ClamAV Died Due to Corrupted DB

ak17_hk

hi guys.. i found that the latest version of clamav always dies every few days due to the "malformed database" error after freshclam has been called or clamd restarts... this happens all the time! :confused:

i googled around and found that many other people have similar issues.. the problem is easily solved though by removing all the clamav signature DBs, running freshclam again to get the latest DB and restarting clamd.. but it's impossible for us to always check and see whether clamd has died or not..

worse is once clamd dies.. exim will not function properly as all emails (incoming / outgoing) are stuck as the virus scanning process cannot initiate! :( so if we do not know early enough that clamd died.. mails of users will have problems coming in or sending out..

so.. anyone got similar issues? any good suggestion on how to tackle the problem or solve the problem completely? please help! thanks!!!
 
clamd status check script...

today i picked up the issue again and did some research.. then wrote the following shell script for monitoring clamd and keeping it alive! :D the script will first try to detect if clamd is running, if not, it'll try to kick start clamd a few times (u can define the number of trials).. if this also fails.. it will then try to remove the clamav virus definition database and download it again (this is to handle the common issue of "malformed database" error, at least for me...), then try to kick start clamd again.. if it still fails.. then the script will give up and send an email alert to the server admin..

if u see anything wrong with the codes, please let me know.. :)

1. first, create a dummy test file for clamd to scan during the check:

cd /usr/local/directadmin/scripts/custom
echo "" > clamav.txt

2. create the "clamdcheck" shell script:

cat > clamdcheck
Code:
#!/bin/bash
# bash is required: the retry loop below uses the bash-only for (( ... )) syntax

# path to an empty dummy test file
testfile="/usr/local/directadmin/scripts/custom/clamav.txt"

# path to the clamav database files without the ending "/"
dbfolder="/usr/local/share/clamav"

# path to the clamdscan executable
scan="/usr/local/bin/clamdscan"

# path to the freshclam executable
freshdb="/usr/local/bin/freshclam"

# number of times the script tries to kick start clamd
trial=10

# email of server administrator
email="[email protected]"

# server hostname (no modification needed)
myhost=$(hostname)

# email alert subject on failure
subject="Clamd on ${myhost} is down!"

# email alert body message on failure
message="Clamd on ${myhost} is down!"

output=$($scan $testfile | grep "SCAN SUMMARY")

if [ -z "$output" ]; then
	echo "Clamd is not running!"
	echo "Now trying to start clamd..."
	for (( i=1; i<=$trial; i++ ))
	do
		echo "Trial $i..."
		/sbin/service clamd restart
		output=$($scan $testfile | grep "SCAN SUMMARY")
		if [ -n "$output" ]; then
			break
		else
			sleep 3
		fi
	done
	if [ -z "$output" ]; then
		echo "Clamd is still not running!"
		echo "Now trying to refresh clamav database..."
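		# ${dbfolder:?} aborts if dbfolder is empty or unset, so this can never expand to "rm -Rf /*"
		rm -Rf "${dbfolder:?}"/*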
		$freshdb
		/sbin/service clamd restart
		output=$($scan $testfile | grep "SCAN SUMMARY")
		if [ -z "$output" ]; then
			echo "Clamd is still not running!"
			echo "$message" | mail -s "$subject" "$email"
			echo "Giving up... email alert has been sent to administrator."
		else
			echo "Clamd is running now!"
		fi
	else
		echo "Clamd is running now!"
	fi
else
	echo "Clamd is running!"
fi

3. make the script executable:

chmod 755 clamdcheck

4. add a cron job as root (don't set it too frequent as a complete freshclam process will take some time to complete):

15,45 * * * * /usr/local/directadmin/scripts/custom/clamdcheck > /dev/null 2>&1

5. done! :D
 
oops.. i forgot to test run it under cron before posting the code.. :p i've fixed it now to make it work fine under cron.. the above post has been updated! :) it's only tested under centos 5, so feel free to modify it for your other OSs..
 
What happens to email delivery on your server if clamd has stopped?

Jeff
 
the emails will be temporarily delayed if clamd has stopped.. :( it even shows an error when trying to send email from the webmail interface.. that's why i need to make such a script to keep it working.. :)
 
a suggestion,

on

# email alert subject on failure
subject="ClamdAV su host.domain.com is down!"

could u make it take the hostname of the server automatically?
 
yup.. just modify the lines a little will do... i've updated the code above too.. :D

Code:
# server hostname (no modification needed)
myhost=$(hostname)

# email alert subject on failure
subject="Clamd on ${myhost} is down!"

# email alert body message on failure
message="Clamd on ${myhost} is down!"
 
nice :) thanks, so i can use the same script for all boxes without manually changing each host ^^

Last question, do you know how to add the cron by command line without using crontab -e?

thanks again
 
You can't really do it without crontab -e... unless you add it to /etc/crontab or a file in /etc/cron.d
 
I don't see why this script is even needed... if there is a bug with the program then you should be contacting the developers... end users shouldn't have to write scripts to have programs function properly.
 
it's a commonly known problem that the freshclam function of clamav often kills the virus definition db.. it's been said a lot on their mailing list.. so.. that's why i need to write this script to save myself.. :rolleyes:
anyway, even if the program has no problem at all.. at least this script gives me confidence that it's running fine and i dun have to worry about it until i get the mail alert~ :D
 
i think crontab -e is the better option? :confused:
 
If you don't use crontab -e, but rather build the crontab either manually or by script, it won't work until after you restart crond.

Jeff
 
here's an update about how to allow mail to pass through exim instead of being deferred even if the AV scanner (clamav in my case) fails...

in your /etc/exim.conf

replace the line:
Code:
malware = *

with:
Code:
malware = */defer_ok

then restart exim.

this setting allows exim to skip the scanning check if the call to the AV_Scanner specified daemon fails..

now this makes it perfect for me.. which allows mail to pass through all the time.. while there's a script to restart clamd too even if it's found dead! :D
 
Hmmmmm...

I think I should put this into DirectAdmin's exim.conf file so mail won't be delayed if ClamAV dies.

Any comments?

Jeff
 
hi jeff,

yeeeepppp... i think definitely.. :D u know.. many ppl use clamav these days... that would be a headache if the mails r not passing through... ;)
 
Hello,

Seems ok just as long as you do know somehow that the scanner is down. If there are no bells going off somewhere or obvious signs it's not working, then you'd end up not scanning anything and wouldn't be the wiser.

John
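
Added example, not part of the original thread: with `malware = */defer_ok` a scanner failure no longer delays mail, so exim's log is the only place it shows up. The script below joins scanner-failure lines to accepted messages by message ID. The log lines are constructed, and it is an assumption that failures are logged with the `malware acl condition:` prefix and the message ID in the third field of the default log format; the log path and admin address are passed as arguments.

```shell
#!/bin/bash
# Added example: list messages exim accepted while the malware scanner was
# failing, i.e. mail that "malware = */defer_ok" let through unscanned.

# Constructed sample of an exim main log (default timestamp format assumed).
sample_log() {
cat <<'EOF'
2008-03-01 10:14:02 1JVabc-0001Ab-CD <= alice@example.com H=mail.example.com [192.0.2.10] P=esmtp S=2301
2008-03-01 10:15:40 1JVabd-0001Ac-EF malware acl condition: clamd: unable to connect to UNIX socket /tmp/clamd (Connection refused)
2008-03-01 10:15:40 1JVabd-0001Ac-EF <= bob@example.net H=mx.example.net [192.0.2.20] P=esmtp S=5120
2008-03-01 10:16:11 1JVabe-0001Ad-GH malware acl condition: clamd: unable to connect to UNIX socket /tmp/clamd (Connection refused)
2008-03-01 10:16:12 1JVabe-0001Ad-GH <= carol@example.org H=mx.example.org [192.0.2.30] P=esmtp S=880
2008-03-01 10:17:30 1JVabf-0001Ae-IJ malware acl condition: clamd: unable to connect to UNIX socket /tmp/clamd (Connection refused)
EOF
}

# Print the ID of every message that hit a scanner failure and was accepted.
# Field 3 is the message ID; "<=" in field 4 marks an accepted message.
unscanned_ids() {
    awk '
        / malware acl condition: / { failed[$3] = 1 }
        $4 == "<=" && ($3 in failed) { print $3 }
    ' "$1" | sort -u
}

# Number of distinct messages accepted without a scan.
count_unscanned() {
    unscanned_ids "$1" | wc -l | tr -d ' '
}

# Usage (e.g. from cron): unscanned-check <exim main log> <admin email>
if [ -n "$1" ] && [ -n "$2" ]; then
    n=$(count_unscanned "$1")
    if [ "$n" -gt 0 ]; then
        unscanned_ids "$1" |
            mail -s "$(hostname): $n message(s) accepted unscanned" "$2"
    fi
fi
```

It reports every match in the file it is given, so run it against a log that is rotated regularly to avoid repeated alerts for the same messages.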
 
John,

The way it works now is you find out that ClamAV is down because your mail stops getting delivered, that's not good either.

Since ClamAV wasn't made an official part of DirectAdmin there's no checking built in for it. The problem with putting ClamAV into the DirectAdmin services monitor is that then it can be turned on and off; if it's turned off, but exim is NOT turned off, then mail will NOT get delivered.

Perhaps ClamAV should become a standard part of DirectAdmin, and the on-off for it should be in the exim startup/shutdown script. That way the box admin will get notified and can just restart exim to get it running again. We already do it this way on our servers, but it would make it a lot easier for us if DirectAdmin did the install, set up the update into custombuild, and set up the exim startup/shutdown script to manage it.

I know there's the issue of running DirectAdmin on servers too underpowered to run ClamAV, but I find that if the ClamAV code is left commented out in exim.conf there's no real discernible draw on server resources just having the daemon run.

What do you think, John? Is this something you can do?

Jeff
 
Hello,

I think ClamAV would be a great addition to the default install. I've never looked at it myself, but I think it might be a good option for custombuild.

John
 