"phantom" processes?

Tue Feb 27 15:17:02 MST 2007

I've just stumbled upon something I *really* don't understand.

I'm helping a guy in Finland troubleshoot a problem with his qmail-toaster.
While receiving an email, there is a clamd process that eats the cpu
(apparently looping).

Here's the process tree:
---tcpserver(20201)-+-qmail-smtpd(22487)---simscan(22489)---clamdscan(22491)
                    `-qmail-smtpd(24172)---simscan(24174)---clamdscan(24176)

This appears to be normal. However, 'top' shows two looping processes:
  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
24177 clamav    25   0 25020  21M  1532 R    47.9  2.1  11:03   1 clamd
22492 clamav    25   0 25020  21M  1532 R    45.3  2.1  20:54   1 clamd

I'm wondering, where'd these processes come from? When we do a
"ps -ef | grep clam" they don't show up. They don't show up with
"ps -p 24177" either.

There is a clamd daemon running, but it's PID is 21988.

Just in case you're wondering, I don't yet understand exactly how these
pieces (are supposed to) all fit together.

How can these processes exist, yet ps not see them?
I'm ready for an education now.

-- 
-Eric 'shubes'