# Qmail-scanner and ClamAV problem

## petterg

I've installed Qmail-scanner 1.23 and clamav 0.75.

When a virus infected mail arrives I get this error:

```
X-Qmail-Scanner-1.23st:[some numbers] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2

qmail-inject: fatal: qq temporary problem (#4.3.0)
```

I'm not sure if this is a good thing or not. It's good that when ppl send infected mails, they get an error, but it would be nice if the error was not "temporary", and informed the sender why he get the error.

SOFTLIMIT is 80MB - should be enough.

If I make clamd run as qscand it dies without any error - even when compiled with -debug.

Temparary I've made qmail-scanner run clamscan insted of clamdscan.

Any clues why this problem ocures?

----------

## radulucian

i solved it by applying this quick FAQ:

http://www.clamav.net/faq.html

see if that is the case that applies to you (Q26) and come back with details if you don't manage to have it working.Last edited by radulucian on Thu Nov 18, 2004 11:49 am; edited 1 time in total

----------

## petterg

Softlimit = 80MB should be enough. The faq sugest 40MB.

Clamd is running. As I wrote, if I make clamd run as qscand it dies without any error - even when compiled with -debug.

When making QmS 1.23 run clamscan instead of clamdscan, random virus infected mails passes unchecked through the scanner. The same virus test mail sent 10 times, only got detected 6 times!

I downgraded to QmS 1.16 and everything works, but I'd like to use QmS 1.23 if there was a way to make it work.

----------

## radulucian

i ran into the same problem again and it was solved the same way (the right way)

since the FAQ on the website i quoted seems to change it's numbers here's a quote that would solve your problem

 *Quote:*   

>  Most likely clamd is not running at all, or you are running Qmail-Scanner and clamd under a different uid. If you are running Qmail-Scanner as qscand (default setting) you could put User qscand inside your clamav.conf file and restart clamd. Remember to check that qscand can create clamd.ctl (usually located at /var/run/clamav/clamd.ctl). The same applies to the log file.
> 
> Another possibility is that your softlimit is set too low. Try raising it to 40MB at least.

 

----------

## petterg

I've tried this with 3 servers now. The latest server was installed this weekend, and get the same problem every time!

Downgrading to QmS 1.16 seems to be the only way around.

I've tried running clamav as qscand. I've tried to run QmS as clamav. Softlimit is 80MB.

Aparently the only way to make QmS 1.23 work is to make it use clamscan insted of clamdscan, but then some random viruses passes trough undetected!

Am I the only one to get this problem?

----------

## petterg

Clearly I have permission problems.... For the experiment I made clamd run as root - then everything worked!

The FAQ tells to run clamav (/etc/clamav.conf) run as qscand - which user clamav runs as doesn't seem to make any change. It's the user clamd (/etc/clamd.conf) that makes the stuff work.

The only error I get is from qmail-scanner:

```

clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2

```

Even when clamav is compiled with the extra debug option enabled there is no error messages from it!

----------

## petterg

Can someone please tell me which files clamav / qscand needs access to?

I upgraded perl on a company server today, so qmail-scanner 1.16 does no longer work. QMS 1.24 works only if clamd is running as ROOT!

Somehow the eicar test virus (testmail #2) passes undetected trough the virus check when clamd is running as root. When running as qscand or clamav, clamd returns the error qouted in previous post when sending testmail #2.

Testmail #3 does get detekted when running as root.

----------

## radulucian

try this, if you haven't already, or given up already:

in /etc/conf.d/clamd

change first line to 

START_CLAMD=yes

otherwise clamav online starts the freshclam process that is not detected by qmail_scanner upon execution.

this solved my problem with a default instalation and without any other modifications

----------

## petterg

It's started, otherwise it wouldn't helped much to change the user it runs as. As it works great when running as root, I'm sure the problem is related to file premissions. All the files the documentation refers to I've made world writeable, but still I get the permission problem!

Is there any way to log all files a process tries to access, so I could debug this?

----------

## derheld42

Any idea if the error above could result in email getting dropped?

