Client disconnected (FD 10) after starting clamonacc

[wforumw]

Describe the bug

We have installed the latest version of clamav.
We use clamonacc to use ClamAV's On-Access Scanning feature. After starting the clamonacc daemon we get thousands of Client disconnected (FD 10) in syslog.
But it seams that On-Access Scanning is working. We have tested it with an eicar test file and get
eicar-test.txt: Win.Test.EICAR_HDB-1 FOUND in syslog

Why is syslog filled with with thousands of messages Client disconnected (FD 10) in a very short time?

Tue Sep  3 11:30:01 2024 -> Client disconnected (FD 10)
Tue Sep  3 11:30:01 2024 -> Client disconnected (FD 11)
Tue Sep  3 11:30:01 2024 -> Client disconnected (FD 10)
Tue Sep  3 11:30:01 2024 -> Client disconnected (FD 10)
Tue Sep  3 11:30:01 2024 -> Client disconnected (FD 10)
Tue Sep  3 11:30:02 2024 -> Client disconnected (FD 10)
Tue Sep  3 11:30:02 2024 -> Client disconnected (FD 10)
Tue Sep  3 11:30:02 2024 -> Client disconnected (FD 10)
Tue Sep  3 11:30:02 2024 -> Client disconnected (FD 10)
...

How to reproduce the problem

Run clamd and afterwards run clamonacc daemon

clamconf -n

Config file: clamd.conf

LogFile = "/var/log/clamav/clamd.log"
LogTime = "yes"
LogVerbose = "yes"
LocalSocket = "/run/clamav/clamd.sock"
OnAccessIncludePath = "/home"
OnAccessExcludeUname = "clamav"
OnAccessPrevention = "yes"

Config file: freshclam.conf

LogTime = "yes"
LogVerbose = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseMirror = "database.clamav.net"

clamav-milter.conf not found

Software settings

Version: 1.4.0
Optional features supported: MEMPOOL AUTOIT_EA06 ICONV RAR

Database information

Database directory: /usr/local/share/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 14:32:42 2021
bytecode.cvd: version 335, sigs: 86, built on Tue Feb 27 16:37:24 2024
daily.cld: version 27387, sigs: 2066357, built on Tue Sep 3 10:38:04 2024
Total number of signatures: 8713870

Platform information

uname: Linux 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
Full OS version: No LSB modules are available.
Debian GNU/Linux 12 (bookworm)
zlib version: 1.3.1 (1.3.1), compile flags: a9

Build information

GNU C: 7.5.0 (7.5.0)
sizeof(void*) = 8
Engine flevel: 210, dconf: 210

[wforumw]

Anyone an idea?
Thanks!

[millerick]

I see this happening in response to Kubernetes TCP probes against the the port (definitions below). If there is a way to disable these, I would be very interested to know about them so that they stop filling up our logs.

          ports:
            - name: clamav
              containerPort: 3310
          startupProbe:
            tcpSocket:
              port: clamav
            failureThreshold: 50
            periodSeconds: 2
            initialDelaySeconds: 20
          livenessProbe:
            tcpSocket:
              port: clamav
            failureThreshold: 2
            periodSeconds: 2

[millerick]

If you set LogVerbose = "no" then these Client disconnected messages disappear.

[wforumw]

If you set LogVerbose = "no" then these Client disconnected messages disappear.

Thanks, but I would like to know where these messages are coming from.

[jziftpay]

Any updates on this issue?

I am getting the same thing in my logs on an Oracle Linux 8.9 server. In addition to these error messages my servers CPU utilization starts to spike to the point of the server becoming very unresponsive until I kill the clamonacc process.

I was assuming it was related to the client disconnect messages, but I don't see anyone else mentioning the CPU utilization spikes.

Thank you

[y4kk13]

It's been months. Any updates?

[wforumw]

No, no one can tell me where these errors are coming from