Author Topic: [Solved] System virus scan hangs at sys/kernel/notes  (Read 16316 times)


BjorkTork

  • Guest
[Solved] System virus scan hangs at sys/kernel/notes
« on: August 01, 2009, 09:09:51 PM »
I'm not able to get beyond this point when doing a full system scan. Scanning home directory works fine. What can be the problem? Avast seems to hang, I have to kill the scanning process or reboot to get Avast running again.
« Last Edit: September 02, 2009, 08:27:17 PM by BjorkTork »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: System virus scan hangs at sys/kernel/notes
« Reply #1 on: August 01, 2009, 09:27:50 PM »
If during an avast! scan,

1. avast! freezes or crashes, it's probably an avast! problem.
2. The computer freezes or restarts, it could be e.g. a conflict with some other program, or a hardware problem.
3. The computer powers down - it's probably a hardware problem (e.g. overheating). The scan generates a lot of hard disk activity (and is also CPU intensive), which may increase the temperature of your hardware. I suggest checking the coolers in the case.
4. If you get a blue screen, there could be a bug in the avast! drivers (but then, there is no power down).
The best things in life are free.

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: System virus scan hangs at sys/kernel/notes
« Reply #2 on: August 07, 2009, 04:15:44 PM »
Hallo,
scanning /proc or /sys is probably not what you want - those dirs aren't on your HDD, but they are exported system information, generated on demand (or on access) from the current kernel internal state.

Please check, using avastcmd, which file was the last one scanned OK. Then do find /sys | less, press '/that_file_name' and find the file - the very next one is probably the culprit. Try to scan this file alone, verify that it really hangs, and tell us the filename, please.

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

BjorkTork

  • Guest
Re: System virus scan hangs at sys/kernel/notes
« Reply #3 on: August 25, 2009, 07:17:55 PM »
Hello again - sorry about the interlude  :-[
Well, I tried to follow your instructions but I'm afraid I don't really understand how to run "avastcmd". If I try that in a terminal window I get "Unknown command". Do you mean the actual Avast! antivirus application?
All the same, I started in directory /sys/kernel/ and Avast scanned the six files in that directory and then hung. (computer still works as normal) Next in line is the directory /sys/debug. Could that be the culprit?

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: System virus scan hangs at sys/kernel/notes
« Reply #4 on: August 26, 2009, 09:55:24 AM »
If you have installed just the Avast4Workstation, then it's named simply 'avast' (and the GUI part is 'avastgui'). Avastcmd is its original name in the avast4 server package, but both 'avast' and 'avastgui' cmdline utilities are practically identical.

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

BjorkTork

  • Guest
Re: System virus scan hangs at sys/kernel/notes
« Reply #5 on: August 26, 2009, 09:30:26 PM »
Ok, "Avast" did the trick. Scanning was halted on the file "sys/kernel/notes" with the error message [invalid argument] (translated from Swedish). Does that tell you anything?

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: System virus scan hangs at sys/kernel/notes
« Reply #6 on: August 27, 2009, 09:05:05 AM »
Hallo,
the file is a pseudo-file, generated (~ taken) from the "image" of the running kernel. It contains the "ELF notes" content, which can be built into the kernel (and is then accessible through this file). Scanning this file thus makes no sense (scanning the whole sysfs, mounted under /sys, is questionable).

BUT, when you see "error invalid argument", this means that the file was abandoned for this reason, and probably the next one is going to be processed. That's why I recommended running find or ls -R, to be able to find which file follows after this one. If you are able to scan that one particular path (/sys/kernel/notes) w/o hanging, it's really the subsequent one.



regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

BjorkTork

  • Guest
Re: System virus scan hangs at sys/kernel/notes
« Reply #7 on: August 27, 2009, 10:31:55 PM »
Well, I don't know if I quite understand that "find" command. If I type "find /sys|less" all files (a lot!) in the sys directory are listed. I don't know how to "press that filename" in a terminal listing. If I type "find /sys|less /sys|less /sys/kernel/notes" I get a warning that this might be a binary file. And the question "Show anyway?"

All the same, next file in line is the directory /sys/kernel/debug (which is empty). Scanning with the command line version generates the error [invalid argument] and the GUI-version just reports no viruses found and 0 files scanned. Neither hangs.

But as said, scanning /sys/kernel with the GUI-version hangs the scanner at once at the file "notes". The command line version generates the error [invalid argument], reports 1 file scanned and then returns. It does not hang.

Please help me with the find command and I might be able to come up with something new. But as I see it for now, the GUI-version of Avast hangs when scanning the file /sys/kernel/notes

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: System virus scan hangs at sys/kernel/notes
« Reply #8 on: August 28, 2009, 06:03:14 PM »
Hallo,
less understands many vi-like commands, and searching for a string is one of them - press '/', then type the string (control chars might be prefixed by '\'), enter. :)

Seems that it's some bug in the GUI, or you use different scanner settings in the cmdline utility. On my machine, this is not reproducible - try to strace it:

- run avastgui and prepare to scan that file
- with ps -lax, get the PID of the avastgui process (take the highest of them), and type: strace -f -p that_pid >outfile 2>&1
- do the scan, till it hangs again
- ctrl-c to quit the strace, and in outfile, its tail should be interesting (where it hangs).

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

BjorkTork

  • Guest
Re: System virus scan hangs at sys/kernel/notes
« Reply #9 on: August 28, 2009, 07:01:47 PM »
The strace command generated a file about 3.2 MB big - should I look for anything in particular?

Another thing - every now and then when running the Avast GUI I get a question about removing "stale lock-file". Is that normal?

BjorkTork

  • Guest
Re: System virus scan hangs at sys/kernel/notes
« Reply #10 on: August 29, 2009, 07:43:37 PM »
Here comes a short part of the strace output:

[pid  9040] lstat64("/sys/kernel/debug/..", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
[pid  9040] getdents64(8, /* 0 entries */, 4096) = 0
[pid  9040] close(8)                    = 0
[pid  9040] lstat64("/sys/kernel/security", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
[pid  9040] open("/sys/kernel/security", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|0x80000) = 8
[pid  9040] fstat64(8, {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
[pid  9040] getdents64(8, /* 4 entries */, 4096) = 104
[pid  9040] lstat64("/sys/kernel/security/.", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
[pid  9040] lstat64("/sys/kernel/security/..", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
[pid  9040] lstat64("/sys/kernel/security/tpm0", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
[pid  9040] open("/sys/kernel/security/tpm0", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|0x80000) = 9
[pid  9040] fstat64(9, {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
[pid  9040] getdents64(9, /* 4 entries */, 4096) = 144
[pid  9040] lstat64("/sys/kernel/security/tpm0/.", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
[pid  9040] lstat64("/sys/kernel/security/tpm0/..", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
[pid  9040] lstat64("/sys/kernel/security/tpm0/ascii_bios_measurements", {st_mode=S_IFREG|0440, st_size=0, ...}) = 0
[pid  9040] open("/sys/kernel/security/tpm0/ascii_bios_measurements", O_RDONLY|O_LARGEFILE <unfinished ...>
[pid  8477] read(5,  <unfinished ...>
[pid  9040] +++ killed by SIGSEGV +++
PANIC: handle_group_exit: 9040 leader 8477
Process 9040 detached
[pid  8477] <... read resumed> 0x843dbd4, 4096) = -1 EAGAIN (Resource temporarily unavailable)
[pid  8477] read(5, 0x843dbd4, 4096)    = -1 EAGAIN (Resource temporarily unavailable)
[pid  8477] poll([{fd=3, events=POLLIN}, {fd=5, events=POLLIN}], 2, 0) = 0
[pid  8477] read(5, 0x843dbd4, 4096)    = -1 EAGAIN (Resource temporarily unavailable)
[pid  8477] poll([{fd=3, events=POLLIN}, {fd=5, events=POLLIN}], 2, 0) = 0
[pid  8477] select(6, [5], [5], NULL, NULL) = 1 (out [5])
[pid  8477] writev(5, [{"5\30\4\0_\7 \3\351\6 \3d\0\34\0\235\4\5\0`\7 \3_\7 \3R"..., 3484}, {"H\2\306\0d\7 \3I\1 \3\10\0\30\0\0\0\0\0\0 \0\0\364\366"..., 792}], 2) = 4276
[pid  8477] select(6, [5], [5], NULL, NULL) = 1 (out [5])
[pid  8477] writev(5, [{"\235\4\6\0e\7 \3d\7 \3P\1\0\0\0\1\0\0\1\0\0\0\235\5\4\0"..., 3396}], 1) = 3396
[pid  8477] read(5, 0x843dbd4, 4096)    = -1 EAGAIN (Resource temporarily unavailable)
[pid  8477] read(5, 0x843dbd4, 4096)    = -1 EAGAIN (Resource temporarily unavailable)
[pid  8477] poll([{fd=3, events=POLLIN}, {fd=5, events=POLLIN}], 2, 0) = 0
[pid  8477] stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1892, ...}) = 0

after this point the last line is repeated almost indefinitely ...
Seems like the scanner goes past both "notes" and directory /debug. Trouble starts in directory /security where files are opened but not closed until scanner ultimately hangs on "/sys/kernel/security/tpm0/ascii_bios_measurements"?

Interesting, I hope :)
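
In a multi-megabyte `strace -f` log like this one, the part worth reading is the last syscall issued by whichever process was killed by a signal. The Python sketch below is an added example, not part of the original posts and not avast! code; the function name `find_crashes` is hypothetical and the sample lines are copied from the excerpt above.

```python
import re

# Excerpt copied from the strace output posted in this thread.
SAMPLE = """\
[pid  9040] lstat64("/sys/kernel/security/tpm0/ascii_bios_measurements", {st_mode=S_IFREG|0440, st_size=0, ...}) = 0
[pid  9040] open("/sys/kernel/security/tpm0/ascii_bios_measurements", O_RDONLY|O_LARGEFILE <unfinished ...>
[pid  8477] read(5,  <unfinished ...>
[pid  9040] +++ killed by SIGSEGV +++
PANIC: handle_group_exit: 9040 leader 8477
Process 9040 detached
[pid  8477] <... read resumed> 0x843dbd4, 4096) = -1 EAGAIN (Resource temporarily unavailable)
[pid  8477] stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1892, ...}) = 0
"""

PID_LINE = re.compile(r"^\[pid\s+(\d+)\]\s+(.*)$")       # "[pid N] ..." as written by strace -f
KILLED = re.compile(r"^\+\+\+ killed by (\w+)")           # "+++ killed by SIGSEGV +++"
CALL = re.compile(r'^(\w+)\((?:"((?:[^"\\]|\\.)*)")?')    # syscall name and optional leading path


def find_crashes(trace_text):
    """Return, for every traced process killed by a signal, its last syscall."""
    last = {}       # pid -> {"syscall", "path", "unfinished"}
    crashes = []
    for line in trace_text.splitlines():
        m = PID_LINE.match(line)
        if not m:
            continue                  # strace's own messages, e.g. "Process N detached"
        pid, rest = int(m.group(1)), m.group(2)
        killed = KILLED.match(rest)
        if killed:
            info = last.get(pid, {"syscall": None, "path": None, "unfinished": False})
            crashes.append({"pid": pid, "signal": killed.group(1), **info})
        elif rest.startswith("<..."):
            if pid in last:
                last[pid]["unfinished"] = False    # the interrupted call returned
        else:
            call = CALL.match(rest)
            if call:
                last[pid] = {"syscall": call.group(1), "path": call.group(2),
                             "unfinished": rest.endswith("<unfinished ...>")}
    return crashes


if __name__ == "__main__":
    for crash in find_crashes(SAMPLE):
        print(crash)
```

An entry with `unfinished` set to true means the process died inside that syscall, which is what the excerpt shows for the `open` of the TPM measurements file.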

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: System virus scan hangs at sys/kernel/notes
« Reply #11 on: September 01, 2009, 08:53:54 AM »
Hallo,
exactly. But for me, it looks like some unfinished sysfs feature - nothing except that open was done, as it seems. What are the contents of the file (ls -l that_file, cat that_file, stat that_file)?

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

BjorkTork

  • Guest
Re: System virus scan hangs at sys/kernel/notes
« Reply #12 on: September 01, 2009, 11:46:22 PM »
Greetings!
The ls -l command generated this output:
"-r--r----- 1 root root 0" (date/time)

The cat command returned with the error "Segment error"

And finally stat showed this:
  File: "/sys/kernel/security/tpm0/ascii_bios_measurements"
  Size: 0            Blocks: 0          IO Block: 4096   tom normal fil
Device: 7h/7d   Inode: 7887        Links: 1
Access: (0440/-r--r-----)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2009-09-01 23:13:33.933604324 +0200
Modify: 2009-09-01 23:13:33.933604324 +0200
Change: 2009-09-01 23:13:33.933604324 +0200

Oddly enough Nautilus hung when I tried to enter the directory /tpm0. I don't really know how to log in as "root" in Ubuntu - it's pretty awkward as the system is designed to use "sudo". I have to check ...

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: System virus scan hangs at sys/kernel/notes
« Reply #13 on: September 02, 2009, 02:47:20 PM »
Then,
it's clear - your kernel is buggy, and this file, coming from sysfs, can't be simply mmapped -> causes sigsegv crashes, its area is invalid /unpopulated. Btw. just use "sudo passwd root", to change root's password, and go further... in that damn Ubuntu.
<sarcasm>Ubuntu is an old African word for "it doesn't work".</sarcasm>

Those pseudosystems, like sysfs, and also unionfs stack or ovlfs, are quite immature, and contain even deeply conceptual bugs (for example, in unionfs, direntries can disappear silently when calling the getdents syscall - but nobody cared, this FS was used in all mainstream live distros routinely)... ovlfs would crash when used in a kernel that utilises memory above 1GB... etc.

Downgrade kernel, or don't mount that sysfs, or don't scan this "cutie-file" there, at least. Avast couldn't be blamed for this flaw :).

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)
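
The advice in this thread (do not scan /proc, /sys or the files generated under them) can be applied mechanically by building the scan list from the mount table and dropping everything that lives on a kernel-generated filesystem. The Python sketch below is an added example, not part of the original posts and not avast! code; the function names, the `PSEUDO_FS` set and the sample mount table are assumptions constructed for illustration.

```python
import os
import re

# Kernel-generated filesystems with no on-disk content. tmpfs is deliberately
# absent: /tmp and /dev/shm hold real, user-written files worth scanning.
PSEUDO_FS = {"sysfs", "proc", "securityfs", "debugfs", "devpts",
             "configfs", "cgroup", "cgroup2", "tracefs", "pstore"}

# Constructed sample in /proc/mounts format:
# device, mount point, filesystem type, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0
securityfs /sys/kernel/security securityfs rw 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /media/usb\\040stick vfat rw 0 0
"""


def _unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as octal escapes (\040 ...)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def pseudo_mount_points(mounts_text):
    """Mount points whose filesystem type is kernel-generated."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] in PSEUDO_FS:
            points.append(_unescape(fields[1]).rstrip("/") or "/")
    return points


def is_excluded(path, points):
    # Compare on path-component boundaries so /system is not caught by /sys.
    # normpath collapses ".." but does not resolve symlinks.
    path = os.path.normpath(path)
    return any(path == p or path.startswith(p + "/") for p in points)


def scan_targets(candidates, mounts_text):
    """Keep only the candidate paths that are backed by a real filesystem."""
    points = pseudo_mount_points(mounts_text)
    return [c for c in candidates if not is_excluded(c, points)]


if __name__ == "__main__":
    with open("/proc/mounts") as fh:          # live mount table on Linux
        print(pseudo_mount_points(fh.read()))
```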

BjorkTork

  • Guest
Re: System virus scan hangs at sys/kernel/notes
« Reply #14 on: September 02, 2009, 08:23:38 PM »
Well, I don't know if I should thank you for that slaughter on Ubuntu ;). I thought I had a wonderful OS. Now it seems I have to return to Debian?!

Anyway, thank you very much for your instructive help. I have learned a lot about the Linux system during this session.

/Kind regards, Peter