Just wanted to close out my report on this.

Results of running sigtool -i on daily.cld:

> File: /usr/local/clamXav/share/clamav/daily.cld
> Build time: 21 Sep 2015 12:36 -0400
> Version: 20930
> Signatures: 1587117
> Functionality level: 63
> Builder: neo
> LibClamAV Warning: **************************************************
> LibClamAV Warning: *** The virus database is older than 7 days! ***
> LibClamAV Warning: *** Please update it as soon as possible. ***
> LibClamAV Warning: **************************************************
> LibClamAV Error: cli_tgzload: Invalid checksum for file daily.mdb
> ERROR: cvdinfo: Verification: Malformed database

Reinstalling the scan engine while retaining the signature database did not 
solve the problem, nor did using a different mirror.

Deleting the scan engine, including database, re-installing and downloading 
fresh .cvd’s finally solved the problem.

Still doesn’t seem to explain why three attempts to download daily.cvd from 
three different mirrors could not be verified during the Sun Oct 18 attempt to 
update.

I don’t think it had anything to do with Shaun’s regex signatures, but I guess 
we’ll never know for certain how daily.cld was corrupted.

-Al-

On Mon, Oct 19, 2015 at 06:30 AM, Shaun Hurley wrote:
> 
> All,
> 
> This is a set of regex signatures I published. These lines in the signature
> database should have been ignored by ClamAV versions previous to 0.99.
> 
> Given the problems that alternate versions of ClamAV have, I am going to
> drop these signatures.
> 
> Thanks,
> Shaun Hurley
> 
> On Mon, Oct 19, 2015 at 1:38 AM, Rafael Ferreira <r...@uvasoftware.com>
> wrote:
> 
>> Hey folks, just closing the loop on this, unsurprisingly, this turned out
>> to be a problem on our side. I had forgotten but we were running a custom
>> build of clamav a couple of commits before the 0.98.7 release that
>> apparently had a signature parsing regression, upgrading to the release
>> commit fixed the issue for us.
>> 
>> Thanks everyone for the help!
>> 
>> On Sun, Oct 18, 2015 at 5:31 PM, Al Varnell <alvarn...@mac.com> wrote:
>> 
>>> I just had a Mac OS X 10.11/ClamXav 2.8.5/ClamAV 0.98.7 user with a
>>> similar situation.  Appears to be in the US, but I need to get more
>>> information to verify that and the results of sigtool -i:
>>> 
>>> Checking official ClamAV definitions
>>> --------------------------------------
>>> ClamAV update process started at Sat Oct 17 11:58:34 2015
>>> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder:
>>> neo)
>>> Downloading daily-20931.cdiff [100%]
>>> Downloading daily-20932.cdiff [100%]
>>> Downloading daily-20933.cdiff [100%]
>>> Downloading daily-20934.cdiff [100%]
>>> Downloading daily-20935.cdiff [100%]
>>> Downloading daily-20936.cdiff [100%]
>>> Downloading daily-20937.cdiff [100%]
>>> Downloading daily-20938.cdiff [100%]
>>> Downloading daily-20939.cdiff [100%]
>>> Downloading daily-20940.cdiff [100%]
>>> Downloading daily-20941.cdiff [100%]
>>> Downloading daily-20942.cdiff [100%]
>>> Downloading daily-20943.cdiff [100%]
>>> Downloading daily-20944.cdiff [100%]
>>> Downloading daily-20945.cdiff [100%]
>>> Downloading daily-20946.cdiff [100%]
>>> Downloading daily-20947.cdiff [100%]
>>> Downloading daily-20948.cdiff [100%]
>>> Downloading daily-20949.cdiff [100%]
>>> Downloading daily-20950.cdiff [100%]
>>> Downloading daily-20951.cdiff [100%]
>>> Downloading daily-20952.cdiff [100%]
>>> Downloading daily-20953.cdiff [100%]
>>> Downloading daily-20954.cdiff [100%]
>>> Downloading daily-20955.cdiff [100%]
>>> Downloading daily-20956.cdiff [100%]
>>> Downloading daily-20957.cdiff [100%]
>>> Downloading daily-20958.cdiff [100%]
>>> Downloading daily-20959.cdiff [100%]
>>> Downloading daily-20960.cdiff [100%]
>>> Downloading daily-20961.cdiff [100%]
>>> Downloading daily-20962.cdiff [100%]
>>> Downloading daily-20963.cdiff [100%]
>>> Downloading daily-20964.cdiff [100%]
>>> Downloading daily-20965.cdiff [100%]
>>> Downloading daily-20966.cdiff [100%]
>>> Downloading daily-20967.cdiff [100%]
>>> Downloading daily-20968.cdiff [100%]
>>> Downloading daily-20969.cdiff [100%]
>>> Downloading daily-20970.cdiff [100%]
>>> Downloading daily-20971.cdiff [100%]
>>> Downloading daily-20972.cdiff [100%]
>>> Downloading daily-20973.cdiff [100%]
>>> Downloading daily-20974.cdiff [100%]
>>> Downloading daily-20975.cdiff [100%]
>>> Downloading daily-20976.cdiff [100%]
>>> Downloading daily-20977.cdiff [100%]
>>> ERROR: Failed to load new database: Malformed database
>>> ERROR: Failed to load new database
>>> --------------------------------------
>>> ClamAV update process started at Sun Oct 18 05:45:07 2015
>>> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder:
>>> neo)
>>> Downloading daily-20931.cdiff [100%]
>>> Downloading daily-20932.cdiff [100%]
>>> Downloading daily-20933.cdiff [100%]
>>> Downloading daily-20934.cdiff [100%]
>>> Downloading daily-20935.cdiff [100%]
>>> Downloading daily-20936.cdiff [100%]
>>> Downloading daily-20937.cdiff [100%]
>>> Downloading daily-20938.cdiff [100%]
>>> Downloading daily-20939.cdiff [100%]
>>> Downloading daily-20940.cdiff [100%]
>>> Downloading daily-20941.cdiff [100%]
>>> Downloading daily-20942.cdiff [100%]
>>> ERROR: cdiff_apply: Incorrect digital signature
>>> ERROR: getpatch: Can't apply patch
>>> Downloading daily.cvd [100%]
>>> ERROR: Verification: Can't verify database integrity
>>> Trying again in 5 secs...
>>> ClamAV update process started at Sun Oct 18 05:52:05 2015
>>> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder:
>>> neo)
>>> Downloading daily-20931.cdiff [100%]
>>> Downloading daily-20932.cdiff [100%]
>>> Downloading daily-20933.cdiff [100%]
>>> Downloading daily-20934.cdiff [100%]
>>> Downloading daily-20935.cdiff [100%]
>>> Downloading daily-20936.cdiff [100%]
>>> Downloading daily-20937.cdiff [100%]
>>> Downloading daily-20938.cdiff [100%]
>>> Downloading daily-20939.cdiff [100%]
>>> Downloading daily-20940.cdiff [100%]
>>> Downloading daily-20941.cdiff [100%]
>>> Downloading daily-20942.cdiff [100%]
>>> Downloading daily-20943.cdiff [100%]
>>> Downloading daily-20944.cdiff [100%]
>>> Downloading daily-20945.cdiff [100%]
>>> Downloading daily-20946.cdiff [100%]
>>> Downloading daily-20947.cdiff [100%]
>>> Downloading daily-20948.cdiff [100%]
>>> ERROR: cdiff_cmd_close: Can't apply DEL at line 1493879 of daily.mdb
>>> ERROR: cdiff_apply: Can't execute command CLOSE
>>> ERROR: cdiff_apply: Error executing command at line 19
>>> ERROR: getpatch: Can't apply patch
>>> Downloading daily.cvd [100%]
>>> ERROR: Verification: Can't verify database integrity
>>> Trying again in 5 secs...
>>> ClamAV update process started at Sun Oct 18 05:53:10 2015
>>> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder:
>>> neo)
>>> Downloading daily-20931.cdiff [100%]
>>> Downloading daily-20932.cdiff [100%]
>>> Downloading daily-20933.cdiff [100%]
>>> Downloading daily-20934.cdiff [100%]
>>> Downloading daily-20935.cdiff [100%]
>>> Downloading daily-20936.cdiff [100%]
>>> Downloading daily-20937.cdiff [100%]
>>> Downloading daily-20938.cdiff [100%]
>>> Downloading daily-20939.cdiff [100%]
>>> Downloading daily-20940.cdiff [100%]
>>> Downloading daily-20941.cdiff [100%]
>>> Downloading daily-20942.cdiff [100%]
>>> Downloading daily-20943.cdiff [100%]
>>> Downloading daily-20944.cdiff [100%]
>>> Downloading daily-20945.cdiff [100%]
>>> Downloading daily-20946.cdiff [100%]
>>> Downloading daily-20947.cdiff [100%]
>>> Downloading daily-20948.cdiff [100%]
>>> ERROR: cdiff_cmd_close: Can't apply DEL at line 1493879 of daily.mdb
>>> ERROR: cdiff_apply: Can't execute command CLOSE
>>> ERROR: cdiff_apply: Error executing command at line 19
>>> ERROR: getpatch: Can't apply patch
>>> Downloading daily.cvd [100%]
>>> ERROR: Verification: Can't verify database integrity
>>> Giving up on database.clamav.net...
>>> Update failed. Your network may be down or none of the mirrors listed in
>>> /usr/local/clamXav/etc/freshclam.conf is working. Check
>>> http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
>>> 
>>> -Al-
>>> 
>>> On Thu, Oct 15, 2015 at 01:41 PM, Rafael Ferreira wrote:
>>>> 
>>>> Odd, we run Debian (Jessie) Linux and we see this problem on quite a few
>>>> of our hosts; nothing obviously relevant seems to have changed on our side.
>>>> We will keep looking and report back.
>>>> 
>>>>> On Oct 15, 2015, at 1:15 PM, Steven Morgan <smor...@sourcefire.com> wrote:
>>>>> Thanks, that is working for me with ClamAV 0.98.7. It even worked using
>>>>> http://scanii-assets.s3.amazonaws.com/daily.cvd. What OS and hardware are
>>>>> you using?
>>>>> 
>>>>> On Thu, Oct 15, 2015 at 1:30 PM, Rafael Ferreira <r...@uvasoftware.com>
>>>>> wrote:
>>>>>> 0.98.7
>>>>>> 
>>>>>>>> On Oct 15, 2015, at 8:46 AM, Steven Morgan
>>>>>>> wrote:
>>>>>>> Rafael,
>>>>>>> 
>>>>>>> I don't see this. Which version of ClamAV are you using?
>>>>>>> 
>>>>>>> Steve
>>>>>>> 
>>>>>>> 
>>>>>>> On Thu, Oct 15, 2015 at 11:24 AM, Rafael Ferreira
>>>>>>> wrote:
>>>>>>>> Howdy folks, we started noticing problems with daily.cvd:
>>>>>>>> 
>>>>>>>> Retrieving http://scanii-assets.s3.amazonaws.com/daily.cvd
>>>>>>>> 
>>>>>>>> Trying to download http://scanii-assets.s3.amazonaws.com/daily.cvd (IP: 54.231.34.41)
>>>>>>>> 
>>>>>>>> Downloading daily.cvd [100%]
>>>>>>>> 
>>>>>>>> Loading signatures from daily.cvd
>>>>>>>> 
>>>>>>>> WARNING: [LibClamAV] cli_parseadd(): Problem adding signature (1b).
>>>>>>>> 
>>>>>>>> WARNING: [LibClamAV] Problem parsing database at line 1097
>>>>>>>> 
>>>>>>>> WARNING: [LibClamAV] Can't load daily.ldb: Malformed database
>>>>>>>> 
>>>>>>>> WARNING: [LibClamAV] cli_tgzload: Can't load daily.ldb
>>>>>>>> 
>>>>>>>> WARNING: [LibClamAV] Can't load /var/lib/clamav/clamav-bde1e525a5ccd73f8aef9d297171cfdc.tmp/clamav-d1391230fbba45ed1a1ab05e2a069102.cvd: Malformed database
>>>>>>>> 
>>>>>>>> ERROR: Failed to load new database: Malformed database
>>>>>>>> 
>>>>>>>> ERROR: During database load : WARNING: [LibClamAV] cli_parse_add():
>>>>>>>> Problem
>>>>>>>> adding signature (1). [...] ERROR: Failed to load new database:
>>>>>>>> Malformed
>>>>>>>> database
>>>>>>>> 
>>>>>>>> WARNING: Database load exited with status 55
>>>>>>>> 
>>>>>>>> ERROR: Failed to load new database
>>>>>>>> 
>>>>>>>> couple of things worth noting, there's no indication of memory pressure
>>>>>>>> on the hosts, the databases do pass a sigtool dump of its contents and
>>>>>>>> were tested for potential in flight corruption.
>>>>>>>> 
>>>>>>>> Anyone else seeing this?
>>>>>>>> 
>>>>>>>> - Rafael
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>> 
>>> http://www.clamav.net/contact.html#ml
>>> 
>> 
>> 
>> 
>> --
>> Rafael Ferreira
>> Uva Software, LLC
>> 

-Al-
-- 
Al Varnell
Mountain View, CA
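
The freshclam output quoted in this thread fails at four different stages (cdiff signature check, cdiff application, full daily.cvd verification, database load). The following is an added example, not part of the original message and not ClamAV code, that sorts such a log into per-attempt failure stages; the stage labels and the sample log are constructed for illustration, modelled on the lines quoted above.

```python
import re

# Constructed sample, modelled on the freshclam output quoted in this thread.
SAMPLE_LOG = """\
ClamAV update process started at Sat Oct 17 11:58:34 2015
Downloading daily-20977.cdiff [100%]
ERROR: Failed to load new database: Malformed database
ERROR: Failed to load new database
ClamAV update process started at Sun Oct 18 05:45:07 2015
Downloading daily-20941.cdiff [100%]
Downloading daily-20942.cdiff [100%]
ERROR: cdiff_apply: Incorrect digital signature
Downloading daily.cvd [100%]
ERROR: Verification: Can't verify database integrity
ClamAV update process started at Sun Oct 18 05:52:05 2015
Downloading daily-20948.cdiff [100%]
ERROR: cdiff_cmd_close: Can't apply DEL at line 1493879 of daily.mdb
Downloading daily.cvd [100%]
ERROR: Verification: Can't verify database integrity
"""

# Error text seen in the thread -> stage label (labels are this example's own).
STAGES = [
    ("cdiff_apply: Incorrect digital signature", "cdiff-signature"),
    ("cdiff_cmd_close: Can't apply", "cdiff-apply"),
    ("Verification: Can't verify database integrity", "cvd-verify"),
    ("Failed to load new database", "load"),
]
START = re.compile(r"^ClamAV update process started at (.+)$")
CDIFF = re.compile(r"^Downloading daily-(\d+)\.cdiff")

def triage(log):
    """Return one dict per update attempt: start time, last cdiff, failure stages."""
    attempts = []
    for line in log.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail-quote prefixes
        if m := START.match(line):
            attempts.append({"started": m.group(1), "last_cdiff": None, "stages": []})
        elif attempts and (m := CDIFF.match(line)):
            attempts[-1]["last_cdiff"] = int(m.group(1))
        elif attempts and line.startswith("ERROR:"):
            for needle, stage in STAGES:
                if needle in line and stage not in attempts[-1]["stages"]:
                    attempts[-1]["stages"].append(stage)
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["started"], a["last_cdiff"], ",".join(a["stages"]))
```

An attempt that shows `cvd-verify` after a cdiff failure means the full-database fallback also failed, which is the case that was only cleared here by deleting the local database and downloading fresh .cvd files.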



