Resolved
0 votes
Had two 7.2 boxes that recently had trouble with clamav stopping and not restarting. On one box this has happened the last five days.

Found it by the message log..
Apr 9 13:40:34 lgedge dansguardian[1022]: scanFile/Memory returned error: -1
Apr 9 13:40:34 lgedge dansguardian[1022]: Error connecting to ClamD socket

Tried restarting content filter, clamav, and rebooting. Yum update found nothing new. Clamav will not start and enters failed state. Had similar issue several months ago that affected all our COS 7 boxes but this appears more limited in nature. Where I had to just reinstall a couple of days.

Only fix found so far is to uninstall Gateway AV, Content Filter, Mail AV, from Marketplace then do a yum remove clamav* to completely uninstall clamav. Then reinstall the components. I get the out of date message in the messages log..

Apr 9 13:46:18 lgedge clamd: LibClamAV Warning: **************************************************
Apr 9 13:46:18 lgedge clamd: LibClamAV Warning: *** The virus database is older than 7 days! ***
Apr 9 13:46:18 lgedge clamd: LibClamAV Warning: *** Please update it as soon as possible. ***
Apr 9 13:46:18 lgedge clamd: LibClamAV Warning: **************************************************

..but clamav starts and can scan unencrypted web traffic once again.

Wondered if it were due to a rogue repo but it seems to be the same version of clamav as other boxes.

yum list clamav* --showduplicates

Loaded plugins: clearcenter-marketplace, fastestmirror
ClearCenter Marketplace: fetching repositories...
Loading mirror speeds from cached hostfile
* clearos: mirror1-newyork.clearos.com
* clearos-centos-sclo-rh: download1.clearsdn.com
* clearos-centos-verified: mirror1-newyork.clearos.com
* clearos-contribs: mirror1-newyork.clearos.com
* clearos-epel-verified: mirror1-newyork.clearos.com
* clearos-fast-updates: download1.clearsdn.com
* clearos-infra: mirror1-newyork.clearos.com
* clearos-verified: mirror1-newyork.clearos.com
* private-clearcenter-ad: download4.clearsdn.com:80
* private-clearcenter-antimalware: download2.clearsdn.com:80
* private-clearcenter-antispam: download1.clearsdn.com:80
* private-clearcenter-business: download2.clearsdn.com:80
* private-clearcenter-content-filter: download2.clearsdn.com:80
* private-clearcenter-dyndns: download4.clearsdn.com:80
* private-clearcenter-dynvpn: download3.clearsdn.com:80
* private-clearcenter-ids: download3.clearsdn.com:80
* private-clearcenter-master-slave: download1.clearsdn.com:80
* private-clearcenter-rbs: download4.clearsdn.com:80
* private-clearcenter-security-audit: download1.clearsdn.com:80
* private-clearcenter-static-vpn: download1.clearsdn.com:80
* private-clearcenter-verified-updates: download2.clearsdn.com:80
Installed Packages
clamav.x86_64 0.99.3-1.v7 @clearos-verified
clamav-data.x86_64 0.99.3-1.v7 @clearos-verified
clamav-filesystem.x86_64 0.99.3-1.v7 @clearos-verified
clamav-lib.x86_64 0.99.3-1.v7 @clearos-verified
clamav-server.x86_64 0.99.3-1.v7 @clearos-verified
Available Packages
clamav.x86_64 0.99.3-1.v7 clearos-verified
clamav.x86_64 0.99.3-1.v7 private-clearcenter-verified-updates
clamav-data.x86_64 0.99.3-1.v7 clearos-verified
clamav-data.x86_64 0.99.3-1.v7 private-clearcenter-verified-updates
clamav-devel.x86_64 0.99.3-1.v7 clearos-verified
clamav-devel.x86_64 0.99.3-1.v7 private-clearcenter-verified-updates
clamav-filesystem.x86_64 0.99.3-1.v7 clearos-verified
clamav-filesystem.x86_64 0.99.3-1.v7 private-clearcenter-verified-updates
clamav-lib.x86_64 0.99.3-1.v7 clearos-verified
clamav-lib.x86_64 0.99.3-1.v7 private-clearcenter-verified-updates
clamav-server.x86_64 0.99.3-1.v7 clearos-verified
clamav-server.x86_64 0.99.3-1.v7 private-clearcenter-verified-updates

