Clamavd gone missing

Spotted errors like these in mail.log:

Jan 26 14:04:11 beastie amavis[4126]: (04126-07) (!)run_av
(ClamAV-clamd, built-in i/f): Too many retries to talk to
/var/run/clamav/clamd (Can’t connect to UNIX socket
/var/run/clamav/clamd: No such file or directory) at (eval 99) line

Went for a look to see if the clamavd file was there, and found that
the /var/run/clamav folder was missing

According to Yast clamav was still installed but in an attempt to get
the files back I uninstalled and then reinstalled clamav

Still no clamavd file or /var/run/clamav folder

What provides clamavd if it isn’t clamav?

Any ideas on how I get clamavd back appreciated


Ecky’s Profile:
View this thread:

Typo there, clamd not clamavd … doh at me!

And after re-installing it’s in /usr/sbin not /var/run/clamav so I’m
editing amavisd.conf to suit and seeing how it goes


Ecky’s Profile:
View this thread:

Ecky schrieb:
> Typo there, clamd not clamavd … doh at me!
> And after re-installing it’s in /usr/sbin not /var/run/clamav so I’m
> editing amavisd.conf to suit and seeing how it goes

Don’t. These are two separate things. /usr/sbin/clamd is the actual
program, while /var/run/clamav/clamd is the communication socket for
talking to it. The socket is created by the program once it is running.
So start clamd by entering (as root)

/usr/sbin/rcclamd start

give it a minute or so to get up to speed, and then look again whether
the socket is there with

ls -l /var/run/clamav

If it isn’t, look in in the system log (/var/log/messages) for messages
from clamd telling you why it couldn’t start.


Yeah mate I discovered that didn’t make any difference

Should’ve realised it was a socket, the clue being where it says Can’t
connect to UNIX socket … it’s been one of those days

Restarted clamd a few times and it’s just not creating /var/run/clamd

There are no references to anything related to clam in
/var/log/messages except for some clown on a mongolian ip trying to ssh
in as a user clamd … as well as a hundred or so other users

I’m wondering if maybe clamd has ‘lost’ the privilege to create the
socket somehow

But having said that, when I restart clamd I get this in mail.log

Jan 26 19:45:36 beastie clamd[13498]: Socket file removed.
Jan 26 19:45:36 beastie clamd[13498]: Pid file removed.
Jan 26 19:45:36 beastie clamd[13498]: — Stopped at Mon Jan 26
19:45:36 2009
Jan 26 19:45:41 beastie clamd[16068]: clamd daemon 0.94.2 (OS:
linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 26 19:45:41 beastie clamd[16068]: Running as user root (UID 0, GID

It’s running as root so it should be able to create it, but it’s also
saying it removed a socket file … but what socket file

I haven’t changed anything relating to the mailserver or clamav except
for a couple of blacklist spam regexp’s in amavisd.conf and some
addresses to reject in /etc/postfix/access

None of which ought to affect clamav in this way as far as I’m aware


Ecky’s Profile:
View this thread:

You don’t say what version you are running, but on my older openSUSE
amavis doesn’t talk to a clamav socket file. The communication between
amavis and clamd is via a TCP socket on port 3310, as stated in
amavis.conf. However to confuse things, that clamd does create a Unix
socket but it’s in /var/lib/clamd.

None of this may apply to you as you may be running a more recent
release. But you should look in clamd.conf and amavis.conf to see what
each service is set up to do, and expect, and why you are getting that
line in the log file.

Unfortunately I don’t have a recent release to check for you because I
have put the mailserver upgrade on hold until a kernel with the inotify
bug fix is officially released.


ken_yap’s Profile:
View this thread:

Hi ken

Clamd.conf does have this entry: TCPSocket 3310

I can’t however find anything matching it in amavisd.conf, here are
some entries from amavisd.conf that seem related and may give you some
clue on what I need to do

(I’m running amavisd-new 2.5.1-102.1-x86_64 btw)

$unix_socketname = “$MYHOME/amavisd.sock”; # amavisd-release or

option(s) -p overrides $inet_socket_port and


$inet_socket_port = 10024; # listen on this local TCP port(s)

$inet_socket_port = [10024,10026]; # listen on multiple TCP ports

The $inet_socket_port = 10024 one perhaps?

All it has in the @av_scanners = ( section for clamav is this:

&ask_daemon, "CONTSCAN {}
", “/var/run/clamav/clamd”],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.?: (?!Infected Archive)(.) FOUND$/ ],

Other than the @av_scanners_backup = ( entry I can’t see anything else
that might be related to clamav in there

There is something that seems to indicate it’s still scanning even
though I’m seeing those errors

On starting amavisd:

Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan

Then on mail coming in: Passed CLEAN

If I’m understanding that correctly it means the primary scanner’s
failing so it falls back on the secondary which works, even though
they’re both clamav?


Ecky’s Profile:
View this thread:

The path for clamd’s socket is in /etc/clamd.conf, so do look at it.

The 10024 is for amavis <-> postfix communcation. Not relevant here.

The primary scanner is the one where amavis talks to clamd as a peer,
either through a Unix or TCP socket. If that doesn’t work, it falls back
to the secondary scanner, where amavis forks an instance of clamscan for
each email and attachment. Obviously this is less efficient for large
volumes so the primary method is preferred.

It could be a bug in the release (you still haven’t said what version)
that the socket paths don’t match up in the configs. Or your config
files may have been edited.

PS: Could it be simply that you don’t have clamd running?


ken_yap’s Profile:
View this thread:

I thought you meant the amavis version, the clamav version is

Just had another quick look in clamd.conf ans well as the tcp port you
mentioned in your earlier post I found this:

Path to a local socket file the daemon will listen on.

Default: disabled (must be specified by a user)

LocalSocket /var/lib/clamav/clamd-socket

/var/lib/clamav/clamd-socket DOES exist so I’m guessing that’s what I
should be using

Lo and behold I’d already changed the path in amavisd.conf to that
before I went out, so I must have been on the right track somewhere!

Checked the log and there were no errors whilst I was out, have
restarted everything to be sure and will check again tomorrow

So far though it’s looking like it’s sorted :slight_smile:


Ecky’s Profile:
View this thread:

I meant the version of openSUSE, or did I miss that? Sorry if I did, I
read too fast for my own good sometimes.

Strange how port 3310 didn’t work, it doesn’t matter now.


ken_yap’s Profile:
View this thread:

No more errors when I just checked the log again, there were also
freshclam errors I was getting that are also sorted now

It’s Suse 11 x86_64

I still don’t know why it stopped working, but hey, can’t have

You may remember giving me a lot of help getting it all set up in the
first place ken so once again, many thanks :slight_smile:


Ecky’s Profile:
View this thread: