On Mon, 26 Apr 2010, Christian Gonzalez wrote:
> Hi,
>
> I have a mailserver running Slackware 12.1 with Postfix, Dovecot,
> Amavis-new, SpamAssassin and Clamav. It has been working fine for more
> than a year. I builded it following a howto from workaround.org. But like
> many others, I suffered Clamav 0.94 EOL process since 16th this month. I
> managed to upgrade it to 0.96 but was not able to use it due to an error:
>
>
> LibClamAV debug: Loaded 117 filetype definitions
> LibClamAV debug: daily.ftm loaded
> LibClamAV debug: daily.db loaded
> LibClamAV Error: cli_caloff: Offset string too long
> LibClamAV Error: cli_bm_addpatt: Can't calculate offset for signature
> Exploit.PDF-11591
> LibClamAV Error: cli_loadmd5: Error adding BM pattern
> LibClamAV Error: cli_loadmd5: Problem parsing database at line 1
> LibClamAV Error: Can't load daily.hdb: Malformed database
> LibClamAV Error: cli_tgzload: Can't load daily.hdb
> LibClamAV Error: Can't load /usr/share/clamav/daily.cvd: Malformed database
> ERROR: Malformed database
> Closing the main socket
[snip..]
That signature "Exploit.PDF-11591" is in the current ClamAV distro and
a proper install of ClamAV 0.96 has no trouble using it.
My guess is that error is caused by an old version of LibClamAV trying
to parse that signature.
I would bet that there are three possible causes of your problem:
1) the update/install did not complete successfuly so the old version
is still installed (not replaced).
2) The ClamAV update/install completed successfully but didn't install it
in the place that Amavis-new uses, so Amavis-new is still using the old
version.
3) Everything is new and where it should be but you didn't restart
Amavis-new so it still has the old library loaded and in use.
Suggestions; completely kill and restart Amavis-new, see if it loads and
uses the new LibClamAV library. If that doesn't fix it, find -all-
instances of LibClamAV on your system, remove them, re-do the 0.96
install and restart. If it still isn't working, ask your question on the
Amavis list as there may be some update for Amavis-new that is also
needed.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
