Can't connect to UNIX socket /var/run/clamav/clamd.socket
 

Hi all,

My configuration is:

kernel: 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:39:22 EDT 2006 x86_64 x86_64 x86_64 GNU/Linux
postfix: 2.3.3-2
dovecot: 1.0-1.1.rc15.fc6
amavisd-new: 2.4.4-2.fc6
clamav: 0.90.1-26.fc6.at

After being up and running for 2 years, or so,
suddenly I get this error message (/var/log/maillog):
...
Aug 1 13:44:42 collaboration amavis[8698]: (08698-02-40) Using (ClamAV-clamd) on dir: CONTSCAN /var/spool/amavisd/tmp/amavis-20080801T134442-08698/parts\n
Aug 1 13:44:42 collaboration amavis[8698]: (08698-02-40) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/tmp/amavis-20080801T134442-08698/parts\n to UNIX socket /var/run/clamav/clamd.socket
Aug 1 13:44:42 collaboration amavis[8698]: (08698-02-40) ClamAV-clamd: Can't send to socket /var/run/clamav/clamd.socket:no such file or directory
...

Have checked the configuration and looks OK.
/etc/amavisd/amavisd.conf:
...
# ### http://www.clamav.net/
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.socket"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ]
...
/etc/clamd.conf:
...
PidFile /var/run/clamav/clamd.pid
LocalSocket /var/run/clamav/clamd.socket
User amavis
...

When I run:
/etc/init.d/clamav start
it start the clamd daemon but there is no
"clamd.pid" nor "clamd.socket" file in /var/run/clamav
only "freshclam.pid".

Running /etc/init.d/clamav status gives me
"clamd {pid 9073} is running" !!!

Where can be the "clamad.pid" and "clamd.socket" located ??

Any ideas for solving this situation ??

From a running process you could try 'lsof -w -n -p 15799' to see everything, 'lsof -w -n -p 15799 -a -d 0-9' for only file descriptors or if you suspect the socket to be in /var try 'lsof -w -n -p 15799 -a +D /var' else try 'netstat -A unix'. But since it did work, are there any errors in the logs?

Which log ? Do you mean clamav log ? It is not turned on.

Could you at least enable logging for testing purposes?

clamav log
 

It seems that clamd daemon starts but the
"clamd.pid" and "clamd.socket" files are created after a huge delay.

clamd.log :
+++ Started at Fri Aug 1 20:09:10 2008
clamd daemon 0.90.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Reading database from ...

Did anyone encountered this behaviour ?

Yes and that's one of the reasons clamd is a daemon process. If you would strace startup you'd see it spends most of its time in reading signatures from the databases and you know how big those are.

This is a known problem with version .90.x of ClamAV. Upgrade (you are WAY behind) and clamd will make the socket available significantly faster.

Is there any way to speed up this process ?
Upgrade clamav or use of another AV ?

The top command shows 97-100 % use of the CPU!!!
Mostly by multiple (amavis) clamscan command and (amavis) clamd.

I don't understand why clamscan is running... Is it called
by amavis daemon as secondary AV program ?

clamscan is called when clamd is not available to amavis.

As I mentioned, the .90.x versions of clamd took a long time (minutes sometimes) to create the socket.

Amavis falls back to clamscan, further slowing down the creation of the socket as the processor is now more loaded with clamd starting and clamscan(s) running.

Either update clamav, or don't start amavis until clamd has created the socket.