ClamAV timeouts RSS

1

I've just recently installed ClamAV, and i've had good results so far. However i'm receiving about 15-20 timeout errors daily. I've increased the timeout setting to 25 seconds, but don't really want to increase further.

Is there anything i can do to speed up the scanning so I don't see as many timeouts? What are people typically using for the timeout setting?

by kcit 1 month ago
2

Hello kcit,

I see that you left a message in the other clamav thread yesterday (https://vamsoft.com/forum/topic/759/clamav-error) so I assume you have already added the "TCPAddr 127.0.0.1" line to the clamd.conf file.

To answer question, 20-30 seconds should be plenty for a scan to finish. If you see the timeout error logged occasionally, I guess it is nothing to worry about, however, if you see this logged for all emails, I recommend testing clamdscan.exe from command line using an EML file. You can download a test EML from the following location, it contains an Eicar antivirus test file:

http://blog.vamsoft.com/wp-content/eicar.zip

password: virustest

Extract the EML file to the same folder where clamdscan resides (c:\clamav\ by default, if you followed the instructions in our article at http://vamsoft.com/r?clamav-article) and issue the following command from a command line:

clamdscan.exe --no-summary --stdout --config-file="c:\clamav\clamd.conf" eicar.eml

Does it time out this way?

In any case, I would suggest that you take a look at the ClamAV logs to see if you can find any explanation for the lengthy scan times. If logging is not enabled in your ClamAV installation, it must be enabled first in the clamd.conf file. For the clamd configuration options, please consult the following article: http://linux.die.net/man/5/clamd.conf. Look for the commands starting with ‘Log’ for the logging options.

I hope this helps.

by Daniel Novak (Vamsoft) 1 month ago
3

Thanks for the tips Daniel. Yes, i did get the loopback address added and that fixed the initial errors.

Logging was enabled. The only thing I see are warnings like this, which do correspond with the timeout errors:
Fri Feb 22 11:36:42 2019 -> WARNING: lstat() failed on: \\?\C:\ClamAV\temp\sce-887BCFB0C8E8353B8F810E1029D00AB9.eml
Fri Feb 22 12:40:33 2019 -> WARNING: lstat() failed on: \\?\C:\ClamAV\temp\sce-127BF4CB982F9D38CC391AE2A739083F.eml

This is not on every email. ClamAV seems to be scanning most things OK, and has even caught some things that ORF wasn't catching thanks to the 3rd party extensions.

Googling around seemed to suggest directory permissions. But clamd and the updater are running as local system, and system has full rights to the C:\ClamAV dir.

Any ideas?

by kcit 1 month ago
4

Do you have any antivirus installed on the ORF server? If so, you should double-check that the path configured for temporary email files (ORF Administration Tool: Blacklists > External Agents > "Path for temporary email files") is excluded from virus checking, otherwise the antivirus may lock/delete the file before ClamAV could scan it.

by Daniel Novak (Vamsoft) 1 month ago
5

Nope, no AV installed on the ORF server. I've increased the timeout to 30 secs, but i still get the occasional (2-3/day) timeout.

by kcit 1 month ago
6

I am seeing the same thing as kcit. No other AV on my server. Time out increased to 30 seconds also added the loopback ip to my configuration. Windows Defender has also been removed from my 2016 Server.

I ran the stand alone test with test file as Daniel suggested and it seemed to work just fine on it's own.

by shooker 1 week ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

Nickname:
Email address (will not be published):
Your comment:

ORF Technical Support

Configuring, installing and troubleshooting ORF.

News & Announcements

Your dose of ORF-related news and announcements.

Everything but ORF

Discuss Exchange and system administration with fellow admins.

Feature Test Program

Feature Test Program discussion. Membership is required to visit this forum.

ORF Beta

Join the great bug hunt of the latest test release.

Customer Service

Stay Informed