ClamAV timeouts - ORF Forums


1

I've just recently installed ClamAV, and I've had good results so far. However, I'm receiving about 15-20 timeout errors daily. I've increased the timeout setting to 25 seconds, but don't really want to increase it further.

Is there anything I can do to speed up the scanning so I don't see as many timeouts? What are people typically using for the timeout setting?

by kcit 7 months ago
2

Hello kcit,

I see that you left a message in the other clamav thread yesterday (https://vamsoft.com/forum/topic/759/clamav-error) so I assume you have already added the "TCPAddr 127.0.0.1" line to the clamd.conf file.

To answer your question, 20-30 seconds should be plenty for a scan to finish. If you see the timeout error logged occasionally, I guess it is nothing to worry about; however, if you see this logged for all emails, I recommend testing clamdscan.exe from the command line using an EML file. You can download a test EML from the following location; it contains an Eicar antivirus test file:

http://blog.vamsoft.com/wp-content/eicar.zip

password: virustest

Extract the EML file to the same folder where clamdscan resides (c:\clamav\ by default, if you followed the instructions in our article at http://vamsoft.com/r?clamav-article) and issue the following command from a command line:

clamdscan.exe --no-summary --stdout --config-file="c:\clamav\clamd.conf" eicar.eml

Does it time out this way?

In any case, I would suggest that you take a look at the ClamAV logs to see if you can find any explanation for the lengthy scan times. If logging is not enabled in your ClamAV installation, it must be enabled first in the clamd.conf file. For the clamd configuration options, please consult the following article: http://linux.die.net/man/5/clamd.conf. Look for the commands starting with ‘Log’ for the logging options.

I hope this helps.

by Daniel Novak (Vamsoft) 7 months ago
3

Thanks for the tips, Daniel. Yes, I did get the loopback address added and that fixed the initial errors.

Logging was enabled. The only thing I see are warnings like this, which do correspond with the timeout errors:
Fri Feb 22 11:36:42 2019 -> WARNING: lstat() failed on: \\?\C:\ClamAV\temp\sce-887BCFB0C8E8353B8F810E1029D00AB9.eml
Fri Feb 22 12:40:33 2019 -> WARNING: lstat() failed on: \\?\C:\ClamAV\temp\sce-127BF4CB982F9D38CC391AE2A739083F.eml

This is not on every email. ClamAV seems to be scanning most things OK, and has even caught some things that ORF wasn't catching thanks to the 3rd party extensions.

Googling around seemed to suggest directory permissions. But clamd and the updater are running as local system, and system has full rights to the C:\ClamAV dir.

Any ideas?

by kcit 7 months ago
4

Do you have any antivirus installed on the ORF server? If so, you should double-check that the path configured for temporary email files (ORF Administration Tool: Blacklists > External Agents > "Path for temporary email files") is excluded from virus checking, otherwise the antivirus may lock/delete the file before ClamAV could scan it.

by Daniel Novak (Vamsoft) 6 months ago
5

Nope, no AV installed on the ORF server. I've increased the timeout to 30 secs, but I still get the occasional (2-3/day) timeout.

by kcit 6 months ago
6

I am seeing the same thing as kcit. No other AV on my server. Timeout increased to 30 seconds; also added the loopback IP to my configuration. Windows Defender has also been removed from my 2016 Server.

I ran the standalone test with the test file as Daniel suggested and it seemed to work just fine on its own.

by shooker 5 months ago
7

It's come back again ... getting a lot of complaints that PDF attachments are getting corrupted as well.

I have the timeout set up to 35 seconds and it is still doing it. Any thoughts?

by shooker 1 month ago
8

We've been seeing more and more timeouts as well since we moved to version 6. Not sure if that is why. I upgraded to 6.0.1 over the weekend but still see the timeouts.

We are running Exchange 2013 CU23 & have the timeout set to 45 seconds. We had 10 timeouts yesterday and 3 so far today.

Any ideas?

Thanks

by kcit 1 month ago
9

I guess I should have included that ... I'm running on Server 2016 [1809], Exchange 2016 CU12 with ORF 6.0.1

by shooker 1 month ago
10

If you want to find out what is causing the timeout errors, I recommend enabling detailed logging in both ORF and ClamAV. Please follow the steps below:

1) Mark the "Include email file name in messages" checkbox enabled on the "Logging" tab in the External Agents properties window (ORF Administration Tool: Blacklists > External Agents > ClamAV for Windows > Logging)

2) Save the ORF configuration to apply the new settings (Ctrl + S)

3) Edit the clamd.conf file in the ClamAV program directory (default: c:\clamav) and add the following lines to enable logging:

LogFile c:\clamav\clamd.log
LogFileUnlock true
LogTime true
LogClean true
LogVerbose true

4) Save the clamd.conf file

5) Restart the "ClamWin Free Antivirus Scanner Service" (Run > services.msc)

Once you have done the above, you just have to wait for a timeout event. Then you should open the clamd.log file and look for the line with the filename that was logged in the ORF timeout error message (e.g. sce-3659C64098CDCCD1AD71A8E73BB2181C.eml) to see whether ClamAV could process the email without any issues. If so, it might have spent too much time checking the email against all the virus databases - can happen if your server's resources were tied down at the time of arrival.

Receiving 1-10 timeout errors a day can be normal, especially if you receive hundreds or thousands of emails per day.

by Daniel Novak (Vamsoft) 1 month ago
11

@shooker: Never heard about ClamAV corrupting PDFs, this sounds more like an Outlook/Office365 issue. There are plenty of posts about this on the internet.

by Daniel Novak (Vamsoft) 1 month ago
(in reply to this post)

12

By the way, I tend to receive ClamAV timeout errors on ORF lab servers when an email arrives and the clamd service is busy reading updated database files from the c:\clamav\db folder - which can take up to ~60 seconds. In those cases ClamAV fails to scan the incoming email. Here is the log excerpt of such an event:

Wed Jul 31 12:18:09 2019 -> SelfCheck: Database modification detected. Forcing reload.
Wed Jul 31 12:18:11 2019 -> Reading databases from c:\clamav\db
Wed Jul 31 12:19:13 2019 -> Database correctly reloaded (6401020 signatures)
Wed Jul 31 12:19:13 2019 -> WARNING: lstat() failed on: \\?\C:\ORF\email-temp\sce-089191E5AA550FD62761FB314DC0D54A.eml

The "lstat() failed" warning means that ClamAV could not read the temporary .eml file, which - in this case - is because ORF stopped waiting for ClamAV to respond and deleted the file. You could increase the external agent's timeout value to 60-80+ seconds to avoid this, but I would not recommend that honestly - some mail servers may not wait minutes for your mail server to confirm the receipt of the email. Just keep in mind that the ClamAV agent is not the only one that can time out and those 8-20 seconds add up... If you do this anyway, make sure your other External Agents do not have excessive timeout values and lower the DNS timeout setting of ORF to 4-6 seconds (System > DNS > DNS Settings > Advanced).

by Daniel Novak (Vamsoft) 1 month ago
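
Added example (not part of the original posts, and not ORF or ClamAV code): a Python script that reads a clamd.log written with "LogTime true", measures each database reload, and reports whether each "lstat() failed" warning fell inside a reload window, which is the correlation described in posts 10 and 12. The function names, the 5-second grace period and the last sample log line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Sample clamd.log: the first four lines are the excerpt quoted in the post above;
# the last line is constructed to show a failure with no reload nearby.
SAMPLE_LOG = r"""
Wed Jul 31 12:18:09 2019 -> SelfCheck: Database modification detected. Forcing reload.
Wed Jul 31 12:18:11 2019 -> Reading databases from c:\clamav\db
Wed Jul 31 12:19:13 2019 -> Database correctly reloaded (6401020 signatures)
Wed Jul 31 12:19:13 2019 -> WARNING: lstat() failed on: \\?\C:\ORF\email-temp\sce-089191E5AA550FD62761FB314DC0D54A.eml
Wed Jul 31 15:02:40 2019 -> WARNING: lstat() failed on: \\?\C:\ORF\email-temp\sce-00000000000000000000000000000000.eml
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) -> (.*)$")

def parse(log_text):
    """Yield (timestamp, message) for every timestamped log line."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)

def reload_windows(events):
    """Return (start, end) pairs for each completed database reload."""
    windows, start = [], None
    for ts, msg in events:
        if msg.startswith("Reading databases from"):
            start = ts
        elif msg.startswith("Database correctly reloaded") and start:
            windows.append((start, ts))
            start = None
    return windows

def classify_failures(log_text, grace=timedelta(seconds=5)):
    """For each lstat() failure return (eml_name, reload_seconds or None)."""
    events = list(parse(log_text))
    windows = reload_windows(events)
    out = []
    for ts, msg in events:
        if "lstat() failed on:" not in msg:
            continue
        name = msg.rsplit("\\", 1)[-1]  # file name as shown in the ORF timeout error
        hit = next((w for w in windows if w[0] <= ts <= w[1] + grace), None)
        out.append((name, (hit[1] - hit[0]).total_seconds() if hit else None))
    return out

if __name__ == "__main__":
    for name, secs in classify_failures(SAMPLE_LOG):
        print(name, f"during {secs:.0f}s reload" if secs else "no reload nearby")
```

Failures reported with a reload duration point at the signature reload as the cause; failures with none need the per-file check from post 10 instead.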
13

If you want to experiment, you can control the frequency of the signature database "selfchecks" and more via the clamd.conf and freshclam.conf files. You may find the related man pages below:

https://linux.die.net/man/5/clamd.conf
https://linux.die.net/man/5/freshclam.conf

by Daniel Novak (Vamsoft) 1 month ago
14

@Daniel Novak (Vamsoft): I will give those suggestions a try for the other timeouts.

From what I have been able to gather, it seems to be PDFs only from one of our vendors. I tried turning ClamAV off and requested one of them try to resend the file and cc me. The same thing happened with my users but I was able to open it. The same users get other PDFs from other companies and they open just fine. So, I guess there is a glitch in Matrix ... just have to track it down.

by shooker 1 month ago
(in reply to this post)

15

I turned on Clam logging ... let it build up for a couple of hours. I saw the db reload time was around 30 Seconds.

I knocked down the DNS timeout from 8 => 5 seconds.
Bumped up Clam Timeout 35 => 40 Seconds.
Changed the FreshClam interval from 10 => 15 Minutes

So far so good

by shooker 1 month ago
16

@shooker: I am glad to hear that :)

by Daniel Novak (Vamsoft) 1 month ago
(in reply to this post)

17

After looking at the logs my DB reload time is ~50 seconds. With the timeout set to 60 secs I haven't seen a single timeout yet.

I guess the reload time is just a combination of how many 3rd party signatures are being loaded and your server's disk speed.

by kcit 1 month ago
18

@kcit: You can always edit the "C:\clamav\sigupdate\signames.txt" file to remove signature sources that you do not need. This way you can lower the database reload time if necessary.

by Daniel Novak (Vamsoft) 1 month ago
(in reply to this post)
