Freshclam can't write to its logfile (it used to work). After chowning the offending files, I got another message simply stating that it could not connect. I assume it can't find the correct clamd.sock to connect to, but I have yet to find in which configuration file this is defined.

At the moment I fear that I've got 2 clamd daemons (one through Amavis and one that seemed to be there all of a sudden) and that freshclam gets confused. How should I proceed? Thanks for any insights you might provide me with. Attached below is all the relevant information I could find (at the bottom are the smaller config files).

=======================================

I'm having an issue with my ClamAV. I was using it in combination with Amavis, but I'm afraid that after updating I now have 2 services running which both identify as ClamAV daemons, breaking the freshclam update process and causing other errors. This is a live server, and I don't really have an idea of where to start looking. Attached is as much information as I could collect.

Error message:
--------------
/etc/cron.daily/freshclam:

ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!).

Checking out said folder: (the owner is indeed wrong)
-------------------------
cd /var/log/clamav/
-rw-r--r--. 1 clam   clam       0 jun  2 03:50 clamd.log
-rw-r--r--. 1 clamav clamav 59314 mei 12 03:13 clamd.log-20130512
-rw-r--r--. 1 clamav clamav 59926 mei 19 04:41 clamd.log-20130519
-rw-r--r--. 1 clamav clamav 40383 mei 24 16:43 clamd.log-20130526
-rw-r--r--. 1 clamav clamav  3295 mei 29 11:17 clamd.log-20130602
-rw-r--r--. 1 clam   clam       0 jun  2 03:50 freshclam.log
-rw-r--r--. 1 clamav clamav  6006 mei 12 03:13 freshclam.log-20130512
-rw-r--r--. 1 clamav clamav  5940 mei 19 04:41 freshclam.log-20130519
-rw-r--r--. 1 clamav clamav  3733 mei 26 03:50 freshclam.log-20130526
-rw-r--r--. 1 clamav clamav  6274 jun  2 03:50 freshclam.log-20130602

Troubleshooting attempt as per the FAQ
--------------------------------------
[bob@pluto ~]$ whereis freshclam
freshclam: /usr/bin/freshclam /etc/freshclam.conf /usr/share/man/man1/freshclam.1.gz
[bob@pluto ~]$ whereis clamav
clamav: /usr/include/clamav.h /usr/share/clamav
[bob@pluto ~]$ whereis clamd
clamd: /usr/sbin/clamd /usr/sbin/clamd.amavisd /etc/clamd.d /etc/clamd.conf /usr/share/man/man8/clamd.8.gz

===============================================================================

After chown'ing the clamd.log and freshclam.log to clamav:clamav, it would throw another error the next day. But this doesn't treat the problem, just one of its symptoms (as in time a new 'bad'-owned log will pop up).

===============================================================================

New error message after chown'ing (I assume it's trying to connect to the clamd.sock, which isn't where it expects it to be):

/etc/cron.daily/freshclam: connect(): No such file or directory

===============================================================================

Contents of /etc/cron.daily/freshclam:
--------------------------------------
#!/bin/sh
### A simple update script for the clamav virus database.
### This could as well be replaced by a SysV script.

### fix log file if needed
LOG_FILE="/var/log/clamav/freshclam.log"
if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clamav.amavis "$LOG_FILE"
fi

/usr/bin/freshclam \
    --quiet \
    --datadir="/var/lib/clamav" \
    --log="$LOG_FILE"

Contents of related files that might provide insight:
-----------------------------------------------------

/etc/clamd.conf (there's also a clamd.conf.rpmsave and a clamd.conf.rpmnew)
---------------
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##

# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamav/clamd.log

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize 0

# Log time with each message.
# Default: no
LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes

# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
# Default: no
#LogVerbose yes

# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
#ExtendedDetectionInfo yes

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamav/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
TemporaryDirectory /var/tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/clamav

# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no

# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/run/clamav/clamd.sock

# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup

# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660

# Remove stale socket after unclean shutdown.
# Default: yes
FixStaleSocket yes

# TCP port address.
# Default: no
#TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default: 200
MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M

# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000

# Maximum number of threads running at the same time.
# Default: 10
MaxThreads 50

# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
ReadTimeout 300

# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 5
#CommandReadTimeout 5

# This option specifies how long to wait (in miliseconds) if the send buffer is full.
# Keep this value low to prevent clamd hanging
#
# Default: 500
#SendBufTimeout 200

# Maximum number of queued items (including those being processed by MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
#
# Default: 100
#MaxQueue 200

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/

# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20

# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes

# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes

# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes

# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamav

# Initialize supplementary group access (clamd must be started by root).
# Default: no
AllowSupplementaryGroups yes

# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes

# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes

# Exclude a specific PUA category. This directive can be used multiple times.
# See http://www.clamav.net/support/pua for the complete list of PUA
# categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool

# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT

# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes


##
## Executable files
##

# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
ScanPE yes

# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanELF yes

# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
DetectBrokenExecutables yes


