[Clamav-users] Clamav suddenly died on several boxes
Hi all

I'm new on the list, if this is a FAQ please tell me so. I'm unsure if my problem is related to the other one that today is discussed on the list.

I have several clamav installations. I use it with Postfix on CentOS (very similar to Red Hat). I use the clamav RPM packages available on http://crash.fce.vutbr.cz , but recompiled on CentOS.

Last night suddenly, on several of my customers' mail servers, clamd stopped running.
In the log I find:
Wed Apr 11 04:02:13 2007 -> SelfCheck: Database status OK.
Wed Apr 11 04:38:23 2007 -> SelfCheck: Database modification detected. Forcing reload.
Wed Apr 11 04:38:24 2007 -> Reading databases from /var/lib/clamav
Wed Apr 11 04:38:24 2007 -> ERROR: reload db failed: Broken or not a CVD file
Wed Apr 11 04:38:24 2007 -> Terminating because of a fatal error.
Wed Apr 11 04:38:24 2007 -> Socket file removed.
Wed Apr 11 04:38:24 2007 -> Pid file removed.
Wed Apr 11 04:38:24 2007 -> --- Stopped at Wed Apr 11 04:38:24 2007

This happened on at least 10 different installations, more or less at the same time.

I noticed that:
1) the problem seems to occur only on 0.90 installations. Servers still with 0.8x seem not to be affected.
2) In /var/lib/clamav, after clamd stopped running, I find the directories daily.inc, main.inc and the mirrors.dat file. No .cvd files.

I'm looking for the reason of this massive problem, and I'd like to know if this can be an isolated episode (maybe due to a broken update file).

I found a minor problem in the RPM package, too. In the rc file, /etc/init.d/clamd, it checks for the existence of /var/lib/clamav/main.cvd and, if not found, it exits echoing "ERROR: Clamav DB missing! Run 'freshclam --verbose' as root."
Having main.inc and not main.cvd, my clamd refused to start with this error. Maybe the package author is listening reading this ML, so he can correct his packages. It seems to me that it is sufficient to check for the existence of the file /var/lib/clamav/main.cvd OR the directory /var/lib/clamav/main.inc . Is this correct (I mean, main.inc took the place of main.cvd)?

Thanks for the attention.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Clamav suddenly died on several boxes
I also saw this on two different servers yesterday...about 13 hours ago actually...didn't catch it until this morning...would really like to know what's going on. Had this happen two days ago on a different server as well...

Luigi Iotti wrote:
> Hi all
>
> I'm new on the list, if this is a FAQ please tell me so. I'm unsure if
> my problem is related to the other one that today is discussed on the
> list.
>
> I have several clamav installations. I use it with Postfix on CentOS
> (very similar to Red Hat). I use the clamav RPM packages available on
> http://crash.fce.vutbr.cz , but recompiled on CentOS.
>
> Last night suddenly, on several of my customers' mail servers, clamd
> stopped running.
> In the log I find:
> Wed Apr 11 04:02:13 2007 -> SelfCheck: Database status OK.
> Wed Apr 11 04:38:23 2007 -> SelfCheck: Database modification detected. Forcing reload.
> Wed Apr 11 04:38:24 2007 -> Reading databases from /var/lib/clamav
> Wed Apr 11 04:38:24 2007 -> ERROR: reload db failed: Broken or not a CVD file
> Wed Apr 11 04:38:24 2007 -> Terminating because of a fatal error.
> Wed Apr 11 04:38:24 2007 -> Socket file removed.
> Wed Apr 11 04:38:24 2007 -> Pid file removed.
> Wed Apr 11 04:38:24 2007 -> --- Stopped at Wed Apr 11 04:38:24 2007
>
> This happened on at least 10 different installations, more or less at
> the same time.
>
> I noticed that:
> 1) the problem seems to occur only on 0.90 installations. Servers
> still with 0.8x seem not to be affected.
> 2) In /var/lib/clamav, after clamd stopped running, I find the
> directories daily.inc, main.inc and the mirrors.dat file. No .cvd
> files.
>
> I'm looking for the reason of this massive problem, and I'd like to
> know if this can be an isolated episode (maybe due to a broken update
> file).
>
> I found a minor problem in the RPM package, too. In the rc file,
> /etc/init.d/clamd, it checks for the existence of
> /var/lib/clamav/main.cvd and, if not found, it exits echoing "ERROR:
> Clamav DB missing! Run 'freshclam --verbose' as root."
> Having main.inc and not main.cvd, my clamd refused to start with this
> error. Maybe the package author is listening reading this ML, so he
> can correct his packages. It seems to me that it is sufficient to
> check for the existence of the file /var/lib/clamav/main.cvd OR the
> directory /var/lib/clamav/main.inc . Is this correct (I mean,
> main.inc took the place of main.cvd)?
>
> Thanks for the attention.
Re: [Clamav-users] Clamav suddenly died on several boxes
On 4/11/07, Shane Wise <[EMAIL PROTECTED]> wrote:
> I also saw this on two different servers yesterday...about 13 hours ago
> actually...didn't catch it until this morning...would really like to
> know what's going on. Had this happen two days ago on a different
> server as well...

Same here, three servers. Had this happen a few weeks ago on one of those servers, but I thought it was an isolated incident..

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com
Re: [Clamav-users] Clamav suddenly died on several boxes
Well,

Deleting the database directory and restarting freshclam to get the databases again seems to have fixed the problem on both systems.

This problem may be related to getting incremental updates and not being able to update the .CVD database properly. This is the only clue I can give.

-James
Re: [Clamav-users] Clamav suddenly died on several boxes
On 4/11/07, James Kosin <[EMAIL PROTECTED]> wrote:
> Well,
>
> Deleting the database directory and restarting freshclam to get the
> databases again seems to have fixed the problem on both systems.
>
> This problem may be related to getting incremental updates and not
> being able to update the .CVD database properly. This is the only
> clue I can give.

Agreed. Since my first email I've gone through and read the rest of the clamav mail for the night.. It looks like a new main.cvd released caused some congestion on servers. Coupled with a bug that caused retries to time out, this caused clamd to crash.

It's working this morning, so I'm not too distraught over the problem.. :)

> -James

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com
Re: [Clamav-users] Clamav suddenly died on several boxes
Luigi Iotti wrote:
> Hi all
>
> I'm new on the list, if this is a FAQ please tell me so. I'm unsure if
> my problem is related to the other one that today is discussed on the
> list.
>
> I have several clamav installations. I use it with Postfix on CentOS
> (very similar to Red Hat). I use the clamav RPM packages available on
> http://crash.fce.vutbr.cz , but recompiled on CentOS.
>
> Last night suddenly, on several of my customers' mail servers, clamd
> stopped running.
> In the log I find:
> Wed Apr 11 04:02:13 2007 -> SelfCheck: Database status OK.
> Wed Apr 11 04:38:23 2007 -> SelfCheck: Database modification detected. Forcing reload.
> Wed Apr 11 04:38:24 2007 -> Reading databases from /var/lib/clamav
> Wed Apr 11 04:38:24 2007 -> ERROR: reload db failed: Broken or not a CVD file
> Wed Apr 11 04:38:24 2007 -> Terminating because of a fatal error.
> Wed Apr 11 04:38:24 2007 -> Socket file removed.
> Wed Apr 11 04:38:24 2007 -> Pid file removed.
> Wed Apr 11 04:38:24 2007 -> --- Stopped at Wed Apr 11 04:38:24 2007
>
> This happened on at least 10 different installations, more or less at
> the same time.
>
> I noticed that:
> 1) the problem seems to occur only on 0.90 installations. Servers
> still with 0.8x seem not to be affected.
> 2) In /var/lib/clamav, after clamd stopped running, I find the
> directories daily.inc, main.inc and the mirrors.dat file. No .cvd
> files.
>
> I'm looking for the reason of this massive problem, and I'd like to
> know if this can be an isolated episode (maybe due to a broken update
> file).
>
> I found a minor problem in the RPM package, too. In the rc file,
> /etc/init.d/clamd, it checks for the existence of
> /var/lib/clamav/main.cvd and, if not found, it exits echoing "ERROR:
> Clamav DB missing! Run 'freshclam --verbose' as root."
> Having main.inc and not main.cvd, my clamd refused to start with this
> error. Maybe the package author is listening reading this ML, so he
> can correct his packages. It seems to me that it is sufficient to
> check for the existence of the file /var/lib/clamav/main.cvd OR the
> directory /var/lib/clamav/main.inc . Is this correct (I mean,
> main.inc took the place of main.cvd)?
>
> Thanks for the attention.

I have the same here...

Tue Apr 10 20:19:34 2007 -> Database correctly reloaded (107793 signatures)
Wed Apr 11 06:19:21 2007 -> SelfCheck: Database modification detected. Forcing reload.
Wed Apr 11 06:19:22 2007 -> Reading databases from /var/lib/clamav
Wed Apr 11 06:19:22 2007 -> ERROR: reload db failed: Broken or not a CVD file
Wed Apr 11 06:19:22 2007 -> Terminating because of a fatal error.
Wed Apr 11 06:19:23 2007 -> Socket file removed.
Wed Apr 11 06:19:23 2007 -> Pid file removed.
Wed Apr 11 06:19:23 2007 -> --- Stopped at Wed Apr 11 06:19:23 2007

I tried restarting the daemon with the same results.

My ClamWin also died today on my personal computer!!! I fixed ClamWin by blowing away the databases and re-downloading them. I'll try the same for clamav on the server to see if it fixes the problem.

But this error is CATASTROPHIC.

-James
Re: [Clamav-users] Clamav suddenly died on several boxes
> Same here, three servers. Had this happen a few weeks ago on one of
> those servers, but I thought it was an isolated incident..

Well, on the opposite end of the spectrum, all four of my OpenBSD servers running 0.90.1 got the update just fine, and none of them died. I saw a few complaints in the freshclam log about not being able to download the update, but they all chugged right along and got it a bit later.

Since 0.9x, I haven't had _any_ of my clamd or freshclam processes die.

Benny

--
I've said it before and I'll say it again: If I ever catch a spammer, I will hang him upside down with rusty barbed wire by his nether-regions over a pit of rabid lawyers who haven't eaten in days...
-- Benjamin A. Shelton
Re: [Clamav-users] Clamav suddenly died on several boxes
I can verify this worked for me as well. Wipe the database, let freshclam update again, restart the clamd process and everything was running smooth again.

Thanks,
Michael

James Kosin wrote:
> Well,
>
> Deleting the database directory and restarting freshclam to get the
> databases again seems to have fixed the problem on both systems.
>
> This problem may be related to getting incremental updates and not
> being able to update the .CVD database properly. This is the only
> clue I can give.
>
> -James
Re: [Clamav-users] Clamav suddenly died on several boxes
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Michael Brown
> Sent: Wednesday, April 11, 2007 5:30 PM
> To: ClamAV users ML

> I can verify this worked for me as well. Wipe the database, let
> freshclam update again, restart the clamd process and everything was
> running smooth again.

I agree that deleting all .cvd and .inc files and dirs, issuing a freshclam and then restarting clamd corrects the problem. I also agree with what other messages say, that the problem only shows in 0.90, since 0.8x does not use .inc incremental updates, it only uses entire .cvd files.

But I'd like to concentrate on the original question: in fact, in my opinion the fundamental question about this issue is not how difficult it is to solve the problem, in fact it's very simple (I found it more difficult to be promptly informed that a problem had arisen, since mail messages were not being delivered): the question is, is this problem likely to happen again? Should we take precautions not to be woken up in the middle of the night by a phone ringing because mail (or something else) is not going through, because a clamav update did not go well?

I found that last night the problem was rather deterministic: Linux, Clamav >= 0.90, freshclam running => clamd dead. This is a big problem in my opinion, it can affect lots of installations.

Thank you to all who answered and will answer this question.

> Thanks,
> Michael
>
> James Kosin wrote:
> > Well,
> >
> > Deleting the database directory and restarting freshclam to get the
> > databases again seems to have fixed the problem on both systems.
> >
> > This problem may be related to getting incremental updates and not
> > being able to update the .CVD database properly. This is the only
> > clue I can give.
> >
> > -James
Re: [Clamav-users] Clamav suddenly died on several boxes
On Wed, 11 Apr 2007 15:07:32 +0200
Luigi Iotti <[EMAIL PROTECTED]> wrote:

> Hi all
>
> I'm new on the list, if this is a FAQ please tell me so. I'm unsure if
> my problem is related to the other one that today is discussed on the
> list.
>
> I have several clamav installations. I use it with Postfix on CentOS
> (very similar to Red Hat). I use the clamav RPM packages available on
> http://crash.fce.vutbr.cz , but recompiled on CentOS.
>
> Last night suddenly, on several of my customers' mail servers, clamd
> stopped running.
> In the log I find:
> Wed Apr 11 04:02:13 2007 -> SelfCheck: Database status OK.
> Wed Apr 11 04:38:23 2007 -> SelfCheck: Database modification detected. Forcing reload.
> Wed Apr 11 04:38:24 2007 -> Reading databases from /var/lib/clamav
> Wed Apr 11 04:38:24 2007 -> ERROR: reload db failed: Broken or not a CVD file
> Wed Apr 11 04:38:24 2007 -> Terminating because of a fatal error.
> Wed Apr 11 04:38:24 2007 -> Socket file removed.
> Wed Apr 11 04:38:24 2007 -> Pid file removed.
> Wed Apr 11 04:38:24 2007 -> --- Stopped at Wed Apr 11 04:38:24 2007

This seems to be caused by some 3rd party cron script, see
http://lurker.clamav.net/message/20070411.175950.b7329d9f.en.html

--
Tomasz Kojm <[EMAIL PROTECTED]>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Thu Apr 12 10:17:44 CEST 2007
Re: [Clamav-users] Clamav suddenly died on several boxes
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Tomasz Kojm
> Sent: Thursday, April 12, 2007 10:19 AM

> On Wed, 11 Apr 2007 15:07:32 +0200
> Luigi Iotti <[EMAIL PROTECTED]> wrote:
>
> > Hi all
> >
> > I'm new on the list, if this is a FAQ please tell me so. I'm unsure if
> > my problem is related to the other one that today is discussed on the
> > list.
> >
> > I have several clamav installations. I use it with Postfix on CentOS
> > (very similar to Red Hat). I use the clamav RPM packages available on
> > http://crash.fce.vutbr.cz , but recompiled on CentOS.
> >
> > Last night suddenly, on several of my customers' mail servers, clamd
> > stopped running.
> > In the log I find:
> > Wed Apr 11 04:02:13 2007 -> SelfCheck: Database status OK.
> > Wed Apr 11 04:38:23 2007 -> SelfCheck: Database modification detected. Forcing reload.
> > Wed Apr 11 04:38:24 2007 -> Reading databases from /var/lib/clamav
> > Wed Apr 11 04:38:24 2007 -> ERROR: reload db failed: Broken or not a CVD file
> > Wed Apr 11 04:38:24 2007 -> Terminating because of a fatal error.
> > Wed Apr 11 04:38:24 2007 -> Socket file removed.
> > Wed Apr 11 04:38:24 2007 -> Pid file removed.
> > Wed Apr 11 04:38:24 2007 -> --- Stopped at Wed Apr 11 04:38:24 2007
>
> This seems to be caused by some 3rd party cron script, see
> http://lurker.clamav.net/message/20070411.175950.b7329d9f.en.html

Yes I know about it.. I'm the author of the message you're pointing me to :)

But there is good news: I verified that the sole presence of an empty file named literally *.cvd was making clamd exit. Very good... thanks for making me think about it.

I think that the scripts shipping with the RPM packages from http://crash.fce.vutbr.cz/ should be corrected with something like:

--- freshclam.orig 2007-03-05 17:56:11.0 +0100 +++ freshclam 2007-04-11 21:54:50.0 +0200
@@ -1,6 +1,8 @@ #!/bin/bash # Remove garbage occasionally left after unsuccessful updates -/bin/touch -a /var/lib/clamav/*.cvd +# /bin/touch -a /var/lib/clamav/*.cvd +find /var/lib/clamav/ -type f -name '*.cvd' -exec touch -a '{}' ';' +find /var/lib/clamav/ -type d -name '*.inc' | while read dir; do find $dir -exec touch -a '{}' ';' ; done /usr/sbin/tmpwatch 72 /var/lib/clamav --- clamd.orig 2007-04-11 14:24:58.0 +0200 +++ clamd 2007-04-11 21:48:56.0 +0200 @@ -17,7 +17,7 @@ test -f /etc/clamd.conf || exit 0 -if ! [ -f /var/lib/clamav/main.cvd ]; then +if ! [ -f /var/lib/clamav/main.cvd -o -d /var/lib/clamav/main.inc ]; then echo "ERROR: Clamav DB missing! Run 'freshclam --verbose' as root." exit 0 fi
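Review bot: In the freshclam hunk, `-name '*.cvd'` also matches a leftover file that is literally named `*.cvd`, so the new `find ... -exec touch -a` line keeps refreshing its access time and the `tmpwatch 72` call in the context line never expires it; a host already hit by the old `/bin/touch -a /var/lib/clamav/*.cvd` line stays broken until the file is deleted by hand. Consider removing it explicitly before the touch, for example `rm -f '/var/lib/clamav/*.cvd'` with the pattern quoted so that only the literal name is removed. In the second added line `$dir` is unquoted and `read` is used without `-r`; `while read -r dir; do find "$dir" ...` is safer, and the commented-out old line can be dropped rather than kept.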
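Review bot: In the clamd hunk, the new test `[ -f /var/lib/clamav/main.cvd -o -d /var/lib/clamav/main.inc ]` passes for any directory named main.inc, including an empty one, so the init script can still start clamd against a database it cannot load; checking that the directory is non-empty would match the error message's intent better. The `-o` operator inside `[ ]` is marked obsolescent by POSIX, and `[ -f ... ] || [ -d ... ]` is the portable spelling. The unchanged `exit 0` in the error branch reports success to the caller although clamd was not started; a non-zero status there would let monitoring notice the failure.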
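The failure reported in this message (an empty file literally named *.cvd making clamd exit), as an added example that is not part of the thread or of the RPM packages: the first function reproduces how the original cron line creates that file, the second is a pre-flight check of the database directory that a cron job or init script could run before clamd reloads. The function names, the temporary directory and the main.db file name are assumptions made for the example; the header test relies on CVD files starting with the text ClamAV-VDB:.

```shell
#!/bin/sh
# Added example; all paths and file contents below are constructed.

# The cron line from the original script: with no .cvd present the glob
# does not expand, so touch creates a file literally named "*.cvd".
touch_cvd_unsafe() { touch -a "$1"/*.cvd; }

# Print one line per problem found in database directory $1.
# The return status is the number of problems (0 = looks loadable).
check_clamav_db() {
    dir=$1 problems=0
    if [ -e "$dir/*.cvd" ]; then
        echo "literal glob file: $dir/*.cvd"
        problems=$((problems + 1))
    fi
    for f in "$dir"/*.cvd; do
        # Skip the unexpanded pattern and the literal file reported above.
        [ "$f" = "$dir/*.cvd" ] && continue
        [ -f "$f" ] || continue
        if [ ! -s "$f" ]; then
            echo "empty file: $f"
            problems=$((problems + 1))
        elif [ "$(dd if="$f" bs=11 count=1 2>/dev/null)" != "ClamAV-VDB:" ]; then
            echo "bad CVD header: $f"
            problems=$((problems + 1))
        fi
    done
    # Main database: a main.cvd file or a non-empty main.inc directory.
    if [ ! -f "$dir/main.cvd" ] && [ -z "$(ls -A "$dir/main.inc" 2>/dev/null)" ]; then
        echo "main database missing in $dir"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on a constructed directory: incremental main.inc present, no .cvd.
demo=$(mktemp -d)
mkdir "$demo/main.inc" && : > "$demo/main.inc/main.db"   # constructed name
touch_cvd_unsafe "$demo"
check_clamav_db "$demo" || echo "problems: $?"
rm -rf "$demo"
```

A non-zero status from check_clamav_db is the signal to alert or to skip the reload.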