[SOLVED] Problems with Antivirus subsystem

[tgx]

Over the last 3 weeks our Zimbra server has stopped processing mail twice. This is an unheard of situation for our server. What I am finding is that the Antivirus system is shutting down. There is nothing in any of the logs describing any problems with it, but looking in the Admin console you can see the email backup in the deferred category and the reason for deferral being given is that it is unable to establish a connection with the A/V subsystem. I can run zmclamdctl start and then requeue the deferred mail, but it throws a wrench in the overnight reporting that gets mailed out. As this problem is newly occurring just wondering what is going on that would cause it and what remedies are available? Is is possible to disable the A/V subsystem? It is rather redundant as I have an A/V gateway ahead of the the Zimbra server. I'd rather fix the issue though.

[vavai]

Hi tgx,

Quote:

Originally Posted by tgx

Over the last 3 weeks our Zimbra server has stopped processing mail twice. This is an unheard of situation for our server. What I am finding is that the Antivirus system is shutting down. There is nothing in any of the logs describing any problems with it, but looking in the Admin console you can see the email backup in the deferred category and the reason for deferral being given is that it is unable to establish a connection with the A/V subsystem. I can run zmclamdctl start and then requeue the deferred mail, but it throws a wrench in the overnight reporting that gets mailed out. As this problem is newly occurring just wondering what is going on that would cause it and what remedies are available? Is is possible to disable the A/V subsystem? It is rather redundant as I have an A/V gateway ahead of the the Zimbra server. I'd rather fix the issue though.

AV would be possible to refuse the connection because the ClamaV engine was too old and need an upgrade. If you checked out your logs, it should be warning about the upgrade message. I'm experience with this on some old Zimbra installation.

Anyway, you should be easy to disable AV by login to Zimbra Administration Console, go to Configuration | Servers | Services and disable AV from the check box. After that, restart your Zimbra service.

[tgx]

Quote:

Originally Posted by vavai

Hi tgx,


AV would be possible to refuse the connection because the ClamaV engine was too old and need an upgrade. If you checked out your logs, it should be warning about the upgrade message. I'm experience with this on some old Zimbra installation.

Yes. However, I would expect it to fail consistently. Not run for two weeks after being restarted and then spontaneously die.

**UPDATE** I have found something of interest in the clamd.log.

This is the moment that the service failed to start after shutting down for backup.

LibClamAV Error: cli_load(): Can't open file /opt/zimbra/data/clamav/db/main.cvd
ERROR: Unable to open file or directory

However, running zmclamdctl start manually, 8 hours later and it came up fine.

**MORE INFO** There is no file called main.cvd in /opt/zimbra/data/clamav/db. There IS a file called main.cld.
Is there a typo in a script somewhere?

Going to look at upgrading ClamAV.

**Upgraded to ClamAV 0.95.3 using Wiki instructions. Will monitor for results.**

[phoenix]

Quote:

Originally Posted by tgx

**MORE INFO** There is no file called main.cvd in /opt/zimbra/data/clamav/db. There IS a file called main.cld.

It should be there but you chould be able to recover by doing this: [SOLVED] LibClamAV Error: Can't load /opt/zimbra/data/clamav/db//main.cvd: Can't veri

Mind you, this might be more appropriate: Bug 41070 – zmclamdctl incorrectly recreates main.cvd

[tgx]

Quote:

Originally Posted by phoenix

It should be there but you chould be able to recover by doing this: [SOLVED] LibClamAV Error: Can't load /opt/zimbra/data/clamav/db//main.cvd: Can't veri

Mind you, this might be more appropriate: Bug 41070 – zmclamdctl incorrectly recreates main.cvd

I don't see much similarity in those. In my case the script is complaining .cvd doesn't exist. Odd that it has only recently begun doing this on a server that's been running since '07. I do note that ClamAV is going to stop supporting pre-0.95 versions in April of 2010 so it only made sense to upgrade. Maybe it will solve the issue.

FWIW, the .cvd files are found under /opt/zimbra/clamav-your.version.here.
zmclamdctl looks like it is supposed to copy the files to /opt/zimbra/clamav/db, but doesn't seem to be doing it (or is doing it and then being cleared out by another process).

After shutting down clamd using zmclamdctl, rerunning freshclam and running zmclamdctl start I now have a daily.cvd in /opt/zimbra/data/clamav/db/ but still no main.cvd.

I stopped the AV service manually copied main.cvd.init to /opt/zimbra/clamav/db renamed it to main.cvd, changed the file perms to match the other files in the directory and restarted the service. I had two new directories under /db labelled clamav-(insertlongalphanumberstringhere), which after a time disappeared along with the newly inserted main.cvd, so I assume therefore that the file is dynamically created by some other mechanism. I'm going to assume it is working correctly at this point. Will have to monitor.