# freshclam spinning off zombie procs



## ericx (Dec 10, 2010)

On the face of it, I'm not overly concerned; but since the last upgrade of clamav (0.96.5), freshclam has been generating zombie processes (roughly one per day). Eventually enough accrue that Nagios notices. Restarting the freshclam daemon clears everything out. The only clue I have is from /var/log/clamav/freshclam.log:


```
** ericx@olivia ** ~ ** Fri Dec 10 10:13:38
$ grep -i warning /var/log/clamav/freshclam.log
      ...
Wed Dec  8 20:53:06 2010 -> WARNING: waitpid() failed: Interrupted system call
Thu Dec  9 00:53:07 2010 -> WARNING: waitpid() failed: Interrupted system call
Thu Dec  9 20:53:10 2010 -> WARNING: waitpid() failed: Interrupted system call
Fri Dec 10 00:53:12 2010 -> WARNING: waitpid() failed: Interrupted system call
```

This is happening on 6 or seven servers most of which are running some variant of 8.1-RELEASE.

Anyone seen this before?


----------



## Giraya (Dec 13, 2010)

Same problem here.

On 6.2-RELEASE and 6.3-RELEASE with ClamAV 0.96.5

Thanks nagios for detecting the zombies.


```
Mon Dec 13 05:48:29 2010 -> Downloading safebrowsing-25858.cdiff [100%]
Mon Dec 13 05:48:46 2010 -> WARNING: waitpid() failed: Interrupted system call
Mon Dec 13 05:48:46 2010 -> safebrowsing.cld updated (version: 25858, sigs: 943340, f-level: 58, builder: google)
```


----------



## quintessence (Dec 13, 2010)

Hello , 

On non-production server I don't have any troubles 


```
clamav-0.96.5 
FreeBSD 9.0-CURRENT i386
```

I have to upgrade from 0.96.3 on some amd64 these days , and I'll update my post with result


----------



## ericx (Dec 15, 2010)

*work around*

I have this consistently setting off alarms on 4 machines. The most obvious common item between these machines is myself; so more then likely it's something I've done.

As a work'around, I wrote a quick and dirty daily periodic to restart freshclam: http://pastie.org/1378045


----------



## derwood (Dec 15, 2010)

From the ClamAV-Users list:
http://comments.gmane.org/gmane.comp.security.virus.clamav.user/35922

I'm seeing it as well on 8.1 using Clamav 0.96.5



```
Received signal: wake up
ClamAV update process started at Tue Dec 14 19:30:23 2010
main.cld is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Downloading daily-12391.cdiff [100%]
WARNING: waitpid() failed: Interrupted system call
daily.cld updated (version: 12391, sigs: 11170, f-level: 58, builder: arnaud)
bytecode.cld is up to date (version: 95, sigs: 19, f-level: 58, builder: edwin)
Database updated (857403 signatures) from database.clamav.net (IP: 168.143.19.95)
Clamd successfully notified about the update.
```

Like Ericx, I've set up a cron to restart freshclam periodically.


----------



## quintessence (Dec 15, 2010)

Hello,

After 2 days on test PC I started to notice same warning in the log 


```
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Downloading daily-12391.cdiff [100%]
WARNING: waitpid() failed: Interrupted system call
daily.cld updated (version: 12391, sigs: 11170, f-level: 58, builder: arnaud)
```

A workaround also can be "to get the status from all child processes that have terminated, without ever waiting" 

I tested with some changes in /usr/ports/security/clamav/work/clamav-0.96.5/freshclam/manager.c by setting WNOHANG option


```
Received signal: wake up
Max retries == 3
ClamAV update process started at Wed Dec 15 11:01:37 2010
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 900
Software version from DNS: 0.96.5
main.cvd version from DNS: 53
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
daily.cvd version from DNS: 12391
daily.cld is up to date (version: 12391, sigs: 11170, f-level: 58, builder: arnaud)
bytecode.cvd version from DNS: 95
bytecode.cld is up to date (version: 95, sigs: 19, f-level: 58, builder: edwin)
```


----------



## ericx (Dec 16, 2010)

I bow to your superior fu. Would you please post the patch when you are comfortable with it?


----------



## Giraya (Dec 16, 2010)

Fixed :

http://www.freebsd.org/cgi/getmsg.cgi?fetch=1163750+0+current/cvs-ports


----------



## quintessence (Dec 17, 2010)

ericx said:
			
		

> I bow to your superior fu. Would you please post the patch when you are comfortable with it?



Hello , didn't post it because it is the opposite ( and may be not correct ? but it works for me ) from the current behaviour ( and it seems the warning were generated because of error in loading new database ) .

Anyway , I'll try the fixed version


----------

