Filter-hub reaches 100% CPU usage and mail flow stops when scanning RAR encrypted files

Article:TECH89903  |  Created: 2008-01-14  |  Updated: 2008-01-06  |  Article URL http://www.symantec.com/docs/TECH89903
Article Type
Technical Solution

Product(s)

Issue



You are using a Symantec Brightmail Gateway Appliance version 7.6.x or earlier, and you noticed that the mail flow stops at certain times.

Symptoms
Common symptoms for this issue are:
  • Messages stuck in the inbound queue.
  • Filterhub process at 100% CPU usage.
  • The appliance stops answering on port 25.
  • If MTA is restarted manually, then the filter-hub crashes on signal 9, and the following notification is sent to the administrator:

    Subject: filter-hub crashed on signal 9 on host.domain.com

    filter-hub crashed on signal 9 on host.domain.com
    exit code: 0x0009

    Program output:
    Warning: recursive semaphore lock detected!
    Warning: recursive semaphore lock detected!
    Warning: recursive semaphore lock detected!
    Warning: recursive semaphore lock detected!
    Warning: recursive semaphore lock detected!
    Warning: recursive semaphore lock detected!
    Warning: recursive semaphore lock detected!

    Storing data in /data/scanner/jobs/filter-hub/2008.07.14-08.50.21
  • Also, the following lines may be found in filter-hub debug log right before it stops:

    2008-07-14T21:39:26+01:00 (INFO:27562.2954075056): [46022] Transforming message with MTE action Deliver.
    2008-07-14T21:39:26+01:00 (INFO:27562.2954075056): [46022] Transforming message with MTE action Strip.
    2008-07-14T21:39:26+01:00 (INFO:27562.2954075056): [24041] Scanning top-level-msg through decomposer at depth 0.
    2008-07-14T21:39:26+01:00 (DEBUG:27562.2954075056): [46040] File top-level-msg is of type Encapsulation Format:MIME
    2008-07-14T21:39:26+01:00 (INFO:27562.2954075056): [24041] Scanning Unknown00000610.data through decomposer at depth 1.
    2008-07-14T21:39:26+01:00 (DEBUG:27562.2954075056): [46040] File Unknown00000610.data is of type Word Processor Document:Text
    2008-07-14T21:39:26+01:00 (INFO:27562.2954075056): [24041] Scanning lavasoft.rar through decomposer at depth 1.
    2008-07-14T21:39:26+01:00 (DEBUG:27562.2954075056): [46040] File lavasoft.rar is of type Encapsulation Format:RAR



Cause



The problem occurs when a compliance policy or the virus policy for encrypted attachments are set to "strip the attachments" on all file types except "archive." For example, the virus policy on encrypted attachments is set to "strip the attachments" for the file types "Executable, Multimedia, Document"

Solution



The problem is fixed in Symantec Brightmail Gateway Software Version 7.7.

Please upgrade to Symantec Brightmail Gateway Software Version 7.7 in order to solve this problem.





Supplemental Materials

SourceETrack
Valuehttp://bugzilla.brightmail.com/show_bug.cgi?id=31967

Legacy ID



2008071415421154


Article URL http://www.symantec.com/docs/TECH89903


Terms of use for this information are found in Legal Notices