If that's the case (which I think it is)... qmail with qmail-mail-scanner.pl with spamassassin with clamav shouldn't drop email... Anybody else had this problem?

I think a bug report is in order, but I'm not sure which piece is at fault....

----------

## petterg

As posted - depending on which user it runs as it might drop mails with or withour errors.

----------

## TheSlab

 *petterg wrote:*   

> As posted - depending on which user it runs as it might drop mails with or withour errors.

 

Did you ever figure this out petterg? The other admin on my server did a world update and i've been going crazy the last 6 hours trying to get email working. It's running as root now but I'd really like to not have that. Gonna look at it after I get back Sunday but figured I'd ask first.

----------

## petterg

It's still running as root on all servers I'm adming.

Please post if you find a way to get around this.

----------

## Casshan

Check permissions on:

/var/run/clamav

I had the same problem, and it can't create the pid file :0

----------

## petterg

I've carefully changed the ownership of clamav's run folder and logfolder every time i've changed the username it runs as... to no sucsess.

I've asumed that the folders should be owned by the user clamd is running as. Is that a bad thing?

----------

## Casshan

I have clamd running as the qmaild user I think, whichever one runs the qmail-scanner

----------

## DrUberEgo

Three months later and apparently there's still no fix for this.  :Rolling Eyes: 

I'm in the same boat.  :Mad: 

Here's some steps to reproduce...

1) emerge spamassassin

2) emerge clamav

3) emerge qmail-scanner

4) Spend all day figuring out that clamd and freshclam need to run as user qscand and NOT clamav

    (This is something the ebuild maintainers should take care)

5) Change all qmail/spamassassin AND clamav file/directory and ownership to qscand:qscand

    (which should be taken care of at the ebuild level.)

6) Find out that it still doesn't work!!!

7) Shoot yourself  :Question: 

What the heck is the fix for this???

 it is ***NOT*** permissions or SOFTLIMITs so don't bother suggesting it. Don't believe me?...

Here's proof... clam stuff is running and running as qscand

root@mail:~# ps -elf | grep clam

1 S qscand   18417     1  0  76   0 -  8314 -      18:18 ?        00:00:00 /usr/sbin/clamd

1 S qscand   18419     1  0  75   0 -  3467 pause  18:18 ?        00:00:00 /usr/bin/freshclam -d

0 R root     18616 18246  0  75   0 -   654 -      18:29 pts/7    00:00:00 grep clam

Here are the ownerships of all clam files/directories:

-rw-r--r--  1 root root 193 Oct  9 17:48 /etc/conf.d/clamd

-rwxr-xr-x  1 root root 2037 Oct  9 17:48 /etc/init.d/clamd

lrwxrwxrwx  1 root root 17 Oct  9 16:30 /etc/runlevels/default/clamd -> /etc/init.d/clamd

-rw-r--r--  1 root root 8173 Oct  9 17:59 /etc/clamd.conf

-rw-r--r--  1 root root 3257 Oct  9 18:00 /etc/freshclam.conf

drwxrwxr-x  2 qscand qscand 104 Oct  9 17:56 /var/lib/clamav

-rw-r--r--  1 qscand qscand   97021 Oct  9 17:56 /var/lib/clamav/daily.cvd

-rw-rw-r--  1 qscand qscand 2560365 Oct  9 17:48 /var/lib/clamav/main.cvd

lrwxrwxrwx  1 root root 17 Oct  9 18:18 /var/lib/init.d/started/clamd -> /etc/init.d/clamd

lrwxrwxrwx  1 root root 17 Oct  9 17:33 /var/lib/init.d/softscripts/clamd -> /etc/init.d/clamd

