
Thread: ClamAV Died Due to Corrupted DB

  1. #1
    Join Date
    Nov 2006
    Posts
    77

    ClamAV Died Due to Corrupted DB

    hi guys.. i found that the latest version of clamav always die every few days due to the "malformed database" error after freshclam has been called or clamd restart... this happens all the time!

    i googled through and found that many other people have similar issues.. the problem is easily solved though by removing all those clamav signature DB and run freshclam again to get the latest DB and restart clamd.. but it's impossible for us to always check and see whether clamd died or not..

    worse is once clamd died.. exim will not function properly as all emails (incoming / outgoing) are stuck as the virus scanning process cannot initiate! so if we do not know early enough clamd died.. mails of users will have problem coming in or sending out..

    so.. anyone got similar issues? any good suggestion on how to tackle the problem or solve the problem completely? please help! thanks!!!

  2. #2
    Join Date
    Nov 2006
    Posts
    77

    clamd status check script...

    today i picked up the issue again and did some research.. then wrote the following shell script for monitoring clamd and keeping it alive! the script will first try to detect if clamd is running, if not, it'll try to kick start clamd few times (u can define the number of trials).. if this also failed.. it will then try to remove the clamav virus definition database and download it again (this is to handle the common issue of "malformed database" error, at least for me...), then try to kick start clamd again.. if still fails.. then the script will give up and send an email alert to the server admin..

    if u see anything wrong with the codes, please let me know..

    1. first, create a dummy test file for clamd to scan during the check:

    cd /usr/local/directadmin/scripts/custom
    echo "" > clamav.txt

    2. create the "clamdcheck" shell script:

    cat > clamdcheck
    Code:
    #!/bin/bash
    # bash is required: the retry loop below uses the (( )) arithmetic for-loop
    
    # path to an empty dummy test file
    testfile="/usr/local/directadmin/scripts/custom/clamav.txt"
    
    # path to the clamav database files without the ending "/"
    dbfolder="/usr/local/share/clamav"
    
    # path to the clamdscan executable
    scan="/usr/local/bin/clamdscan"
    
    # path to the freshclam executable
    freshdb="/usr/local/bin/freshclam"
    
    # number of times the script tries to kick start clamd
    trial=10
    
    # email of server administrator
    email="user@domain.com"
    
    # server hostname (no modification needed)
    myhost=$(hostname)
    
    # email alert subject on failure
    subject="Clamd on ${myhost} is down!"
    
    # email alert body message on failure
    message="Clamd on ${myhost} is down!"
    
    output=$($scan $testfile | grep "SCAN SUMMARY")
    
    if [ -z "$output" ]; then
    	echo "Clamd is not running!"
    	echo "Now trying to start clamd..."
    	for (( i=1; i<=$trial; i++ ))
    	do
    		echo "Trial $i..."
    		/sbin/service clamd restart
    		output=$($scan $testfile | grep "SCAN SUMMARY")
    		if [ -n "$output" ]; then
    			break
    		else
    			sleep 3
    		fi
    	done
    	if [ -z "$output" ]; then
    		echo "Clamd is still not running!"
    		echo "Now trying to refresh clamav database..."
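    		# ${dbfolder:?} aborts the script if the variable is empty, so this can never expand to "rm -Rf /*"
    		rm -Rf "${dbfolder:?}"/*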
    		$freshdb
    		/sbin/service clamd restart
    		output=$($scan $testfile | grep "SCAN SUMMARY")
    		if [ -z "$output" ]; then
    			echo "Clamd is still not running!"
    			echo "$message" | mail -s "$subject" "$email"
    			echo "Giving up... email alert has been sent to administrator."
    		else
    			echo "Clamd is running now!"
    		fi
    	else
    		echo "Clamd is running now!"
    	fi
    else
    	echo "Clamd is running!"
    fi

    3. make the script executable:

    chmod 755 clamdcheck

    4. add a cron job as root (don't set it too frequent as a complete freshclam process will take some time to complete):

    15,45 * * * * /usr/local/directadmin/scripts/custom/clamdcheck > /dev/null 2>&1

    5. done!
    Last edited by ak17_hk; 10-15-2009 at 02:08 AM.
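
A variant of the database-refresh step in the script above, as an added example that is not part of the original post: clamd can be down for reasons other than the database, and if freshclam then fails (mirror or network outage) the `rm -Rf` leaves the signature directory empty. The function name `refresh_db`, its arguments and the optional check hook are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not the poster's code).
# refresh_db DBDIR FRESHCMD [CHECKCMD]
#   DBDIR    signature directory (the thread's $dbfolder)
#   FRESHCMD command that downloads a fresh database into DBDIR (e.g. freshclam)
#   CHECKCMD optional hypothetical hook, run as "CHECKCMD DBDIR"; must succeed
#            before the new files are accepted (defaults to "true")
refresh_db() {
    dbdir=$1 fresh=$2 check=${3:-true}

    # Refuse empty or root paths so a bad variable never turns into "rm -rf /*".
    case "$dbdir" in ''|/) echo "refusing dbdir '$dbdir'" >&2; return 2 ;; esac
    [ -d "$dbdir" ] || { echo "no such directory: $dbdir" >&2; return 2; }

    # mkdir is atomic: a second cron run that overlaps a slow download backs off.
    lock="$dbdir.lock"
    mkdir "$lock" 2>/dev/null || { echo "refresh already running" >&2; return 3; }

    # Move the current files aside instead of deleting them.
    backup="$dbdir.bak.$$"
    mkdir "$backup" || { rmdir "$lock"; return 2; }
    for f in "$dbdir"/*; do
        if [ -e "$f" ]; then mv "$f" "$backup"/; fi
    done

    if $fresh && $check "$dbdir"; then
        rm -rf "$backup"            # new database accepted, drop the old copy
        status=0
    else
        # Download or check failed: discard partial files, restore the old set.
        rm -rf "${dbdir:?}"/*
        for f in "$backup"/*; do
            if [ -e "$f" ]; then mv "$f" "$dbdir"/; fi
        done
        rmdir "$backup"
        status=1
    fi
    rmdir "$lock"
    return $status
}
```

In the original script this would stand in for the `rm -Rf` and freshclam lines, called as `refresh_db "$dbfolder" "$freshdb"`.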

  3. #3
    Join Date
    Nov 2006
    Posts
    77
    oops.. i forgot to test run it under cron before posting the code.. i've fixed it now to make it work fine under cron.. the above post has been updated! it's only tested under centos 5, so feel free to modify it for your other OSs..
    Last edited by ak17_hk; 10-13-2009 at 05:48 PM.

  4. #4
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,122
    What happens to email delivery on your server if clamd has stopped?

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  5. #5
    Join Date
    Nov 2006
    Posts
    77
    the emails will be temporarily delayed if clamd stopped.. it even shows error when trying to send email from the webmail interface.. that's why i need to make such script to keep it working..

  6. #6
    Join Date
    Oct 2004
    Location
    London, UK
    Posts
    6,773
    a suggestion,

    on

    # email alert subject on failure
    subject="ClamdAV su host.domain.com is down!"

    could u make it take the hostname of the server automatically?
    SeLLeRoNe - Andrea Iannucci
    Head of Managed Service - Senior DevOps Engineer
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  7. #7
    Join Date
    Nov 2006
    Posts
    77
    Originally Posted by SeLLeRoNe:
    a suggestion,

    on

    # email alert subject on failure
    subject="ClamdAV su host.domain.com is down!"

    could u make it take the hostname of the server automatically?

    yup.. just modify the lines a little will do... i've updated the code above too..

    Code:
    # server hostname (no modification needed)
    myhost=$(hostname)
    
    # email alert subject on failure
    subject="Clamd on ${myhost} is down!"
    
    # email alert body message on failure
    message="Clamd on ${myhost} is down!"

  8. #8
    Join Date
    Oct 2004
    Location
    London, UK
    Posts
    6,773
    nice thanks so i can use the same script for all box without change manually each host ^^

    Last question, do you know how to add the cron by command line without use crontab -e?

    thanks again

  9. #9
    Join Date
    Aug 2008
    Posts
    4,695
    You can't really do it without crontab -e....unless you add it to /etc/crontab or a file in /etc/cron.d

  10. #10
    Join Date
    Aug 2008
    Posts
    4,695
    I don't see why this script is even needed...if there is a bug with the program then you should be contacting the developers...end users shouldn't have to write scripts to have programs function properly.

  11. #11
    Join Date
    Nov 2006
    Posts
    77
    Originally Posted by scsi:
    I don't see why this script is even needed...if there is a bug with the program then you should be contacting the developers...end users shouldn't have to write scripts to have programs function properly.

    it's a commonly known problem that the freshclam function of clamav often kills the virus definition db.. it's been said a lot in their mail list.. so.. that's why i need to write this script to save myself..
    anyway, even if the program has no problem at all.. at least this script gives me confidence that it's running fine and i dun have to worry about it until i get the mail alert~

  12. #12
    Join Date
    Nov 2006
    Posts
    77
    Originally Posted by SeLLeRoNe:
    nice thanks so i can use the same script for all box without change manually each host ^^

    Last question, do you know how to add the cron by command line without use crontab -e?

    thanks again

    i think crontab -e is the better option?

  13. #13
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,122
    If you don't use crontab -e, but rather build the crontab either manually or by script, it won't work until after you restart crond.

    Jeff

  14. #14
    Join Date
    Nov 2006
    Posts
    77
    here's an update about how to allow mail to pass through exim instead of being deferred even if the AV scanner (clamav in my case) fails...

    in your /etc/exim.conf

    replace the line:
    Code:
    malware = *
    with:
    Code:
    malware = */defer_ok
    then restart exim.

    this setting allows exim to skip the scanning check if the call to the AV_Scanner specified daemon fails..

    now this makes it perfect for me.. which allows mail to pass through all the time.. while there's a script to restart clamd too even it's found dead!

  15. #15
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,122
    Hmmmmm...

    I think I should put this into DirectAdmin's exim.conf file so mail won't be delayed if ClamAV dies.

    Any comments?

    Jeff

  16. #16
    Join Date
    Nov 2006
    Posts
    77
    Originally Posted by jlasman:
    Hmmmmm...

    I think I should put this into DirectAdmin's exim.conf file so mail won't be delayed if ClamAV dies.

    Any comments?

    Jeff
    hi jeff,

    yeeeepppp... i think definitely.. u know.. many ppl use clamav these days... that would be a headache if the mails r not passing through...

  17. #17
    Hello,

    Seems ok just as long as you do know somehow that the scanner is down. If there are no bells going off somewhere or obvious signs it's not working, then you'd end up not scanning anything and wouldn't be the wiser.

    John
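
One way to get the "bells going off" for the `malware = */defer_ok` setting discussed above, as an added example that is not part of any post: read the Exim main log and list messages that were accepted right after a scanner failure was logged for the same message ID. It assumes Exim's default log layout (date, time, message ID, event text) and a "malware acl condition:" line on scanner failure, so check the exact wording in your own mainlog; the sample log and function names are constructed for this sketch.

```shell
#!/bin/sh
# Added example. Assumption: default Exim mainlog layout, i.e.
# field 1 = date, 2 = time, 3 = message ID, 4.. = event text.

# Constructed sample log (not taken from a real server).
sample_log() {
cat <<'EOF'
2009-10-15 02:01:10 1MyAAA-0001aB-01 <= alice@example.org H=mx.example.org [192.0.2.10] P=esmtp S=2048
2009-10-15 02:08:11 1MyAAB-0001aC-02 malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
2009-10-15 02:08:11 1MyAAB-0001aC-02 <= bob@example.net H=mail.example.net [192.0.2.20] P=esmtp S=51200
2009-10-15 02:09:30 1MyAAC-0001aD-03 malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
2009-10-15 02:09:30 1MyAAC-0001aD-03 H=mail.example.com [192.0.2.30] F=<carol@example.com> temporarily rejected after DATA
2009-10-15 02:10:02 1MyAAD-0001aE-04 malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
2009-10-15 02:10:02 1MyAAD-0001aE-04 <= dave@example.org H=smtp.example.org [192.0.2.40] P=esmtp S=10240
EOF
}

# Read a mainlog on stdin; print the IDs of messages that logged a scanner
# failure and were then accepted ("<=" line), i.e. delivered without a scan.
unscanned_ids() {
    awk '
        $4 == "malware" && $5 == "acl" && $6 == "condition:" { failed[$3] = 1; next }
        $4 == "<=" && ($3 in failed) { print $3; delete failed[$3] }
    '
}

# failopen_check THRESHOLD: summarise the log on stdin and return non-zero
# when THRESHOLD or more messages were accepted unscanned.
failopen_check() {
    ids=$(unscanned_ids)
    if [ -z "$ids" ]; then echo "0 messages accepted unscanned"; return 0; fi
    n=$(printf '%s\n' "$ids" | wc -l | tr -d ' ')
    echo "$n message(s) accepted while the scanner was failing:" $ids
    [ "$n" -lt "$1" ]
}

sample_log | failopen_check 1 || echo "ALERT: mail is passing without virus scanning"
```

On a real server the last line would read the live log instead of `sample_log`, with the alert sent by mail the same way the clamdcheck script does.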

  18. #18
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,122
    John,

    The way it works now is you find out that ClamAV is down because your mail stops getting delivered, that's not good either.

    Since ClamAV wasn't made an official part of DirectAdmin there's no checking built in for it. The problem with putting ClamAV into the DirectAdmin services monitor is that then it can be turned on and off; if it's turned off, but exim is NOT turned off, then mail will NOT get delivered.

    Perhaps ClamAV should become a standard part of DirectAdmin, and the on-off for it should be in the exim startup/shutdown script. That way the box admin will get notified and can just restart exim to get it running again. We already do it this way on our servers, but it would make it a lot easier for us if DirectAdmin did the install, set up the update into custombuild, and set up the exim startup/shutdown script to manage it.

    I know there's the issue of running DirectAdmin on servers too underpowered to run ClamAV, but I find that if the ClamAV code is left commented out in exim.conf there's no real discernible draw on server resources just having the daemon run.

    What do you think, John? Is this something you can do?

    Jeff

  19. #19
    Hello,

    I think ClamAV would be a great addition to the default install. I've never looked at it myself, but I think it might be a good option for custombuild.

    John

  20. #20
    Join Date
    Nov 2006
    Posts
    77
    yep.. that's a great idea indeed!
