Koozali.org formerly Contribs.org

workaround for clamav update problem

« on: February 25, 2013, 10:37:20 PM »
At the moment we are getting a lot of messages from clamav, which doesn't want to be updated.
In the bugzilla there is a workaround to provide a solution. http://bugs.contribs.org/show_bug.cgi?id=7353

Thanks to Graeme Fleming http://bugs.contribs.org/show_bug.cgi?id=7353#c51

I'm documenting an update process that has worked without fail every time I've used it, regardless of Clam version & update status; it follows most of what the previous few posters have said with a few additions for completeness & clarity:

# Shutdown clam so clamd.socket file is removed
service clamd stop

# Navigate to clamav folder
cd /var/clamav

# Remove ALL files from folder to provide clean slate for update process
# (you could skip the -f & confirm every file delete for safety)
rm -f /var/clamav/*

# Current Clamav version is clamav-0.97.6

rpm -q clamav

clamav-0.97.6-1.el5.rf

# Update clamav to latest version if required
# Not downloading clamav-db
yum update clamav

# Restart clam
service clamd start

# Update sigs
# (--no-dns can be used if just -v fails, though I haven't struck this issue)
freshclam -v

Check the output from freshclam to make sure the update completes successfully.

Current working dir is /var/clamav
Max retries == 6
ClamAV update process started at Sun Feb 24 15:14:02 2013
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 900
Software version from DNS: 0.97.6
main.cvd version from DNS: 54
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cvd version from DNS: 16731
daily.cld is up to date (version: 16731, sigs: 829102, f-level: 63, builder: guitar)
bytecode.cvd version from DNS: 214
bytecode.cvd is up to date (version: 214, sigs: 41, f-level: 63, builder: neo)

which showed as just 5 files in the /var/clamav folder:

-rw-r--r--  1 clamav clamav    60125 Feb 17 12:11 bytecode.cvd
srw-rw-rw-  1 clamav clamav        0 Feb 24 14:27 clamd.socket
-rw-r--r--  1 clamav clamav 52101120 Feb 24 11:46 daily.cld
-rw-r--r--  1 clamav clamav 30750647 Oct 11  2011 main.cvd
-rw-------  1 clamav clamav      104 Feb 24 14:46 mirrors.dat

Note: if you are bandwidth poor or on a slow connection then don't delete main.cvd

For completeness & to be absolutely sure, run signal-event post-update; signal-event reboot, then go through the logs post-reboot to make sure everything started correctly. This is not necessary for this procedure but doesn't hurt.
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!
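Added example (not from this thread or from the SME/Koozali project): the steps above as one POSIX shell script. It assumes the database directory is /var/clamav, that clamd is controlled with "service clamd", and that freshclam is on the PATH. Two things it does differently from the hand-typed steps, both taken from notes in the thread: main.cvd is kept unless you ask for a "full" reset (it is ~30 MB and rarely changes), and the freshclam output is checked for ERROR / "Update failed" lines and for all three databases being reported current, which is the check the post asks you to do by eye. The two sample outputs at the bottom are constructed from the runs quoted in this thread so the checker can be tried without a server.

```sh
#!/bin/sh
# Added example: the reset procedure from the post above as a POSIX shell script.
# Not code from the thread or from the SME/Koozali project.
# Assumed: database dir /var/clamav, 'service clamd', 'freshclam' in PATH.

CLAMAV_DIR="${CLAMAV_DIR:-/var/clamav}"

# Remove freshclam's regular files from DIR (daily.*, bytecode.*, mirrors.dat, ...).
# Sockets such as clamd.socket and any subdirectories are left alone.
# Second argument "full" also removes main.cvd; the default keeps it.
reset_clamav_db() {
    dir="$1"
    mode="${2:-keep-main}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "${f##*/}" = main.cvd ] && [ "$mode" != full ]; then
            continue    # keep the base database to save bandwidth
        fi
        rm -f "$f"
    done
    return 0
}

# Return 0 only when the captured freshclam output contains no ERROR line, no
# "Update failed" summary, and reports main, daily and bytecode as current.
# Works on plain 'freshclam -v' output and on the timestamped lines the hourly
# mail carries, because nothing is anchored to the start of the line.
verify_freshclam_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -Eq 'ERROR:|Update failed'; then
        return 1
    fi
    for db in main daily bytecode; do
        if ! printf '%s\n' "$out" | grep -Eq "$db"'\.c[lv]d (is up to date|updated)'; then
            return 1
        fi
    done
    return 0
}

# Stop clamd, clear the database files, start clamd, refresh and verify.
update_clamav() {
    mode="${1:-keep-main}"
    service clamd stop
    reset_clamav_db "$CLAMAV_DIR" "$mode"
    service clamd start
    out="$(freshclam -v 2>&1)"
    if verify_freshclam_output "$out"; then
        echo "freshclam: all databases current"
        return 0
    fi
    echo "freshclam: update NOT verified, output follows:" >&2
    printf '%s\n' "$out" >&2
    return 1
}

# Constructed samples, modelled on the two runs quoted in this thread, so the
# checker can be exercised without touching a real server.
SAMPLE_OK="ClamAV update process started at Sun Feb 24 15:14:02 2013
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cld is up to date (version: 16731, sigs: 829102, f-level: 63, builder: guitar)
bytecode.cvd is up to date (version: 214, sigs: 41, f-level: 63, builder: neo)"

SAMPLE_FAIL="2013-03-10 16:18:39.149484500 ClamAV update process started at Sun Mar 10 16:18:39 2013
2013-03-10 16:18:39.149914500 main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
2013-03-10 16:18:40.134402500 ERROR: getpatch: Can't download daily-16682.cdiff from database.clamav.net
2013-03-10 16:18:40.170857500 Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is working."

case "${1:-}" in
    update) update_clamav "${2:-keep-main}" ;;
    verify) verify_freshclam_output "$(cat)" ;;   # freshclam -v 2>&1 | sh clamav-reset.sh verify
    check)  verify_freshclam_output "$SAMPLE_OK" && ! verify_freshclam_output "$SAMPLE_FAIL" \
                && echo "self-check passed" ;;
    *)      ;;   # no argument: functions are defined, nothing on disk is touched
esac
```

Usage: "sh clamav-reset.sh update" does the stop / clear / start / freshclam sequence (add "full" as a second argument to remove main.cvd as well); "freshclam -v 2>&1 | sh clamav-reset.sh verify" checks a run you did by hand and exits non-zero on failure, which makes it usable from cron instead of reading the hourly mail; "sh clamav-reset.sh check" runs the two built-in samples.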

Re: workaround for clamav update problem
« Reply #1 on: March 10, 2013, 12:32:40 AM »
Works for me. Maybe a sticky? Or a wiki add?

Re: workaround for clamav update problem
« Reply #2 on: March 10, 2013, 10:56:12 AM »
This will work every time. For me, the million dollar question is 'why do we need to do this' (rhetorical).

For my own server, I needed to do this once maybe 4-6 weeks ago. I have a friend down country who also had to do it once 4-6 weeks ago. I have several servers across town belonging to several not-for-profit organisations I donate my time to. I have had to do it to these servers 3 or 4 times over recent weeks. One, as recently as yesterday. I know of another server nearby that has never needed it doing. I have logged into that server and checked the AV is working.

I have read extensively on this issue and believe I understand why it has happened. If I am understanding all this correctly, it is not an issue with SME but an upstream issue with the CLAM Team and the integrity of the update files they are pushing out.

What I don't understand is that there seems to be no pattern, and different servers at different locations, some with different ISPs, are behaving very differently.

The only way I am able to rationalise this in my own mind is by embarking on the very unsafe practice of assumption. My assumption is that different servers in different locations or with different ISPs are ending up at different mirrors with varying integrity. I can't prove this, I don't even know if I am right, but there is nothing else I can think of that explains this random behaviour.

For clarity, I should also state that (a) when I delete the files, the situation is resolved for days. I have checked this in the logs and files. (b) I always delete the mirrors.dat file so the mirror list gets replaced/updated.

The only way I can think to sort it is to run a daily cron job to delete these files so they get replaced. However, I don't think the volume of additional traffic upstream would be appreciated! Could also have the effect of compounding the problem.


...


Re: workaround for clamav update problem
« Reply #4 on: March 10, 2013, 10:22:43 PM »
I, too, have been getting hourly emails. I have tried the workaround several times and am still getting emails.
Here is the output from the command line:
[root@provue-server ~]# freshclam -v
Current working dir is /var/clamav
Max retries == 6
ClamAV update process started at Sun Mar 10 15:54:08 2013
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 844
Software version from DNS: 0.97.6
main.cvd version from DNS: 54
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cvd version from DNS: 16825
daily.cvd is up to date (version: 16825, sigs: 915586, f-level: 63, builder: neo)
bytecode.cvd version from DNS: 214
bytecode.cvd is up to date (version: 214, sigs: 41, f-level: 63, builder: neo)
[root@provue-server ~]#

All seems well; however, I got this email shortly after:

2013-03-10 16:18:39.149484500 ClamAV update process started at Sun Mar 10 16:18:39 2013
2013-03-10 16:18:39.149914500 main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
2013-03-10 16:18:40.130638500 WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
2013-03-10 16:18:40.131407500 WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
2013-03-10 16:18:40.132159500 WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
2013-03-10 16:18:40.132899500 WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
2013-03-10 16:18:40.133645500 WARNING: getpatch: Can't download daily-16682.cdiff from database.clamav.net
2013-03-10 16:18:40.134402500 ERROR: getpatch: Can't download daily-16682.cdiff from database.clamav.net
2013-03-10 16:18:40.169794500 WARNING: Incremental update failed, trying to download daily.cvd
2013-03-10 16:18:40.170672500 ERROR: Can't download daily.cvd from database.clamav.net
2013-03-10 16:18:40.170836500 Giving up on database.clamav.net...
2013-03-10 16:18:40.170857500 Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.

I am wondering if I have another problem. My server is 8.0, fully updated. Any suggestions?

Re: workaround for clamav update problem
« Reply #5 on: March 10, 2013, 10:40:01 PM »
Follow the instructions listed above and your problem WILL resolve itself.
...

Re: workaround for clamav update problem
« Reply #6 on: March 10, 2013, 10:45:16 PM »
Thanks. I have run the fix probably 10 times over the last two or three weeks, but so far emails continue. I'll just give it more time.

Re: workaround for clamav update problem
« Reply #7 on: March 10, 2013, 10:47:12 PM »
Otherwise, cut and paste the below into a command prompt and it will also achieve the desired result. (PuTTY is helpful here)

# Shutdown clam so clamd.socket file is removed
service clamd stop
# Navigate to clamav folder
cd /var/clamav
# Remove ALL files from folder to provide clean slate for update process
rm -f /var/clamav/*
# (you could skip the -f & confirm every file delete for safety)
# Restart clam
service clamd start
# Update sigs
freshclam -v
# (--no-dns can be used if just -v fails, though I haven't struck this issue)
...

Re: workaround for clamav update problem
« Reply #8 on: March 10, 2013, 10:52:13 PM »
Thanks, again. I did exactly that today (and earlier) using PuTTY. Anything else I should try?

Re: workaround for clamav update problem
« Reply #9 on: March 10, 2013, 10:55:34 PM »
No, that should do it. Has ALWAYS worked for me but may need to do it again a day later. That is just the nature of the problem. You can also delete all the files with WinSCP (you won't be able to delete the socket file) and run freshclam -v. That will do it also.

Just note I have modified the above script ever so slightly to make it command prompt friendly.
« Last Edit: March 10, 2013, 10:58:38 PM by p-jones »
...

Re: workaround for clamav update problem
« Reply #10 on: March 10, 2013, 10:57:51 PM »
Thank you.  I will keep trying the workaround.

Re: workaround for clamav update problem
« Reply #11 on: March 11, 2013, 07:39:18 AM »
@bclayton: I presume that the clamav mirror used is the default one, db.local.clamav.net:
# config getprop clamav DatabaseMirror
db.local.clamav.net

Try this (worked for me). Set the DatabaseMirror to the one for your own country. DatabaseMirror has the format db.XY.clamav.net, where XY is the country code of your country. For example, if you are from the US, then most likely the mirror is named db.us.clamav.net.

So first, check that the mirror server does exist, by using a dig:
# dig db.us.clamav.net

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> db.us.clamav.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64013
;; flags: qr rd ra; QUERY: 1, ANSWER: 18, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;db.us.clamav.net.              IN      A

;; ANSWER SECTION:
db.us.clamav.net.       1200    IN      CNAME   db.us.big.clamav.net.
db.us.big.clamav.net.   60      IN      A       64.6.100.177
db.us.big.clamav.net.   60      IN      A       64.22.33.90
db.us.big.clamav.net.   60      IN      A       65.19.179.67
db.us.big.clamav.net.   60      IN      A       69.12.162.28
db.us.big.clamav.net.   60      IN      A       69.163.100.14
db.us.big.clamav.net.   60      IN      A       78.46.84.244
db.us.big.clamav.net.   60      IN      A       128.177.8.248
db.us.big.clamav.net.   60      IN      A       129.21.171.98
db.us.big.clamav.net.   60      IN      A       150.214.142.197
db.us.big.clamav.net.   60      IN      A       155.98.64.87
db.us.big.clamav.net.   60      IN      A       168.143.19.95
db.us.big.clamav.net.   60      IN      A       194.8.197.22
db.us.big.clamav.net.   60      IN      A       194.186.47.19
db.us.big.clamav.net.   60      IN      A       200.236.31.1
db.us.big.clamav.net.   60      IN      A       207.57.106.31
db.us.big.clamav.net.   60      IN      A       208.72.56.53
db.us.big.clamav.net.   60      IN      A       209.198.147.20

;; Query time: 192 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Mon Mar 11 08:34:42 2013
;; MSG SIZE  rcvd: 330

Seems ok, so configure it:
# config setprop clamav DatabaseMirror db.us.clamav.net
# signal-event clamav-update

After doing these, try the hints given by the posters above.

Again, changing the database mirror is what helped in my case, YMMV. :)

Re: workaround for clamav update problem
« Reply #12 on: March 11, 2013, 04:59:09 PM »
Thanks, Michail.
My default mirror was set to local. I tried your suggestion and set it to US and reran the code provided earlier, but I'm still getting emails. I'm a bit baffled as these workarounds seem to have worked for others.

Re: workaround for clamav update problem
« Reply #13 on: March 11, 2013, 06:07:43 PM »
Can you try a:
freshclam -v --no-dns

Re: workaround for clamav update problem
« Reply #14 on: March 11, 2013, 10:33:59 PM »
Tried that a couple of hours ago, and still getting emails. I welcome any other suggestions. Thanks.