ClamAV version 0.99.2 packages for CentOS 7

#1 Sun, 05/22/2016 - 18:12
Joe

Howdy all,

I've just rolled out version 0.99.2 of ClamAV packages for CentOS 7. Nothing particularly new or important about this release, but it'll stop ClamAV from complaining about an old version for a while (a week or two until they roll a new version that'll complain about an old version). There were enough changes in ClamAV to where I wanted to give folks a heads up about the upgrade, just in case it causes problems. I've tested it on our systems, obviously, but there's a pretty wide variety of ways people can be using ClamAV, and there are a couple of things that changed that might affect some of those use cases (I patched it to act like the old version on the command line, but there may be other differences).

Anyway, keep an eye on your anti-virus usage and lemme know if you see any problems.

I'll roll this version out for older CentOS distros soon, as well.

Cheers,

Joe

Mon, 05/23/2016 - 16:13
havfrue

Hi,

This broke clamav on our EC2 Centos7. It can't start.

In order to try and start it manually I had to rename the database (main.cvd). Now I can run clamd as /usr/sbin/clamd -c /etc/clamd.d/scan.conf --nofork=yes and it can start.

I still can't run it from webmin though - I get this in /var/log/messages:

May 23 14:01:20 us systemd: Cannot add dependency job for unit firewalld.service, ignoring: Unit firewalld.service is masked.
May 23 14:01:20 us systemd: Starting Socket for Clam AntiVirus userspace daemon.
May 23 14:01:20 us systemd: Failed to chown socket at step USER: No such process
May 23 14:01:20 us systemd: clamav-daemon.socket control process exited, code=exited status=217
May 23 14:01:20 us systemd: Failed to listen on Socket for Clam AntiVirus userspace daemon.
May 23 14:01:20 us systemd: Dependency failed for Clam AntiVirus userspace daemon.
May 23 14:01:20 us systemd: Job clamav-daemon.service/start failed with result 'dependency'.
May 23 14:01:20 us systemd: Unit clamav-daemon.socket entered failed state.

Looks like a firewall dependency?

Also - not sure if that's a problem local to our system, but when trying to update with freshclam the "Example" line wasn't commented out in the conf, so that wouldn't run either - commented it out and freshclam can run now.

Not sure where to go from here to get clamav to run properly from webmin. :(

Christian

Mon, 05/23/2016 - 17:20 (Reply to #2)
Joe

Are you sure you haven't had other clamav packages (from sources other than us) installed at some point? freshclam.conf as we distribute it has never had "Example" in it, so it had to come from some other package. Because it is a config file, it's possible for it to not get replaced when upgrading it, so even if you have our package now, you wouldn't necessarily get the freshclam.conf distributed in our package. Our packages have .vm in the version (e.g. clamav-0.99.2-2.el7.centos.vm.x86_64; note the .vm after centos and before x86_64)

If you've enabled the EPEL repository, without being explicit about what packages you want to get from it, you could have gotten their ClamAV package, which is distributed with broken config files all around (all of them have "Example" in them, and the clamd configuration does not enable a socket or port for communication, so it won't start at all). I've filed tickets repeatedly about that package shipping with broken configuration, but they've always been closed without action...so I keep packaging clamav.

In short: Our packages have been tested to work in the general case for Virtualmin (though it's possible uncommon cases might break). But, if you've gotten other packages from other sources along the way, it may have replaced our working configs with broken configs. Check for .rpmnew config files to see if that's what happened.

Edit: There is a bug in our installer, however, recently, where the clamav-scanner and clamav-scanner-systemd packages don't get installed and they need to be for Virtualmin to function with clamd. You need those (but given your command example above, it seems like you do have them).

Edit2: And I guess I wasn't clear about what you should do about it. Copy the .rpmnew config files over the existing ones, or edit them to remove the "Example" line. You'll also need to edit /etc/clamd.d/scan.conf to have LocalSocket set to /var/run/clamd.scan/clamd.sock and LocalSocketGroup set to clamscan. These are the defaults we ship in our packages.
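The checks described in the post above, as an added example that is not part of the original post or of the Virtualmin packages: it audits a clamd config for an active "Example" line, the LocalSocket and LocalSocketGroup values quoted above, and a leftover .rpmnew file. The function names are hypothetical and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit a clamd config for the problems named in this thread.
# Default expected values are the ones quoted in the post above.

# Print the value of an active (uncommented) "Directive value" line.
conf_value() {   # $1 = file, $2 = directive
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Succeed if the file still has an active "Example" line.
has_example_line() {
    grep -Eq '^[[:space:]]*Example([[:space:]]|$)' "$1"
}

# Print one line per finding; return 1 if any check fails.
audit_clamd_conf() {   # $1 = config, $2 = expected socket, $3 = expected group
    conf=$1
    want_sock=${2:-/var/run/clamd.scan/clamd.sock}
    want_group=${3:-clamscan}
    rc=0
    if has_example_line "$conf"; then
        echo "FAIL $conf: active Example line"
        rc=1
    fi
    sock=$(conf_value "$conf" LocalSocket)
    if [ "$sock" != "$want_sock" ]; then
        echo "FAIL $conf: LocalSocket is '${sock:-unset}', expected $want_sock"
        rc=1
    fi
    group=$(conf_value "$conf" LocalSocketGroup)
    if [ "$group" != "$want_group" ]; then
        echo "FAIL $conf: LocalSocketGroup is '${group:-unset}', expected $want_group"
        rc=1
    fi
    # A leftover .rpmnew means rpm kept the existing file and saved the
    # packaged one alongside it instead of installing it.
    if [ -e "$conf.rpmnew" ]; then
        echo "NOTE $conf.rpmnew exists: packaged config was not installed"
    fi
    return "$rc"
}

# Constructed sample: a config in the broken state described above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/scan.conf" <<'EOF'
# Comment or remove the line below.
Example
#LocalSocket /var/run/clamd.scan/clamd.sock
User clamscan
EOF
: > "$demo_dir/scan.conf.rpmnew"
audit_clamd_conf "$demo_dir/scan.conf" || echo "audit failed (expected for the sample)"
rm -rf "$demo_dir"
```

On a real host, call `audit_clamd_conf /etc/clamd.d/scan.conf` instead of the sample run.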


Mon, 05/23/2016 - 18:39
havfrue

Hi,

I did the changes suggested in your edit, but it didn't change anything when trying to start clamav from Webmin. For now I've solved it by rolling back to 0.98 with yum and it works perfectly again.

Epel is not enabled: yum repolist yields:

repo id                             repo name                                                     status
base/7/x86_64                       CentOS-7 - Base                                               9,007
extras/7/x86_64                     CentOS-7 - Extras                                               301
updates/7/x86_64                    CentOS-7 - Updates                                            1,676
virtualmin/7/x86_64                 RHEL/CentOS/Scientific 7 - x86_64 - Virtualmin                  150
virtualmin-universal                Virtualmin Distribution Neutral Packages                         65

This is what I get from yum list clam*:

[16:04:39 /etc/clamd.d]# yum list clamav\*
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: repos.lax.quadranet.com
 * extras: centos-distro.cavecreek.net
 * updates: linux.mirrors.es.net
Installed Packages
clamav.x86_64                                     0.99.2-2.el7.centos.vm                     @virtualmin
clamav-data.noarch                                0.99.2-2.el7.centos.vm                     @virtualmin
clamav-devel.x86_64                               0.99.2-2.el7.centos.vm                     @virtualmin
clamav-filesystem.noarch                          0.99.2-2.el7.centos.vm                     @virtualmin
clamav-lib.x86_64                                 0.99.2-2.el7.centos.vm                     @virtualmin
clamav-scanner.noarch                             0.99.2-2.el7.centos.vm                     @virtualmin
clamav-scanner-systemd.noarch                     0.99.2-2.el7.centos.vm                     @virtualmin
clamav-server.x86_64                              0.99.2-2.el7.centos.vm                     @virtualmin
clamav-server-systemd.noarch                      0.99.2-2.el7.centos.vm                     @virtualmin
clamav-update.x86_64                              0.99.2-2.el7.centos.vm                     @virtualmin
Available Packages
clamav-data-empty.noarch                          0.99.2-2.el7.centos.vm                     virtualmin 
clamav-debuginfo.x86_64                           0.99.2-2.el7.centos.vm                     virtualmin 
clamav-milter.x86_64                              0.99.2-2.el7.centos.vm                     virtualmin 
clamav-milter-systemd.noarch                      0.99.2-2.el7.centos.vm                     virtualmin 
clamav-milter-sysvinit.noarch                     0.99.2-2.el7.centos.vm                     virtualmin 
clamav-scanner-sysvinit.noarch                    0.99.2-2.el7.centos.vm                     virtualmin 
clamav-server-sysvinit.noarch                     0.99.2-2.el7.centos.vm                     virtualmin 

All the clamav should be from your repo.

Soo - I tried upgrading it once more after the downgrade - and it's the same result. The upgrade went like this:

May 23 16:32:29 us yum[27048]: Updated: clamav-filesystem-0.99.2-2.el7.centos.vm.noarch
May 23 16:32:30 us yum[27048]: Updated: clamav-data-0.99.2-2.el7.centos.vm.noarch
May 23 16:32:30 us yum[27048]: Updated: clamav-lib-0.99.2-2.el7.centos.vm.x86_64
May 23 16:32:30 us yum[27048]: Updated: clamav-server-0.99.2-2.el7.centos.vm.x86_64
May 23 16:32:30 us yum[27048]: Updated: clamav-server-systemd-0.99.2-2.el7.centos.vm.noarch
May 23 16:32:30 us yum[27048]: Updated: clamav-scanner-systemd-0.99.2-2.el7.centos.vm.noarch
May 23 16:32:31 us yum[27048]: Updated: clamav-scanner-0.99.2-2.el7.centos.vm.noarch
May 23 16:32:31 us yum[27048]: Updated: clamav-update-0.99.2-2.el7.centos.vm.x86_64
May 23 16:32:31 us yum[27048]: Updated: clamav-devel-0.99.2-2.el7.centos.vm.x86_64
May 23 16:32:31 us yum[27048]: Updated: clamav-0.99.2-2.el7.centos.vm.x86_64
May 23 16:32:31 us systemd: Reloading.
May 23 16:32:31 us systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
May 23 16:32:31 us systemd: Cannot add dependency job for unit firewalld.service, ignoring: Unit firewalld.service is masked.
May 23 16:32:31 us systemd: Stopping Generic clamav scanner daemon...
May 23 16:32:31 us clamd: --- Stopped at Mon May 23 16:32:31 2016
May 23 16:32:31 us clamd[26384]: --- Stopped at Mon May 23 16:32:31 2016
May 23 16:32:31 us clamd[26384]: Socket file removed.
May 23 16:32:31 us clamd: Socket file removed.
May 23 16:32:31 us systemd: Started Generic clamav scanner daemon.
May 23 16:32:31 us systemd: Starting Generic clamav scanner daemon...
May 23 16:32:31 us clamd[27085]: Received 0 file descriptor(s) from systemd.
May 23 16:32:31 us clamd[27085]: clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
May 23 16:32:31 us clamd[27085]: Running as user clamscan (UID 994, GID 993)
May 23 16:32:31 us clamd[27085]: Log file size limited to 1048576 bytes.
May 23 16:32:31 us clamd[27085]: Reading databases from /var/lib/clamav
May 23 16:32:31 us clamd[27085]: Not loading PUA signatures.
May 23 16:32:31 us clamd[27085]: Bytecode: Security mode set to "TrustSigned".
May 23 16:32:31 us systemd: Reloading.
May 23 16:32:31 us systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
May 23 16:32:32 us clamd: LibClamAV Error: Can't load /var/lib/clamav/main.cvd: Can't verify database integrity
May 23 16:32:32 us clamd: LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/main.cvd
May 23 16:32:32 us clamd: ERROR: Can't verify database integrity
May 23 16:32:32 us clamd[27085]: Can't verify database integrity
May 23 16:32:32 us systemd: clamd@scan.service: main process exited, code=exited, status=1/FAILURE
May 23 16:32:32 us systemd: Unit clamd@scan.service entered failed state.
May 23 16:32:32 us systemd: clamd@scan.service failed.
May 23 16:32:32 us systemd: clamd@scan.service holdoff time over, scheduling restart.
May 23 16:32:32 us systemd: Cannot add dependency job for unit firewalld.service, ignoring: Unit firewalld.service is masked.
May 23 16:32:32 us systemd: Started Generic clamav scanner daemon.
May 23 16:32:32 us systemd: Starting Generic clamav scanner daemon...
May 23 16:32:32 us clamd[27108]: Received 0 file descriptor(s) from systemd.
May 23 16:32:32 us clamd[27108]: clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
May 23 16:32:32 us clamd[27108]: Running as user clamscan (UID 994, GID 993)
May 23 16:32:32 us clamd[27108]: Log file size limited to 1048576 bytes.
May 23 16:32:32 us clamd[27108]: Reading databases from /var/lib/clamav
May 23 16:32:32 us clamd[27108]: Not loading PUA signatures.
May 23 16:32:32 us clamd[27108]: Bytecode: Security mode set to "TrustSigned".
May 23 16:32:32 us clamd[27108]: Can't verify database integrity
May 23 16:32:32 us clamd: LibClamAV Error: Can't load /var/lib/clamav/main.cvd: Can't verify database integrity
May 23 16:32:32 us clamd: LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/main.cvd
May 23 16:32:32 us clamd: ERROR: Can't verify database integrity
May 23 16:32:32 us systemd: clamd@scan.service: main process exited, code=exited, status=1/FAILURE
May 23 16:32:32 us systemd: Unit clamd@scan.service entered failed state.
May 23 16:32:32 us systemd: clamd@scan.service failed.
May 23 16:32:33 us systemd: clamd@scan.service holdoff time over, scheduling restart.
May 23 16:32:33 us systemd: Cannot add dependency job for unit firewalld.service, ignoring: Unit firewalld.service is masked.
May 23 16:32:33 us systemd: Started Generic clamav scanner daemon.
May 23 16:32:33 us systemd: Starting Generic clamav scanner daemon...
May 23 16:32:33 us clamd[27117]: Received 0 file descriptor(s) from systemd.
May 23 16:32:33 us clamd[27117]: clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
May 23 16:32:33 us clamd[27117]: Running as user clamscan (UID 994, GID 993)
May 23 16:32:33 us clamd[27117]: Log file size limited to 1048576 bytes.
May 23 16:32:33 us clamd[27117]: Reading databases from /var/lib/clamav
May 23 16:32:33 us clamd[27117]: Not loading PUA signatures.
May 23 16:32:33 us clamd[27117]: Bytecode: Security mode set to "TrustSigned".
May 23 16:32:33 us clamd[27117]: Can't verify database integrity
May 23 16:32:33 us clamd: LibClamAV Error: Can't load /var/lib/clamav/main.cvd: Can't verify database integrity
May 23 16:32:33 us clamd: LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/main.cvd
May 23 16:32:33 us clamd: ERROR: Can't verify database integrity
May 23 16:32:33 us systemd: clamd@scan.service: main process exited, code=exited, status=1/FAILURE
May 23 16:32:33 us systemd: Unit clamd@scan.service entered failed state.
May 23 16:32:33 us systemd: clamd@scan.service failed.
May 23 16:32:33 us systemd: clamd@scan.service holdoff time over, scheduling restart.
May 23 16:32:33 us systemd: Cannot add dependency job for unit firewalld.service, ignoring: Unit firewalld.service is masked.
May 23 16:32:33 us systemd: Started Generic clamav scanner daemon.
May 23 16:32:33 us systemd: Starting Generic clamav scanner daemon...
May 23 16:32:33 us clamd[27132]: Received 0 file descriptor(s) from systemd.
May 23 16:32:33 us clamd[27132]: clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
May 23 16:32:33 us clamd[27132]: Running as user clamscan (UID 994, GID 993)
May 23 16:32:33 us clamd[27132]: Log file size limited to 1048576 bytes.
May 23 16:32:33 us clamd[27132]: Reading databases from /var/lib/clamav
May 23 16:32:33 us clamd[27132]: Not loading PUA signatures.
May 23 16:32:33 us clamd[27132]: Bytecode: Security mode set to "TrustSigned".
May 23 16:32:34 us clamd[27132]: Can't verify database integrity
May 23 16:32:34 us clamd: LibClamAV Error: Can't load /var/lib/clamav/main.cvd: Can't verify database integrity
May 23 16:32:34 us clamd: LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/main.cvd
May 23 16:32:34 us clamd: ERROR: Can't verify database integrity
May 23 16:32:34 us systemd: clamd@scan.service: main process exited, code=exited, status=1/FAILURE
May 23 16:32:34 us systemd: Unit clamd@scan.service entered failed state.
May 23 16:32:34 us systemd: clamd@scan.service failed.
May 23 16:32:34 us systemd: clamd@scan.service holdoff time over, scheduling restart.
May 23 16:32:34 us systemd: Cannot add dependency job for unit firewalld.service, ignoring: Unit firewalld.service is masked.
May 23 16:32:34 us systemd: Started Generic clamav scanner daemon.
May 23 16:32:34 us systemd: Starting Generic clamav scanner daemon...
May 23 16:32:34 us clamd[27141]: Received 0 file descriptor(s) from systemd.
May 23 16:32:34 us clamd[27141]: clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
May 23 16:32:34 us clamd[27141]: Running as user clamscan (UID 994, GID 993)
May 23 16:32:34 us clamd[27141]: Log file size limited to 1048576 bytes.
May 23 16:32:34 us clamd[27141]: Reading databases from /var/lib/clamav
May 23 16:32:34 us clamd[27141]: Not loading PUA signatures.
May 23 16:32:34 us clamd[27141]: Bytecode: Security mode set to "TrustSigned".
May 23 16:32:34 us clamd[27141]: Can't verify database integrity
May 23 16:32:34 us clamd: LibClamAV Error: Can't load /var/lib/clamav/main.cvd: Can't verify database integrity
May 23 16:32:34 us clamd: LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/main.cvd
May 23 16:32:34 us clamd: ERROR: Can't verify database integrity
May 23 16:32:34 us systemd: clamd@scan.service: main process exited, code=exited, status=1/FAILURE
May 23 16:32:34 us systemd: Unit clamd@scan.service entered failed state.
May 23 16:32:34 us systemd: clamd@scan.service failed.
May 23 16:32:35 us systemd: clamd@scan.service holdoff time over, scheduling restart.
May 23 16:32:35 us systemd: Cannot add dependency job for unit firewalld.service, ignoring: Unit firewalld.service is masked.
May 23 16:32:35 us systemd: Started Generic clamav scanner daemon.
May 23 16:32:35 us systemd: Starting Generic clamav scanner daemon...
May 23 16:32:35 us clamd[27156]: Received 0 file descriptor(s) from systemd.
May 23 16:32:35 us clamd[27156]: clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
May 23 16:32:35 us clamd[27156]: Running as user clamscan (UID 994, GID 993)
May 23 16:32:35 us clamd[27156]: Log file size limited to 1048576 bytes.
May 23 16:32:35 us clamd[27156]: Reading databases from /var/lib/clamav
May 23 16:32:35 us clamd[27156]: Not loading PUA signatures.
May 23 16:32:35 us clamd[27156]: Bytecode: Security mode set to "TrustSigned".
May 23 16:32:35 us clamd[27156]: Can't verify database integrity
May 23 16:32:35 us clamd: LibClamAV Error: Can't load /var/lib/clamav/main.cvd: Can't verify database integrity
May 23 16:32:35 us clamd: LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/main.cvd
May 23 16:32:35 us clamd: ERROR: Can't verify database integrity
May 23 16:32:35 us systemd: clamd@scan.service: main process exited, code=exited, status=1/FAILURE
May 23 16:32:35 us systemd: Unit clamd@scan.service entered failed state.
May 23 16:32:35 us systemd: clamd@scan.service failed.
May 23 16:32:35 us systemd: clamd@scan.service holdoff time over, scheduling restart.
May 23 16:32:35 us systemd: Cannot add dependency job for unit firewalld.service, ignoring: Unit firewalld.service is masked.
May 23 16:32:35 us systemd: start request repeated too quickly for clamd@scan.service
May 23 16:32:35 us systemd: Failed to start Generic clamav scanner daemon.
May 23 16:32:35 us systemd: Unit clamd@scan.service entered failed state.
May 23 16:32:35 us systemd: clamd@scan.service failed.

I hope this helps you. For now I'll roll back to 0.98 and leave it as such.

Tue, 05/24/2016 - 04:22 (Reply to #4)
Joe

Run freshclam. That should get the virus database back in sync.


Tue, 05/24/2016 - 10:31 (Reply to #5)
havfrue

No joy. Still can't start clamav - same result as before. I'll stick to 0.98 for now.

Wed, 05/25/2016 - 22:12
havfrue

Just a small followup - now I had time to check a bit more detailed what was happening, and I got it to work now with some tweaks:

First I removed all clamav from the system and ran a fresh install. It still didn't work, so I had to make a few edits mostly related to the services: /usr/lib/systemd/system/clamav-daemon.socket had these 2 lines:

SocketUser=clamav
SocketGroup=clamav

No such user existed on the system - might be a local issue though. For now I changed it to clamscan, but I'll instead create a clamav user when I have more time to fiddle. This was primarily what prevented clamav from starting; I kept getting a Failed to chown socket at step USER: No such process error.

Both of these:

/usr/lib/systemd/system/clamav-daemon.service
/usr/lib/systemd/system/clamav-freshclam.service

Had --foreground=true in the ExecStart line - which was an unknown option according to the logs. So I commented that out.

Finally I had to run freshclam to update the database. Now it starts, runs and works (apparently - since it removes viruses at least when testing...)
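A way to catch the "Failed to chown socket at step USER" failure (systemd exit status 217) before starting the unit, as an added example that is not part of the original post or the packages: it reads the account directives from a unit file and checks that each named user or group exists. The function names are hypothetical and the sample unit is constructed from the two lines quoted above.

```shell
#!/bin/sh
# Added example: verify that accounts named in a systemd unit file exist.

# Print the last assignment of a directive (a later line overrides an earlier one).
unit_value() {   # $1 = unit file, $2 = directive
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed if the name resolves in the given database (passwd or group).
account_exists() {   # $1 = passwd|group, $2 = name
    if command -v getent >/dev/null 2>&1; then
        getent "$1" "$2" >/dev/null 2>&1
    else
        # Fallback without NSS: local files only.
        awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "/etc/$1"
    fi
}

# Print one line per directive found; return 1 if any account is missing.
check_unit_accounts() {   # $1 = unit file
    rc=0
    for pair in SocketUser:passwd User:passwd SocketGroup:group Group:group; do
        key=${pair%%:*}
        db=${pair##*:}
        name=$(unit_value "$1" "$key")
        [ -n "$name" ] || continue
        if account_exists "$db" "$name"; then
            echo "ok      $key=$name"
        else
            echo "MISSING $key=$name (no such entry in $db)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a socket unit carrying the two lines quoted above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/clamav-daemon.socket" <<'EOF'
[Socket]
SocketUser=clamav
SocketGroup=clamav
EOF
check_unit_accounts "$demo_dir/clamav-daemon.socket" \
    || echo "unit names an account this host does not have"
rm -rf "$demo_dir"
```

Files under /usr/lib/systemd/system are replaced on package update; a drop-in created with `systemctl edit` survives updates.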

Wed, 05/25/2016 - 22:46
Joe

Ah! I see what's happening now. Those files aren't really needed...they're new in 0.99.2, and I packaged them without realizing what they were doing.

So, the "old" way is to use clamd@scan

The clamav-daemon and clamav-freshclam units are not needed, and apparently configured incorrectly, by default. It's interesting that ClamAV seems to be trying to fix the problem with their configuration files that has been a thorn in my ass for over a decade by shipping config files that actually do something. But, in this case they end up with the wrong configuration, still.

All that said: I know clamd@scan is working. And the old freshclam cronjob should also be working. You shouldn't need clamav-daemon or clamav-freshclam services, at all; those are red herrings in this case.

The foreground=true thing is a command line change. Older versions used "nofork" instead of "foreground", and so I patched it to behave in the old way so people's old configs would keep working. I didn't update those clamav-daemon and clamav-freshclam services because we don't use them.

Anyway, it looks like I need to either delete those from the package or change the configuration to actually work. In the meantime, use the clamd@scan service and the freshclam cronjob (that part should be automatic; no intervention on your part needed).


Thu, 05/26/2016 - 00:56
havfrue

Alright - that makes sense. I've removed clamav-[service|socket|freshclam] files from the services for now - it seems to be working with the old clamd@scan service without the new files. It seems whenever the new files were present, webmin on our system started up the new ones instead of clamd@scan. Anyhoo - all good I think.

Cheers.
