We have used EFA for quite some time now with little to no issue; however, over the last few weeks we have experienced an issue where email gets "backed up" in the mail queue and EFA seems to scan mail multiple times, then categorises it as other?
Please see attachment.
Email not being delivered - scanned multiple times
Attachment: efa_error.png (130.15 KiB)
Re: Email not being delivered - scanned multiple times
After a bit more digging it appears that clamd is not running and throwing errors:
[root@mx ~]# clamd
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 65 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 83 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/winnow_malware.yara, error count 2
[root@mx ~]# ps -A | grep clam
[root@mx ~]#
I have removed all of the databases from /var/lib/clamav then run freshclam to update - this downloaded 3 database files.
Overnight, however, the unofficial signatures were downloaded and the problem returned.
As a workaround I have commented out the files listed above in: /etc/clamav-unofficial-sigs/master.conf
MailScanner should stop processing messages when clamd is not running, as looking at the logs MailScanner seems to class all emails as viruses and deletes them as per the screenshot above - claiming "Other infection Y and MailScanner: Message attempted to kill MailScanner"
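As an added example (not part of the original posts): a small filter that reads clamd startup errors like the ones posted above and lists each signature file libclamav refused to load, with the reported error count, the number of yyerror lines seen for it, and the distinct parser messages. The function names and the tab-separated output layout are this example's own, and it assumes database paths contain no spaces.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: summarise which signature files
# libclamav failed to load, reading clamd startup errors on stdin.
# Assumption: database paths contain no spaces.

failed_sig_files() {
    awk '
        # Per-rule parser error: "... yyerror(): <path> line <n> <message>"
        $3 == "yyerror():" {
            path = $4; parsed[path]++
            msg = $0; sub(/^.* line [0-9]+ /, "", msg)   # keep only the message
            if (!((path, msg) in seen)) {
                seen[path, msg] = 1
                reasons[path] = reasons[path] (reasons[path] != "" ? "; " : "") msg
            }
            next
        }
        # Per-file summary: "... failed to parse rules file <path>, error count <n>"
        $3 == "cli_loadyara:" && $4 == "failed" {
            path = $9; sub(/,$/, "", path)
            n = split(path, parts, "/")
            # Columns: file name, reported count, yyerror lines seen, messages
            printf "%s\t%s\t%d\t%s\n", parts[n], $NF, parsed[path], reasons[path]
        }
    '
}

# The clamd output as posted in the thread above.
sample_log() {
    cat <<'EOF'
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 65 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 83 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/winnow_malware.yara, error count 2
EOF
}

sample_log | failed_sig_files
```

The file names in the first column are the ones to look for when excluding signature sets, as the poster did in /etc/clamav-unofficial-sigs/master.conf.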
- shawniverson
Re: Email not being delivered - scanned multiple times
I agree that MailScanner should be more resilient against that.
Unofficial sigs add to the memory overhead; it's possible you may need to boost the amount of memory in the host (this won't be apparent watching top).
Re: Email not being delivered - scanned multiple times
OP: I'm seeing this too. Was there a fix?
Re: Email not being delivered - scanned multiple times
I did a lot of work to "fix" the issue; however, an increase of RAM and removal of the signatures as mentioned fixed it.
Re: Email not being delivered - scanned multiple times
Recently I had this issue.
This post saved my life!!!
Re: Email not being delivered - scanned multiple times
I know this is from an old thread, but I can confirm that this issue has come back on build 3.0.2.6. As soon as I upgraded to this build I stopped getting email and clamd would not stay running. The process would start and then just stop. Tried cleaning up the databases and running freshclam. Once I reverted back to 3.0.2.5 everything works fine.
Re: Email not being delivered - scanned multiple times
As for the mentioned yar(a) errors in this old post, you did read? viewtopic.php?f=13&t=2928&start=25
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams