Hi,
I noticed this evening that one of my third-party databases was
corrupt and was causing clamd to start. I have a clamav-0.99.2 system
with amavisd-new-2.11.0 on Fedora 25. I was really hoping someone could
go through my logs below and help me understand what's happened. The
corruption appears to be isolated to that one database, but time after
time clamd would exit and not restart.

Wed Dec 28 19:05:52 2016 -> Downloading securiteinfo.hdb [*]
Wed Dec 28 19:05:54 2016 -> WARNING: [LibClamAV] cli_loadhash: Problem parsing database at line 3416821
Wed Dec 28 19:05:54 2016 -> WARNING: [LibClamAV] Can't load /var/lib/clamav/clamav-a0e1b3646bf0af582c18764ec2fd4e05.tmp/clamav-1f86f88148703d13f13134e2d09d11f3.tmpsecuriteinfo.hdb: Malformed database
Wed Dec 28 19:05:54 2016 -> ERROR: Failed to load new database: Malformed database
Wed Dec 28 19:05:55 2016 -> ERROR: During database load : ERROR: Failed to load new database: Malformed database
Wed Dec 28 19:05:55 2016 -> WARNING: Database load exited with status 55
Wed Dec 28 19:05:55 2016 -> ERROR: Failed to load new database
Wed Dec 28 19:05:55 2016 -> securiteinfo.ign2 is up to date (version: custom database)
Wed Dec 28 19:05:55 2016 -> javascript.ndb is up to date (version: custom database)
Wed Dec 28 19:05:56 2016 -> securiteinfohtml.hdb is up to date (version: custom database)
Wed Dec 28 19:05:56 2016 -> securiteinfoascii.hdb is up to date (version: custom database)
Wed Dec 28 19:05:56 2016 -> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Wed Dec 28 19:05:56 2016 -> daily.cld is up to date (version: 22794, sigs: 1198086, f-level: 63, builder: neo)
Wed Dec 28 19:05:56 2016 -> safebrowsing.cld is up to date (version: 45389, sigs: 2482049, f-level: 63, builder: google)

It doesn't appear to specifically say that it caused clamd to stop
working, but it did.

Dec 28 19:05:54 mail01 freshclam[13338]: [LibClamAV] cli_loadhash: Problem parsing database at line 3416821
Dec 28 19:05:54 mail01 freshclam[13338]: [LibClamAV] Can't load /var/lib/clamav/clamav-a0e1b3646bf0af582c18764ec2fd4e05.tmp/clamav-1f86f88148703d13f13134e2d09d11f3.tmpsecuriteinfo.hdb: Malformed database
Dec 28 19:05:54 mail01 freshclam[13338]: Failed to load new database: Malformed database
Dec 28 19:05:55 mail01 freshclam[6433]: Database load exited with status 55
Dec 28 19:05:55 mail01 freshclam[6433]: Failed to load new database

If the database was malformed, why does it appear to have moved from
its temporary location into the production /var/lib/clamav directory
below?

Dec 28 20:11:19 mail01 freshclam[8168]: ClamAV update process started at Wed Dec 28 20:11:19 2016
Dec 28 20:11:21 mail01 clamd[2544]: Reading databases from /var/lib/clamav
Dec 28 20:11:43 mail01 clamd[2544]: reload db failed: Can't open file or directory
Dec 28 20:11:44 mail01 clamd[2544]: Terminating because of a fatal error.
Dec 28 20:11:44 mail01 clamd[2544]: Pid file removed.
Dec 28 20:11:44 mail01 clamd[2544]: --- Stopped at Wed Dec 28 20:11:44 2016
Dec 28 20:11:44 mail01 clamd[2544]: Socket file removed.
Dec 28 20:11:44 mail01 amavis[1971]: (01971-04) ClamAV-clamd: Error reading from socket: Connection reset by peer at /usr/sbin/amavisd line 8493., retrying (1)
Dec 28 20:11:45 mail01 clamd[8221]: Received 0 file descriptor(s) from systemd.
Dec 28 20:11:45 mail01 clamd[8221]: clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Dec 28 20:11:45 mail01 clamd[8221]: Running as user amavis (UID 988, GID 984)
Dec 28 20:11:45 mail01 clamd[8221]: Log file size limited to 20971520 bytes.
Dec 28 20:11:45 mail01 clamd[8221]: Reading databases from /var/lib/clamav
Dec 28 20:11:45 mail01 clamd[8221]: Bytecode: Security mode set to "TrustSigned".
Dec 28 20:11:45 mail01 amavis[1971]: (01971-04) (!)connect to /var/run/clamd.amavisd/clamd.sock failed, attempt #1: Can't connect to a UNIX socket /var/run/clamd.amavisd/clamd.sock: No such file or directory
Dec 28 20:11:45 mail01 amavis[1971]: (01971-04) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamd.amavisd/clamd.sock, retrying (2)

The databases are downloaded directly from freshclam, as specified in
the freshclam.conf file:

DatabaseCustomURL http://www.securiteinfo.com/get/signatures/key/securiteinfo.hdb

I'm using the clamav-unofficial-sigs shell script to download other
third-party databases including sanesecurity, but this one requires
the use of a special key that indicates the direct download path that
can be used.

Please let me know what other information I can provide to help
troubleshoot this.

Thanks,
Alex
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
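
Added example, not part of the original post and not ClamAV's or freshclam's own code: a pre-install check for a staged third-party .hdb file that reports the first malformed line (as cli_loadhash did above) and leaves the live copy untouched when the check fails. It assumes the hash-signature layout hash:size:name with optional functionality-level fields and only approximates ClamAV's parser; the function names, file names and sample entries are constructed for illustration.

```python
import os
import tempfile

# Constructed sample: two well-formed entries, then a line cut off mid-hash.
SAMPLE = (
    "d41d8cd98f00b204e9800998ecf8427e:1024:Example.Sig.A\n"
    "0cc175b9c0f1b6a831c399e269772661:2048:Example.Sig.B:73\n"
    "900150983cd24fb0d696\n"
)

def check_line(line):
    """Return None for hash:size:name[:min_flevel[:max_flevel]], else a reason."""
    fields = line.rstrip("\r\n").split(":")
    if not 3 <= len(fields) <= 5:
        return "expected 3 to 5 colon-separated fields, got %d" % len(fields)
    digest, size, name = fields[:3]
    if len(digest) not in (32, 40, 64) or any(c not in "0123456789abcdefABCDEF" for c in digest):
        return "hash is not a 32/40/64-digit hex string"
    if size != "*" and not (size.isdecimal() and int(size) > 0):
        return "size is not a positive integer or '*'"
    if not name or not all(f.isdecimal() for f in fields[3:]):
        return "empty name or non-numeric functionality level"
    return None

def first_malformed_line(path):
    """Return (line_number, reason) for the first bad line, or None."""
    with open(path, encoding="latin-1") as fh:
        for lineno, line in enumerate(fh, 1):
            if line.startswith("#"):
                continue  # assumption: comment lines are ignored
            reason = check_line(line)
            if reason:
                return lineno, reason
    return None

def install_if_valid(staged, dest):
    """Replace dest with staged only if every line passes; return (ok, detail)."""
    bad = first_malformed_line(staged)
    if bad:
        return False, "line %d: %s" % bad
    os.replace(staged, dest)  # atomic when both paths are on one filesystem
    return True, "installed"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        staged = os.path.join(d, "example.hdb.tmp")
        with open(staged, "w") as fh:
            fh.write(SAMPLE)
        print(install_if_valid(staged, os.path.join(d, "example.hdb")))
```

Staging the download in the same directory as the live database keeps the final os.replace on one filesystem, so clamd never sees a half-written file.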