##
## Documents
##

# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanOLE2 yes

# With this option enabled OLE2 files with VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#OLE2BlockMacros no

# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanPDF yes


##
## Mail files
##

# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
ScanMail yes

# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes

# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes

# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no

# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockCloak no

# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes


##
## Data Loss Prevention (DLP)
##

# Enable the DLP module
# Default: No
#StructuredDataDetection yes

# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5

# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes


##
## HTML
##

# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
#ScanHTML yes


##
## Archives
##

# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
ScanArchive yes

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
ArchiveBlockEncrypted no


##
## Limits
##

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# This option sets the maximum amount of data to be scanned for each input file.
# Archives and other containers are recursively extracted and scanned up to this
# value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M

# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
#MaxRecursion 10

# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000


##
## Clamuko settings
##

# Enable Clamuko. Dazuko must be configured and running. Clamuko supports
# both Dazuko (/dev/dazuko) and DazukoFS (/dev/dazukofs.ctrl). DazukoFS
# is the preferred option. For more information please visit www.dazuko.org
# Default: no
#ClamukoScanOnAccess yes

# The number of scanner threads that will be started (DazukoFS only).
# Having multiple scanner threads allows Clamuko to serve multiple
# processes simultaneously. This is particularly beneficial on SMP machines.
# Default: 3
#ClamukoScannerCount 3

# Don't scan files larger than ClamukoMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#ClamukoMaxFileSize 10M

# Set access mask for Clamuko (Dazuko only).
# Default: no
#ClamukoScanOnOpen yes
#ClamukoScanOnClose yes
#ClamukoScanOnExec yes

# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a seperate line. (Dazuko only)
# Default: disabled
#ClamukoIncludePath /home
#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded. (Dazuko only)
# Default: disabled
#ClamukoExcludePath /home/bofh

# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files.
# This option can be used multiple times (one per line).
# Default: disabled
#ClamukoExcludeUID 0

# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
# Default: yes
#Bytecode yes

# Set bytecode security level.
# Possible values:
#       None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
#         This value is only available if clamav was built with --enable-debug!
#       TrustSigned - trust bytecode loaded from signed .c[lv]d files,
#                insert runtime safety checks for bytecode loaded from other sources
#       Paranoid - don't trust any bytecode, insert runtime checks for all
# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
#BytecodeSecurity TrustSigned

# Set bytecode timeout in miliseconds.
#
# Default: 5000
# BytecodeTimeout 1000

/etc/clamd.d/amavisd.conf
-------------------------
PidFile /var/run/amavisd/clamd.pid

# Remove stale socket after unclean shutdown.
# Default: disabled
FixStaleSocket yes

# Run as a selected user (clamd must be started by root).
User amavis

# Path to a local socket file the daemon will listen on.
LocalSocket /var/spool/amavisd/clamd.sock

/etc/sysconfig/clamd.amavisd
----------------------------
CLAMD_CONFIGFILE=/etc/clamd.d/amavisd.conf
CLAMD_SOCKET=/var/spool/amavisd/clamd.sock
CLAMD_OPTIONS=

/etc/logrotate.d/clamav
-----------------------
/var/log/clamav/clamd.log {
    missingok
    notifempty
    create 644 clam clam
    postrotate
        killall -HUP clamd 2>/dev/null || :
    endscript
}

/etc/logrotate.d/freshclam
--------------------------
/var/log/clamav/freshclam.log {
    missingok
    notifempty
    create 644 clam clam
}

/etc/init.d/clamd
-----------------
#!/bin/sh
#
# Startup script for the Clam AntiVirus Daemon
#
# chkconfig: - 61 39
# description: Clam AntiVirus Daemon is a TCP/IP or socket protocol \
#              server.
# processname: clamd
# pidfile: /var/run/clamav/clamd.pid
# config: /etc/clamav.conf

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

[ -x /usr/sbin/clamd ] || exit 0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Clam AntiVirus Daemon: "
        daemon clamd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/clamd
        ;;
  stop)
        echo -n "Stopping Clam AntiVirus Daemon: "
        killproc clamd
        rm -f /var/clamav/clamd.socket
        rm -f /var/run/clamav/clamav.pid
        RETVAL=$?
        echo
        ### heres the fix... we gotta remove the stale files on restart
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/clamd
        ;;
  status)
        status clamd
        RETVAL=$?
        ;;
  restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  condrestart)
        [ -e /var/lock/subsys/clamd ] && restart
        RETVAL=$?
        ;;
  *)
        echo "Usage: clamd {start|stop|status|restart|reload|condrestart}"
        exit 1
esac

exit $RETVAL

/etc/clamd.amavisd
------------------
#!/bin/bash
#
# chkconfig: - 78 32
# description: The clamd server running for amavisd

CLAMD_SERVICE=amavisd
. /usr/share/clamav/clamd-wrapper

/var/run/clamav          empty
/var/run/clamd.amavisd   empty

The directory /var/spool/amavisd/ contains:
srwxr-x---. 1 amavis amavis    0 mei 29 03:20 amavisd.sock
srw-rw-rw-. 1 amavis amavis    0 mei 29 11:35 clamd.sock
drwx------. 2 amavis amavis 4096 mei 29 03:20 db
drwx------. 2 amavis amavis 4096 feb 22 01:23 quarantine
drwx------. 4 amavis amavis 4096 jun  3 10:45 tmp

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml