Checking whether the current ClamAV is affected by the reported failure

The virus database update that ClamAV delivered in the early hours of 22 October 2016 (Beijing time) may leave some versions of clamd unable to provide scanning and cause clamscan to behave abnormally.
With the Amavisd-new configuration, this causes the mail queue to pile up. After the problem is resolved by the steps below, mail that users already sent through WebMail or a mail client does not need to be resent.
At present the affected combination is believed to be program version 0.97 with a virus database dated the 22nd or later.
According to the official version announcement, 0.97 (the engine program, not the virus database) is no longer updated or supported, so all ClamAV users are advised to upgrade to 0.98 or later (the latest is 0.99).

Related errors:

• /var/log/clamav/clamd.log
• /var/log/clamav/freshclam.log
• standard error output when restarting the clamd service

LibClamAV Error: mpool_malloc(): Attempt to allocate 8388608 bytes. Please report to http://bugs.clamav.net

Related links:

• http://lists.clamav.net/pipermail/clamav-users/2016-October/003542.html (a ClamAV author's reply to a user's question about this failure, reminding that 0.97 is no longer supported)
• http://lists.clamav.net/pipermail/clamav-announce/2016/000022.html (0.97 end-of-life announcement)
• http://serverfault.com/questions/810739/clamav-error-mpool-malloc-attempt-to-allocate-8388608-bytes
• https://srad.jp/~kawakazu/journal/607032/
• http://www.extmail.org

Checking whether the current ClamAV is affected by the reported failure

Check the operating system version

# cat /etc/redhat-release
EMOS 1.6 (Community)

If this is not the EMOS 1.6 x86_64 release:

# uname -a
Linux hostname 2.6.32-71.el6.x86_64 #1 SMP Tue Nov 23 06:49:13 CST 2010 x86_64 x86_64 x86_64 GNU/Linux
# use this to confirm el5/el6 and x86/x86_64

Check the ClamAV program and virus database versions

# clamd -V
ClamAV 0.97/22412/Sun Oct 23 02:00:00 2016
# as above: version 0.97 with a 2016/10/23 database is the possibly faulty program/database combination

Check for clamscan zombie processes

# ps aux |grep clam
clamav 1140 0.9 1.3 440284 109396 ? Rsl May06 2337:04 clamd
clamav 1561 0.0 0.0 30956 1660 ? Ss May06 124:10 /usr/bin/freshclam --daemon
amavis 12087 1.9 0.0 0 0 ? Z Oct23 5:53 [clamscan] <defunct>
amavis 13286 2.3 0.0 0 0 ? Z Oct23 6:01 [clamscan] <defunct>
# … many more zombie processes omitted here; the count depends on how often amavisd invoked clamscan
root 19143 0.0 0.0 9196 1228 ? SN Oct23 0:00 /bin/sh /etc/cron.daily/freshclam
root 19144 0.0 0.0 9080 832 ? SN Oct23 0:00 awk -v progname /etc/cron.daily/freshclam progname {????? print progname ":\n"????? progname="";???? }???? { print; }
clamav 19145 0.0 0.0 31056 1944 ? SN Oct23 0:05 /usr/bin/freshclam --quiet --datadir=/var/clamav --log=/var/log/clamav/freshclam.log --daemon-notify=/etc/clamd.conf
amavis 20108 100 1.2 132232 104636 ? R Oct23 4:05 /usr/bin/clamscan --stdout --no-summary -r --tempdir=/var/spool/vscan/tmp /var/spool/vscan/tmp/amavis-20161023T235849-13588/parts
# at this point ClamAV can already be provisionally judged faulty

Check whether the queue carries deferrals with ClamAV errors

# mailq
B891FBC17B4 8877 Sun Oct 23 04:00:01 root@mail.xxx.com
(host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=13588-07, virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED (in reply to end of DATA command))
postmaster@xxx.com

Next, watch the mail delivery status

# tail -f /var/log/maillog
Oct 24 00:05:18 hostname amavis[13588]: (13588-08) (!)killing process [20108] running ClamAV-clamscan (reason: on reading: timed out)
Oct 24 00:05:19 hostname amavis[13588]: (13588-08) (!)process [20108] running ClamAV-clamscan is still alive, using a bigger hammer
Oct 24 00:05:19 hostname amavis[13588]: (13588-08) (!)run_av (ClamAV-clamscan): collect_results - reading aborted: timed out at /usr/sbin/amavisd line 3313.
Oct 24 00:05:19 hostname amavis[13588]: (13588-08) (!)ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan collect_results - reading aborted: timed out at /usr/sbin/amavisd line 3313. at (eval 90) line 594.
Oct 24 00:05:19 hostname amavis[13588]: (13588-08) (!!)TROUBLE in check_mail: virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED
Oct 24 00:05:19 hostname amavis[13588]: (13588-08) (!)PRESERVING EVIDENCE in /var/spool/vscan/tmp/amavis-20161023T235849-13588
Oct 24 00:05:19 hostname postfix/smtp[20080]: 48602BC17CE: to=<xxx@xxx.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=30199, delays=29809/0.01/0.01/390, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=13588-08, virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED (in reply to end of DATA command))

If all of the above are observed, the current ClamAV is confirmed faulty and must be upgraded to resolve it.
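The three checks above (clamd version, zombie clamscan processes, and deferred queue entries) can be scripted so they run the same way on every host. The script below is an added example, not part of the original post; its functions take command output as text, so they are exercised here on constructed samples modelled on the output shown above, and on a live host they are fed the real output of clamd -V, ps aux and mailq. The date cut-off of 22 October 2016 and the 0.97 version check are taken from the post's own diagnosis.

```shell
#!/bin/sh
# Added example, not part of the original post: the checks above as small
# functions that take command output as text.  On a live host feed them real
# output, e.g.
#   is_affected_clamav "$(clamd -V)"
#   count_defunct_clamscan "$(ps aux)"
#   count_av_failed_queue "$(mailq)"

# "yes" when the "clamd -V" line reports engine 0.97 with a signature database
# dated 22 Oct 2016 or later, the combination the post identifies as faulty.
is_affected_clamav() {
    line=$1                               # e.g. ClamAV 0.97/22412/Sun Oct 23 02:00:00 2016
    ver=$(printf '%s\n' "$line" | cut -d/ -f1 | awk '{print $2}')
    stamp=$(printf '%s\n' "$line" | cut -d/ -f3)
    set -- $stamp                         # Sun Oct 23 02:00:00 2016
    [ -n "$5" ] || { echo no; return; }   # malformed line: do not flag it
    case "$2" in
        Jan) m=1;;  Feb) m=2;;  Mar) m=3;;  Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;;  Aug) m=8;;  Sep) m=9;;  Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) m=0;;
    esac
    day=${3#0}; year=$5                   # strip a leading zero so the day is not read as octal
    # Compare the database date as YYYYMMDD against 20161022.
    if [ "$ver" = "0.97" ] && [ $((year * 10000 + m * 100 + day)) -ge 20161022 ]; then
        echo yes
    else
        echo no
    fi
}

# Number of zombie clamscan processes in "ps aux" output.
count_defunct_clamscan() {
    printf '%s\n' "$1" | grep -c '\[clamscan\] <defunct>' || true
}

# Number of queue entries deferred because every AV scanner failed.
count_av_failed_queue() {
    printf '%s\n' "$1" | grep -c 'AV: ALL VIRUS SCANNERS FAILED' || true
}

# Constructed samples, modelled on the output shown in the post.
SAMPLE_VERSION='ClamAV 0.97/22412/Sun Oct 23 02:00:00 2016'
SAMPLE_PS='clamav 1140 0.9 1.3 440284 109396 ? Rsl May06 2337:04 clamd
amavis 12087 1.9 0.0 0 0 ? Z Oct23 5:53 [clamscan] <defunct>
amavis 13286 2.3 0.0 0 0 ? Z Oct23 6:01 [clamscan] <defunct>
amavis 20108 100 1.2 132232 104636 ? R Oct23 4:05 /usr/bin/clamscan --stdout --no-summary -r'
SAMPLE_MAILQ='B891FBC17B4 8877 Sun Oct 23 04:00:01 root@mail.example.com
(host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=13588-07, virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED (in reply to end of DATA command))
postmaster@example.com'

echo "affected clamd version : $(is_affected_clamav "$SAMPLE_VERSION")"
echo "zombie clamscan procs  : $(count_defunct_clamscan "$SAMPLE_PS")"
echo "AV-failed queue entries: $(count_av_failed_queue "$SAMPLE_MAILQ")"
```

A non-zero zombie count or any AV-failed queue entry on its own only says that scanning is failing; it is the combination with an affected version string that points at this particular signature-update problem rather than at, say, a stopped clamd.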

Temporarily providing mail delivery without virus scanning

Suspend the Amavisd-new ClamAV invocation

# vim /etc/amavisd.conf
# comment out the following two configuration items

#@av_scanners = (
#  ['ClamAV-clamd',
#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
#   qr/\bOK$/, qr/\bFOUND$/,
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
#);
#
#@av_scanners_backup = (
#  ['ClamAV-clamscan', 'clamscan',
#   "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
#   [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
#);

Restart the Amavisd-new service

# /etc/init.d/amavisd restart
Shutting down Mail Virus Scanner (amavisd): Daemon [22260] terminated by SIGTERM
Starting Mail Virus Scanner (amavisd): [ OK ]

Flush the queue

# flush the queue so the held mail is delivered, providing delivery service for the time being
# postqueue -f
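Commenting the two @av_scanners blocks out by hand, and later uncommenting them again, is easy to get slightly wrong on a busy night. The script below is an added example, not part of the original post or of Amavisd-new: it disables both blocks with a distinctive "#DISABLED#" prefix and restores them by removing exactly that prefix, so the file's own comments are never touched and running it twice is harmless. The sample amavisd.conf fragment it writes is constructed from the configuration shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: comment out (or restore) the
# two @av_scanners blocks in amavisd.conf without editing by hand.  Lines are
# disabled with a distinctive "#DISABLED#" prefix so that restoring removes
# only what this script added and never touches the file's own comments.
# Live use:  toggle_av_scanners /etc/amavisd.conf off   # before the amavisd restart
#            toggle_av_scanners /etc/amavisd.conf on    # after the ClamAV upgrade

toggle_av_scanners() {
    conf=$1
    mode=$2                    # "off" disables the blocks, "on" restores them
    tmp="$conf.tmp.$$"
    awk -v mode="$mode" '
        # A block starts at "@av_scanners = (" or "@av_scanners_backup = ("
        # (possibly already disabled) and ends at its ");" line.
        /^(#DISABLED#)?[ \t]*@av_scanners(_backup)?[ \t]*=[ \t]*\(/ { inblock = 1 }
        inblock {
            if (mode == "off") { if ($0 !~ /^#DISABLED#/) $0 = "#DISABLED#" $0 } else { sub(/^#DISABLED#/, "") }
            if ($0 ~ /^(#DISABLED#)?[ \t]*\);/) inblock = 0
        }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Write a constructed amavisd.conf fragment, modelled on the post, to PATH.
write_sample_conf() {
    cat > "$1" <<'EOF'
# amavisd.conf (constructed sample)
$max_servers = 2;
@av_scanners = (
  ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
   qr/\bOK$/, qr/\bFOUND$/ ],
);

@av_scanners_backup = (
  ['ClamAV-clamscan', 'clamscan',
   "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
   [0], qr/:.*\sFOUND$/ ],
);
1;  # ensure a defined return
EOF
}

# Number of lines currently disabled by this script.
count_disabled() {
    grep -c '^#DISABLED#' "$1" || true
}

# Demonstration on a temporary copy.
sample=$(mktemp)
write_sample_conf "$sample"
toggle_av_scanners "$sample" off
echo "disabled lines: $(count_disabled "$sample")"
cat "$sample"
rm -f "$sample"
```

With both blocks disabled, amavisd has no virus scanner configured at all, which is exactly the temporary state the post describes; the restart and queue flush are still done by hand as shown above.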

Resolving the ClamAV failure

Stop all ClamAV-related programs

# /etc/init.d/clamd stop
Stopping Clam AntiVirus Daemon: Hangup
# killall -15 freshclam
# killall -9 clamscan
# ps aux |grep clam |grep -v grep
# repeat until grep returns nothing

Download and upgrade to newer ClamAV packages

# rpm -qa |grep clam
clamd-0.97-1.el6.rf.x86_64
clamav-0.97-1.el6.rf.x86_64
clamav-devel-0.97-1.el6.rf.x86_64
clamav-db-0.97-1.el6.rf.x86_6
# check which packages are currently installed and download the corresponding newer version of each

# download with wget
# el6_x86_64
http://mirror.bjtu.edu.cn/repoforge/redhat/el6/en/x86_64/dag/RPMS/clamav-0.98.4-1.el6.rf.x86_64.rpm
http://mirror.bjtu.edu.cn/repoforge/redhat/el6/en/x86_64/dag/RPMS/clamav-devel-0.98.4-1.el6.rf.x86_64.rpm
http://mirror.bjtu.edu.cn/repoforge/redhat/el6/en/x86_64/dag/RPMS/clamd-0.98.4-1.el6.rf.x86_64.rpm
http://mirror.bjtu.edu.cn/repoforge/redhat/el6/en/x86_64/dag/RPMS/clamav-db-0.98.4-1.el6.rf.x86_64.rpm

# if the system is el5 or x86, change el6 in the URL path to el5, and x86_64 to i386 or i686
# e.g. el5_x86 http://mirror.bjtu.edu.cn/repoforge/redhat/[el5]/en/[i386]/dag/RPMS/clamav-0.98.4-1.[el5].rf.[i386].rpm
# el5_x86_64 [el5][x86_64][el5][x86_64]
# el6_x86 [el6][i386][el6][i686]

# upgrade
# rpm -Uvh clam*.rpm
# start the clamd service
# /etc/init.d/clamd restart
Stopping Clam AntiVirus Daemon: [FAILED]
Starting Clam AntiVirus Daemon: [ OK ]

Restore the Amavisd-new ClamAV invocation

# vim /etc/amavisd.conf
# remove the comments added above
# /etc/init.d/amavisd restart
Shutting down Mail Virus Scanner (amavisd): Daemon [20823] terminated by SIGTERM
Starting Mail Virus Scanner (amavisd): [ OK ]

Check/set ClamAV to start at boot

# chkconfig --list |grep clamd
# chkconfig clamd on
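Before re-enabling the scanner in amavisd it is worth confirming that the upgrade actually replaced every installed clam* package at one version (the post lists four of them) and that the allocation error quoted at the top has stopped appearing. The script below is an added example, not part of the original post; it parses constructed rpm -qa and clamd.log text so it runs offline, and on a live host is fed the real output of rpm -qa | grep clam and the tail of /var/log/clamav/clamd.log. The "0.98 or later" threshold is the post's own recommendation.

```shell
#!/bin/sh
# Added example, not part of the original post: checks to run after the package
# upgrade, shown here on constructed text.
# Live use:  check_clam_packages "$(rpm -qa | grep clam)"
#            clamd_log_has_mpool_error "$(tail -n 200 /var/log/clamav/clamd.log)"

# Print the distinct upstream versions in "rpm -qa" lines such as
# clamd-0.98.4-1.el6.rf.x86_64 (name-version-release.dist.arch).
clam_package_versions() {
    printf '%s\n' "$1" | sed -n 's/^clam[a-z-]*-\([0-9][0-9.]*\)-.*/\1/p' | sort -u
}

# "yes" when every clam* package is installed at one and the same version and
# that version is 0.98 or later; a mixed set (e.g. clamd upgraded but clamav-db
# left at 0.97) or an empty list reports "no".
check_clam_packages() {
    versions=$(clam_package_versions "$1")
    n=$(printf '%s\n' "$versions" | grep -c . || true)
    if [ "$n" -ne 1 ]; then echo no; return; fi
    major=${versions%%.*}
    minor=$(printf '%s\n' "$versions" | cut -d. -f2)
    if [ "$major" -gt 0 ] || [ "$minor" -ge 98 ]; then echo yes; else echo no; fi
}

# "yes" when the clamd log text still carries the allocation error quoted in the post.
clamd_log_has_mpool_error() {
    if printf '%s\n' "$1" | grep -q 'mpool_malloc(): Attempt to allocate'; then echo yes; else echo no; fi
}

# Constructed samples, modelled on the package names in the post.
SAMPLE_RPM_OLD='clamd-0.97-1.el6.rf.x86_64
clamav-0.97-1.el6.rf.x86_64
clamav-devel-0.97-1.el6.rf.x86_64
clamav-db-0.97-1.el6.rf.x86_64'
SAMPLE_RPM_NEW='clamd-0.98.4-1.el6.rf.x86_64
clamav-0.98.4-1.el6.rf.x86_64
clamav-devel-0.98.4-1.el6.rf.x86_64
clamav-db-0.98.4-1.el6.rf.x86_64'
SAMPLE_RPM_MIXED='clamd-0.98.4-1.el6.rf.x86_64
clamav-0.98.4-1.el6.rf.x86_64
clamav-db-0.97-1.el6.rf.x86_64'
SAMPLE_LOG='LibClamAV Error: mpool_malloc(): Attempt to allocate 8388608 bytes. Please report to http://bugs.clamav.net'

echo "old set upgraded  : $(check_clam_packages "$SAMPLE_RPM_OLD")"
echo "new set upgraded  : $(check_clam_packages "$SAMPLE_RPM_NEW")"
echo "mixed set upgraded: $(check_clam_packages "$SAMPLE_RPM_MIXED")"
echo "log shows error   : $(clamd_log_has_mpool_error "$SAMPLE_LOG")"
```

A mixed package set is the case to watch for: if clamav-db stays at 0.97 while clamd moves to 0.98.4, the daemon may start but the signature files are not the ones the new engine was packaged with.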