, i am having one now and would really appreciate some help.

First off, my Zimbra version:

Release 4.5.6_GA_1044.RHEL4_20070706161941 RHEL4 NETWORK edition

The issue right now: (from /var/log/maillog)

Jan 10 09:00:54 mail2 postfix/smtp[11844]: D15576B453A: to=<joseph@americanpolyfoam.com>, relay=127.0.0.1[127.0.0.1], delay=8, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=04885-03, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: Too many retries to talk to 127.0.0.1:3310 (Can't connect to INET socket 127.0.0.1:3310: Connection refused) at (eval 53) line 269. (in reply to end of DATA command))

zmcontrol status shows the following:

antispam Running
antivirus Stopped
zmclamdctl is not running
ldap Running
logger Running
mailbox Running
mta Running
snmp Running
spell Running

I used zmclamdctl and zmantivirusctl to try and restart the service (i also rebooted the machine as well a few times) with no luck, same stuff seems to come up.

When i check /opt/zimbra/log/clamd.log i see the following:

Thu Jan 10 09:03:50 2008 -> +++ Started at Thu Jan 10 09:03:50 2008
Thu Jan 10 09:03:50 2008 -> clamd daemon 0.90.2 (OS: linux-gnu, ARCH: i386, CPU: i686)
Thu Jan 10 09:03:50 2008 -> Log file size limited to 20971520 bytes.
Thu Jan 10 09:03:50 2008 -> Reading databases from /opt/zimbra/clamav/db

I thought that it was odd that i didnt see any kind of error, so i scrolled up, the above message repeats (with different times) until i get to the below message:

SelfCheck: Database modification detected. Forcing reload.
Wed Jan 9 07:29:33 2008 -> Reading databases from /opt/zimbra/clamav/db
Wed Jan 9 07:33:01 2008 -> ERROR: reload db failed: Unable to lock database directory (try 1)
Wed Jan 9 07:41:32 2008 -> Database correctly reloaded (188860 signatures)
Wed Jan 9 07:41:33 2008 -> Client disconnected
Wed Jan 9 07:41:33 2008 -> Client disconnected
Wed Jan 9 07:57:05 2008 -> Pid file removed.
Wed Jan 9 07:57:05 2008 -> --- Stopped at Wed Jan 9 07:57:05 2008
Wed Jan 9 08:01:21 2008 -> +++ Started at Wed Jan 9 08:01:21 2008
Wed Jan 9 08:01:21 2008 -> clamd daemon 0.90.2 (OS: linux-gnu, ARCH: i386, CPU: i686)
Wed Jan 9 08:01:21 2008 -> Log file size limited to 20971520 bytes.
Wed Jan 9 08:01:21 2008 -> Reading databases from /opt/zimbra/clamav/db

When i log into Zimbra management screen via web, it shows all process working, but there is a red X through the AntiVirus service.

So where do i go from here? where do i look? what do you guys wanna see.

Your help is really appreciated. IF this is in the wrong section, let me know.

Regards,

~Steve

[cadman]

Should i upgrade to the latest 5.0 version?

[cadman]

This is what i see in /var/log/zimbra.log

Jan 10 09:22:33 mail2 amavis[4913]: (04913-04) ClamAV-clamd: Can't connect to INET socket 127.0.0.1:3310: Connection refused, retrying (1)
Jan 10 09:22:34 mail2 amavis[4913]: (04913-04) (!)ClamAV-clamd: Can't connect to INET socket 127.0.0.1:3310: Connection refused, retrying (2)
Jan 10 09:22:40 mail2 amavis[4913]: (04913-04) (!!)ClamAV-clamd av-scanner FAILED: Too many retries to talk to 127.0.0.1:3310 (Can't connect to INET socket 127.0.0.1:3310: Connection refused) at (eval 53) line 269.
Jan 10 09:22:40 mail2 amavis[4913]: (04913-04) (!!)WARN: all primary virus scanners failed, considering backups
Jan 10 09:22:40 mail2 amavis[4913]: (04913-04) (!!)TROUBLE in check_mail: virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: Too many retries to talk to 127.0.0.1:3310 (Can't connect to INET socket 127.0.0.1:3310: Connection refused) at (eval 53) line 269.
Jan 10 09:22:40 mail2 amavis[4913]: (04913-04) (!)PRESERVING EVIDENCE in /opt/zimbra/amavisd/tmp/amavis-20080110T092233-04913

[dwmtractor]

I seem to remember some flakiness with 4.5.6 on Clam. If you're not ready to upgrade to 5.x you should at least go to one of the later 4.5 releases (preferably 4.5.10) as .6 had several issues that caused Tums moments for a number of us

Cheers,

Dan

[cadman]

I seem to remember some flakiness with 4.5.6 on Clam. If you're not ready to upgrade to 5.x you should at least go to one of the later 4.5 releases (preferably 4.5.10) as .6 had several issues that caused Tums moments for a number of us

Cheers,

Dan

Dan,

I dont mind upgrading if that is more than likely to fix the issue, i do have a few questions tho.

