ClamAV timeouts RSS Back to forum
Hello kcit,
I see that you left a message in the other clamav thread yesterday (https://vamsoft.com/forum/topic/759/clamav-error) so I assume you have already added the "TCPAddr 127.0.0.1" line to the clamd.conf file.
To answer question, 20-30 seconds should be plenty for a scan to finish. If you see the timeout error logged occasionally, I guess it is nothing to worry about, however, if you see this logged for all emails, I recommend testing clamdscan.exe from command line using an EML file. You can download a test EML from the following location, it contains an Eicar antivirus test file:
http://blog.vamsoft.com/wp-content/eicar.zip
password: virustest
Extract the EML file to the same folder where clamdscan resides (c:\clamav\ by default, if you followed the instructions in our article at http://vamsoft.com/r?clamav-article) and issue the following command from a command line:
clamdscan.exe --no-summary --stdout --config-file="c:\clamav\clamd.conf" eicar.eml
Does it time out this way?
In any case, I would suggest that you take a look at the ClamAV logs to see if you can find any explanation for the lengthy scan times. If logging is not enabled in your ClamAV installation, it must be enabled first in the clamd.conf file. For the clamd configuration options, please consult the following article: http://linux.die.net/man/5/clamd.conf. Look for the commands starting with ‘Log’ for the logging options.
I hope this helps.
Thanks for the tips Daniel. Yes, i did get the loopback address added and that fixed the initial errors.
Logging was enabled. The only thing I see are warnings like this, which do correspond with the timeout errors:
Fri Feb 22 11:36:42 2019 -> WARNING: lstat() failed on: \\?\C:\ClamAV\temp\sce-887BCFB0C8E8353B8F810E1029D00AB9.eml
Fri Feb 22 12:40:33 2019 -> WARNING: lstat() failed on: \\?\C:\ClamAV\temp\sce-127BF4CB982F9D38CC391AE2A739083F.eml
This is not on every email. ClamAV seems to be scanning most things OK, and has even caught some things that ORF wasn't catching thanks to the 3rd party extensions.
Googling around seemed to suggest directory permissions. But clamd and the updater are running as local system, and system has full rights to the C:\ClamAV dir.
Any ideas?
Do you have any antivirus installed on the ORF server? If so, you should double-check that the path configured for temporary email files (ORF Administration Tool: Blacklists > External Agents > "Path for temporary email files") is excluded from virus checking, otherwise the antivirus may lock/delete the file before ClamAV could scan it.
Nope, no AV installed on the ORF server. I've increased the timeout to 30 secs, but i still get the occasional (2-3/day) timeout.
I am seeing the same thing as kcit. No other AV on my server. Time out increased to 30 seconds also added the loopback ip to my configuration. Windows Defender has also been removed from my 2016 Server.
I ran the stand alone test with test file as Daniel suggested and it seemed to work just fine on it's own.
It's come back again ... getting a lot of complaints that PDF attachments are getting corrupted as well.
I have the timeout set up to 35 Seconds and it is still doing it?? Any thoughts
We've been seeing more and more timeouts as well since we moved to version 6. Not sure if that is why. I upgraded to 6.0.1 over the weekend but still see the timeouts.
We are running Exchange 2013 CU23 & have the timeout set to 45 seconds. We had 10 timeouts yesterday and 3 so far today.
Any ideas?
Thanks
I guess I should have included that ... I'm running on Server 2016 [1809], Exchange 2016 CU12 with ORF 6.0.1
If you want to find out what is causing the timeout errors, I recommend enabling detailed logging in both ORF and ClamAV. Please follow the steps below:
1) Mark the "Include email file name in messages" checkbox enabled on the "Logging" tab in the External Agents properties window (ORF Administration Tool: Blacklists > External Agents > ClamAV for Windows > Logging)
2) Save the ORF configuration to apply the new settings (Ctrl + S)
3) Edit the clamd.conf file in the ClamAV program directory (default: c:\clamav) and add the following lines to enable logging:
LogFile c:\clamav\clamd.log
LogFileUnlock true
LogTime true
LogClean true
LogVerbose true
4) Save the clamd.conf file
5) Restart the "ClamWin Free Antivirus Scanner Service" (Run > services.msc)
Once you have done the above, you just have to wait for a timeout event. Then you should open the clamd.log file and look for the line with the filename that was logged in the ORF timeout error message (e.g. sce-3659C64098CDCCD1AD71A8E73BB2181C.eml) to see whether ClamAV could process the email without any issues. If so, it might have spent too much time checking the email against all the virus databases - can happen if your server's resources were tied down at the time of arrival.