drwxr-xr-x  2 qscand qscand 104 Oct  9 17:48 /var/log/clamav

-rw-r-----  1 qscand qscand 11787 Oct  9 18:18 /var/log/clamav/clamd.log

drwxr-xr-x  2 qscand qscand 168 Oct  9 18:18 /var/run/clamav

-rw-rw----  1 qscand qscand 5 Oct  9 18:18 /var/run/clamav/freshclam.pid

-rw-rw----  1 qscand qscand 5 Oct  9 18:18 /var/run/clamav/clamd.pid

srwxrwxrwx  1 qscand qscand 0 Oct  9 18:18 /var/run/clamav/clamd.sock

-rwxr-xr-x  1 root root 1073 Oct  9 17:48 /usr/bin/clamav-config

-rwxr-xr-x  1 root root 34592 Oct  9 17:48 /usr/bin/clamdscan

-rwxr-xr-x  1 root root 47256 Oct  9 17:48 /usr/bin/freshclam

-rwxr-xr-x  1 root root 55448 Oct  9 17:48 /usr/bin/clamscan

-rwxr-xr-x  1 root root 1676 Oct  6 22:56 /usr/kde/3.4/bin/kmail_clamav.sh

-rwxr-xr-x  1 root root 67152 Oct  9 17:48 /usr/sbin/clamd

-rwxr-xr-x  1 root root 765 Oct  9 17:48 /usr/lib64/libclamav.la

lrwxrwxrwx  1 root root 19 Oct  9 17:48 /usr/lib64/libclamav.so -> libclamav.so.1.0.16

-rw-r--r--  1 root root 274 Oct  9 17:48 /usr/lib64/pkgconfig/libclamav.pc

-rw-r--r--  1 root root 567786 Oct  9 17:48 /usr/lib64/libclamav.a

-rwxr-xr-x  1 root root 314632 Oct  9 17:48 /usr/lib64/libclamav.so.1.0.16

lrwxrwxrwx  1 root root 19 Oct  9 17:48 /usr/lib64/libclamav.so.1 -> libclamav.so.1.0.16

drwxr-xr-x  2 root root 296 Oct  9 17:48 /usr/share/doc/clamav-0.87

-rw-r--r--  1 root root 655 Oct  9 17:48 /usr/share/doc/clamav-0.87/clamav-milter.README.gentoo.gz

-rw-r--r--  1 root root 735 Oct  9 17:50 /usr/share/doc/qmail-scanner-1.25-r1/contrib/test-clamd.pl.gz

-rw-r--r--  1 root root 898 Oct  9 17:48 /usr/share/man/man1/clamdscan.1.gz

-rw-r--r--  1 root root 6838 Oct  9 17:48 /usr/include/clamav.h

So yes, qscand does have accecss to what it needs since I have recursively set

ownership of /var/lib/clamav, /var/log/clamav and /var/run/clamav to qscand:qscand.

Ho yea... the memory problem...

root@mail:~# grep SOFTLIMIT  /var/qmail/control/conf-common

SOFTLIMIT_OPTS="-m 64000000"

So fpppppt if you think that's the problem.

Oh... did I forget to restart something?...

root@mail:~# /etc/init.d/svscan stop

 * Stopping service scan ...                                              [ ok ]

 * Stopping services ...                                                  [ ok ]

 * Stopping service logging ...                                           [ ok ]

root@mail:~# /etc/init.d/clamd stop

 * Stopping clamd ...                                                     [ ok ]

 * Stopping freshclam ...                                                 [ ok ]

root@mail:~# /etc/init.d/spamd stop

 * Stopping spamd ...                                                     [ ok ]

root@mail:~# ps -elf | grep qmail

0 S qmaild   18617     1  0  75   0 -  2038 -      18:29 pts/5    00:00:00 /var/qmail/bin/qmail-smtpd

0 S root     19005 18246  0  76   0 -   653 pipe_w 18:43 pts/7    00:00:00 grep qmail

root@mail:~# kill -TERM 18617

root@mail:~# ps -elf | grep qmail

0 R root     19007 18246  0  77   0 -   653 -      18:43 pts/7    00:00:00 grep qmail

Start everything from scratch...

root@mail:~# /etc/init.d/clamd start

 * Starting clamd ...                                                     [ ok ]

 * Starting freshclam ...                                                 [ ok ]

[1]+  Done                    emacs clamfiles

root@mail:~# /etc/init.d/spamd start

 * Starting spamd ...                                                     [ ok ]

root@mail:~# /etc/init.d/svscan start

 * Starting service scan ...                                              [ ok ]

And yet...

root@mail:/usr/share/doc/qmail-scanner-1.25-r1/contrib# ./test_installation.sh -doit

QMAILQUEUE was not set, defaulting to /var/qmail/bin/qmail-scanner-queue.pl for this test...

