Greg Helledy on 9 Mar 2017 09:19:30 -0800



[PLUG] Error when clamscan runs as cron job


I have set clam antivirus to run as a cron job on the mail directories on our VPS, early Sunday mornings.

When I run the scan manually through the cPanel GUI, it seems to run ok.

When it runs as a cron job, it does seem to run, but throws off several errors, which I get emailed about.

One is this:
ERROR: Can't create temporary directory /usr/local/cpanel/3rdparty/share/clamav/clamav-30dbd4701847fcf97fcfca4946ac8d5d.tmp
Although it seems to still run, as the following lines are like this:
/home/grais40/mail/gra-inc.com/[user]/cur/1464705718.H422761P48248.grainc.arvixevps.com,S=21081:2,Sc: Heuristics.Phishing.Email.SSL-Spoof FOUND
/home/grais40/mail/gra-inc.com/[user]/cur/1437927501.H455459P5273.grainc.arvixevps.com,S=37616:2,Sc: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/grais40/mail/gra-inc.com/[user]/cur/1471109872.M229124P64818.grainc.arvixevps.com,S=20386,W=20645:2,S: Heuristics.Phishing.Email.SSL-Spoof FOUND

Here's the directory listing:
root@grainc [/usr/local/cpanel/3rdparty/share]# ll|grep clamav
drwxrwxr-x  3 clamav clamav 4096 Mar  9 08:15 clamav/
root@grainc [/usr/local/cpanel/3rdparty/share]# cd clamav
root@grainc [/usr/local/cpanel/3rdparty/share/clamav]# ll
total 229440
drwxrwxr-x  3 clamav clamav      4096 Mar  9 08:15 ./
drwxr-xr-x 81 root   root        4096 Jan 31 02:30 ../
-rw-r--r--  1 clamav clamav    524800 Jan 26 21:57 bytecode.cld
-rwxr-xr-x  1 root   root       14905 Feb  6 08:07 copyright*
-rw-r--r--  1 clamav clamav 125229568 Mar  9 08:15 daily.cld
drwxr-xr-x  2 clamav clamav      4096 Feb  6 08:07 .first-install/
-rw-r--r--  1 clamav clamav 109143933 Mar 17  2016 main.cvd
-rw-------  1 clamav clamav      1248 Mar  9 08:15 mirrors.dat

Does that look right? Why would the cron job be unable to create a temporary directory there?

I also get this in separate emails (many of them):

Out of memory: The process “clamscan” was terminated because the system is low on memory.
	

In order to avoid a system crash due to low memory, the kernel terminated the process named “clamscan” with the PID “4329”.
Server 	grainc.arvixevps.com
Primary IP Address 	198.252.67.98
Process Name 	clamscan
Event Time 	Sunday, March 5, 2017 at 9:49:23 AM UTC
PID 	4329
Process UID 	505
Process Username 	grais40
Process Total Virtual Memory 	664648kB
Process Anonymous Resident Set Size 	162700kB
Process File Resident Set Size 	556kB
Process OOM Score 	87
Status 	Out of Memory ⚠
Memory Information 	
Used 	2.32 GB
Available 	507 MB
Installed 	2.81 GB
Load Information 	9.52 9.78 9.75
Uptime 	25 days, 10 hours, 8 minutes, and 17 seconds
IOStat Information 	
avg-cpu: 	%user 	%nice 	%system 	%iowait 	%steal 	%idle
 	1.33 	0.08 	1.11 	0.12 	0.00 	97.37
Device: 	tps 	Blk_read/s 	Blk_wrtn/s 	Blk_read 	Blk_wrtn
sda 	12.88 	517.75 	184.35 	1137245548 	404926808
Top Processes 	
PID 	Owner 	CPU % 	Memory % 	Command
5275 	grais40 	82.43 	17.04 	/usr/local/bin/clamscan --recursive --no-summary --infected --remove /home/grais40/mail
5338 	grais40 	69.97 	16.53 	/usr/local/bin/clamscan --recursive --no-summary --infected --remove /home/grais40/mail
5147 	grais40 	84.49 	10.72 	/usr/local/bin/clamscan --recursive --no-summary --infected --remove /home/grais40/mail
5056 	grais40 	82.02 	5.17 	/usr/local/bin/clamscan --recursive --no-summary --infected --remove /home/grais40/mail
3841 	grais40 	76.15 	4.54 	/usr/local/bin/clamscan --recursive --no-summary --infected --remove /home/grais40/mail

For addtional details, see the attached dmesg log dump.
Preview of “oom_dmesg.txt”
[2196240.669189] [ 5023] 0 5023 56032 24007 3 0 0 spamd child
[2196240.669192] [ 5050] 505 5050 35470 142 5 0 0 crond
[2196240.669194] [ 5052] 505 5052 26517 92 2 0 0 bash
[2196240.669197] [ 5055] 47 5055 18181 295 5 0 0 exim
[2196240.669200] [ 5056] 505 5056 142264 114177 1 0 0 clamscan
[2196240.669204] [ 5071] 32003 5071 34538 266 0 0 0 cpanel_php_fpm
[2196240.669206] [ 5078] 0 5078 25878 358 0 0 0 sshd
[2196240.669209] [ 5079] 74 5079 16895 251 2 0 0 sshd
[2196240.669212] Out of memory: Kill process 4329 (clamscan) score 87 or sacrifice child
[2196240.671762] Killed process 4329, UID 505, (clamscan) total-vm:664648kB, anon-rss:162700kB, file-rss:556kB

I don't understand why there are five (or more) processes triggered by this one cron job with two commands. Is there something wrong with this? If it is right, the only thing I could do is break it up into smaller jobs I guess? Like, users starting with A-D on Sundays, E-H on Mondays, etc.?

Minute 	Hour 	Day 	Month 	Weekday 	Command 	Actions
* 	1 	* 	* 	0 	/usr/local/bin/freshclam --quiet; /usr/local/bin/clamscan --recursive --no-summary --infected --remove /home/grais40/mail 2>/dev/null

I'm probably doing something dumb, but don't know what it is. I asked tech support and they ran it by clicking the button in cPanel, and said "works for me".

Any advice appreciated.


--
Greg Helledy
GRA, Incorporated
P:  +1 215-884-7500
F:  +1 215-884-1385
www.gra.aero
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
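
Added example, not part of the original post: in cron's five-field syntax, the row quoted above (Minute `*`, Hour `1`, Weekday `0`) matches every minute from 01:00 to 01:59 on Sunday, so a new scan starts while earlier ones are still running. The sketch below counts the launches a Minute field produces and wraps a command in a lock so that a second launch exits instead of stacking; `minute_matches` and `run_exclusive` are hypothetical names, not ClamAV or cPanel tools.

```shell
#!/bin/sh
# Added example; function names and any lock path are hypothetical.

# Count how many minutes (0-59) a cron Minute field matches.
# Handles "*", "*/n", "a-b", "a-b/n", single values and comma lists.
minute_matches() {
    field=$1; count=0; m=0
    set -f; old_ifs=$IFS; IFS=,
    set -- $field              # split the comma list without globbing "*"
    IFS=$old_ifs; set +f
    while [ "$m" -le 59 ]; do
        hit=0
        for part in "$@"; do
            step=1
            case $part in */*) step=${part#*/}; part=${part%/*} ;; esac
            case $part in
                '*') lo=0; hi=59 ;;
                *-*) lo=${part%-*}; hi=${part#*-} ;;
                *)   lo=$part; hi=$part ;;
            esac
            if [ "$m" -ge "$lo" ] && [ "$m" -le "$hi" ] &&
               [ $(( (m - lo) % step )) -eq 0 ]; then
                hit=1
            fi
        done
        count=$((count + hit)); m=$((m + 1))
    done
    echo "$count"
}

# Run a command only if no earlier run holds the lock directory.
# mkdir is atomic, so two cron launches cannot both acquire it.
run_exclusive() {
    lock=$1; shift
    if ! mkdir "$lock" 2>/dev/null; then
        echo "previous run still active, skipping" >&2
        return 75              # EX_TEMPFAIL
    fi
    rc=0; "$@" || rc=$?
    rmdir "$lock"
    return "$rc"
}

# Minute field as posted ("*") versus a single start at 01:00 ("0").
echo "minute '*' with hour 1: $(minute_matches '*') launches"
echo "minute '0' with hour 1: $(minute_matches 0) launch"
```

If the wrapper itself is killed, the lock directory is left behind and must be removed by hand; `flock -n` from util-linux avoids that because the lock is released when the process exits.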