When upgrading, i am assuming that messages that are currently deferred and stored in the queue will be in the new upgraded system?

and secondly, when i do a backup, the backup includes the deferred and current queued messages waiting to be sent out?

Would upgarding to 4.5.10 be a smoother transition than going straight to 5.x?

[dwmtractor]

When upgrading, i am assuming that messages that are currently deferred and stored in the queue will be in the new upgraded system?

Yes, but that doesn't mean it wouldn't make me nervous! I'd try real hard to break the queue loose first if I could. Have you tried running (as su - zimbra) zmcontrol stop and then zmcontrol start to see if you can get it to wake up?

and secondly, when i do a backup, the backup includes the deferred and current queued messages waiting to be sent out?

Yes, if you use any of the open source backup methods they back up the whole of /opt/zimbra which includes your queues.

Would upgarding to 4.5.10 be a smoother transition than going straight to 5.x?

Not necessarily from an I.T. perspective, but depending on how dependent your users are on various little environment things, they may find the 4.5.x upgrade more transparent. Also, I THINK the 4.x upgrade may require less downtime than the 5 conversion (others will correct me if I'm wrong on this) and so it might be the quicker fix. Clearly you want to be on 5 eventually, but 4.x may be a faster repair to the current pain.

[mmorse]

Turn off your AV temporarily & the messages will flow - temp solutions are in this thread: [SOLVED] Clamd.pid - no such file

Make a backup (zmbackup or rsync method) jump to 4.5.10 NE (& enable your AV if it's still disabled).

Make another backup read the NE release notes & jump to 5.0.0 NE (If you're not comfortable with fixing any certs issues that may crop up you may consider holding for 5.0.1 NE) Certs: If you have trouble with Zimbra 5.0, Read this:

Also RHEL4: 5.0 GA ships an XS compiled version of Scalar::Util in its perl modules for RHEL4. So before that jump as root, read the ~zimbra/.bashrc, and set the PERLLIB and PERL5LIB environment variables to match what the zimbra user does, and then try installing.
You're setting the perl bits in the root environment similar to what is in the zimbra user's, is, as root, run these at the shell on RHEL4:

export PERLLIB=/opt/zimbra/zimbramon/lib:/opt/zimbra/zimbramon/lib/i386-linux-thread-multi
export PERLLIB
PERL5LIB=$PERLLIB
export PERL5LIB

This should tell perl to use the Zimbra perl libraries before using the system perl libraries.

[cadman]

Thanks for the help guys

I ended up contacting Zimbra Support and they were able to fix the issue for now. My plan is to upgrade soon tho as newer versions have already solved this issue. In case anyone else is still using this older version i will paste into here the email i got from Zimbra support:

Hello Steve,

Seems that you were running into the below reported and now fixed bug in ZCS 4.5.7:

Bug 18511 - clamav performance is poor -- upgrade to clamAV 0.91.1
Bug 18511 - clamav performance is poor -- upgrade to clamAV 0.91.1

The reason ClamAV was not starting is because the mta monitor (zmmtaconfig) is not waiting long enough for clamd to start.
The version of clam in the current release has some performance problems. This has been updated for 4.5.7 as Bug 18511. The workaround at this point is to edit the file /opt/zimbra/libexec/zmmtaconfig to increase the check interval. I have increased this setting from 60s to 240s.

Regarding your question on moving from your current server to a new server, please read the below article:

http://www.zimbra.com/blog/archives/...er_server.html

Regards,

Angad Bhullar
Zimbra Network Support

And lastly, i must say. Zimbra's support on this issue was outstanding! I am very happy with this software and the support system in place.

thanks again!

[mmorse]

Please refresh this page and see the slight edit above where I've explained what you have to do with the PERL env when you're ready for the 5.0 jump in more detail.