clamavconnector runs, but exim times out connecting to socket?

Discussion in 'E-mail Discussions' started by quanin, Jan 2, 2012.

  1. quanin

    quanin Well-Known Member

    I decided to give Clamavconnector a try, and it looks to have installed correctly. However, exim times out when connecting to the clamd socket. Exim looks for it in /var/clamd, which is configured in clamd.conf and, yes, works--however, Exim throws this error in paniclog.
    2012-01-02 06:55:20 1RhgNP-0001vr-9Q malware acl condition: clamd: unable to read from socket (Connection timed out)

    Doing a check on the socket itself produces this:
    srw-rw-rw- 1 root root 0 Jan 2 12:22 /var/clamd=

    What you see there is, in fact, a symlink with no actual file to symlink to. Hence--I'd imagine--exim's inability to actually connect.
    From Exim: av_scanner = clamd:/var/clamd
    From clamd.conf: LocalSocket /var/clamd

    I'm not an expert by any means, but I'm fairly sure this isn't supposed to happen. What didn't get done during install process and can I fix it? Any help would be awesome.
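
Added example (not part of the original thread, and not cPanel or ClamAV tooling): a Python probe for the socket path named in the post, `/var/clamd`, that tells apart a missing path, a non-socket file, a socket file with no listener, a daemon that accepts but never answers, and a healthy clamd. The name `probe_clamd`, the status strings and the 5-second default timeout are assumptions made for this example; `zPING` is clamd's null-delimited ping command, answered with `PONG`.

```python
import os
import socket
import stat


def probe_clamd(path="/var/clamd", timeout=5.0):
    """Return (status, detail) for the clamd LocalSocket at `path`."""
    try:
        mode = os.stat(path).st_mode  # follows symlinks, as connect() does
    except FileNotFoundError:
        return ("missing", "no such path, or a symlink whose target is gone")
    if not stat.S_ISSOCK(mode):
        return ("not-a-socket", "path exists but is not a UNIX socket")

    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)
        s.sendall(b"zPING\0")  # clamd command, null-delimited form
        reply = s.recv(64)
    except socket.timeout:
        # Same symptom Exim logs as "unable to read from socket".
        return ("timeout", "no reply from clamd within %.1fs" % timeout)
    except OSError as exc:
        # e.g. ECONNREFUSED: the socket file is left over, nothing listens.
        return ("connect-failed", exc.strerror or str(exc))
    finally:
        s.close()

    if reply.rstrip(b"\0\n") == b"PONG":
        return ("ok", "clamd answered PONG")
    return ("unexpected", repr(reply))


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "/var/clamd"
    status, detail = probe_clamd(target)
    print("%s: %s" % (status, detail))
    sys.exit(0 if status == "ok" else 1)
```

A `timeout` result with a running clamd points at a busy or blocked daemon rather than a wrong path or permissions problem.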
     
  2. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    What you are describing is the same as a known-working ClamAV installation on a test server. To rule out the possibility that perhaps ClamAV was not built completely when you installed the plug-in (this can happen if a memory limit is reached), I would like to ask a few questions:

    1. Does ClamAV work when you try to use it from cPanel (the Virus Scanner option)?

    2. Is the ClamAV service actually running? The following commands should return output similar to the following:

    Code:
    # /scripts/restartsrv_clamd --check
    # /scripts/restartsrv_clamd --status
    clamd (/usr/sbin/clamd) running as root with PID 19858
    3. Is there any chance that a ClamAV RPM package might be installed? Our plug-in builds from source, so an RPM package could cause a conflict. This should return no output:

    Code:
    # rpm -qa|grep -i clam
     
  3. stickbear

    stickbear Member

    Hello,
    I'm another one of the administrators of the server in question.
    We'll take your questions in order.
    1. The virus scanning from within cPanel is working; it's running as we speak.
    2. The service is running; here's the output from the commands you gave us.
    ---begin output---
    root@node1 [~]# /scripts/restartsrv_clamd --check
    root@node1 [~]# /scripts/restartsrv_clamd --status
    clamd (clamd) running as root with PID 28358
    ---end output---
    3. There's no RPM package installed, as seen in the following output.
    ---begin output---
    root@node1 [~]# rpm -qa|grep -i clam
    root@node1 [~]#
    ---end output---
    Any other ideas?
    Thank you for promptly getting back to us.
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Can you please provide several lines around that one in the exim_paniclog file? I'm asking this as they are usually shown in conjunction with these types of entries:

    If that is the case, it's likely being caused by the message being too large to scan.
     
  5. quanin

    quanin Well-Known Member

    2012-01-02 06:55:19 1RhgMu-0001vS-ON malware acl condition: clamd: unable to read from socket (Connection timed out)
    2012-01-02 06:55:20 1RhgNv-0001w1-7l malware acl condition: clamd: unable to read from socket (Connection timed out)
    2012-01-02 06:55:19 1RhgNF-0001vn-LL malware acl condition: clamd: unable to read from socket (Connection timed out)
    2012-01-02 06:55:20 1RhgNP-0001vr-9Q malware acl condition: clamd: unable to read from socket (Connection timed out)
    2012-01-02 06:55:20 1RhgNv-0001vz-7l malware acl condition: clamd: unable to read from socket (Connection timed out)
    2012-01-02 06:55:20 1RhgNJ-0001vp-4e malware acl condition: clamd: unable to read from socket (Connection timed out)
    2012-01-02 07:33:37 1Rhh0k-00027U-Q3 spam acl condition: error reading from spamd socket: Connection timed out
    2012-01-02 17:02:25 1RhpxT-0004MB-FG spam acl condition: cannot parse spamd output
     
    #5 quanin, Jan 3, 2012
    Last edited: Jan 3, 2012
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    To see if you can reduce some of the failure messages in the /var/log/exim_paniclog, please try changing the maximum attachment size that gets scanned in Main >> Service Configuration >> Exim Configuration Editor. At the bottom, there's an option called "SpamAssassin™: Maximum size a message can be before it will not be scanned by SpamAssassin".

    Please keep in mind that the larger the file SpamAssassin has to scan, the longer it will take for scanning and the more CPU intensive it will be.
     
  7. quanin

    quanin Well-Known Member

    Hello,

    I increased the message size in exim.conf to 25600 K (25M), which is the configured default in clamav.conf. Still seeing timeout messages related to SpamACL. Any ideas?
     
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Yep, the best idea is to open up a ticket at this point. I didn't find any resolution besides SpamAssassin being possibly intertwined with the ClamAV issues for the error. Since the suggested resolution I provided didn't fix the issue, please open up a ticket using WHM > Support Center > Contact cPanel or using the link in my signature.
     
  9. quanin

    quanin Well-Known Member

    It's really quite odd. Now, I'm not seeing timeout messages from Clamav's socket--but messages aren't being scanned using Clamav. Now, I'm seeing them primarily with the spamd socket. It's really quite confusing, to say the least.
     