Sending standard test message - no viruses...

done!

Sending eicar test virus - should be caught by perlscanner module...

X-Qmail-Scanner-1.25st:[mail112890882871826055] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2

qmail-inject: fatal: qq temporary problem (#4.3.0)

Bad error. qmail-inject died

So it *STILL* doesn't work!

Has anybody figured this out yet?

- Jeff

And, as an aside: The second worst mistake a programmer can make is to produce

general error messages. (The first being no error messages at all; but general messages

are just about as bad.)  Error messages should point out the specific action that

failed and why if at all possible.  This general "corrupt or unknown clamd scanner error or

memory/resource/perms problem" is absolutely useless to the point of being frustrating.

I fixed perm problems and I fixed memory problems. What... am I suppose to guess

what I'm suppose to fix next?  clamdscan (or whatever program is encountering an

error) should log it and *specifically* tell you what it tried to do and couldn't.

----------

## Kooky

I know this is a post from last year but i had the same problem today.

Here is how i solved it:

Clam Config:

USER qscand

chown -R qscand /var/log/clamav

chown -R qscand /var/run/clamav

softlimit 40.....

(all the things that you can read everywhere)

AND:

chmod u+s /var/qmail/bin/qmail-scanner-queue.pl

(and also USE="perlsuid" emerge -avuN perl)

Maybe it will help other people.

Greets Kooky

----------

## Gio

Helped me, thanks Kooky.

----------

## chamont

Kooky you rock. Worked great for me as well. Some random update in the past day or two must have gotten me.

----------

## TheNewb

Took me a long time to figure this out before I found this post...  Many thanks!  Got me up and running.

----------

## lcj

@DrUberEgo

Please check this your setup matches mine:

```

-rws--x--x 1 qscand qscand   3168 Aug  9  2006 /var/qmail/bin/qmail-scanner-queue

-rwxr-xr-x 1 qscand qscand 140111 Dec 27 00:10 /var/qmail/bin/qmail-scanner-queue.pl

```

I was maybe on the same level of frustration, but I had one server running, so I checked the perms once more.

----------

## ycUygB1

Follow the comments of Antarctica here:  http://qmailrocks.thibs.com/qmail-scanner.php,

which worked for me.    To avoid making you click yet another link, here are the instructions:

Using visudo, add

```
ALL ALL=(qscand) NOPASSWD: /var/qmail/bin/qmail-scanner-queue.pl
```

Near line 71, add to /var/qmail/bin/qmail-scanner-queue.pl

```
$ENV{'PATH'}='/bin:/usr/bin';

$whoami = getpwuid($<) || "unknown";

if($whoami ne "qscand") {

    exec("/usr/bin/sudo -u qscand /var/qmail/bin/qmail-scanner-queue.pl") || die;

}
```

Then redo the test, and it should work:

```
# cd /usr/share/doc/qmail-scanner-2.08/contrib/

# ./test_installation.sh -doit --log-details syslog

Sending standard test message - no viruses... 1/4

done!

Sending eicar test virus - should be caught by perlscanner module... 2/4

done!

Sending eicar test virus with altered filename - should only be caught by commercial anti-virus modules (if you have any)... 3/4

done!

Sending bad spam message for anti-spam testing - In case you are using SpamAssassin... 4/4

If you have enabled $sa_quarantine, $sa_delete or $sa_reject the

spam-message wont't arrive to the recipients. But if you have enabled

(good idea!) 'minidebug' or 'debug' you should check

/var/spool/qscan/qmail-queue.log (or where ever you have the log).

        Done!

Finished test. Now go and check Email sent to postmaster@tough-widgets.com and/or the log..

```

Last edited by ycUygB1 on Mon Sep 02, 2013 1:03 pm; edited 1 time in total

----------

