This appears to be a different problem than the sigtool --list problem on daily
I think it may be a problem with the integrity of the downloaded file and not an incompatibility of that file with the clamav version or something wrong with a sig in the file. Testing the main.cvd file may be a good first step. It appears to be reported that the main.cvd downloaded is corrupted:

>> Fri Apr 5 14:17:59 2019 -> *Trying to download
>>http://db.US.clamav.net/main.cvd (IP: 104.16.219.84)
>> Fri Apr 5 14:18:12 2019 -> Downloading main.cvd [100%]
>> Fri Apr 5 14:18:12 2019 -> ^[LibClamAV] cli_cvdload: Corrupted CVD header
>>Fri Apr 5 14:18:12 2019 -> !Verification: Malformed database

Some things that may help debug:

# download the main.cvd manually eg if you have unix wget or curl
wget http://db.US.clamav.net/main.cvd

# check the size, is it zero length or improbably small? Did wget report errors?

# Test main.cvd with sigtool, look for errors or sensible output as below.
sigtool --info main.cvd
File: main.cvd
Build time: 07 Jun 2017 17:38 -0400
Version: 58
Signatures: 4566249
Functionality level: 60
Builder: sigmgr
MD5: 57462fd73f1cfdb356b9dca66da2b732
Digital signature: KWRdhTG+Own6ohh0wn5+vqg1d8ULKCxxxQeKuSA155B3ijxBKgf+bV3IXPcmZrIBUDn1xi8FmyvB63UieykwN/Avq5mTjHIVO8zFnC7wVF7dhdcEYn9Nt+Pmk/HXXx0voylYkidvgZmrxI8jx4a/Re6n3hHQJoCZrkHM15GER8j
Verification OK.

# examine main.cvd with a binary editor eg
xxd main.cvd

It should have a 512 byte header, then a gzipped tar file containing the database files and a main.info. The header has : separated fields. About the 4th field should look like an md5sum like above, 57462fd73f1cfdb356b9dca66da2b732. This is the md5sum of the gz that follows the header. The header seems to end with space padding. About the 5th field should look like the value of Digital signature: above. You should see the Builder field, eg sigmgr above.

I think sigtool has verified the signature above. If the file has been altered then a verification failure might be reported, eg is db.US.clamav.net the real clamav mirror site or an imposter.
WARNING: if the file isn't verifying it may be malicious, eg a compression bomb, a malicious archive, an exploit against some of the tools below, and it might be dangerous to run some of the tools below against it. Remember only http was used, not https, to get the file, so the site might be bogus and the file could be anything.

# Extract gz from main.cvd eg with dd and calling the gz main.gz
# ie strip off the 512 byte header at start
dd if=main.cvd of=main.gz skip=1 bs=512

# test the gz
gunzip -t main.gz

# extract gz (it will be large eg 3 times size of the gz on my example)
gunzip main.gz

# this should give a tar file called main for my example
# test the tar file (my tar reports improbable dates)
tar tvf main
---------- 0/0 17992 1970-01-01 10:00 COPYING
---------- 0/0 1060 1970-01-01 10:00 main.info
---------- 0/0 3649543 1970-01-01 10:00 main.hdb
---------- 0/0 24806499 1970-01-01 10:00 main.hsb
etc

# try extracting main.info and some of the database files
tar xf main main.info main.sfp

# main.info contains sha256sum for each database file.
# test the extracted database files have same 256 sum
# eg from main.info
main.sfp:87:ded8b3b340e2da8415f1409959abb54725afad137a66e938080c7c95a9413128

sha256sum main.sfp
ded8b3b340e2da8415f1409959abb54725afad137a66e938080c7c95a9413128 main.sfp

If a sha256 doesn't match, that database file is corrupted or altered or main.sfp is wrong.

You could look at a database file, eg main.ndb, with a text editor or xxd and should see lines looking like clamav signatures. Try 'file main.ndb' first to make sure it is a text file. A corrupted file might be binary and trash your terminal or editor.

If the main.cvd appears to be OK then maybe the problem is it isn't compatible with the clamav version. You'd need to look at things like version and functionality level from the sigtool output and decide if this is what is expected for a current main.cvd. If it is then I guess that an incompatible main.cvd or some faulty sig in main.cvd might be the issue.
>> Is there a way to go back to daily-25409, for example, other than using backups? I looked at the FAQ,

If the main.cvd is corrupted I doubt freshclam would replace existing database files, and sigtool --version may show you are already on daily-25409 or earlier.

Note if running freshclam --datadir I think any settings other than database location from freshclam.conf would apply. So if you were just trying to get an example main.cvd you might see side effects you don't want, like freshclam writing to a configured log file or trying to HUP your clamd or writing a mirrors.dat

David Shrimpton
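
The header check described in the message above, as an added example that is not part of the original post and not ClamAV's own code: it reads the 512-byte header and compares the header's MD5 field with the hash of the bytes that follow, without decompressing or unpacking anything. The field order in FIELDS and every sample value are assumptions constructed for the example; a matching MD5 only rules out corruption, and checking the digital signature is still left to sigtool.

```python
import hashlib
import io
import re

HEADER_SIZE = 512  # fixed-size, space-padded header described in the post
# Assumed order of the colon-separated header fields (not spelled out in the post).
FIELDS = ("magic", "build_time", "version", "signatures",
          "functionality_level", "md5", "signature", "builder")


def parse_cvd_header(raw: bytes) -> dict:
    """Split the 512-byte header into named fields, rejecting malformed input."""
    if len(raw) != HEADER_SIZE:
        raise ValueError(f"short header: {len(raw)} bytes, expected {HEADER_SIZE}")
    parts = raw.decode("ascii", errors="replace").rstrip(" \n\x00").split(":")
    if len(parts) < len(FIELDS) or parts[0] != "ClamAV-VDB":
        raise ValueError("not a CVD header")
    hdr = dict(zip(FIELDS, parts))
    if not re.fullmatch(r"[0-9a-f]{32}", hdr["md5"]):
        raise ValueError("MD5 field is not 32 hex digits")
    return hdr


def check_cvd(stream) -> dict:
    """Hash everything after the header in chunks; nothing is decompressed."""
    hdr = parse_cvd_header(stream.read(HEADER_SIZE))
    digest, size = hashlib.md5(), 0
    for chunk in iter(lambda: stream.read(1 << 16), b""):
        digest.update(chunk)
        size += len(chunk)
    hdr["body_size"] = size
    hdr["body_md5"] = digest.hexdigest()
    # An empty body never passes, even if the header MD5 is that of b"".
    hdr["md5_ok"] = size > 0 and hdr["body_md5"] == hdr["md5"]
    return hdr


def make_sample(body: bytes) -> bytes:
    """Constructed sample: header values are made up, the body is not a real database."""
    head = ("ClamAV-VDB:01 Jan 2000 00-00 +0000:1:0:60:"
            f"{hashlib.md5(body).hexdigest()}:CONSTRUCTED-SIG:example-builder:0")
    return head.encode().ljust(HEADER_SIZE) + body


if __name__ == "__main__":
    good = make_sample(b"\x1f\x8b constructed stand-in for the gzip body")
    print(check_cvd(io.BytesIO(good))["md5_ok"])       # intact file
    print(check_cvd(io.BytesIO(good[:-5]))["md5_ok"])  # truncated download
```

For a real download, pass `open("main.cvd", "rb")` to `check_cvd`; a `ValueError` here corresponds to the kind of malformed header that freshclam reported in the quoted log.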