Receiving 1-10 timeout error a day can be normal, especially if you receive hundreds or thousands of emails par day.
@shooker: Never heard about ClamAV corrupting PDFs, this sounds more like an Outlook/Office365 issue. There are plenty of posts about this on the internet.
By the way, I tend to receive ClamAV timeout errors on ORF lab servers when an email arrives and the clamd service is busy reading updated database files from the c:\clamav\db folder - which can take up to ~60 seconds. In those cases ClamAV fails to scan the incoming email. Here is the log excerpt of such an event:
Wed Jul 31 12:18:09 2019 -> SelfCheck: Database modification detected. Forcing reload.
Wed Jul 31 12:18:11 2019 -> Reading databases from c:\clamav\db
Wed Jul 31 12:19:13 2019 -> Database correctly reloaded (6401020 signatures)
Wed Jul 31 12:19:13 2019 -> WARNING: lstat() failed on: \\?\C:\ORF\email-temp\sce-089191E5AA550FD62761FB314DC0D54A.eml
The "lstat() failed" warning means that ClamAV could not read the temporary .eml file, which - in this case - is because ORF stopped waiting for ClamAV to respond and deleted the file. You could increase the external agent's timeout value to 60-80+ seconds to avoid this, but I would not recommend that honestly - some mail servers may not wait minutes for your mail server to confirm the receipt of the email. Just keep in mind that the ClamAV agent is not the only one that can timeout and those 8-20 seconds add up... If you do this anyway, make sure your other External Agents do not have excessive timeout values and lower the DNS timeout setting of ORF to 4-6 seconds (System > DNS > DNS Settings > Advanced).
If you want to experiment, you can control the frequency of the signature database "selfchecks" and more via the clamd.conf and freshclam.conf files. You may find the related man pages below:
https://linux.die.net/man/5/clamd.conf
https://linux.die.net/man/5/freshclam.conf
@Daniel Novak (Vamsoft):
I will give those suggestions a try for the other timeouts.
From what I have been able to gather, it seems to be PDFs only from one of our vendors. I tried turning ClamAV off and requested one of them try to resend the file and cc me. The same thing happened with my users but I was able to open it. The same users get other PDFs from other companies and they open just fine. So, I guess there is a glitch in Matrix ... just have to track it down.
I turned on Clam logging ... let it build up for a couple of hours. I saw the db reload time was around 30 Seconds.
I knocked down the DNS timeout from 8 => 5 seconds.
Bumped up Clam Timeout 35 => 40 Seconds.
Changed the FreshClam interval from 10 => 15 Minutes
So far so good
After looking at the logs my DB reload time is ~50 seconds. With the timeout set to 60 secs I haven't seen a single timeout yet.
I guess the reload time is just a combination of how many 3rd party signatures are being loaded and your server's disk speed.
@kcit: You can always edit the "C:\clamav\sigupdate\signames.txt" file to remove signature sources that you do not need. This way you can lower the database reload time if necessary.
@khyati What setting are you trying to adjust?
If you are wanting to turn on Clam Logging to see what is going on.
Open [with notepad] c:\clamav\Clamd.conf
My Clamd.conf settings:
TCPSocket 3310
TCPAddr 127.0.0.1
MaxThreads 2
SelfCheck 2400
LogFile c:\clamav\clamd.log
LogRotate true
LogFileUnlock true
LogTime true
LogClean true
LogVerbose true
DatabaseDirectory c:\clamav\db
--------------
what this does:
TCPAddr 127.0.0.1 [use loop back address]
Selfcheck 2400 [in seconds = every 40 minutes]
Log* entries: set log file path, rotate log files(new log files), *clean = creates clean new file, *Unlock makes them readable, *Time = Timestamps logs, *Verbose= Detailed.
@khyati:
If you want to change the ClamAV or DNS timeout ...
Open ORF Admin Tool.
ClamAV Timeout:
Go to Blacklists => External Agents.
Highlight ClamAV for Windows, Click [Modify], Click on [Run] tab and adjust the timeout.
DNS timeout:
Go to System => DNS
Click [DNS settings]
Click [Advanced]
Adjust Timeout
@shooker Thanks for the reply , actually I am facing timeout error
#message: "ClamAV scanner client failed with error "Timeout waiting to read response"" in windows
and it's not coming daily but if it's comes so for very small file also it displaying that error.
I've just recently installed ClamAV, and i've had good results so far. However i'm receiving about 15-20 timeout errors daily. I've increased the timeout setting to 25 seconds, but don't really want to increase further.
Is there anything i can do to speed up the scanning so I don't see as many timeouts? What are people typically using for the timeout setting?