EMOS-ClamAV过期-处理过程.doc

EMOS ClamAV过期 处理过程 说明ClamAV 在北京时间2016年10月22日凌晨提供的病毒库更新，有可能使某些版本 clamd 不能提供扫描服务及 clamscan 工作模式异常。根据Amavisd-new配置，这现象将导致邮件队列堆积。按照以下步骤解决问题后，用户已通过WebMail、客户端发送的邮件无需重新发送。目前可推测受影响的 程序版本 为 0.97，病毒库日期 为 22日及以后。根据官方对版本的公告，0.97版本(引擎程序，非病毒库)已不再更新及支持，所以建议ClamAV使用者均更新到0.98及以后的版本(最新为0.99)。相关报错：/var/log/clamav/clamd.log/var/log/clamav/freshclam.log在重启 clamd 服务时标准错误输出LibClamAV Error: mpool_malloc(): Attempt to allocate 8388608 bytes. Please report to 相关链接：/pipermail/clamav-users/2016-October/003542.html (ClamAV作者回复网友对此次故障的问题，提醒0.97已终止支持)/pipermail/clamav-announce/2016/000022.html (0.97寿终正寝公告)/questions/810739/clamav-error-mpool-malloc-attempt-to-allocate-8388608-byteshttps:/srad.jp/kawakazu/journal/607032//检查当前 ClamAV 是否有此次报告的故障查看操作系统版本# cat /etc/redhat-release EMOS 1.6 (Community)如果非 EMOS1.6 x86_64 发行版本# uname -aLinux hostname 2.6.32-71.el6.x86_64 #1 SMP Tue Nov 23 06:49:13 CST 2010 x86_64 x86_64 x86_64 GNU/Linux# 以此确认 el5/el6, x86/x86_64查看ClamAV程序/病毒库版本# clamd -VClamAV 0.97/22412/Sun Oct 23 02:00:00 2016# 如上，0.97版本，2016/10/23的病毒库，即为有出问题的程序/病毒库的可能组合查看是否有 clamscan 僵尸进程# ps aux |grep clamclamav 1140 0.9 1.3 440284 109396 ? Rsl May06 2337:04 clamdclamav 1561 0.0 0.0 30956 1660 ? Ss May06 124:10 /usr/bin/freshclam -daemonamavis 12087 1.9 0.0 0 0 ? Z Oct23 5:53 clamscan <defunct>amavis 13286 2.3 0.0 0 0 ? Z Oct23 6:01 clamscan <defunct># . 此处省略多行僵尸进程列表，数量视amavisd调用情况root 19143 0.0 0.0 9196 1228 ? SN Oct23 0:00 /bin/sh /etc/cron.daily/freshclamroot 19144 0.0 0.0 9080 832 ? SN Oct23 0:00 awk -v progname /etc/cron.daily/freshclam progname ? print progname :n? progname=;? ? print; clamav 19145 0.0 0.0 31056 1944 ? SN Oct23 0:05 /usr/bin/freshclam -quiet -datadir=/var/clamav -log=/var/log/clamav/freshclam.log -daemon-notify=/etc/clamd.confamavis 20108 100 1.2 132232 104636 ? R Oct23 4:05 /usr/bin/clamscan -stdout -no-summary -r -tempdir=/var/spool/vscan/tmp /var/spool/vscan/tmp/amavis-20161023T235849-13588/parts# 至此已可初步认为ClamAV有故障问题查看队列有否带 ClamAV 错误的返回状态# mailqB891FBC17B4 8877 Sun Oct 23 04:00:01 (host said: 451 4.5.0 Error in processing, id=13588-07, virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED (in reply to end of DATA command) 续上，观察邮件投递状态# tail -f /var/log/maillogOct 24 00:05:18 hostname amavis13588: (13588-08) (!)killing process 20108 running ClamAV-clamscan (reason: on reading: timed out)Oct 24 00:05:19 hostname amavis13588: (13588-08) (!)process 20108 running ClamAV-clamscan is still alive, using a bigger hammerOct 24 00:05:19 hostname amavis13588: (13588-08) (!)run_av (ClamAV-clamscan): collect_results - reading aborted: timed out at /usr/sbin/amavisd line 3313.Oct 24 00:05:19 hostname amavis13588: (13588-08) (!)ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan collect_results - reading aborted: timed out at /usr/sbin/amavisd line 3313. at (eval 90) line 594.Oct 24 00:05:19 hostname amavis13588: (13588-08) (!)TROUBLE in check_mail: virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILEDOct 24 00:05:19 hostname amavis13588: (13588-08) (!)PRESERVING EVIDENCE in /var/spool/vscan/tmp/amavis-20161023T235849-13588Oct 24 00:05:19 hostname postfix/smtp20080: 48602BC17CE: to=<>, relay=:10024, delay=30199, delays=29809/0.01/0.01/390, dsn=4.5.0, status=deferred (host said: 451 4.5.0 Error in processing, id=13588-08, virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED (in reply to end of DATA command)至此，如上述情况均被发现，则确认当前 ClamAV 发生故障，需要升级解决临时提供不带病毒扫描的邮件投递服务暂停 Amavisd-new 的 ClamAV 调用# vim /etc/amavisd.conf# 注释如下两个配置项.156 157 #av_scanners = (158 # ClamAV-clamd,159 # &ask_daemon, CONTSCAN n, /var/run/clamav/clamd.sock,160 # qr/bOK$/, qr/bFOUND$/,161 # qr/.*?: (?!Infected Archive)(.*) FOUND$/ ,162 #);163 #164 #av_scanners_backup = (165 # ClamAV-clamscan, clamscan,166 # -stdout -no-summary -r -tempdir=$TEMPBASE ,167 # 0, qr/:.*sFOUND$/, qr/.*?: (?!Infected Archive)(.*) FOUND$/ ,168 #);169.重启 Amavisd-new 服务# /etc/init.d/amavisd restartShutting down Mail Virus Scanner (amavisd): Daemon 22260 terminated by SIGTERMStarting Mail Virus Scanner (amavisd): OK 刷新队列# 刷新队列以投递滞留的邮件，临时提供邮件投递服务# postqueue -f解决 ClamAV 故障关闭所有 ClamAV 相关的程序# /etc/init.d/clamd stopStopping Clam AntiVirus Daemon: Hangup# killall -15 freshclam# killall -9 clamscan# ps aux |grep clam |grep -v grep# 直至 grep 无结果下载/升级安装较新版本的 ClamAV相关软件包# rpm -qa |grep clamclamd-0.97-1.el6.rf.x86_64clamav-0.97-1.el6.rf.x86_64clamav-devel-0.97-1.el6.rf.x86_64clamav-db-0.97-1.el6.rf.x86_6# 视当前安装的软件包，已安装的，下载对应较新版本的软件包# wget 下载# el6_x86_64/repofo . 1.el6.rf.x86_64.rpm/repofo . 1.el6.rf.x86_64.rpm/repofo . 1.el6.rf.x86_64.rpm/repofo . 1.el6.rf.x86_64.rpm# 如当前为 el5 或 x86 系统版本，修改 URL 路径中 el6 为 el5, x86_64 为 i386 或 i686# 如 el5_x86 /repoforge/redhat/el5/en/i386/dag/RPMS/clamav-0.98.4-1.el5.rf.i386.rpm# el5_x86_64 el5x86_64el5x86_64# el6_x86 el6i386el6i686# 升级安装# rpm -Uvh clam*.rpm# 启动 clamd 服务# /etc/init.d/clamd restartStopping Clam AntiVirus Daemon: FAILEDStarting Clam AntiVirus Daemon: OK