Same basic errors in each file.
I have logs going to /var/log/
The restart occurs via a script run by cron. However, the output is redirected to /dev/null.
[root@rhel7test ~]# clamconf -n
Checking configuration files in /etc
Config file: clamd.d/scan.conf
------------------------------
LogRotate = "yes"
TemporaryDirectory = "/var/tmp"
TCPSocket = "3310"
TCPAddr = "127.0.0.1"
ReadTimeout = "300"
CommandReadTimeout = "120"
CrossFilesystems disabled
ConcurrentDatabaseReload disabled
User = "clamscan"
ScanArchive disabled
OnAccessIncludePath = "/usr", "/home", "/etc", "/root", "/opt", "/boot", "/tmp"
OnAccessExcludePath = "/opt/splunkforwarder", "/opt/commvault", "/opt/SolarWinds"
OnAccessExcludeUname = "clamscan"
OnAccessRetryAttempts = "3"
Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"
mail/clamav-milter.conf not found
Software settings
-----------------
Version: 0.103.3
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON
Database information
--------------------
Database directory: /var/lib/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 08:32:42 2021
bytecode.cvd: version 333, sigs: 92, built on Mon Mar 8 10:21:51 2021
daily.cvd: version 26505, sigs: 1977345, built on Thu Apr 7 04:25:37 2022
Total number of signatures: 8624864
Platform information
--------------------
uname: Linux 3.10.0-1160.62.1.el7.x86_64 #1 SMP Wed Mar 23 09:04:02 UTC 2022 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.7 (1.2.7), compile flags: a9
platform id: 0x0a217c7c0800000002040805
Build information
-----------------
GNU C: 4.8.5 20150623 (Red Hat 4.8.5-44) (4.8.5)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic
LDFLAGS: -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed -lprelude
Configure: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-milter' '--disable-clamav' '--disable-static' '--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav' '--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath' '--disable-silent-rules' '--enable-clamdtop' '--enable-prelude' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64
-mtune=generic' 'LDFLAGS=-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 124, dconf: 124
Thanks,
Jeff Hoevenaar
-----Original Message-----
From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of G.W. Haywood via clamav-users
Sent: Wednesday, May 4, 2022 8:46 AM
To: Hoevenaar, Jeffrey (GE Aviation, US) via clamav-users <clamav-users@lists.clamav.net>
Cc: G.W. Haywood <clamav@jubileegroup.co.uk>
Subject: EXT: Re: [clamav-users] error files in /
Hi there,
On Wed, 4 May 2022, Hoevenaar, Jeffrey (GE Aviation, US) via clamav-users wrote:
> I am getting these strange files in the root file system "/" on my linux servers.
>
> -rw-r-----. 1 root root 98 Apr 13 08:00 @??E?U
> -rw-r-----. 1 root root 75 Apr 26 08:00 @g6??U
> -rw-r-----. 1 root root 75 Apr 1 08:00 @g)$?U
>
>
> The files contain the error message.
>
> ERROR: ClamClient: Connection to clamd failed, Couldn't resolve host name.
> ClamScanQueue: stopped
Do they all contain the same error message? Two of the files are 75 bytes long, the other one is 98 bytes. The error message in your post is (give or take formatting in an email) 98 bytes. The first line of the error is 75 bytes (with the same proviso).
To connect to clamd, an IP address would be more reliable than a hostname. It wouldn't rely on some flaky name resolution service.
In any case more information is needed. Please could you let us have the output of the command
clamconf -n
cut and pasted into an email so that there are no accidental changes?
> I believe it is occurring when the clam services are restarted each day.
It isn't really necessary to restart those services daily, but it probably won't do any harm and it might help highlight some issues (for example like this one). But I'd be inclined to disable the restarts, at least for a while, just to find out if the restarts really are triggering this.
> Any idea how to route these error messages elsewhere?
It will be easy to do but more information is needed. There are very few reasons to write files in the root directory, and nothing like ClamAV has any business doing that. It might mean there's something wrong with your configuration; it might not be the ClamAV-specific configuration but that's a place to start. ClamAV might be started or restarted by some configuration that's provided by your operating system distribution, and not by ClamAV itself. It would help if you could give us information about that, such as the OS distribution(s), the packages which provide ClamAV, etc. and any local configuration changes made to the distribution defaults. The ideal would be to get any utility (such as one provided by ClamAV) to know where to write its error output (e.g. /var/log/somewhere) before actually doing it.
--
73,
Ged.
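One way to check the file sizes discussed above on an affected host; this is an added example, not part of either message. The helper names (find_stray_clam_files, make_sample_dir) are hypothetical, the marker is the error text quoted in the thread, and a find that supports -maxdepth (GNU or BSD) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). find_stray_clam_files is a
# hypothetical helper name; MARKER is the error text quoted in the thread.
MARKER="ClamClient: Connection to clamd failed"

# List regular files directly under directory $1 whose content contains
# MARKER. Output per file: "<bytes> bytes, <n> line(s): <name>", with
# every non-printable byte in the name shown as "?" so the listing is
# safe to paste into a ticket or e-mail.
find_stray_clam_files() {
    find "$1" -maxdepth 1 -type f -exec sh -c '
        marker=$1; shift
        for f in "$@"; do
            grep -q -F -- "$marker" "$f" 2>/dev/null || continue
            size=$(wc -c < "$f" | tr -d " ")
            lines=$(wc -l < "$f" | tr -d " ")
            name=$(printf "%s" "${f##*/}" | LC_ALL=C tr -c "[:print:]" "?")
            printf "%s bytes, %s line(s): %s\n" "$size" "$lines" "$name"
        done
    ' sh "$MARKER" {} +
}

# Constructed sample directory reproducing the two sizes seen in the thread.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    l1="ERROR: ClamClient: Connection to clamd failed, Couldn't resolve host name."
    printf '%s\n' "$l1" > "$d/$(printf '@g6\001\002U')"
    printf '%s\nClamScanQueue: stopped\n' "$l1" > "$d/$(printf '@\003\004E\005U')"
    printf 'unrelated\n' > "$d/notes.txt"
    printf '%s\n' "$d"
}

# With an argument, scan that directory (e.g. /); without, scan the sample.
if [ "$#" -gt 0 ]; then
    find_stray_clam_files "$1"
else
    sample=$(make_sample_dir) && find_stray_clam_files "$sample"
    rm -rf -- "$sample"
fi
```

A 75-byte, one-line file holds only the ClamClient error; a 98-byte, two-line file also holds the "ClamScanQueue: stopped" line.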
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml