[solved] Clamav / clamd / freshclam database problem - clamav does not work with CentOS 6 32-bit anymore

harro

Verified User
Joined
Oct 15, 2005
Messages
168
For a long time now my clamd has been unable to start on most of my servers (installed via Custombuild). I would like your help to make clamd work again, both to have AV scanning and to stop having the long list of warnings in the messages.

In an attempt to resolve this I have:

1 - removed the old databases in the destination directory that is mentioned in the error (/usr/local/share/clamav), without any change/improvement;

2 - followed the instructions on the DirectAdmin help pages: https://help.directadmin.com/item.php?id=444 and https://help.directadmin.com/item.php?id=370 which did not resolve the problem.

3 - To remove the continuous errors, I set the clamd service to 'no' in the services list for DA to check. Every update somehow automatically sets it to 'yes' again, so I gave up on decluttering this way.

4 - using Custombuild, I removed Clamav in the options.conf and uninstalled it completely, then reinstalled it. To no avail, the same error remains.


Some logs below (in the past there used to be an option to format text more legibly as code with a nice box around it, etc. but this seems no longer possible?):

server]# freshclam -v
ClamAV update process started at Thu Jan 16 04:36:04 2020
Current working dir is /usr/local/share/clamav/
Querying current.cvd.clamav.net
TTL: 1725
fc_dns_query_update_info: Software version from DNS: 0.102.1
Current working dir is /usr/local/share/clamav/
check_for_new_database_version: No local copy of "daily" database.
query_remote_database_version: daily.cvd version from DNS: 25696
daily database available for download (remote version: 25696)
Retrieving https://database.clamav.net/daily.cvd
downloadFile: Download source: https://database.clamav.net/daily.cvd
downloadFile: Download destination: /usr/local/share/clamav/tmp/clamav-edf7d394f7f4e9d09ee94f8ca5f4ddd1.tmp
* Trying 104.16.219.84:443...
* TCP_NODELAY set
* Connected to database.clamav.net (104.16.219.84) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NPN, negotiated HTTP2 (h2)
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* Server certificate:
* subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=ssl392509.cloudflaressl.com
* start date: Aug 24 00:00:00 2019 GMT
* expire date: Mar 1 23:59:59 2020 GMT
* subjectAltName: host "database.clamav.net" matched cert's "*.clamav.net"
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO ECC Domain Validation Secure Server CA 2
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x8aafd50)
> GET /daily.cvd HTTP/2
Host: database.clamav.net
user-agent: ClamAV/0.102.1 (OS: linux-gnu, ARCH: i386, CPU: i686)
accept: */*
connection: close

* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Thu, 16 Jan 2020 03:36:04 GMT
< content-type: application/octet-stream
< content-length: 57426414
< set-cookie: __cfduid=d03eb603bb1123af257a1b7c87fd1bd201579145764; expires=Sat, 15-Feb-20 03:36:04 GMT; path=/; domain=.clamav.net; HttpOnly; SameSite=Lax
< last-modified: Wed, 15 Jan 2020 13:34:00 GMT
< etag: "5e1f14c8-36c41ee"
< expires: Thu, 16 Jan 2020 07:36:04 GMT
< cache-control: public, max-age=14400
< cf-cache-status: HIT
< age: 13765
< accept-ranges: bytes
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< strict-transport-security: max-age=15552000
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 555d0b06ea4a726f-AMS
<
Time: 0.7s, ETA; 0.0s [=======================================>] 54.77MiB/54.77MiB
* Connection #0 to host database.clamav.net left intact
WARNING: [LibClamAV] cli_cvdload: Corrupted CVD header
ERROR: getcvd: Verification: Malformed database

Trying again in 5 secs...
check_for_new_database_version: No local copy of "daily" database.
query_remote_database_version: daily.cvd version from DNS: 25696
daily database available for download (remote version: 25696)
Retrieving https://database.clamav.net/daily.cvd
downloadFile: Download source: https://database.clamav.net/daily.cvd
downloadFile: Download destination: /usr/local/share/clamav/tmp/clamav-fdf85705bfae653846deabb2fe0134da.tmp
* Trying 104.16.219.84:443...
* TCP_NODELAY set
* Connected to database.clamav.net (104.16.219.84) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NPN, negotiated HTTP2 (h2)
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* Server certificate:
* subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=ssl392509.cloudflaressl.com
* start date: Aug 24 00:00:00 2019 GMT
* expire date: Mar 1 23:59:59 2020 GMT
* subjectAltName: host "database.clamav.net" matched cert's "*.clamav.net"
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO ECC Domain Validation Secure Server CA 2
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x8438798)
> GET /daily.cvd HTTP/2
Host: database.clamav.net
user-agent: ClamAV/0.102.1 (OS: linux-gnu, ARCH: i386, CPU: i686)
accept: */*
connection: close

* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Thu, 16 Jan 2020 03:37:01 GMT
< content-type: application/octet-stream
< content-length: 57426414
< set-cookie: __cfduid=d7e402ccb18cc62c3e2a9568e5f349fcf1579145821; expires=Sat, 15-Feb-20 03:37:01 GMT; path=/; domain=.clamav.net; HttpOnly; SameSite=Lax
< last-modified: Wed, 15 Jan 2020 13:34:00 GMT
< etag: "5e1f14c8-36c41ee"
< expires: Thu, 16 Jan 2020 07:37:01 GMT
< cache-control: public, max-age=14400
< cf-cache-status: HIT
< age: 13822
< accept-ranges: bytes
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< strict-transport-security: max-age=15552000
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 555d0c6b09dac82b-AMS
<
Time: 0.7s, ETA; 0.0s [=======================================>] 54.77MiB/54.77MiB
* Connection #0 to host database.clamav.net left intact
WARNING: [LibClamAV] cli_cvdload: Corrupted CVD header
ERROR: getcvd: Verification: Malformed database
Giving up on https://database.clamav.net...
ERROR: Update failed for database: daily
WARNING: fc_update_databases: fc_update_database failed: Invalid or corrupted CVD/CLD database (7)
ERROR: Database update process failed: Invalid or corrupted CVD/CLD database (7)

ERROR: Update failed.



And when I try to start clamd manually:

server]# service clamd start
Starting clamd: LibClamAV Error: cli_loaddbdir(): No supported database files found in /usr/local/share/clamav
ERROR: Can't open file or directory [FAILED]



And looking at the folder attributes/rights:

server]# la /usr/local/share/
4 drwxr-xr-x 2 clamav clamav 4096 Jan 16 03:21 clamav



Does anyone have suggestions or experience that could resolve this issue?


Thank you and kind regards,

Harro
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,128
Location
GMT +7.00
Hello,

- Try removing the content of /usr/local/share/clamav/,
- Make sure to disable ClamAV mirrors that are not accessible from your server,
- restart freshclam,
- and then try to start clamav.
 

harro

Verified User
Joined
Oct 15, 2005
Messages
168
Thank you for your advice, zEitEr.

Your suggestion to remove the content from the /usr/local/share/clamav/ was my first step too - and the folder is still empty because all databases downloaded by freshclam give a corrupted CVD header error:

WARNING: [LibClamAV] cli_cvdload: Corrupted CVD header
ERROR: getcvd: Verification: Malformed database



It does not seem possible to selectively remove servers that freshclam uses, because according to the logs and freshclam.conf there is an automatic redirect via https://database.clamav.net.

I have also received feedback from DirectAdmin Support, which I will post below.
 

harro

Verified User
Joined
Oct 15, 2005
Messages
168
From DirectAdmin support:

From clamav's page:
"Certain versions on certain OSes will cause failures loading virus database: CentOS 6 32bit: zlib 1.2.3-29
Solution: Update to newer version."

If it's indeed a 32-bit OS and it has worked previously, maybe using a custom previous ClamAV engine would be a solution/workaround, in case it loads the current ClamAV DBs: https://help.directadmin.com/item.php?id=565


I downgraded to clamav-0.99.4 and it seems to work again:


ClamAV update process started at Fri Jan 17 20:10:15 2020
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 911
Software version from DNS: 0.102.1
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99.4 Recommended version: 0.102.1
DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
Retrieving http://database.clamav.net/main.cvd
Trying to download http://database.clamav.net/main.cvd (IP: 104.16.219.84)
Downloading main.cvd [100%]
Loading signatures from main.cvd
Properly loaded 4564902 signatures from new main.cvd
main.cvd updated (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Querying main.59.85.1.0.6810DB54.ping.clamav.net
Can't query main.59.85.1.0.6810DB54.ping.clamav.net
Retrieving http://database.clamav.net/daily.cvd
Trying to download http://database.clamav.net/daily.cvd (IP: 104.16.219.84)
Downloading daily.cvd [100%]
Loading signatures from daily.cvd
Properly loaded 2143682 signatures from new daily.cvd
daily.cvd updated (version: 25698, sigs: 2143682, f-level: 63, builder: raynman)
Querying daily.25698.85.1.0.6810DB54.ping.clamav.net
Can't query daily.25698.85.1.0.6810DB54.ping.clamav.net
Retrieving http://database.clamav.net/bytecode.cvd
Trying to download http://database.clamav.net/bytecode.cvd (IP: 104.16.219.84)
Downloading bytecode.cvd [100%]
Loading signatures from bytecode.cvd
Properly loaded 94 signatures from new bytecode.cvd
bytecode.cvd updated (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Querying bytecode.331.85.1.0.6810DB54.ping.clamav.net
Can't query bytecode.331.85.1.0.6810DB54.ping.clamav.net
Database updated (6708678 signatures) from database.clamav.net (IP: 104.16.219.84)
Restarting freshclam.
Shutting down freshclam: [ OK ]
Starting freshclam: [ OK ]
Restarting clamd.
Shutting down clamd: [ OK ]
Starting clamd: [ OK ]
Restarting exim.
Shutting down exim:
Starting exim:
Done ClamAV.



This is not an ideal situation but at least the root cause seems to have been identified. I will try to work my way up the clamav versions until it stops working again.

Thank you DA Support and zEitEr for your help.
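The "Corrupted CVD header" / "Malformed database" errors in the first post, and the DA-support explanation above that an engine build on CentOS 6 32-bit fails to load an otherwise valid database, both come down to two checks libclamav performs on a .cvd file: reading the 512-byte text header and verifying the MD5 of the compressed body behind it. The following Python script is an added example (not ClamAV, DirectAdmin or Custombuild code) that performs those two checks and a functionality-level comparison on a .cvd file, so an admin can tell an intact download that the local engine cannot load (the situation in this thread) apart from a file actually damaged in transit or on disk. Assumptions: the header layout follows ClamAV's libclamav ("ClamAV-VirusDB:" followed by eight colon-separated fields: build time, version, signature count, functionality level, body MD5, digital signature, builder, build epoch); the RSA digital signature is parsed but not verified; the sample database, its signature lines and the engine functionality levels are constructed for the demonstration.

```python
"""Inspect a ClamAV .cvd file: parse the 512-byte header and verify the
body MD5. Added example, not ClamAV project code; the RSA signature in the
header is NOT verified here (assumption: left to the real engine)."""
import hashlib
import io
import tarfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

CVD_HEADER_LEN = 512
CVD_MAGIC = b"ClamAV-VirusDB:"


class CvdError(Exception):
    """Defects freshclam would report as a corrupted header or malformed database."""


@dataclass
class CvdHeader:
    build_time: str   # human-readable build timestamp (no colons in it)
    version: int      # database version, e.g. 25696 for daily.cvd
    sig_count: int    # number of signatures in the body
    flevel: int       # functionality level the database requires
    body_md5: str     # MD5 of the compressed tar body following the header
    dsig: str         # RSA signature over the MD5 (not checked in this example)
    builder: str      # who built the database
    stime: int        # build time as seconds since the epoch


def parse_cvd_header(data: bytes) -> CvdHeader:
    """Validate the fixed-size text header; raise CvdError on any defect."""
    if len(data) < CVD_HEADER_LEN:
        raise CvdError("Corrupted CVD header: file shorter than 512 bytes")
    header = data[:CVD_HEADER_LEN]
    if not header.startswith(CVD_MAGIC):
        raise CvdError("Corrupted CVD header: missing ClamAV-VirusDB magic")
    text = header[len(CVD_MAGIC):].rstrip(b"\x00 ").decode("ascii", errors="replace")
    fields = text.split(":")
    if len(fields) != 8:
        raise CvdError(f"Corrupted CVD header: expected 8 fields, got {len(fields)}")
    try:
        return CvdHeader(fields[0], int(fields[1]), int(fields[2]), int(fields[3]),
                         fields[4].lower(), fields[5], fields[6], int(fields[7]))
    except ValueError as exc:
        raise CvdError(f"Corrupted CVD header: non-numeric field ({exc})") from exc


def verify_cvd(data: bytes, engine_flevel: int) -> Tuple[CvdHeader, List[str]]:
    """Return the header plus warnings; hard failures raise CvdError.

    MD5 mismatch or an undecodable body mirror freshclam's "Malformed
    database"; a functionality level above the engine's is only a warning,
    because freshclam warns (OUTDATED) rather than rejecting such a file."""
    hdr = parse_cvd_header(data)
    body = data[CVD_HEADER_LEN:]
    actual = hashlib.md5(body).hexdigest()
    if actual != hdr.body_md5:
        raise CvdError(f"Verification: MD5 mismatch (header {hdr.body_md5}, body {actual})")
    try:  # the body must be a gzip-compressed tar of signature files
        with tarfile.open(fileobj=io.BytesIO(body), mode="r:gz") as tar:
            members = [m.name for m in tar.getmembers()]
    except (tarfile.TarError, OSError, EOFError) as exc:
        raise CvdError(f"Verification: body is not a valid tar.gz ({exc})") from exc
    warnings = []
    if hdr.flevel > engine_flevel:
        warnings.append(f"database needs f-level {hdr.flevel}, engine provides {engine_flevel}")
    if not members:
        warnings.append("body archive contains no signature files")
    return hdr, warnings


def is_malformed(data: bytes, engine_flevel: int = 63) -> bool:
    """True when verify_cvd rejects the file outright (the thread's symptom)."""
    try:
        verify_cvd(data, engine_flevel)
        return False
    except CvdError:
        return True


def build_cvd(sig_files: Dict[str, bytes], version: int, flevel: int) -> bytes:
    """Constructed sample builder: tar.gz the signature files, prepend a header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in sig_files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    body = buf.getvalue()
    sig_count = sum(c.count(b"\n") for c in sig_files.values())
    fields = ["16 Jan 2020 13-34 +0000", str(version), str(sig_count), str(flevel),
              hashlib.md5(body).hexdigest(), "dummy-dsig", "example", "1579095240"]
    header = (CVD_MAGIC + ":".join(fields).encode("ascii")).ljust(CVD_HEADER_LEN, b" ")
    return header + body


if __name__ == "__main__":
    # Constructed daily-style database with two hash signatures and one body signature.
    sample = build_cvd({"daily.hdb": b"d41d8cd98f00b204e9800998ecf8427e:0:Example.Empty\n"
                                     b"9e107d9d372bb6826bd81d3542a419d6:43:Example.Fox\n",
                        "daily.ndb": b"Example.Marker:0:*:4578616d706c65\n"},
                       version=25696, flevel=63)
    hdr, warns = verify_cvd(sample, engine_flevel=63)
    print(f"OK: version {hdr.version}, {hdr.sig_count} sigs, f-level {hdr.flevel}")
    print("older engine:", verify_cvd(sample, engine_flevel=60)[1])
    damaged = bytearray(sample)
    damaged[CVD_HEADER_LEN + 3] ^= 0xFF  # one flipped body byte: MD5 check fails
    print("damaged body rejected:", is_malformed(bytes(damaged)))
    print("garbage header rejected:", is_malformed(b"x" * 600))
```

Run it against a real file with `verify_cvd(open("/usr/local/share/clamav/daily.cvd", "rb").read(), engine_flevel)`: if the header parses and the MD5 matches, the download is intact and the problem lies with the engine build (the zlib case DA support cites), which is a different fix from re-downloading.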
 