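The virus database update that ClamAV published in the early hours of October 22, 2016 (Beijing time) may leave some versions of clamd unable to provide scanning service and cause clamscan to behave abnormally.
Depending on the Amavisd-new configuration, this causes the mail queue to back up. Once the problem is resolved with the steps below, mail that users have already sent through WebMail or a mail client does not need to be resent.
At present the affected program version is presumed to be 0.97, with a virus database dated the 22nd or later.
According to the official version announcement, version 0.97 (the engine, not the virus database) is no longer updated or supported, so all ClamAV users are advised to update to 0.98 or later (the latest is 0.99).
Related error: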
LibClamAV Error: mpool_malloc(): Attempt to allocate 8388608 bytes. Please report to http://bugs.clamav.net
# cat /etc/redhat-release
EMOS 1.6 (Community)
# uname -a
Linux hostname 2.6.32-71.el6.x86_64 #1 SMP Tue Nov 23 06:49:13 CST 2010 x86_64 x86_64 x86_64 GNU/Linux
# Use this to confirm el5/el6 and x86/x86_64
# clamd -V
ClamAV 0.97/22412/Sun Oct 23 02:00:00 2016
# As above: version 0.97 with the 2016/10/23 virus database is a program/database combination that may be affected
# ps aux |grep clam
clamav 1140 0.9 1.3 440284 109396 ? Rsl May06 2337:04 clamd
clamav 1561 0.0 0.0 30956 1660 ? Ss May06 124:10 /usr/bin/freshclam --daemon
amavis 12087 1.9 0.0 0 0 ? Z Oct23 5:53 [clamscan] <defunct>
amavis 13286 2.3 0.0 0 0 ? Z Oct23 6:01 [clamscan] <defunct>
# ... many lines of zombie processes omitted here; the number depends on how often amavisd invoked the scanner
root 19143 0.0 0.0 9196 1228 ? SN Oct23 0:00 /bin/sh /etc/cron.daily/freshclam
root 19144 0.0 0.0 9080 832 ? SN Oct23 0:00 awk -v progname /etc/cron.daily/freshclam progname {????? print progname ":\n"????? progname="";???? }???? { print; }
clamav 19145 0.0 0.0 31056 1944 ? SN Oct23 0:05 /usr/bin/freshclam --quiet --datadir=/var/clamav --log=/var/log/clamav/freshclam.log --daemon-notify=/etc/clamd.conf
amavis 20108 100 1.2 132232 104636 ? R Oct23 4:05 /usr/bin/clamscan --stdout --no-summary -r --tempdir=/var/spool/vscan/tmp /var/spool/vscan/tmp/amavis-20161023T235849-13588/parts
# At this point ClamAV can tentatively be considered faulty
# mailq
B891FBC17B4 8877 Sun Oct 23 04:00:01 root@mail.xxx.com
(host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=13588-07, virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED (in reply to end of DATA command))
postmaster@xxx.com
# tail -f /var/log/maillog
Oct 24 00:05:18 hostname amavis[13588]: (13588-08) (!)killing process [20108] running ClamAV-clamscan (reason: on reading: timed out)
Oct 24 00:05:19 hostname amavis[13588]: (13588-08) (!)process [20108] running ClamAV-clamscan is still alive, using a bigger hammer
Oct 24 00:05:19 hostname amavis[13588]: (13588-08) (!)run_av (ClamAV-clamscan): collect_results - reading aborted: timed out at /usr/sbin/amavisd line 3313.
Oct 24 00:05:19 hostname amavis[13588]: (13588-08) (!)ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan collect_results - reading aborted: timed out at /usr/sbin/amavisd line 3313. at (eval 90) line 594.
Oct 24 00:05:19 hostname amavis[13588]: (13588-08) (!!)TROUBLE in check_mail: virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED
Oct 24 00:05:19 hostname amavis[13588]: (13588-08) (!)PRESERVING EVIDENCE in /var/spool/vscan/tmp/amavis-20161023T235849-13588
Oct 24 00:05:19 hostname postfix/smtp[20080]: 48602BC17CE: to=<xxx@xxx.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=30199, delays=29809/0.01/0.01/390, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=13588-08, virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED (in reply to end of DATA command))
At this point, if all of the symptoms above have been observed, the ClamAV failure is confirmed and an upgrade is needed to resolve it.
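The checks above can be scripted. The following is an added example, not part of the original page: it tests a clamd -V string for the affected engine/database combination, counts the scanner failures in a maillog, and counts defunct clamscan processes in ps aux output. The function names are hypothetical, and treating 0.97.x point releases like 0.97 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): triage for the symptoms above.

# is_affected "<clamd -V output>": exit 0 = affected combination, 1 = not, 2 = unparseable.
# Assumption: 0.97.x point releases are treated like 0.97 (the page names only 0.97).
is_affected() {
    printf '%s\n' "$1" | awk -F/ '
        BEGIN { rc = 2
                n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= n; i++) mon[m[i]] = i }
        NR == 1 {
            ver = $1; sub(/^ClamAV /, "", ver)            # engine version
            if (split($3, d, " ") != 5 || !(d[2] in mon)) exit   # do not guess
            stamp = sprintf("%04d%02d%02d", d[5], mon[d[2]], d[3])
            old = (ver == "0.97" || index(ver, "0.97.") == 1)
            rc = (old && stamp >= "20161022") ? 0 : 1
        }
        END { exit rc }'
}

# scan_failures <maillog>: prints "<amavis failures> <deferred deliveries>".
scan_failures() {
    awk '
        /amavis\[[0-9]+\]:/ && /TROUBLE in check_mail: virus_scan FAILED/ { a++ }
        /postfix\/smtp\[[0-9]+\]:/ && /status=deferred/ && /ALL VIRUS SCANNERS FAILED/ { p++ }
        END { printf "%d %d\n", a, p }' "$1"
}

# zombie_scans: counts defunct clamscan processes in `ps aux` output on stdin.
zombie_scans() {
    awk '$8 ~ /^Z/ && /\[clamscan\] <defunct>/ { z++ } END { print z + 0 }'
}

# Constructed sample, abridged from the output shown on this page.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Oct 24 00:05:19 hostname amavis[13588]: (13588-08) (!!)TROUBLE in check_mail: virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED
Oct 24 00:05:19 hostname postfix/smtp[20080]: 48602BC17CE: to=<xxx@xxx.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=13588-08, virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED (in reply to end of DATA command))
EOF
if is_affected "ClamAV 0.97/22412/Sun Oct 23 02:00:00 2016"; then
    echo "engine/database combination matches the affected one"
fi
echo "amavis failures / deferred deliveries: $(scan_failures "$sample_log")"
rm -f "$sample_log"
```

On a live host, pass "$(clamd -V)" to is_affected, /var/log/maillog to scan_failures, and pipe ps aux into zombie_scans.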
# vim /etc/amavisd.conf
# Comment out the following two configuration items
...

#@av_scanners = (
#  ['ClamAV-clamd',
#    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
#    qr/\bOK$/, qr/\bFOUND$/,
#    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
#);
#
#@av_scanners_backup = (
#  ['ClamAV-clamscan', 'clamscan',
#    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
#    [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
#);
...
# /etc/init.d/amavisd restart
Shutting down Mail Virus Scanner (amavisd): Daemon [22260] terminated by SIGTERM
Starting Mail Virus Scanner (amavisd): [ OK ]
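# Flush the queue to deliver the held mail and temporarily restore mail delivery (with both scanner entries commented out, this mail is delivered without virus scanning)
# postqueue -f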
# /etc/init.d/clamd stop
Stopping Clam AntiVirus Daemon: Hangup
# killall -15 freshclam
# killall -9 clamscan
# ps aux |grep clam |grep -v grep
# Repeat until grep returns no results
# rpm -qa |grep clam
clamd-0.97-1.el6.rf.x86_64
clamav-0.97-1.el6.rf.x86_64
clamav-devel-0.97-1.el6.rf.x86_64
clamav-db-0.97-1.el6.rf.x86_6
# For each package currently installed, download the corresponding newer package
# Download with wget
# el6_x86_64
http://mirror.bjtu.edu.cn/repofo ... 1.el6.rf.x86_64.rpm
http://mirror.bjtu.edu.cn/repofo ... 1.el6.rf.x86_64.rpm
http://mirror.bjtu.edu.cn/repofo ... 1.el6.rf.x86_64.rpm
http://mirror.bjtu.edu.cn/repofo ... 1.el6.rf.x86_64.rpm
# If the system is el5 or x86, change el6 to el5 and x86_64 to i386 or i686 in the URL path
# e.g. el5_x86 http://mirror.bjtu.edu.cn/repoforge/redhat/[el5]/en/[i386]/dag/RPMS/clamav-0.98.4-1.[el5].rf.[i386].rpm
# el5_x86_64 [el5][x86_64][el5][x86_64]
# el6_x86 [el6][i386][el6][i686]
# Upgrade the installed packages
# rpm -Uvh clam*.rpm
# Start the clamd service
# /etc/init.d/clamd restart
Stopping Clam AntiVirus Daemon: [FAILED]
Starting Clam AntiVirus Daemon: [ OK ]
# vim /etc/amavisd.conf
# Undo the commenting-out described above
# /etc/init.d/amavisd restart
Shutting down Mail Virus Scanner (amavisd): Daemon [20823] terminated by SIGTERM
Starting Mail Virus Scanner (amavisd): [ OK ]
# chkconfig --list |grep clamd
# chkconfig clamd on