clamd@scan - can't run

Please can you share the output of:

rpm -qa | grep -i clamav
clamav-0.103.7-1.el8.x86_64
clamav-devel-0.103.7-1.el8.x86_64
clamav-filesystem-0.103.7-1.el8.noarch
clamav-data-0.103.7-1.el8.noarch
clamav-lib-0.103.7-1.el8.x86_64
clamav-update-0.103.7-1.el8.x86_64
 
looks fine, try to re-do only the uninstall and reinstall, considering additionally:

after dnf erase clamav* , execute:

Code:
rm -rf /var/lib/clamav

rm -rf /etc/clamd.d

rm -f /etc/freshclam.*

and try to reinstall clamav with custombuild.


This is the reference from my server:

Code:
[root@dgh yum.repos.d]# rpm -qa | grep clamav
clamav-0.103.7-1.el8.x86_64
clamav-update-0.103.7-1.el8.x86_64
clamav-devel-0.103.7-1.el8.x86_64
clamav-lib-0.103.7-1.el8.x86_64
clamav-filesystem-0.103.7-1.el8.noarch
clamav-data-0.103.7-1.el8.noarch
[root@dgh yum.repos.d]# ps axu | grep clam
clamupd+   12051  0.0  0.2 215464 17132 ?        Ss   12:06   0:02 /usr/bin/freshclam -d --foreground=true
clamscan   12055  3.6 16.3 1596136 1327736 ?     Ssl  12:06   2:23 /usr/sbin/clamd -c /etc/clamd.d/scan.conf
root       20434  0.0  0.0  12144  1140 pts/0    S+   13:11   0:00 grep --color=auto clam
[root@dgh yum.repos.d]# uname -a
Linux dgh.hostednode.cl 4.18.0-425.13.1.el8_7.x86_64 #1 SMP Thu Feb 2 13:01:45 EST 2023 x86_64 x86_64 x86_64 GNU/Linux
[root@dgh yum.repos.d]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.7 (Ootpa)
[root@dgh yum.repos.d]#
 
After reinstalling and trying to run
Redirecting to /bin/systemctl status clamd@scan.service
clamd@scan.service - clamd scanner (scan) daemon
Loaded: loaded (/usr/lib/systemd/system/[email protected]; enabled; vendor pres>
Active: failed (Result: exit-code) since Wed 2023-03-01 17:18:13 CET; 3s ago
Docs: man:clamd(8)
man:clamd.conf(5)
https://www.clamav.net/documents/
Process: 58757 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf (code=exit>
Main PID: 35245 (code=exited, status=0/SUCCESS)

mar 01 17:18:13 server.server.pl systemd[1]: clamd@scan.service: Service Rest>
mar 01 17:18:13 server.server.pl systemd[1]: clamd@scan.service: Scheduled re>
mar 01 17:18:13 server.server.pl systemd[1]: Stopped clamd scanner (scan) dae>
mar 01 17:18:13 server.server.pl systemd[1]: clamd@scan.service: Start reques>
mar 01 17:18:13 server.server.pl systemd[1]: clamd@scan.service: Failed with >
mar 01 17:18:13 server.server.pl systemd[1]: Failed to start clamd scanner (s>
 
Ok, I was able to start the service. When checking the service status, I get the following message:

clamd@scan
mar 01 17:32:49 server.server.pl freshclam[89085]: See https://docs.clamav.net/faq/faq-eol.html for details.
mar 01 17:32:49 server.server.pl freshclam[89085]: 2. Run FreshClam no more than once an hour to check for updates.
mar 01 17:32:49 server.server.pl freshclam[89085]: FreshClam should check DNS first to see if an update is needed.
mar 01 17:32:49 server.server.pl freshclam[89085]: 3. If you have more than 10 hosts on your network attempting to download,
mar 01 17:32:49 server.server.pl freshclam[89085]: it is recommended that you set up a private mirror on your network using
mar 01 17:32:49 server.server.pl freshclam[89085]: cvdupdate (https://pypi.org/project/cvdupdate/) to save bandwidth on the
mar 01 17:32:49 server.server.pl freshclam[89085]: CDN and your own network.
mar 01 17:32:49 server.server.pl freshclam[89085]: 4. Please do not open a ticket asking for an exemption from the rate limit,
mar 01 17:32:49 server.server.pl freshclam[89085]: it will not be granted.
mar 01 17:32:49 server.server.pl freshclam[89085]: WARNING: You are still on cool-down until after: 2023-03-01 21:32:18

What does it mean?
 
I'm having the same issue. clamd/clamscan is running with 100% cpu usage.
CentOS 7
Is there a way to see what clamd is actually doing, why it's using 100% cpu?
 
It's the same issue: the clamscan process can't start and enters a loop of trying to start this service, and the CPU usage goes up to 100% (one core).
But I don't have any CentOS 7 with this problem almost.
 
@dmtinc your suggestion also works on Almalinux 9 , for people who want fast copy paste:
Code:
cd
dnf erase clamav* 
rm -rf /var/lib/clamav
rm -rf /etc/clamd.d
rm -f /etc/freshclam.*
cd /usr/local/directadmin/custombuild
./build clamav
 
I have a very odd situation. As stated I've had the same issue as you before, clamd@scan kept restarting.
So at a certain moment I was fed up and used the STOP button in the service monitor from directadmin and went for dinner.

Now I came back and oh wonder..... on one of the CentOS 7 servers, the clamd@scan service was running fine again without issues.
The others still had the reset problem.

So I restarted the clamd@scan service via the service monitor on that one server and now the issue is occurring again.

And also this:
Code:
[root@server: /var/lib/clamav]# ps faux | grep clamd@scan
root     11102  0.0  0.0 112812   984 pts/0    S+   18:02   0:00          \_ grep --color=auto clamd@scan
root     10986  0.0  0.0 115408  1252 ?        S    18:01   0:00  |   \_ sh -c /usr/bin/systemctl restart clamd@scan.service        >/dev/null 2>/dev/null
root     10987  0.0  0.0 134900  1448 ?        S    18:01   0:00  |       \_ /usr/bin/systemctl restart clamd@scan.service
root     11091  0.0  0.0 115408  1456 ?        S    18:02   0:00      \_ sh -c /usr/bin/systemctl start clamd@scan.service        >/dev/null 2>/dev/null
root     11092  0.0  0.0 134900  1452 ?        S    18:02   0:00          \_ /usr/bin/systemctl start clamd@scan.service
[root@server /var/lib/clamav]#

When things were running fine on that one server, I didn't see any clamd@scan service like this. This starts showing when trying to start clamd@scan.service via Directadmin.
And when pushing that button, you will see 2 commands appearing same as this:
Code:
root     10987  0.0  0.0 134900  1448 ?        S    18:01   0:00  |       \_ /usr/bin/systemctl restart clamd@scan.service
root     11091  0.0  0.0 115408  1456 ?        S    18:02   0:00      \_ sh -c /usr/bin/systemctl start clamd@scan.service        >/dev/null 2>/dev/null

Is DA trying to start the service twice??

So I stopped it via SSH and now I can't start it anymore at the moment but maybe this points to the root cause of the issue.
ERROR: Can't open/parse the config file /etc/clamd.d/service.conf

So to see what happens I copied the /etc/clamd.d/scan.conf to service.conf and tried starting it again. And yes, with 100% cpu, the clamd@scan service now wants to try to start again.

So where is this /etc/clamd.d/service.conf error coming from suddenly when trying to start the clamd@scan service?

Also loads of these:
Code:
Mar  1 18:19:41 server25 clamd: LibClamAV debug: init_tdb: Signature for Xls.Downloader.Emotet-b600c9ff3ec1c136-9950239-0 not loaded (required f-level: 150)
Mar  1 18:19:41 server25 clamd: LibClamAV debug: init_tdb: Signature for Xls.Downloader.Emotet-adc2d23d2dc26dd0-9950240-0 not loaded (required f-level: 150)
Mar  1 18:19:41 server25 clamd: LibClamAV debug: init_tdb: Signature for Xls.Downloader.Emotet-ea85857e7e81817a-9950241-0 not loaded (required f-level: 150)
Mar  1 18:19:41 server25 clamd: LibClamAV debug: init_tdb: Signature for Xls.Downloader.Emotet-add2d22d2bc26dd0-9950243-0 not loaded (required f-level: 150)

and

Code:
Mar  1 18:19:42 server25 clamd: LibClamAV debug: Ignoring signature Pdf.Exploit.Agent-7056
Mar  1 18:19:42 server25 clamd: LibClamAV debug: Ignoring signature Pdf.Exploit.Agent-7062
Mar  1 18:19:42 server25 clamd: LibClamAV debug: Ignoring signature Pdf.Exploit.Agent-7065
Mar  1 18:19:42 server25 clamd: LibClamAV debug: Ignoring signature Pdf.Exploit.Agent-7068
Mar  1 18:19:42 server25 clamd: LibClamAV debug: Ignoring signature Pdf.Exploit.Agent-7083
Mar  1 18:19:42 server25 clamd: LibClamAV debug: Ignoring signature Pdf.Exploit.Agent-7085
etc. etc.

Something very odd is going on.
 
And at the end:
Code:
Mar  1 18:26:49 server25 clamd: LibClamAV debug: bytecode: JIT disabled
Mar  1 18:26:49 server25 clamd: LibClamAV debug: Cannot prepare for JIT, LLVM is not compiled or not linked
Mar  1 18:26:49 server25 clamd: LibClamAV debug: Bytecode: 0 bytecode prepared with JIT, 91 prepared with interpreter, 91 total
Mar  1 18:26:49 server25 clamd: ERROR: TCP: Cannot bind to [127.0.0.1]:3310: Address already in use

Seems something is conflicting or the system service is trying to restart itself and DA is too, causing an address already in use conflict or something like that.
This is on that one centos 7 server by the way.
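
A small triage helper for the log symptoms posted in this thread, added here as an example (not from any poster or from DirectAdmin): it flags the port 3310 bind conflict, the unreadable config file path, and the freshclam cool-down, and counts concurrent systemctl start/restart invocations in `ps` output. The function names and the sample lines are constructed for illustration.

```shell
# Added example: triage clamd/freshclam log lines for the failure modes
# reported in this thread. Reads log text on stdin, prints one finding per line.
triage_clam_log() {
    awk '
    /Cannot bind to .*Address already in use/ {
        bind++                                   # another process holds the socket
        if (match($0, /\[[0-9.]+\]:[0-9]+/)) addr = substr($0, RSTART, RLENGTH)
    }
    /Can.t open\/parse the config file/ { cfg = $NF }   # check the instance name
    /cool-down until after:/ {                   # freshclam is rate limited
        s = $0; sub(/.*cool-down until after: */, "", s); cool = s
    }
    /LibClamAV debug:/ { debug++ }               # verbose signature-load chatter
    END {
        if (bind)       printf "PORT_IN_USE %s count=%d\n", addr, bind
        if (cfg != "")  printf "BAD_CONFIG %s\n", cfg
        if (cool != "") printf "FRESHCLAM_COOLDOWN until=%s\n", cool
        if (debug)      printf "DEBUG_NOISE count=%d\n", debug
    }'
}

# Count systemctl start/restart invocations for clamd@scan in ps output on
# stdin, ignoring the sh -c wrappers and the grep process itself.
count_starters() {
    awk '/systemctl (start|restart) clamd@scan/ && !/sh -c/ && !/grep/ { n++ }
         END { print n + 0 }'
}

# Constructed sample input, modelled on lines quoted in the thread.
sample_log() {
    cat <<'EOF'
Mar  1 18:19:42 host clamd: LibClamAV debug: Ignoring signature Pdf.Exploit.Agent-7056
Mar  1 18:26:49 host clamd: LibClamAV debug: bytecode: JIT disabled
Mar  1 18:26:49 host clamd: ERROR: TCP: Cannot bind to [127.0.0.1]:3310: Address already in use
Mar  1 18:27:02 host clamd: ERROR: Can't open/parse the config file /etc/clamd.d/service.conf
Mar  1 17:32:49 host freshclam[89085]: WARNING: You are still on cool-down until after: 2023-03-01 21:32:18
EOF
}
sample_ps() {
    cat <<'EOF'
root 10986 0.0 0.0 115408 1252 ? S 18:01 0:00 sh -c /usr/bin/systemctl restart clamd@scan.service
root 10987 0.0 0.0 134900 1448 ? S 18:01 0:00 /usr/bin/systemctl restart clamd@scan.service
root 11092 0.0 0.0 134900 1452 ? S 18:02 0:00 /usr/bin/systemctl start clamd@scan.service
root 11102 0.0 0.0 112812  984 pts/0 S+ 18:02 0:00 grep --color=auto clamd@scan
EOF
}
sample_log | triage_clam_log
echo "concurrent systemctl starters: $(sample_ps | count_starters)"
```

On a live host the same functions can be fed from `journalctl -u clamd@scan` and `ps faux`; a PORT_IN_USE finding together with more than one starter matches the double-start situation described above.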
 
Confirmed same problem on centos7, the same clamav version of rhel8:

0.103.8-3.el7
 
Same issue for us, Almalinux 8. Tried all solutions above but no luck.
/usr/sbin/clamd -c /etc/clamd.d/scan.conf using nearly 100% cpu!
 
@Active8 Solution is not working. Looks like it works, but then restart clamd@scan from DA and service will be stopped again afterwards.

Can you try disabling the service monitoring from DA for clamscan at /usr/local/directadmin/data/admin/services.status to OFF?
After this change the restart loop of the service has stopped and now it is up and running OK on CentOS 7.

So maybe the way DA checks the service is the problem with the latest version of clamav in EPEL.
 
Okay, so I found out: use the stop function on DA to stop the clamd@scan.
Verify with ps faux | grep clamd that nothing is starting or restarting and if still running use the killall -9 clamd command to stop it running.
Also check with ps faux | grep clamd@scan to see if something is left.

If all is stopped, then manually start the service.
systemctl start clamd@scan
and wait (you can tail the logfile if you have that enabled, I did) and after a little while, the service is started.
systemctl status clamd@scan shows running.
Directadmin service monitor shows running too.

Do not use the DA service monitor to stop and start or restart the service, or the same problem will occur again.

@dmtinc I just read your suggestion. Removing the clamd@scan monitor might be a good workaround for the time being.
 
Do not use the DA service monitor to stop and start or restart the service, or the same problem will occur again.
This may be a problem; for example, if the service goes down because of an update, the DA service monitor will try to restart the service and the problem will come again.

@fln @smtalk

The problem with the service monitor and the latest version of clamav (epel) needs to be reviewed by the DA Staff.
 
This may be a problem,
Exactly, also as I've shown above, it looks like the service is being started twice at the same time by DA.
Must indeed be looked at by the staff. But it's caused by the clamav update, wasn't a problem before. Clamav update had some security update so maybe that has to do with how it's started, not sure.
I hope they can fix it.

And the last (Centos 7) server showed this:
ERROR: Can't open/parse the config file /etc/clamd.d/service.conf
while this normally is scan.conf.
 
Will share what worked for me:

service clamd@scan stop
service clamav-freshclam stop
dnf erase clamav*

rm -rf /var/lib/clamav
rm -rf /etc/clamd.d
rm -f /etc/freshclam.*

cd /usr/local/directadmin/custombuild
./build clamav
 