LibClamAV Warning: cli_realpath: Invalid arguments. Using --fdpass --multiscan #298

Open
paulhargreaves opened this issue Sep 20, 2021 · 20 comments

@paulhargreaves

sudo clamdscan --fdpass --multiscan --infected /path
LibClamAV Warning: cli_realpath: Invalid arguments.
LibClamAV Warning: cli_realpath: Invalid arguments.
LibClamAV Warning: cli_realpath: Invalid arguments.
LibClamAV Warning: cli_realpath: Invalid arguments.
LibClamAV Warning: cli_realpath: Invalid arguments.
LibClamAV Warning: cli_realpath: Invalid arguments.
LibClamAV Warning: cli_realpath: Invalid arguments.
LibClamAV Warning: cli_realpath: Invalid arguments.
LibClamAV Warning: cli_realpath: Invalid arguments.
LibClamAV Warning: cli_realpath: Invalid arguments.
LibClamAV Warning: cli_realpath: Invalid arguments.
LibClamAV Warning: cli_realpath: Invalid arguments.
^C

Clam AntiVirus: Daemon Client 0.104.0

@paulhargreaves
Author

Removing --multiscan removes the error but limits to a single core.
Removing --fdpass instead allows --multiscan to progress without errors but then gives permissions problems.

@val-ms
Contributor

val-ms commented Nov 10, 2021

I was unable to reproduce this issue. I'm testing with 0.104.1:
image

Which OS are you on?

Can you provide the output of clamconf -n please?

@paulhargreaves
Author

clam.txt
Arch Linux.
Appears to be working correctly with 0.104.1 so I'll close this. Thank you.

@val-ms
Contributor

val-ms commented Nov 11, 2021

That's great news. Thanks @paulhargreaves

@silentcreek

I'd like to follow up on this issue as I'm seeing it on Debian 11 with ClamAV version 0.103.3+dfsg-0+deb11u1 and I'd rather see this fixed there than compiling from source myself.

Some observations that may or may not be helpful:

  1. I only see this issue when I run clamdscan -m --fdpass / on the entire filesystem hierarchy (with some ExcludePath filters in place to take care of special files, such as sockets, etc.). If I manually execute clamdscan individually for every file or directory inside my root directory, then the error/warning does not occur!

  2. When I execute clamdscan with the -v flag, I get a more detailed error message that might actually help:

LibClamAV Warning: cli_realpath: Invalid arguments.
Failed to determine real filename of (null).
Quarantine of the file may fail if file path contains symlinks.

So, it seems an empty file descriptor is passed to clamd... Does anyone have a clue what might be going on here?

  3. I also encountered this bug on Debian 10 which also ships a patched version of ClamAV 0.103.3 (0.103.3+dfsg-0+deb10u1). I first encountered this problem at the time the regression causing a segmentation fault when using --fdpass --multiscan and ExcludePath filters [1] was introduced and the fix in commit 5adef25 was backported to Debian. Before that, I could run a scan on / just fine (granted I have ExcludePath filters in place that take care of special files such as sockets, etc.).
    [1] https://bugzilla.clamav.net/show_bug.cgi?id=12676

@jonasmalacofilho

I'm seeing the same warnings on 0.104.1.

clamconf -n
$ clamconf -n
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
AlertExceedsMax = "yes"
LogFile = "/var/log/clamav/clamd.log"
LogTime = "yes"
PidFile = "/run/clamav/clamd.pid"
TemporaryDirectory = "/tmp"
LocalSocket = "/run/clamav/clamd.ctl"
MaxThreads = "12"
User = "clamav"

Config file: freshclam.conf
---------------------------
PidFile = "/run/clamav/freshclam.pid"
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseMirror = "database.clamav.net"

Config file: clamav-milter.conf
-------------------------------
LogFile = "/var/log/clamav/clamav-milter.log"
LogTime = "yes"
PidFile = "/run/clamav/clamav-milter.pid"
TemporaryDirectory = "/tmp"
User = "clamav"

Software settings
-----------------
Version: 0.104.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR 

Database information
--------------------
Database directory: /var/lib/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 09:32:42 2021
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 12:21:51 2021
daily.cvd: version 26389, sigs: 1951385, built on Thu Dec 16 03:02:49 2021
Total number of signatures: 8598904

Platform information
--------------------
uname: Linux 5.15.7-arch1-1 #1 SMP PREEMPT Wed, 08 Dec 2021 14:33:16 +0000 x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a218d8d08000000000b0100

Build information
-----------------
GNU C: 11.1.0 (11.1.0)
sizeof(void*) = 8
Engine flevel: 141, dconf: 141

Specifically, I see them when I scan the src folder of the Rust code base:

$ clamdscan --multiscan --fdpass --verbose src 
LibClamAV Warning: cli_realpath: Invalid arguments.
Failed to determine real filename of (null).
Quarantine of the file may fail if file path contains symlinks.
LibClamAV Warning: cli_realpath: Invalid arguments.
Failed to determine real filename of (null).
Quarantine of the file may fail if file path contains symlinks.
LibClamAV Warning: cli_realpath: Invalid arguments.
Failed to determine real filename of (null).
Quarantine of the file may fail if file path contains symlinks.
LibClamAV Warning: cli_realpath: Invalid arguments.
Failed to determine real filename of (null).
Quarantine of the file may fail if file path contains symlinks.
LibClamAV Warning: cli_realpath: Invalid arguments.
Failed to determine real filename of (null).
Quarantine of the file may fail if file path contains symlinks.
LibClamAV Warning: cli_realpath: Invalid arguments.
Failed to determine real filename of (null).
Quarantine of the file may fail if file path contains symlinks.
/home/jonas/Code/rust-lang/rust/src/llvm-project/lldb/unittests/SymbolFile/PDB/Inputs/test-pdb.exe: Win.Trojan.Agent-1817571 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 60.671 sec (1 m 0 s)
Start Date: 2021:12:16 21:46:27
End Date:   2021:12:16 21:47:28

But if I let my shell add the immediate descendants of src to the queue, the warnings go away:

$ clamdscan --multiscan --fdpass --verbose src/* 
/home/jonas/Code/rust-lang/rust/src/bootstrap: OK
/home/jonas/Code/rust-lang/rust/src/build_helper: OK
/home/jonas/Code/rust-lang/rust/src/ci: OK
/home/jonas/Code/rust-lang/rust/src/doc: OK
/home/jonas/Code/rust-lang/rust/src/etc: OK
/home/jonas/Code/rust-lang/rust/src/librustdoc: OK
/home/jonas/Code/rust-lang/rust/src/llvm-project/lldb/unittests/SymbolFile/PDB/Inputs/test-pdb.exe: Win.Trojan.Agent-1817571 FOUND
/home/jonas/Code/rust-lang/rust/src/README.md: OK
/home/jonas/Code/rust-lang/rust/src/rustdoc-json-types: OK
/home/jonas/Code/rust-lang/rust/src/stage0.json: OK
/home/jonas/Code/rust-lang/rust/src/test: OK
/home/jonas/Code/rust-lang/rust/src/tools: OK
/home/jonas/Code/rust-lang/rust/src/version: OK

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 59.227 sec (0 m 59 s)
Start Date: 2021:12:16 21:49:46
End Date:   2021:12:16 21:50:45

The tests were executed with rust-lang/rust@27143a9 checked out.

@silentcreek

@jonasmalacofilho Nice workaround with the glob. It works for me as well. So, when I replace
clamdscan -m --fdpass /
with
clamdscan -m --fdpass /*
The warning/error goes away.

I'm starting to wonder whether the issue is related to the filesystem in use. Do you happen to use btrfs @jonasmalacofilho ?

@micahsnyder Since Jonas is seeing this issue on the current release version, I guess this bug should be reopened. Is there something else we could try to identify the cause of the issue?

@jonasmalacofilho

> I'm starting to wonder whether the issue is related to the filesystem in use. Do you happen to use btrfs @jonasmalacofilho ?

Actually, I saw those warnings while scanning an ext4 partition.

@NicoPrediger

NicoPrediger commented Mar 15, 2022

If it helps: I'm getting this with 103.5 on two machines using Debian 11 (ext4):

Both machines are almost identical, one major difference is the number of docker containers running. Machine A is a single container, gets only a single warning:

LibClamAV Warning: cli_realpath: Invalid arguments.
WARNING: /var/lib/docker/volumes/backingFsBlockDev: Not supported file type

Machine B has lots of containers and gets loads of warnings, not only complaining about backingFsBlockDev but basically about every single file path like /var/lib/docker/overlay2//dev/...

Edit: I have excluded /var/lib/docker/overlay2/*. "Not supported file type" is now gone, but the amazing number of "invalid arguments" is still there.

This somewhat makes the notification emails unreadable, unless I grep -v it from the output, which wouldn't feel right.

@DGPickett

I have this on Ubuntu 20.04 LTS running clamav 0.103.6 using clamdscan / with -fdpass --multiscan but not every day!

@val-ms val-ms reopened this Aug 3, 2022
@DGPickett

DGPickett commented Aug 4, 2022

Like many aggravating clamav messages, no indication as to what path it was working! Is there some mystery to multiple lwp mutex operation? It seems like any mutex would work, since one VM, to ensure the threads did not step on each other, assuming they read or copy into local (stack/instance not global/static) variables before releasing the lock? Several pages again today! 749 times scanning / today.

@physkets

physkets commented Nov 2, 2022

I am on Archlinux as well, and seeing the same messages with the latest v0.105.1 . Also attaching my clamconf.txt.

Unlike described in one of the messages prior, I still see the messages even when I glob the path as follows:

$ clamdscan --infected --allmatch --multiscan --fdpass /home/user/*

@emillumine

We have the same issue on Debian bullseye and ClamAV 0.103.7 :(

I tried the workaround with the glob, but didn't work for me:
sudo clamdscan --multiscan --fdpass --verbose /opt/*

Here is my clamconf -n :

$ clamconf -n
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
PreludeAnalyzerName = "ClamAV"
LogFile = "/var/log/clamav/clamav.log"
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
MaxConnectionQueueLength = "15"
MaxThreads = "12"
ReadTimeout = "180"
SendBufTimeout = "200"
ExcludePath = ".*\.fifo", ".*\.sock", "lost+found"
SelfCheck = "3600"
User = "clamav"
BytecodeTimeout = "60000"
MaxScanTime = "120000"
MaxRecursion = "16"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
Checks = "24"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.7
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON 

Database information
--------------------
Database directory: /var/lib/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 14:32:42 2021
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 16:21:51 2021
daily.cld: version 26734, sigs: 2012999, built on Mon Nov 28 09:17:05 2022
Total number of signatures: 8660518

Platform information
--------------------
uname: Linux 5.10.0-19-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
Full OS version: Debian GNU/Linux 11 (bullseye)
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a21808008000000000a0201

Build information
-----------------
GNU C: 10.2.1 20210110 (10.2.1)
CPPFLAGS: -Wdate-time -D_FORTIFY_SOURCE=2
CFLAGS: -g -O2 -ffile-prefix-map=/build/clamav-7VaIRi/clamav-0.103.7+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -g -O2 -ffile-prefix-map=/build/clamav-7VaIRi/clamav-0.103.7+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64
LDFLAGS: -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-7VaIRi/clamav-0.103.7+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-7VaIRi/clamav-0.103.7+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--with-dbdir=/var/lib/clamav' '--sysconfdir=/etc/clamav' '--disable-clamav' '--disable-unrar' '--enable-milter' '--enable-dns-fix' '--with-libjson' '--with-system-libmspack' '--with-libcurl=/usr' '--with-gnu-ld' '--with-systemdsystemunitdir=/lib/systemd/system' 'build_alias=x86_64-linux-gnu' 'OBJCFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-7VaIRi/clamav-0.103.7+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security'
sizeof(void*) = 8
Engine flevel: 128, dconf: 128

@sblondon

sblondon commented Dec 2, 2022

The issue is about the depth of the file tree. It can be reproduced with these steps:

  1. No warning:
$ cd /tmp
$ mkdir --parent 01/02/03/04/05/06/07/08/09/10/11/12/13/14/15/16
$ sudo clamdscan --multiscan --fdpass /tmp/01
/tmp/01: OK
[...]
  2. Warning displayed when a directory is added:
$ mkdir --parent 01/02/03/04/05/06/07/08/09/10/11/12/13/14/15/16/17
$ sudo clamdscan --multiscan --fdpass /tmp/01
LibClamAV Warning: cli_realpath: Invalid arguments.
/tmp/01: OK
[...]

The issue is not a too big depth from / : it's from the path provided by the --fdpass parameter. With the previous example, the warning is not displayed if the path provided by the --fdpass parameter is deeper:

$ sudo clamdscan --multiscan --fdpass /tmp/01/02/
/tmp/01/02: OK

This explains why using /path/* instead of /path fixes the issue in some cases (in the previous example, /tmp/01/* does not show the warning).

tested with libclamav9 0.103.7+dfsg-0+deb11u1 on debian bullseye (11)

@sblondon

sblondon commented Dec 2, 2022

Adding --verbose parameter provides more data:

$ sudo clamdscan --multiscan --fdpass /tmp/01 --verbose
LibClamAV Warning: cli_realpath: Invalid arguments.
Failed to determine real filename of (null).
Quarantine of the file may fail if file path contains symlinks.
/tmp/01: OK
[...]

The message is more obvious when the directory contents are not scanned in parallel. Removing the --multiscan parameter shows:

$ sudo clamdscan --fdpass /tmp/01
WARNING: Directory recursion limit reached
/tmp/01: OK
[...]

The error can be fixed by changing the configuration. In /etc/clamav/clamd.conf (under Debian and derivatives), increase MaxDirectoryRecursion value.
The default value is 15, incrementing MaxDirectoryRecursion to 16 fixes the warning in the previous example.

It would be nice if the warning message would have been clearer about what occurs.

Our new value:

$ grep MaxDirectory /etc/clamav/clamd.conf 
MaxDirectoryRecursion 30

@xAlpharax

@sblondon Indeed, at first I thought --fdpass was just throwing the error due to something specific about my OS (Void) but as it so seems, it's just that the error message doesn't express the whole picture and can be easily avoided by incrementing maxrecursion. Thank you.

@danieljai

Got this error, and came to this page. Changing MaxDirectoryRecursion to 30 did not fix the issue.

@sblondon

@danieljai can you check what is the maximum depth of the directories scanned by ClamAV (in case it's more than 30)?

@danieljai

danieljai commented Mar 16, 2024

@sblondon Sorry, how do I check that? run in --verbose?

The only thing I can see in my .conf is MaxDirectoryRecursion 30

@sblondon

My hypothesis is the directory depth is more than 30, so the warning is displayed. You need to check if the hypothesis is true or not. To do that, you need to find the maximum depth of the scanned directories:

cd SCANNED_DIRECTORY
find . | awk 'FS="/" {print(NF)}' | sort --general-numeric-sort | tail --lines 1

(Replace SCANNED_DIRECTORY by each directory passed as parameter to clamdscan.)
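
An added example, not part of the thread or of ClamAV: a script that compares the directory depth below each scan root with MaxDirectoryRecursion, so a scan root that would trigger the warning can be identified before the scan runs. The function names are hypothetical, and the counting convention (the scan root is depth 0, and the warning appears once the depth exceeds the limit) is an assumption inferred from the /tmp/01 reproduction above; the default of 15 and the Debian config path are taken from the thread.

```shell
#!/bin/sh
# Added example: compare directory depth below a clamdscan scan root
# with MaxDirectoryRecursion from clamd.conf.

DEFAULT_LIMIT=15   # default value as stated in the thread

# Deepest directory level below $1; the scan root itself counts as 0.
# Only directories are counted, so plain files do not inflate the depth.
max_dir_depth() {
    ( cd "$1" && find . -type d ) |
        awk '{ n = gsub("/", "/"); if (n > max) max = n } END { print max + 0 }'
}

# MaxDirectoryRecursion from the clamd.conf at $1, or the default if the
# file is unreadable or the option is absent or commented out.
configured_limit() {
    [ -r "$1" ] || { echo "$DEFAULT_LIMIT"; return 0; }
    awk -v d="$DEFAULT_LIMIT" '
        $1 == "MaxDirectoryRecursion" { v = $2 }
        END { print (v == "" ? d : v) }' "$1"
}

# Returns 0 if the tree fits within the limit, 1 if it is deeper,
# 2 if the scan root is not a directory.
check_scan_root() {
    root=$1
    conf=${2:-/etc/clamav/clamd.conf}   # Debian path named in the thread
    [ -d "$root" ] || { echo "$root: not a directory" >&2; return 2; }
    depth=$(max_dir_depth "$root")
    limit=$(configured_limit "$conf")
    if [ "$depth" -gt "$limit" ]; then
        echo "$root: depth $depth exceeds MaxDirectoryRecursion $limit"
        return 1
    fi
    echo "$root: depth $depth within MaxDirectoryRecursion $limit"
}

# Usage: sh check_depth.sh /path/one /path/two
for r in "$@"; do check_scan_root "$r" || true; done
```

Run it with the same paths that are passed to clamdscan; after changing MaxDirectoryRecursion, clamd has to be restarted for the new value to apply.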
