[ZendTo] Error Message When a User Drops of 6GB file. <<< ClamAV 0.103 bug
Jules
Jules at Zend.To
Tue Apr 20 12:57:32 BST 2021
Hi Gavin,
I forcibly installed ClamAV 0.102, then used the yum "versionlock"
plugin to ensure that they were never upgraded automatically.
I'm still running 0.102 as a result.
It sounds like the bug still exists in the most recent version.
Have you got time to report it as a bug? I'm more than a little
surprised that they haven't noticed this one.
BTW Changing the clamd.conf parameters for the maximum size of file to
scan (a few 100K I think) doesn't help at all. It's something to do with
how they mmap() the file. But I never had the time to find exactly what
was wrong, I had a broken production service to fix.
Cheers,
Jules.
On Tue 20/04/21 11:58, Gavin Younger wrote:
>
> Anthony, Jules,
>
> How did you get on here? - seems I've hit the same problem here at
> Newcastle (interestingly it was a 4GB cutoff rather than 6GB) - I
> spent a fruitless afternoon adding more RAM and googling too…
> (should have checked my mailing list messages first!)
>
> Regards,
>
> Gavin Younger,
> Infrastructure Systems,
> IT Service (NUIT),
> Newcastle University
>
> *From:*ZendTo <zendto-bounces at zend.to> *On Behalf Of *Jules via ZendTo
> *Sent:* 26 January 2021 14:43
> *To:* Anthony Wilson <akwilson at sgul.ac.uk>
> *Cc:* Jules <Jules at Zend.To>; Adam Witney <awitney at sgul.ac.uk>; ZendTo
> Users <zendto at zend.to>
> *Subject:* Re: [ZendTo] Error Message When a User Drops of 6GB file.
> <<< ClamAV 0.103 bug
>
> Anthony,
>
> I have just hit the same problem on our installation of ZendTo here at
> Southampton.
>
> I'm cc-ing this to the mailing list as it's going to become a
> widespread problem.
>
> There's a bug in ClamAV 0.103.
> It crashes with a memory allocation failure if you try to scan a file
> bigger than the available RAM in the server/VM.
>
> ClamAV 0.102 works fine.
>
> You can fetch the 0.102 RPMs from here:
>     https://archives.fedoraproject.org/pub/archive/epel/7/x86_64/Packages/c/
>
> Stop the services
>     clamd@scan
>     clam-freshclam
>     clamav-freshclam
> Find all the clamAV RPMs you have installed:
>     rpm -qa | grep -i clam
> Then use "rpm -e" to remove all of them in 1 command. That stops
> dependency problems.
>
> Then fetch the 0.102 versions from the URL above: you want to install
> these
>     clamav
>     clamav-filesystem
>     clamav-lib
>     clamav-update
>     clamd
> Do *not* install "clamav-data".
>
> Edit /etc/clamd.d/scan.conf. There's a commented out line mentioning
> "LocalSocket".
> Uncomment that line.
>
> Edit /etc/freshclam.conf. There's a commented out line mentioning
> "NotifyClamd".
> Uncomment that line so it says
> NotifyClamd /etc/clamd.conf
> and you should find you still have a link in /etc/clamd.conf that
> points to /etc/clamd.d/scan.conf.
>
>
> Delete everything in /var/lib/clamav totally. Just leave it as an
> empty directory.
> Run the command
>     freshclam
> once. Ignore its final complaint about being unable to notify clamd.
> That's because you can't start clamd until freshclam has fetched the
> latest virus signatures for you.
>
> Then enable and start the services as follows:
>     systemctl enable clamd@scan
>     systemctl enable clam-freshclam
>     systemctl start clamd@scan
>
> And you should find the problem goes away again.
>
> If you have the time to report this to the ClamAV maintainers, please
> do. No amount of Googling I did yesterday while fixing this myself,
> produced anything useful. So I suspect they don't know yet.
>
> Cheers,
> Jules.
>
> On Tue 26/01/21 14:24, Anthony Wilson wrote:
>
> Hi Jules
>
> Thank you for your response and apologies for the delay with mine.
>
> I have cc'd the user, who will be able to respond to the console
> task and file size.
>
> Please see below the space available
>
> "Filesystem                   Size  Used Avail Use% Mounted on
> devtmpfs                     3.8G     0  3.8G   0% /dev
> tmpfs                        3.8G     0  3.8G   0% /dev/shm
> tmpfs                        3.8G  377M  3.5G  10% /run
> tmpfs                        3.8G     0  3.8G   0% /sys/fs/cgroup
> /dev/mapper/vg_root-lv_root   91G  4.3G   87G   5% /
> /dev/mapper/dropoff-vol1     300G  9.3G  291G   4% /var/zendto/dropoffs
> /dev/sda1                   1014M  275M  740M  28% /boot
> tmpfs                        777M     0  777M   0% /run/user/0"
>
> Please see the error in the log file similar to the initial issue.
>
> "zendto.log:2021-01-23 19:29:24 172.19.48.98 [ZendTo]: Error:
> Virus scan of dropped-off files
> /var/zendto/incoming/eYzXdXMzGPtngj8o52brEmKoPjnF8e3d.1 for
> awitney failed with
> /var/zendto/incoming/eYzXdXMzGPtngj8o52brEmKoPjnF8e3d.1: Can't
> allocate memory ERROR ----------- SCAN SUMMARY -----------
> Infected files: 0 Total errors: 1 Time: 0.020 sec (0 m 0 s) Start
> Date: 2021:01:23 19:29:24 End Date:   2021:01:23 19:29:24"
>
> Kind regards
>
> Anthony
>
>
> *From:*Jules <Jules at Zend.To> <mailto:Jules at Zend.To>
> *Sent:* 19 January 2021 09:47
> *To:* Anthony Wilson <akwilson at sgul.ac.uk>
> <mailto:akwilson at sgul.ac.uk>
> *Subject:* Re: Error Message When a User Drops of 6GB file.
>
> Hi Anthony,
>
> Can you ask him, when he gets these errors, to take a look in the
> JavaScript console of his web browser and see if anything is
> reported there? He basically needs to show the developer console
> (right-clicking anywhere in the page and doing "Inspect Element"
> is one of the most obvious ways), then click on the "Console" tab
> and ensure it is showing "All" log entries).
>
> Also, does your zendto.log report anything at this point?
> All the output from the virus checker will be logged in there.
>
> As it's a tar.gz file, how big is it when unpacked? Have you got
> enough space in /var/zendto/incoming (and /var/zendto in general),
> and /tmp for the virus scanner to unpack the compressed archive?
> You might be simply running out of temporary disk space that clamd
> needs.
>
> Hope that helps,
> Jules.
>
> On Fri 08/01/21 13:58, Anthony Wilson wrote:
>
> Hi Support
>
> We have a user (Adam) that is receiving a misleading message
> when dropping off a file (see attached). However the user has
> confirmed that the recipient successfully received the files.
>
> The process the user took is shown below
>
> "Hi Anthony Details are 6Gb tar.gz file, unencrypted, being
> uploaded from an NFS share through a Desktop Windows 10
> machine. Uploaded using Edge (not sure the version, but it is
> the new Chrome based one on my SGUL machine) Thanks Adam"
>
> Please can you assist.
>
> Kind regards
>
> Anthony Wilson
> Computing Services
> St Georges - University of London
> Telephone: +44 208 725 5435
> email: akwilson at sgul.ac.uk <mailto:akwilson at sgul.ac.uk>
> website: http://www.sgul.ac.uk/ <http://www.sgul.ac.uk/>
>
>
> Jules
>
> --
> Julian Field MEng CEng CITP MBCS MIEEE MACM
>
> The current UK shipping forecast:
> Forties, Cromarty, Forth, Tyne: Southwest 4 to 6, becoming variable 3, then
> cyclonic 4 to 6 later. Slight or moderate, occasionally rough in Forties.
> Rain. Good, occasionally poor.
>
> www.Zend.To <http://www.Zend.To>
> Twitter: @JulesFM
>
> Jules
> --
> Julian Field MEng CEng CITP MBCS MIEEE MACM
>
> 'Is the Holocaust an aberration, or a reflection of who we really are?'
> - Holocaust Museum, Berlin
>
> www.Zend.To <http://www.Zend.To>
> Twitter: @JulesFM
Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'It's very unlikely indeed he will ever recover consciousness, and
if he does he won't be the Julian you knew.'
- A hospital consultant I proved very wrong in 2007 :-)
www.Zend.To
Twitter: @JulesFM
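
The log entry quoted in this thread pairs "Infected files: 0" with "Total errors: 1", meaning the upload was never actually scanned. The following is an added example, not part of the original messages or of ZendTo, that lists such out-of-memory scan failures from a zendto.log. It assumes each entry is one line laid out like the quoted one; the sample entries, user name and file name are constructed.

```shell
#!/bin/sh
# Added example: list ZendTo virus scans that failed because ClamAV could
# not allocate memory. Those uploads were NOT scanned, even though the
# scan summary says "Infected files: 0".
# Assumption: one log entry per line, laid out like the entry quoted in
# this thread.

# scan_failures [FILE...]   (reads stdin when no file is given)
# Prints: date time user file errors=N
scan_failures() {
    awk '
    /\[ZendTo\]: Error: Virus scan of dropped-off files/ &&
    /Can.t allocate memory/ {
        file = ""; user = ""; errs = "?"
        for (i = 1; i < NF; i++) {
            # path follows "dropped-off files"; keep the first match only
            if ($i == "files" && file == "")            file = $(i + 1)
            # user sits between "for" and "failed"
            if ($i == "for" && $(i + 2) == "failed")    user = $(i + 1)
            # error count from the clamd scan summary
            if ($i == "errors:" && $(i - 1) == "Total") errs = $(i + 1)
        }
        print $1, $2, user, file, "errors=" errs
    }' "$@"
}

# Constructed sample entries (placeholder address, user and file name).
sample_log() {
cat <<'EOF'
2021-01-23 19:29:24 192.0.2.10 [ZendTo]: Error: Virus scan of dropped-off files /var/zendto/incoming/EXAMPLE-PLACEHOLDER.1 for exampleuser failed with /var/zendto/incoming/EXAMPLE-PLACEHOLDER.1: Can't allocate memory ERROR ----------- SCAN SUMMARY ----------- Infected files: 0 Total errors: 1 Time: 0.020 sec (0 m 0 s)
2021-01-23 19:40:02 192.0.2.11 [ZendTo]: Info: constructed unrelated entry
EOF
}

# Demonstration on the constructed sample; pass your own zendto.log instead.
sample_log | scan_failures
```

Any line this prints identifies a drop-off that should be treated as unscanned until it has been rescanned successfully.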