ClamAV failure #58
Comments
Same here, broken symlinks pointing from /usr/local/maldetect/sigs to non-existing files in tmp. |
In my case it turned out to be a permission problem, related to both file permissions and apparmor.
chmod o+x /usr/local/maldetect/{,sigs}
chmod o+r /usr/local/maldetect/sigs/*db
echo "/usr/local/maldetect/sigs/* r," >> /etc/apparmor.d/local/usr.sbin.clamd
service apparmor reload
service clamav-daemon restart
The missing lmd.user links were no longer a problem for me after I fixed the permissions. |
the file permission problem probably was homegrown. I think the apparmor stuff should be all you need:
|
I had the same issue. I will try to fix with previous comment |
For me, file is missing. Only option is to delete symlink from clamav lib dir until a fix is provided |
Running CentOS 6.7. I ran ./uninstall.sh and then downloaded the current again and ran ./install.sh. That still left the bad symlinks in /var/clamav/ in place
but these ones were not present any longer in sigs
I went ahead and deleted the /var/clamav/ lmd symlinks and restarted clamd and it worked ok. If anyone can confirm that the lmd symlinks are not needed in /var/clamav/ that would be great. The following valid symlinks remain there
It is likely that just deleting the lmd bad symlinks will allow you to restart clamd. For reference, my initial symptoms were email subjects prepended with the string
and the following in the clamd log
|
Symlinks in /var/lib/clamav to lmd and rfxn have appeared back. But the lmd symlink is still linked to nothing. Clamav 0.98, debian 8 |
I still have the dangling symlinks pointing from /var/lib/clamav to /usr/local/maldetect/sigs, but no more symlinks pointing from /usr/local/maldetect/sigs to tmp. I do not get errors this way. |
chmod 755 /usr/local/maldetect/tmp
This should fix the issue, it is not so much that the file is empty but that clamav can't lstat the file due to the parent directories' permissions when clamd is running as a non-root user. I've made an upstream change in the code that I will commit to address this in a few minutes. |
tried this and the following still happens when I start clamav
service clamav-daemon start
*Starting ClamAV daemon clamd
I also get the same errors as reported above in the maillog (because the daemon isn't running)
BTW, thank you for this great package that I use daily on all my servers. Also thank you for looking at this issue so quickly, it's really appreciated! |
@captainwasabi no problem at all, glad to help. In most sane mail configurations, clamd failing should be a fail-open setup so mail keeps moving. That being said, can you answer a few questions: Thanks |
Ubuntu 12.04.5 LTS everything is up to date as of 9/15
Linux version 3.2.0-90-generic (buildd@lgw01-29) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #128-Ubuntu SMP
ClamAV 0.98.7/20927/Fri Sep 18 12:41:20 2015
No cpanel, this is a server running on metal. |
this issue still exists on commit 5ad5452 on Ubuntu 14.04.3 LTS.
root@admin:/var/lib/clamav# ls -la
root@admin:/var/lib/clamav# ls -la /usr/local/maldetect/sigs/
root@admin:~# service clamav-daemon restart
root@admin:~# lsb_release -a |
I've committed update fa1db0a which should now resolve the clamd startup errors on ubuntu. The changelog entry goes into detail: [Fix] clamd.conf configurations containing FollowDirectorySymlinks/FollowFileSymlinks set to false results in the rfxn.* and lmd.user.* links causing clamd startup failures; corrected by updating clamav_linksigs() to copy signatures into clamav data paths instead of linking them |
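Added example, not part of the thread and not maldet code: a pre-flight audit of a ClamAV database directory for the two failure causes discussed above, links whose chain ends at a missing file and targets that sit behind a directory the clamd user cannot search. The function names and the assumption that clamd's user falls under the "other" permission bits are made up for this example; AppArmor rules are not inspected.

```shell
#!/bin/sh
# Added example (not maldet code): audit a ClamAV database directory for
# dangling or unreadable signature links before clamd is reloaded. Run as root.
# Assumption: clamd's user is neither owner nor group of the targets, so only
# the "other" permission bits are inspected.

# Print character POS of the `ls -ld` mode string (8 = other-read,
# 10 = other-search); -L makes ls describe the link's target.
other_bit() { ls -ldL "$1" 2>/dev/null | cut -c"$2"; }

# audit_sigdir DBDIR [TOP]: print "STATUS<TAB>link<TAB>detail" per problem and
# return 1 if any was found. Parent directories are checked up to TOP (default /).
audit_sigdir() {
    a_dir=$1 a_top=${2:-/} a_rc=0
    for a_link in "$a_dir"/*; do
        [ -L "$a_link" ] || continue        # copied (regular) files are fine
        # Resolve the whole chain, e.g. dbdir -> sigs -> tmp/.runtime.user.N.hdb
        a_tgt=$(readlink -f "$a_link" 2>/dev/null) || a_tgt=$(readlink "$a_link")
        if [ ! -e "$a_tgt" ]; then
            printf 'DANGLING\t%s\t%s\n' "$a_link" "$a_tgt"; a_rc=1; continue
        fi
        [ "$(other_bit "$a_tgt" 8)" = r ] ||
            { printf 'NOREAD\t%s\t%s\n' "$a_link" "$a_tgt"; a_rc=1; }
        # Every directory above the target must be searchable by clamd's user.
        a_d=$(dirname "$a_tgt")
        while :; do
            case $(other_bit "$a_d" 10) in
                x|t) ;;
                *) printf 'NOSEARCH\t%s\t%s\n' "$a_link" "$a_d"; a_rc=1; break ;;
            esac
            if [ "$a_d" = "$a_top" ] || [ "$a_d" = / ]; then break; fi
            a_d=$(dirname "$a_d")
        done
    done
    return "$a_rc"
}

# Stand-alone use: sh audit.sh /var/lib/clamav
if [ $# -gt 0 ]; then audit_sigdir "$@"; fi
```

A non-zero return means clamd should not be reloaded until the listed links are removed, replaced by copies, or made reachable.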
issue verified resolved for Ubuntu 12.04.5 Thanks! |
For me the lmd.user files or links did not regenerate. I tried uninstall and install and saw this on install as the first few lines:
|
After clean install of lmd clamav-daemon starts correctly.
root@admin:~/linux-malware-detect-master# ./install.sh
installation completed to /usr/local/maldetect
root@admin:~/linux-malware-detect-master# maldet -d -u
maldet(28448): {update} checking for available updates...
maldet(28448): {sigup} performing signature update check...
root@admin:~# maldet -u -d -a /var/www/imscp/gui/
maldet(30475): {sigup} performing signature update check...
cp: cannot stat ‘/usr/local/maldetect/sigs/lmd.user.ndb’: No such file or directory
maldet(30475): {scan} scan completed on /var/www/imscp/gui/: files 5004, malware hits 0, cleaned hits 0, time 1s |
also after uninstall the files in /var/lib/clamav were not removed. |
update done, but link not recreated in clamav lib folder, how to add it again? |
@jcarnus the rfxn.* signatures should be copied into the clamav lib folder, not linked. The lmd.user* signatures will now only copy into the clamav lib folder when you have custom signatures defined. |
@lgonzalez-silen @nanonettr |
No custom signatures, so great! |
@rfxn thanks for your great efforts. Only one problem left..
$ maldet -u -d -a /var/www/imscp/gui/
$ maldet --report 150919-2019.3725
PATH: /var/www/imscp/gui/
Linux Malware Detect v1.5 < proj@rfxn.com >
$ cat /usr/local/maldetect/logs/clamscan_log
$ which clamscan
$ dpkg -S /usr/bin/clamscan
$ aptitude show clamav |
ah sorry. wrong package reported. it did not clamscan, it is "clamdscan"
root@admin:~# which clamdscan
root@admin:~# dpkg -S clamdscan
root@admin:~# aptitude show clamav-daemon |
Ok seems to be good so right now |
I just have one more request. From now on when you update, I don't mind the problems at all, but please respect the sanctity of read-only friday ;) |
@captainwasabi totally understand and read-only friday I usually live and die by but at some point I need to find time to work on maldet and that is usually my weekends :D Will make an effort in the future to limit releases to Monday-Thur cycles. |
Oh if you just work this on weekends then more power to you! Awesome
|
It looks like when maldet updated at midnight as part of my daily scan and backup script it broke ClamAV. As this is on my mail server, and amavis uses clamAV to scan for viruses, this is preventing mail from being sent or delivered.
I've tried running freshclam, maldet -d, maldet -u, restarting clamav-daemon, restarting amavis, etc.
When I try to start ClamAV this is what I get:
service clamav-daemon start
LibClamAV Error: cli_load(): Can't open file /var/lib/clamav/lmd.user.hdb
LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/lmd.user.hdb
ERROR: Can't open file or directory [fail]
contents of /var/lib/clamav:
drwxr-xr-x 2 clamav clamav 4096 Sep 19 02:15 ./
drwxr-xr-x 59 root root 4096 Aug 26 07:41 ../
-rw-r--r-- 1 clamav clamav 407040 Aug 20 11:45 bytecode.cld
-rw-r--r-- 1 clamav clamav 101435904 Sep 18 13:52 daily.cld
lrwxrwxrwx 1 root root 38 Sep 19 00:01 lmd.user.hdb -> /usr/local/maldetect/sigs/lmd.user.hdb
lrwxrwxrwx 1 root root 38 Sep 19 00:01 lmd.user.ndb -> /usr/local/maldetect/sigs/lmd.user.ndb
-rw-r--r-- 1 clamav clamav 64720632 Sep 17 2013 main.cvd
-rw------- 1 clamav clamav 1196 Sep 19 02:15 mirrors.dat
lrwxrwxrwx 1 root root 34 Sep 19 00:01 rfxn.hdb -> /usr/local/maldetect/sigs/rfxn.hdb
lrwxrwxrwx 1 root root 34 Sep 19 00:01 rfxn.ndb -> /usr/local/maldetect/sigs/rfxn.ndb
contents of /usr/local/maldetect/sigs:
ll /usr/local/maldetect/sigs
total 2584
drwxr-xr-x 3 root root 4096 Sep 19 00:04 ./
drwxr-xr-x 11 root root 4096 Sep 19 02:10 ../
drwxr-xr-x 2 root root 4096 Sep 12 2013 appver/
-rw-r--r-- 1 root root 0 Sep 19 00:01 custom.hex.dat
-rw-r--r-- 1 root root 0 Sep 19 00:01 custom.md5.dat
-rw-r--r-- 1 root root 429904 Sep 18 18:18 hex.dat
lrwxrwxrwx 1 root root 48 Sep 19 00:04 lmd.user.hdb -> /usr/local/maldetect/tmp/.runtime.user.13092.hdb
lrwxrwxrwx 1 root root 48 Sep 19 00:04 lmd.user.ndb -> /usr/local/maldetect/tmp/.runtime.user.13092.ndb
-rw-r--r-- 1 root root 14 Sep 19 00:01 maldet.sigs.ver
-rw-r--r-- 1 root root 551001 Sep 18 18:18 md5.dat
-rw-r--r-- 1 root root 602518 Sep 18 18:18 md5v2.dat
-rw-r--r-- 1 root root 598632 Sep 18 18:18 rfxn.hdb
-rw-r--r-- 1 root root 437560 Sep 18 18:18 rfxn.ndb
contents of /usr/local/maldetect/tmp:
ll /usr/local/maldetect/tmp
total 8
drwxr-x--- 2 root root 4096 Sep 19 00:04 ./
drwxr-xr-x 11 root root 4096 Sep 19 02:10 ../
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.alert.hits
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.clean.hits
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.monitor.alert
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.susp.hits
so as you can see the .runtime.user.13092.* files are missing.
The error I'm getting in my /var/log/mail.log is:
Sep 19 02:08:52 pigeon amavis[4089]: (04089-06) (!)run_av (ClamAV-clamscan) FAILED - unexpected exit 2, output="LibClamAV Error: cli_load(): Can't open file /var/lib/clamav/lmd.user.hdb\nLibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/lmd.user.hdb\nERROR: Can't open file or directory"
relevant lines from /var/log/clamav/clamav.log:
Fri Sep 18 22:17:23 2015 -> SelfCheck: Database status OK.
Fri Sep 18 23:21:25 2015 -> SelfCheck: Database status OK.
Sat Sep 19 00:01:35 2015 -> Reading databases from /var/lib/clamav
Sat Sep 19 00:01:38 2015 -> ERROR: reload db failed: Can't open file or directory
Sat Sep 19 00:01:38 2015 -> Terminating because of a fatal error.
Sat Sep 19 00:01:38 2015 -> Pid file removed.
Sat Sep 19 00:01:38 2015 -> --- Stopped at Sat Sep 19 00:01:38 2015
Sat Sep 19 00:01:38 2015 -> Socket file removed.
relevant lines from /usr/local/maldetect/logs/event_log
Sep 19 00:01:31 pigeon maldet(11534): {sigup} performing signature update check...
Sep 19 00:01:31 pigeon maldet(11534): {sigup} local signature set is version 2015091828029
Sep 19 00:01:31 pigeon maldet(11534): {sigup} latest signature set already installed
Sep 19 00:01:31 pigeon maldet(11237): {update} completed update v1.4.2 => v1.5, running signature updates...
Sep 19 00:01:31 pigeon maldet(11619): {sigup} performing signature update check...
Sep 19 00:01:31 pigeon maldet(11619): {sigup} local signature set is version 2015091828029
Sep 19 00:01:31 pigeon maldet(11619): {sigup} latest signature set already installed
Sep 19 00:01:31 pigeon maldet(11237): {update} update and config import completed.
Sep 19 00:01:31 pigeon maldet(11237): {sigup} performing signature update check...
Sep 19 00:01:31 pigeon maldet(11237): {sigup} local signature set is version 2015091516329
Sep 19 00:01:31 pigeon maldet(11237): {sigup} new signature set (2015091828029) available
Sep 19 00:01:32 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
Sep 19 00:01:33 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
Sep 19 00:01:34 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
Sep 19 00:01:35 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
Sep 19 00:01:35 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
Sep 19 00:01:35 pigeon maldet(11237): {sigup} signature set update completed
Sep 19 00:01:35 pigeon maldet(11237): {sigup} 10822 signatures (8908 MD5 / 1914 HEX)
Sep 19 00:01:36 pigeon maldet(11791): {scan} launching scan of /root changes in last 1d to background, see /usr/local/maldetect/logs/event_log for progress
Sep 19 00:01:36 pigeon maldet(11791): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX / 0 USER)
Sep 19 00:01:36 pigeon maldet(11791): {scan} building file list for /root of new/modified files from last 1 days, this might take awhile...
Sep 19 00:01:36 pigeon maldet(11791): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
Sep 19 00:01:36 pigeon maldet(11791): {scan} executed /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/find /root /tmp /var/tmp /dev/shm -maxdepth 15 -regextype posix-egrep -type f ( -mtime -1 -o -ctime -1 ) -size +24c -size -6947618c -not -perm 000 -not -regex "" -not -uid 0 -not -gid 0
Sep 19 00:01:37 pigeon maldet(11791): {scan} file list completed in 1s, found 69 files...
Sep 19 00:01:37 pigeon maldet(11791): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
Sep 19 00:01:37 pigeon maldet(11791): {scan} scan of /root (69 files) in progress...
Sep 19 00:01:38 pigeon maldet(11791): {scan} clamscan returned an error, check /usr/local/maldetect/logs/clamscan_log for more details!
relevant lines from /usr/local/maldetect/logs/clamscan_log:
Sep 19 00:01:37 pigeon clamscan start
Sep 19 00:01:37 pigeon executed: /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/clamdscan --infected --no-summary -f /usr/local/maldetect/tmp/.find.11791
ERROR: Communication error
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
.
.
.
Sep 19 00:01:42 pigeon clamscan start
Sep 19 00:01:42 pigeon executed: /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/clamdscan --max-filesize=5M --max-scansize=5M -d /usr/local/maldetect/tmp/.runtime.user.12047.hdb -d /usr/local/maldetect/tmp/.runtime.user.12047.ndb -r --infected --no-summary -f /usr/local/maldetect/tmp/.find.12047
WARNING: Ignoring unsupported option --max-filesize
WARNING: Ignoring unsupported option --max-scansize
WARNING: Ignoring unsupported option --database (-d)
WARNING: Ignoring unsupported option --database (-d)
WARNING: Ignoring unsupported option --recursive (-r)
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
.
.
.
This is a MAJOR issue. For now I have disabled anti-virus checking in amavis like this:
Try this on Debian or Ubuntu:
Add a new file /etc/amavis/conf.d/90-custom
with the following content:
Code:
and restart amavisd.