# amavisd-new not cleaning up after checking mail

## vilkai

I have an interesting problem: after amavisd-new unpacks mail into /var/amavis/tmp and checks it, it removes only

/var/amavis/tmp/amavis-20070419T130811-06098/parts but not the amavis-20070419T130811-06098 directory.

This is a fresh install. Here is amavisd.conf; before pasting the conf file I removed some lines with # because of the text limit in posts.

amavis.conf is the default; I changed only the hostname and domain, and also turned off spam and virus checks:

```

use strict;

# $MYHOME serves as a quick default for some other configuration settings.

# More refined control is available with each individual setting further down.

# $MYHOME is not used directly by the program. No trailing slash!

$MYHOME = '/var/amavis';   # (default is '/var/amavis')

# $mydomain serves as a quick default for some other configuration settings.

# More refined control is available with each individual setting further down.

# $mydomain is never used directly by the program.

$mydomain = 'ddd.com';      # (no useful default)

$myhostname = 'testmail.ddd.com';  # fqdn of this host, default by uname(3)

# Set the user and group to which the daemon will change if started as root

# (otherwise just keeps the UID unchanged, and these settings have no effect):

$daemon_user  = 'amavis';   # (no default;  customary: vscan or amavis)

$daemon_group = 'amavis';   # (no default;  customary: vscan or amavis or sweep)

# Runtime working directory (cwd), and a place where

# temporary directories for unpacking mail are created.

# (no trailing slash, may be a scratch file system)

#$TEMPBASE = $MYHOME;           # (must be set if other config vars use is)

$TEMPBASE = "$MYHOME/tmp";     # prefer to keep home dir /var/amavis clean?

#$db_home = "$MYHOME/db";   # DB databases directory, default "$MYHOME/db"

# $helpers_home sets environment variable HOME, and is passed as option

# 'home_dir_for_helpers' to Mail::SpamAssassin::new. It should be a directory

# on a normal persistent file system, not a scratch or temporary file system

#$helpers_home = $MYHOME;   # (defaults to $MYHOME)

# Run the daemon in the specified chroot jail if nonempty:

#$daemon_chroot_dir = $MYHOME;  # (default is undef, meaning: do not chroot)

#$pid_file  = "$MYHOME/amavisd.pid";  # (default is "$MYHOME/amavisd.pid")

#$lock_file = "$MYHOME/amavisd.lock"; # (default is "$MYHOME/amavisd.lock")

# set environment variables if you want (no defaults):

$ENV{TMPDIR} = $TEMPBASE;       # wise to set TMPDIR, but not obligatory

#...

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)

$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

# MTA SETTINGS, UNCOMMENT AS APPROPRIATE,

# both $forward_method and $notify_method default to 'smtp:[127.0.0.1]:10025'

# POSTFIX, or SENDMAIL in dual-MTA setup, or EXIM V4

# (set host and port number as required; host can be specified

# as an IP address or a DNS name (A or CNAME, but MX is ignored)

$forward_method = 'smtp:[127.0.0.1]:10025';  # where to forward checked mail

$notify_method = $forward_method;            # where to submit notifications

#$os_fingerprint_method = 'p0f:127.0.0.1:2345';  # query p0f-analyzer.pl

$max_servers  =  4;   # number of pre-forked children          (default 2)

$max_requests = 20;   # retire a child after that many accepts (default 10)

$child_timeout=5*60;  # abort child if it does not complete its processing in

                      # approximately n seconds (default: 8*60 seconds)

$smtpd_timeout = 120; # disconnect session if client is idle for too long

                      # (default: 8*60 seconds); should be higher than a

                      # Postfix setting max_idle (default 100s)

 @bypass_virus_checks_maps = (1);  # uncomment to DISABLE anti-virus code

 @bypass_spam_checks_maps  = (1);  # uncomment to DISABLE anti-spam code

@local_domains_maps = ( [".$mydomain"] );  # $mydomain and its subdomains

$inet_socket_port = 10024;        # accept SMTP on this local TCP port

                                  # (default is undef, i.e. disabled)

$inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface

                                  # (default is '127.0.0.1')

@inet_acl = qw(127.0.0.1 [::1]);  # allow SMTP access only from localhost IP

                                  # (default is qw(127.0.0.1 [::1]) )

$DO_SYSLOG = 1;                   # (defaults to 0)

$syslog_ident = 'amavis';     # Syslog ident string (defaults to 'amavis')

$syslog_facility = 'mail';    # Syslog facility as a string

           # e.g.: mail, daemon, user, local0, ... local7, ...

$syslog_priority = 'debug';   # Syslog base (minimal) priority as a string,

           # choose from: emerg, alert, crit, err, warning, notice, info, debug

$LOGFILE = "$MYHOME/amavis.log";  # (defaults to empty, no log)

$log_level = 5;        # (defaults to 0)

$log_recip_templ = undef;  # undef disables by-recipient level-0 log entries

$final_virus_destiny      = D_DISCARD; # (defaults to D_DISCARD)

$final_banned_destiny     = D_BOUNCE;  # (defaults to D_BOUNCE)

$final_spam_destiny       = D_BOUNCE;  # (defaults to D_BOUNCE)

$final_bad_header_destiny = D_PASS;    # (defaults to D_PASS)

# to explicitly list all (or most) possible contents category (ccat) keys:

%final_destiny_by_ccat = (

  CC_VIRUS,      D_DISCARD,

  CC_BANNED,     D_BOUNCE,

  CC_UNCHECKED,  D_PASS,

  CC_SPAM,       D_DISCARD,

  CC_BADH,       D_PASS,

  CC_OVERSIZED,  D_BOUNCE,

  CC_CLEAN,      D_PASS,

  CC_CATCHALL,   D_PASS,

);

@viruses_that_fake_sender_maps = (new_RE(

  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,

  qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,

  qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,

  qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,

  qr'@mm|@MM',    # mass mailing viruses as labeled by f-prot and uvscan

  qr'Worm'i,      # worms as labeled by ClamAV, Kaspersky, etc

# [qr'^(EICAR|Joke\.|Junk\.)'i         => 0],

# [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i  => 0],

  [qr/^/ => 1],   # true by default  (remove or comment-out if undesired)

));

$virus_admin = "abuse\@$mydomain";

$spam_admin = "abuse\@$mydomain";

$mailfrom_notify_admin     = undef;

$mailfrom_notify_recip     = undef;

$mailfrom_notify_spamadmin = undef;

$mailfrom_to_quarantine = '';   # override sender address with null return path

$QUARANTINEDIR = "$MYHOME/quarantine";

$virus_quarantine_method          = 'local:virus-%m';     # default

$spam_quarantine_method           = 'local:spam-%m.gz';   # default

$banned_files_quarantine_method   = 'local:banned-%m';    # default

$bad_header_quarantine_method     = 'local:badh-%m';      # default

$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine

$banned_quarantine_to     = 'banned-quarantine';     # local quarantine

$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine

$spam_quarantine_to       = 'spam-quarantine';       # local quarantine

$X_HEADER_TAG = 'X-Virus-Scanned';   # (default: 'X-Virus-Scanned')

$undecipherable_subject_tag = '***UNCHECKED*** ';  # undef disables it

$defang_virus  = 1;  # default is false: don't modify mail body

$defang_banned = 1;  # default is false: don't modify mail body

$remove_existing_x_scanned_headers = 0; # leave existing X-Virus-Scanned alone

$remove_existing_spam_headers  = 1;     # remove existing spam headers if

               # spam scanning is enabled (default)

@keep_decoded_original_maps = (new_RE(

# qr'^MAIL$',   # retain full original message for virus checking (can be slow)

  qr'^MAIL-UNDECIPHERABLE$',  # retain full mail if it contains undecipherables

  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,

# qr'^Zip archive data',      # don't trust Archive::Zip

));

$banned_filename_re = new_RE(

# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components

  # block certain double extensions anywhere in the base name

  qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,

# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i,  # Class ID extensions - CLSID

  qr'^application/x-msdownload$'i,                  # block these MIME types

  qr'^application/x-msdos-program$'i,

  qr'^application/hta$'i,

# [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed

  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives

# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic

# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.

  qr'^\.(exe-ms)$',                       # banned file(1) types

# qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types

);

# new-style of banned lookup table

$banned_namepath_re = new_RE(

  # block these MIME types

  qr'(?#NO X-MSDOWNLOAD)   ^(.*\t)? M=application/x-msdownload   (\t.*)? $'xmi,

  qr'(?#NO X-MSDOS-PROGRAM)^(.*\t)? M=application/x-msdos-program(\t.*)? $'xmi,

  qr'(?#NO HTA)            ^(.*\t)? M=application/hta            (\t.*)? $'xmi,

# # block rfc2046 MIME types

# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/partial       (\t.*)? $'xmi,

# qr'(?# BLOCK RFC2046 ) ^ (.*\t)? M=message/external-body (\t.*)? $'xmi,

# qr'(?#No Metafile MIME) ^(.*\t)? M=application/x-msmetafile (\t.*)? $'xmi,

# qr'(?#No Metafile MIME) ^(.*\t)? M=image/x-wmf              (\t.*)? $'xmi,

# qr'(?#No Metafile file) ^(.*\t)? T=wmf                      (\t.*)? $'xm,

# # within traditional Unix compressions allow any name and type

# [ qr'(?#rule-3) ^ (.*\t)? T=(Z|gz|bz2)     (\t.*)? $'xmi => 0 ],  # allow

  # within traditional Unix archives allow any name and type

  [ qr'(?#rule-4) ^ (.*\t)? T=(tar|rpm|cpio) (\t.*)? $'xmi => 0 ],  # allow

# # block anything within a zip

# qr'(?#rule-5) ^ (.*\t)? T=zip (\t.*)? (.*\n)+ .* $'xmi,

  # block certain double extensions in filenames

  qr'(?# BLOCK DOUBLE-EXTENSIONS )

     ^ (.*\t)? N= [^\t\n]* \. [^./\t\n]* [A-Za-z] [^./\t\n]* \.

                  (exe|vbs|pif|scr|bat|cmd|com|cpl|dll) \.? (\t.*)? $'xmi,

# # block Class ID (CLSID) extensions in filenames

# qr'(?# BLOCK CLSID-EXTENSIONS )

#    ^ (.*\t)? N= [^\t\n]* \{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}? [^\t\n]* (\t.*)? $'xmi,

# # banned declared names with three or more consecutive spaces

# qr'(?# BLOCK NAMES WITH SPACES )

#    ^ (.*\t)? N= [^\t\n]*  [ ]{3,} 'xmi,

# # within PC archives allow any types or names at any depth

# [ qr'(?#rule-7) ^ (.*\t)? T=(zip|rar|arc|arj|zoo) (\t.*)? $'xmi => 0 ],  # ok

# # within certain archives allow leaf members at any depth if crypted

# [ qr'(?# ALLOW ENCRYPTED )

#      ^ (.*\t)? T=(zip|rar|arj) (.*\n)+ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],

# # allow crypted leaf members regardless of their name or type

# [ qr'(?# ALLOW IF ENCRYPTED )    ^ (.*\t)? A=C (\t.*)? \z'xmi => 0 ],

# # block if any component can not be decoded (is encrypted or bad archive)

# qr'(?# BLOCK IF UNDECIPHERABLE ) ^ (.*\t)? A=U (\t.*)? \z'xmi,

# [ qr'(?# SPECIAL ALLOWANCES - MAGIC NAMES)

#      \A (.*\t)? T=(rpm|cpio|tar|zip|rar|arc|arj|zoo|Z|gz|bz2)

#         \t(.*\t)* N=example\d+[^\t\n]*

#         (\t.*)? $'xmi => 0 ],

  # banned filename extensions (in declared names) anywhere - basic

  qr'(?# BLOCK COMMON NAME EXENSIONS )

     ^ (.*\t)? N= [^\t\n]* \. (exe|vbs|pif|scr|bat|com|cpl) (\t.*)? $'xmi,

# # banned filename extensions anywhere - WinZip vulnerability (pre-V9)

# qr'(?# BLOCK WinZip VULNERABILITY EXENSIONS )

#    ^ (.*\t)? N= [^\t\n]* \. (mim|b64|bhx|hqx|xxe|uu|uue) (\t.*)? $'xmi,

  [ qr'(?# BLOCK EMPTY MIME PART APPLICATION/OCTET-STREAM )

       ^ (.*\t)? M=application/octet-stream \t(.*\t)* T=empty (\t.*)? $'xmi

    => 'DISCARD' ],

# [ qr'(?# BLOCK EMPTY MIME PARTS )

#      ^ (.*\t)? M= [^\t\n]+ \t(.*\t)* T=empty (\t.*)? $'xmi => 'DISCARD' ],

  qr'(?# BLOCK Microsoft EXECUTABLES )

     ^ (.*\t)? T=exe-ms (\t.*)? $'xm,              # banned file(1) type

# qr'(?# BLOCK ANY EXECUTABLE )

#    ^ (.*\t)? T=exe (\t.*)? $'xm,                 # banned file(1) type

# qr'(?# BLOCK THESE TYPES )

#    ^ (.*\t)? T=(exe|lha|tnef|cab|dll) (\t.*)? $'xm,  # banned file(1) types

);

# use old or new style of banned lookup table; not both to avoid confusion

#

# @banned_filename_maps = ();   # to disable old-style

  $banned_namepath_re = undef;  # to disable new-style

%banned_rules = (

  'MYNETS-DEFAULT' => new_RE(   # permissive set of rules for internal hosts

    [ qr'^\.(rpm|cpio|tar)$' => 0 ],  # allow any name/type in Unix archives

    qr'.\.(vbs|pif|scr)$'i,     # banned extension - rudimentary

  ),

  'DEFAULT' => $banned_filename_re,

);

$sql_select_white_black_list = undef;  # undef disables SQL white/blacklisting

$localpart_is_case_sensitive = 0;   # (default is false)

@score_sender_maps = ({  # a by-recipient hash lookup table

  # site-wide opinions about senders (the '.' matches any recipient)

  '.' => [  # the _first_ matching sender determines the score boost

   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist

    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],

    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],

    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],

    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],

    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],

    [qr'^(your_friend|greatoffers)@'i                                => 5.0],

    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],

   ),

#  read_hash("/var/amavis/sender_scores_sitewide"),

   { # a hash-type lookup table (associative array)

     'nobody@cert.org'                        => -3.0,

     'cert-advisory@us-cert.gov'              => -3.0,

     'owner-alert@iss.net'                    => -3.0,

     'slashdot@slashdot.org'                  => -3.0,

     'bugtraq@securityfocus.com'              => -3.0,

     'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,

     'security-alerts@linuxsecurity.com'      => -3.0,

     'mailman-announce-admin@python.org'      => -3.0,

     'amavis-user-admin@lists.sourceforge.net'=> -3.0,

     'spamassassin.apache.org'                => -3.0,

     'notification-return@lists.sophos.com'   => -3.0,

     'owner-postfix-users@postfix.org'        => -3.0,

     'owner-postfix-announce@postfix.org'     => -3.0,

     'owner-sendmail-announce@lists.sendmail.org'   => -3.0,

     'sendmail-announce-request@lists.sendmail.org' => -3.0,

     'donotreply@sendmail.org'                => -3.0,

     'ca+envelope@sendmail.org'               => -3.0,

     'noreply@freshmeat.net'                  => -3.0,

     'owner-technews@postel.acm.org'          => -3.0,

     'ietf-123-owner@loki.ietf.org'           => -3.0,

     'cvs-commits-list-admin@gnome.org'       => -3.0,

     'rt-users-admin@lists.fsck.com'          => -3.0,

     'clp-request@comp.nus.edu.sg'            => -3.0,

     'surveys-errors@lists.nua.ie'            => -3.0,

     'emailnews@genomeweb.com'                => -5.0,

     'yahoo-dev-null@yahoo-inc.com'           => -3.0,

     'returns.groups.yahoo.com'               => -3.0,

     'clusternews@linuxnetworx.com'           => -3.0,

     lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,

     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,

     # soft-blacklisting (positive score)

     'sender@example.net'                     =>  3.0,

     '.example.net'                           =>  1.0,

   },

  ],  # end of site-wide tables

});

@blacklist_sender_maps = ( new_RE(

    qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,

    qr'^(investments|lose_weight_today|market\.alert|money2you|MyGreenCard)@'i,

    qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,

    qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,

    qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,

    qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,

));

$MAXLEVELS = 14;      # (default is undef, no limit)

# Maximum number of extracted files (0 or undef disables the limit)

$MAXFILES = 1500;      # (default is undef, no limit)

$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)

$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)

$MIN_EXPANSION_FACTOR =   5;  # times original mail size  (default is 5)

$MAX_EXPANSION_FACTOR = 500;  # times original mail size  (default is 500)

# expiration time of cached results: time to live in seconds

#   (how long the result of a virus/spam test remains valid)

$virus_check_negative_ttl=  3*60; # time to remember that mail was not infected

$virus_check_positive_ttl= 30*60; # time to remember that mail was infected

$spam_check_negative_ttl = 30*60; # time to remember that mail was not spam

$spam_check_positive_ttl = 30*60; # time to remember that mail was spam

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin:/opt/bin';

$file   = 'file';   # file(1) utility; use 3.41 or later to avoid vulnerability

$dspam  = 'dspam';

@decoders = (

  ['mail', \&do_mime_decode],

  ['asc',  \&do_ascii],

  ['uue',  \&do_ascii],

  ['hqx',  \&do_ascii],

  ['ync',  \&do_ascii],

  ['F',    \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ],

  ['Z',    \&do_uncompress, ['uncompress','gzip -d','zcat'] ],

  ['gz',   \&do_gunzip],

  ['gz',   \&do_uncompress,  'gzip -d'],

  ['bz2',  \&do_uncompress,  'bzip2 -d'],

  ['lzo',  \&do_uncompress,  'lzop -d'],

  ['rpm',  \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ],

  ['cpio', \&do_pax_cpio,   ['pax','gcpio','cpio'] ],

  ['tar',  \&do_pax_cpio,   ['pax','gcpio','cpio'] ],

  ['tar',  \&do_tar],

  ['deb',  \&do_ar,          'ar'],

# ['a',    \&do_ar,          'ar'],  # unpacking .a seems an overkill

  ['zip',  \&do_unzip],

  ['rar',  \&do_unrar,      ['rar','unrar'] ],

  ['arj',  \&do_unarj,      ['arj','unarj'] ],

  ['arc',  \&do_arc,        ['nomarch','arc'] ],

  ['zoo',  \&do_zoo,         'zoo'],

  ['lha',  \&do_lha,         'lha'],

# ['doc',  \&do_ole,         'ripole'],

  ['cab',  \&do_cabextract,  'cabextract'],

  ['tnef', \&do_tnef_ext,    'tnef'],

  ['tnef', \&do_tnef],

  ['exe',  \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ],

);

# SpamAssassin settings

$sa_local_tests_only = 0;   # only tests which do not require internet access?

#$sa_auto_whitelist = 1;    # turn on AWL in SA 2.63 or older (irrelevant

                            # for SA 3.0, its cf option is use_auto_whitelist)

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger

             # (less than 1% of spam is > 64k)

             # default: undef, no limitations

# default values, customarily used in the @spam_*_level_maps as the last entry

$sa_tag_level_deflt  = 2.0; # add spam info headers if at, or above that level;

             # undef is interpreted as lower than any spam level

$sa_tag2_level_deflt = 6.31;# add 'spam detected' headers at that level to

                            # passed mail, adding address extensions;

$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions

             # at or above that level: bounce/reject/drop,

             # quarantine

$sa_dsn_cutoff_level = 9;   # spam level beyond which a DSN is not sent,

                            # effectively turning D_BOUNCE into D_DISCARD;

                            # undef disables this feature and is a default;

# see also $sa_quarantine_cutoff_level above, which only controls quarantining

# string to prepend to Subject header field when message exceeds tag2 level

$sa_spam_subject_tag = '***SPAM*** ';   # (defaults to undef, disabled)

              # (only seen when spam is passed and recipient is

                             # in local_domains*)

$sa_spam_modifies_subj = 1; # in @spam_modifies_subj_maps, default is true

# Example: modify Subject for all local recipients except user@example.com

#@spam_modifies_subj_maps = ( [qw( !user@example.com . )] );

#$sa_spam_level_char = '*';  # char for X-Spam-Level bar, defaults to '*';

              # undef or empty disables inserting X-Spam-Level

#$sa_spam_report_header = 0; # insert X-Spam-Report header field? default false

# stop anti-virus scanning when the first scanner detects a virus?

#$first_infected_stops_scan = 1;  # default is false, all scanners in a section

                                  # are called

@av_scanners = (

  ### http://www.kaspersky.com/  (kav4mailservers)

  ['KasperskyLab AVP - aveclient',

    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',

     '/opt/kav/bin/aveclient','aveclient'],

    '-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,

    qr/(?:INFECTED|SUSPICION) (.+)/,

  ],

  ### http://www.kaspersky.com/

  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],

    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?

    qr/infected: (.+)/,

    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},

    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},

  ],

  ### The kavdaemon and AVPDaemonClient have been removed from Kaspersky

  ### products and replaced by aveserver and aveclient

  ['KasperskyLab AVPDaemonClient',

    [ '/opt/AVP/kavdaemon',       'kavdaemon',

      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',

      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',

      '/opt/AVP/avpdc', 'avpdc' ],

    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],

    # change the startup-script in /etc/init.d/kavd to:

    #   DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"

    #   (or perhaps:   DPARMS="-I0 -Y -* /var/amavis" )

    # adjusting /var/amavis above to match your $TEMPBASE.

    # The '-f=/var/amavis' is needed if not running it as root, so it

    # can find, read, and write its pid file, etc., see 'man kavdaemon'.

    # defUnix.prf: there must be an entry "*/var/amavis" (or whatever

    #   directory $TEMPBASE specifies) in the 'Names=' section.

    # cd /opt/AVP/DaemonClients; configure; cd Sample; make

    # cp AvpDaemonClient /opt/AVP/

    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"

  ### http://www.centralcommand.com/

  ['CentralCommand Vexira (new) vascan',

    ['vascan','/usr/lib/Vexira/vascan'],

    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".

    "--vdb=/usr/lib/Vexira/vexira8.vdb --log=/var/log/vascan.log {}",

    [0,3], [1,2,5],

    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ],

    # Adjust the path of the binary and the virus database as needed.

    # 'vascan' does not allow to have the temp directory to be the same as

    # the quarantine directory, and the quarantine option can not be disabled.

    # If $QUARANTINEDIR is not used, then another directory must be specified

    # to appease 'vascan'. Move status 3 to the second list if password

    # protected files are to be considered infected.

  ### http://www.hbedv.com/

  ['H+BEDV AntiVir or the (old) CentralCommand Vexira Antivirus',

    ['antivir','vexira'],

    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,

    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |

         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],

    # NOTE: if you only have a demo version, remove -z and add 214, as in:

    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,

  ### http://www.commandsoftware.com/

  ['Command AntiVirus for Linux', 'csav',

    '-all -archive -packed {}', [50], [51,52,53],

    qr/Infection: (.+)/ ],

  ### http://www.symantec.com/

  ['Symantec CarrierScan via Symantec CommandLineScanner',

    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',

    qr/^Files Infected:\s+0$/, qr/^Infected\b/,

    qr/^(?:Info|Virus Name):\s+(.+)/ ],

  ### http://www.symantec.com/

  ['Symantec AntiVirus Scan Engine',

    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',

    [0], qr/^Infected\b/,

    qr/^(?:Info|Virus Name):\s+(.+)/ ],

    # NOTE: check options and patterns to see which entry better applies

  ### http://www.f-secure.com/products/anti-virus/

  ['F-Secure Antivirus', 'fsav',

    '--dumb --mime --archive {}', [0], [3,8],

    qr/(?:infection|Infected|Suspected): (.+)/ ],

# ### http://www.avast.com/

# ['avast! Antivirus daemon',

#   \&ask_daemon,   # greets with 220, terminate with QUIT

#   ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],

#   qr/\t\[\+\]/, qr/\t\[L\]\t/, qr/\t\[L\]\t([^[ \t\015\012]+)/ ],

# ### http://www.avast.com/

# ['avast! Antivirus - Client/Server Version', 'avastlite',

#   '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],

#   qr/\t\[L\]\t([^[ \t\015\012]+)/ ],

  ['CAI InoculateIT', 'inocucmd',  # retired product

    '-sec -nex {}', [0], [100],

    qr/was infected by virus (.+)/ ],

  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html

  ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)

  ['CAI eTrust Antivirus', 'etrust-wrapper',

    '-arc -nex -spm h {}', [0], [101],

    qr/is infected by virus: (.+)/ ],

    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer

    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783

  ### http://mks.com.pl/english.html

  ['MkS_Vir for Linux (beta)', ['mks32','mks'],

    '-s {}/*', [0], [1,2],

    qr/--[ \t]*(.+)/ ],

  ### http://mks.com.pl/english.html

  ['MkS_Vir daemon', 'mksscan',

    '-s -q {}', [0], [1..7],

    qr/^... (\S+)/ ],

  ### http://www.nod32.com/

  ['ESET Software NOD32 Command Line Interface v 2.51', 'nod32cli',

    '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/ ],

# ### http://www.nod32.com/   old

# ['ESET Software NOD32 - Client/Server Version', 'nod32cli',

#   '-a -r -d recurse --heur standard {}', [0], [10,11],

#   qr/^\S+\s+infected:\s+(.+)/ ],

# ### http://www.nod32.com/   old

# ['ESET Software NOD32', 'nod32',

#   '--arch --mail {}', [0], [1,10], qr/^object=.*, virus="(.*?)",/ ],

# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31

# ['ESET Software NOD32 Client/Server (NOD32SS)',

#   \&ask_daemon2,    # greets with 200, persistent, terminate with QUIT

#   ["SCAN {}/*\r\n", '127.0.0.1:8448' ],

#   qr/^200 File OK/, qr/^201 /, qr/^201 (.+)/ ],

  ### http://www.norman.com/products_nvc.shtml

  ['Norman Virus Control v5 / Linux', 'nvcc',

    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],

    qr/(?i).* virus in .* -> \'(.+)\'/ ],

  ### http://www.pandasoftware.com/

  ['Panda Antivirus for Linux', ['pavcl'],

    '-nob -nos   -aex -heu -cmp -nbr -nor  -eng {}',

    #'-aut -aex -heu -cmp -nbr -nor -nso -eng {}',

    qr/Number of files infected[ .]*: 0+(?!\d)/,

    qr/Number of files infected[ .]*: 0*[1-9]/,

    qr/Found virus :\s*(\S+)/ ],

  ### http://www.nai.com/

  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',

    '--secure -rv --mime --summary --noboot --mailbox --program --timeout 180 - {}', [0], [13],

    qr/(?x) Found (?:

        \ the\ (.+)\ (?:virus|trojan)  |

        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |

        :\ (.+)\ NOT\ a\ virus)/,

  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},

  # sub {delete $ENV{LD_PRELOAD}},

  ],

  # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before

  # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6

  # and then clear it when finished to avoid confusing anything else.

  # NOTE2: to treat encrypted files as viruses replace the [13] with:

  #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/

  ### http://www.virusbuster.hu/en/

  ['VirusBuster', ['vbuster', 'vbengcl'],

    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],

    qr/: '(.*)' - Virus/ ],

  # VirusBuster Ltd. does not support the daemon version for the workstation

  # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of

  # binaries, some parameters AND return codes have changed (from 3 to 1).

  # See also the new Vexira entry 'vascan' which is possibly related.

# ### http://www.virusbuster.hu/en/

# ['VirusBuster (Client + Daemon)', 'vbengd',

#   '-f -log scandir {}', [0], [3],

#   qr/Virus found = (.*);/ ],

# # HINT: for an infected file it always returns 3,

# # although the man-page tells a different story

  ### http://www.cyber.com/

  ['CyberSoft VFind', 'vfind',

    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,

  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},

  ],

  ### http://www.avast.com/

  ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],

    '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/ ],

  ### http://www.ikarus-software.com/

  ['Ikarus AntiVirus for Linux', 'ikarus',

    '{}', [0], [40], qr/Signature (.+) found/ ],

  ### http://www.bitdefender.com/

  ['BitDefender', 'bdc',

    '--arc --mail {}', qr/^Infected files *:0+(?!\d)/,

    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,

    qr/(?:suspected|infected): (.*)(?:\033|$)/ ],

  # consider also: --all --nowarn --alev=15 --flev=15.  The --all argument may

  # not apply to your version of bdc, check documentation and see 'bdc --help'

);

@av_scanners_backup = (

  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV

  ['ClamAV-clamscan', 'clamscan',

    "--stdout --disable-summary -r --tempdir=$TEMPBASE {}",

    [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

  ### http://www.f-prot.com/   - backs up F-Prot Daemon

  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],

    '-dumb -ai -archive -packed -server {}', [0,8], [3,6],

    qr/Infection: (.+)|\s+contains\s+(.+)$/ ],

  ### http://www.trendmicro.com/   - backs up Trophie

  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],

    '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],

  ### http://www.sald.com/, http://drweb.imshop.de/   - backs up DrWebD

  ['drweb - DrWeb Antivirus',

    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],

    '-path={} -al -go -ot -cn -upn -ok-',

    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'],

  ['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],

    '-i1 -xp {}', [0,10,15], [5,20,21,25],

    qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,

    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},

    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},

  ],

);

1;  # insure a defined return
```

The logs say:

```
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) TempDir::strip: /var/amavis/tmp/amavis-20070419T130811-06098
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) rmdir_recursively: /var/amavis/tmp/amavis-20070419T130811-06098/parts, excl=1
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) TIMING [total 183 ms] - SMTP LHLO: 6 (3%)3, SMTP pre-MAIL: 4 (2%)5, mkdir tempdir: 1 (0%)6, create email.txt: 0 (0%)6, SMTP pre-DATA-flush: 4 (2%)8, SMTP DATA: 36 (19%)28, body_digest: 1 (1%)29, gen_mail_id: 1 (0%)29, mkdir parts: 0 (0%)29, mime_decode: 15 (8%)37, get-file-type2: 9 (5%)42, parts_decode: 1 (0%)43, update_cache: 8 (4%)47, decide_mail_destiny: 2 (1%)48, fwd-connect: 13 (7%)55, fwd-xforward: 1 (0%)55, fwd-mail-from: 2 (1%)56, fwd-rcpt-to: 3 (1%)58, fwd-data-cmd: 1 (0%)58, write-header: 2 (1%)59, fwd-data-contents: 1 (0%)60, fwd-data-end: 41 (23%)82, fwd-rundown: 2 (1%)84, prepare-dsn: 2 (1%)85, main_log_entry: 24 (13%)98, update_snmp: 2 (1%)98, unlink-2-files: 2 (1%)100, rundown: 0 (0%)100
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) LMTP> 250 2.6.0 Ok, id=06098-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 13ED63101D
Apr 19 13:08:12 testmail postfix/lmtp[6137]: EB90F3101A: to=<admin@ddd.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.23, delays=0.04/0.01/0.01/0.18, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=06098-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 13ED63101D)
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) switch_to_client_time 120 s, smtp response sent
Apr 19 13:08:12 testmail postfix/qmgr[4516]: EB90F3101A: removed
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) idle_proc, 6: was busy, 171.3 ms, total idle 0.001 s, busy 0.184 s
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) idle_proc, 5: was idle, 0.4 ms, total idle 0.002 s, busy 0.184 s
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) LMTP< QUIT\r\n
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) switch_to_my_time     300 s, SMTP QUIT received
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) LMTP> 221 2.0.0 [127.0.0.1] amavisd-new closing transmission channel
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) switch_to_client_time 120 s, smtp response sent
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) SMTP session over, timer stopped
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) exiting process_request
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) post_process_request_hook: timer was not running
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) idle_proc, bye: was busy, 4.2 ms, total idle 0.002 s, busy 0.188 s
Apr 19 13:08:12 testmail amavis[6098]: (06098-01) load: 99 %, total idle 0.002 s, busy 0.188 s
Apr 19 13:08:12 testmail postfix/pipe[6144]: 13ED63101D: to=<admin@ddd.com>, relay=maildrop, delay=0.09, delays=0.05/0.01/0/0.03, dsn=2.0.0, status=sent (delivered via maildrop service)
Apr 19 13:08:12 testmail postfix/qmgr[4516]: 13ED63101D: removed
```

Any ideas?

----------

## magic919

Apparently not such an interesting problem :)

I think you'll find this is a feature.  Each child process (4 max in your config) starts one of these in the tmp directory.  Once the child has done its max requests it should clean up and die and then respawn.

You could lower these and watch it in action if life is quiet.

```
$max_servers  =  4;   # number of pre-forked children          (default 2)
$max_requests = 20;   # retire a child after that many accepts (default 10)
```

----------
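The behaviour described in the answer above can be checked from the shell. The script below is an added example, not part of the thread or of amavisd-new. It assumes, from the log in the question, that work directories are named `amavis-<timestamp>-<pid>`, and it treats a directory whose PID no longer exists as a leftover; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify amavisd-new work directories under $TEMPBASE.
# Assumption (inferred from the log in the question): directories are named
# amavis-<timestamp>-<pid>, where <pid> is the zero-padded PID of the child.

# True if a process with this PID exists. kill -0 sends no signal; it fails
# for PIDs owned by another user, so run this as root or as the amavis user.
pid_alive() {
    kill -0 "$1" 2>/dev/null
}

# Print "<state> <pid> <path>" for each work directory in $1.
# state is "active" (owning child still running) or "orphan" (child is gone).
classify_workdirs() {
    tempbase=$1
    for dir in "$tempbase"/amavis-*-*; do
        [ -d "$dir" ] || continue          # also skips an unexpanded glob
        pid=${dir##*-}                     # text after the last '-'
        case $pid in
            ''|*[!0-9]*) continue ;;       # suffix is not numeric, ignore
        esac
        pid=${pid#"${pid%%[!0]*}"}         # strip zero padding: 06098 -> 6098
        [ -n "$pid" ] || continue          # suffix was all zeros
        if pid_alive "$pid"; then
            echo "active $pid $dir"
        else
            echo "orphan $pid $dir"
        fi
    done
}

# Count the directories in $1 whose state is $2 ("active" or "orphan").
count_state() {
    classify_workdirs "$1" | awk -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# When called with a directory argument, e.g. /var/amavis/tmp, list its state.
if [ "$#" -gt 0 ]; then
    classify_workdirs "$1"
fi
```

With `$max_servers = 4` at most four `active` lines are expected; `orphan` lines are the directories worth investigating.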

