ClamAV Virus Scanning does not start

Hi there!

After the latest update 2014-11-03 20:20 (GMT) ClamAV Virus Scan Server will not start, anyone else experiencing this?

//Lars

Status: 
Active

Comments

Howdy -- hmm, we haven't received any reports of anyone having problems with that.

What error(s) are you receiving when trying to start ClamAV? If there aren't any errors on the command line, do you see any in the logs?

Submitted by LarsReimers on Mon, 11/03/2014 - 13:40

Hi,

Nothing appears, just a refresh of the page, and it still has not started.
From what I could see through the update seemed to be a warning at any point, the update was declared a success.

//Lars R.

Submitted by LarsReimers on Mon, 11/03/2014 - 13:49

Which log should I look at?

//Lars

After trying to start ClamAV, I would suggest looking in /var/log/maillog, and /var/log/messages, to see what errors are being generated.

Submitted by LarsReimers on Mon, 11/03/2014 - 14:39

From messages:

Nov 3 21:37:11 h83-209-52-2 saslauthd[1797]: do_auth : auth failure: [user=mountain] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

From maillog:

Nov 3 21:37:06 h83-209-52-2 milter-greylist: smfi_getsymval failed for {if_addr}
Nov 3 21:37:11 h83-209-52-2 postfix/smtpd[20520]: warning: s242970652.online.de[212.227.251.187]: SASL LOGIN authentication failed: authentication failure
Nov 3 21:37:13 h83-209-52-2 postfix/smtpd[20520]: lost connection after AUTH from s242970652.online.de[212.227.251.187]
Nov 3 21:37:13 h83-209-52-2 postfix/smtpd[20520]: disconnect from s242970652.online.de[212.227.251.187]

Submitted by LarsReimers on Mon, 11/03/2014 - 14:47

This was at the time of update!

From clamd log:

Mon Nov 3 20:17:56 2014 -> ERROR: Can't unlink the pid file /var/run/clamav/clamd.pid
Mon Nov 3 20:17:56 2014 -> --- Stopped at Mon Nov 3 20:17:56 2014
Mon Nov 3 20:17:56 2014 -> ERROR: Can't unlink the socket file /var/run/clamav/clamd.sock

//Lars

Submitted by LarsReimers on Mon, 11/03/2014 - 14:56

Now this pops up when I try to start. I have changed the file permissions on the log files to 777.

Configuring and enabling the ClamAV scanning server ..

Starting ClamAV server and enabling at boot ..
.. failed to start : Starting Clam AntiVirus Daemon: ERROR: Can't initialize the internal logger
ERROR: Can't open /var/log/clamav/clamd.log in append mode (check permissions!).
[FAILED]

.. all done

It sounds like there's some sort of permissions issue that is occurring.

What is the output of these two commands:

ls -la /var/log/clamav/
rpm -qa | grep clam
Submitted by LarsReimers on Mon, 11/03/2014 - 15:10

OK!

[root@h83-209-52-2 ~]# ls -la /var/log/clamav/
drwxr-xr-x. 2 clamav clamav 4096 17 jun 12.23 .
drwxr-xr-x. 16 root root 4096 3 nov 17.02 ..
-rwxr-xr-x 1 clam clam 27435 3 nov 20.17 clamd.log
-rwxr-xr-x. 1 clam clam 9835 2 nov 03.08 clamd.log-20141102
-rwxr-xr-x 1 clam clam 722 3 nov 03.43 freshclam.log
-rwxr-xr-x. 1 clam clam 9380 2 nov 03.08 freshclam.log-20141102

and

[root@h83-209-52-2 ~]# rpm -qa | grep clam
clamd-0.98.4-1.el6.rf.x86_64
clamav-db-0.98.4-1.el6.rf.x86_64
clamav-0.98.4-1.el6.rf.x86_64

Ah, it looks like your version of ClamAV came from a third party repository named RPMForge.

Unfortunately, packages from third party repositories can cause problems, and in this case, it seems to be preventing ClamAV from being able to start.

My suggestion would be to use the ClamAV packages that come from the Virtualmin repository; using those should resolve the issue you're seeing.

Submitted by LarsReimers on Mon, 11/03/2014 - 23:17

It's just that I do, because of previous bad experiences with third parties. I now always select only updates coming from Virtualmin.

The 'rf' in the package names of the ClamAV packages means that it came from the RPMForge repository. The packages provided by Virtualmin are a different version than what you have there, and don't have the 'rf' in the names.

What is the output of this command -- this will show which repositories are currently enabled:

ls /etc/yum.repos.d

Submitted by LarsReimers on Mon, 11/03/2014 - 23:51

OK, now I'm probably a bit lost. How do I always choose reliable updates? I am now very unsure of how to handle the raised updates.

Here are the results:


[root@h83-209-52-2 ~]# ls /etc/yum.repos.d
CentOS-Base.repo CentOS-SCL.repo mirrors-rpmforge-testing
CentOS-Debuginfo.repo CentOS-Vault.repo rpmforge.repo
CentOS-fasttrack.repo mirrors-rpmforge virtualmin.repo
CentOS-Media.repo mirrors-rpmforge-extras

Ah, it does look like the RPMForge repository is enabled.

I would highly recommend against enabling any third party software repositories.

So long as no third party software repositories are enabled, you shouldn't have to be careful about what updates are installed.

What you would need to do is disable all the RPMForge related repositories, remove the ClamAV packages that came from it, and then install the ClamAV packages that come from Virtualmin's repository.

Submitted by LarsReimers on Tue, 11/04/2014 - 00:10

There you go. What is the best and safest way to do this?

I don't have specific steps for how to do that, but I can at least point you in the right direction.

You would want to remove the files mirrors-rpmforge-testing, rpmforge.repo, mirrors-rpmforge, and mirrors-rpmforge-extras.

You would then need to replace these existing RPMForge packages:

clamd-0.98.4-1.el6.rf.x86_64
clamav-db-0.98.4-1.el6.rf.x86_64
clamav-0.98.4-1.el6.rf.x86_64

With these Virtualmin ones:

clamav-0.98.4-1.el6.x86_64
clamav-db-0.98.4-1.el6.x86_64
clamd-0.98.4-1.el6.x86_64
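
An added example, not part of the original thread or of Virtualmin's tooling: two read-only audit helpers for the cleanup described above. `ls /etc/yum.repos.d` only shows which repo files exist, so `enabled_repos` reads each file's `enabled=` setting, and `rf_packages` filters `rpm -qa` output for the 'rf' release tag. The function names and the `--run` switch are assumptions made for this example.

```shell
#!/bin/bash
# Added example: read-only audit before removing third-party repositories.

# Print "<repo-id> <file>" for every enabled section in DIR/*.repo.
# yum treats a section with no "enabled=" line as enabled.
enabled_repos() {
    local dir=$1 f
    for f in "$dir"/*.repo; do
        [ -e "$f" ] || continue
        awk -v file="${f##*/}" '
            function emit() { if (id != "" && on) print id, file }
            /^[ \t]*\[.*\][ \t]*$/ {
                emit()
                id = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", id)
                on = 1; next
            }
            /^[ \t]*enabled[ \t]*=/ {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v)
                on = (tolower(v) !~ /^(0|no|false)[ \t\r]*$/)
            }
            END { emit() }
        ' "$f"
    done
}

# Read "name-version-release.arch" lines (rpm -qa output) on stdin and print
# those whose release ends in the RPMForge tag, e.g. 1.el6.rf.x86_64.
rf_packages() {
    grep -E '\.rf\.[^.]+$' || true
}

# Hypothetical switch for this example: run the audit on the live system.
if [ "${1:-}" = "--run" ]; then
    echo "Enabled repositories:"
    enabled_repos /etc/yum.repos.d
    echo "Installed packages carrying the rf tag:"
    rpm -qa | rf_packages
fi
```

Neither function changes anything on the system; the second list shows which installed packages still come from RPMForge before and after the replacement.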
Submitted by LarsReimers on Tue, 11/04/2014 - 00:18

Ok, I want to try it tonight, gotta go to work now!

Thanks, have a good day!

Regards, Lars Reimers