I suspect I'll be dealing with it again in the morning. Looking for wisdom.
Tuesday, April 09 2019, 07:32 PM
Responses (9)
  • Accepted Answer

    Tuesday, April 09 2019, 08:55 PM - #Permalink
    Resolved
    0 votes
    Your second line:
    Apr 9 13:40:34 lgedge dansguardian[1022]: Error connecting to ClamD socket
    returns a few hits. A lot of them refer to file ownership. You could also try running "freshclam" manually.
  • Accepted Answer

    Wednesday, April 10 2019, 01:44 PM - #Permalink
    Resolved
    0 votes
    [root@lgedge ~]# freshclam
    ClamAV update process started at Wed Apr 10 08:04:43 2019
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.99.3 Recommended version: 0.101.2
    DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
    main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    daily.cvd is up to date (version: 25415, sigs: 1549346, f-level: 63, builder: raynman)
    bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)


    restart of clamd results in clamd not running and content filter unable to connect for scanning again. Had to uninstall the packages, yum remove clamav again and reinstall from Marketplace to get it operational again.
  • Accepted Answer

    Wednesday, April 10 2019, 04:55 PM - #Permalink
    Resolved
    0 votes
    Compared clamav databases to two other sites with similar setup. The daily and main databases were different and clam was owner of both. Stopped clamd, copied the daily and main from other boxes replacing the ones in the troubled box. Had to change owner of main database to clam. Restarted clamav, content filtering, and mail AV. Box is working now. Will watch for any changes with morning updates.

    Thanks for the input Nick!
  • Accepted Answer

    Wednesday, April 10 2019, 05:08 PM - #Permalink
    Resolved
    0 votes
    Can you also check your logs if it fails?

    I'd be pleasantly surprised if it is the databases unless one was corrupt. Freshclam tries to update it hourly, and you've reinstalled a few times.
  • Accepted Answer

    Thursday, April 11 2019, 02:12 PM - #Permalink
    Resolved
    0 votes
    It didn't fail this morning. Freshclam log shows it checking for updates hourly. Last three hours of updates from freshclam log don't show any changes but the daily.cld did change from version 25415 to 25416 at 04:02 this morning.

    ClamAV update process started at Thu Apr 11 07:02:01 2019
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.99.3 Recommended version: 0.101.2
    DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
    main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    daily.cld is up to date (version: 25416, sigs: 1550281, f-level: 63, builder: raynman)
    bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
    --------------------------------------
    ClamAV update process started at Thu Apr 11 08:02:01 2019
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.99.3 Recommended version: 0.101.2
    DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
    main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    daily.cld is up to date (version: 25416, sigs: 1550281, f-level: 63, builder: raynman)
    bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
    --------------------------------------
    ClamAV update process started at Thu Apr 11 09:02:01 2019
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.99.3 Recommended version: 0.101.2
    DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
    main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    daily.cld is up to date (version: 25416, sigs: 1550281, f-level: 63, builder: raynman)
    bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)


    Thanks again, Nick.
  • Accepted Answer

    Tuesday, April 16 2019, 01:30 PM - #Permalink
    Resolved
    0 votes
    Spoke too soon. Log shows where ClamD was unavailable again for about an hour Friday morning from 3-4am CDT and then failed to start at all Saturday. Service resolved Sunday morning around 4am.

    This morning, same "Error connecting to ClamD socket". Ran the yum clamav* remove and reinstalled Content Filter, CF blacklists, Gateway AntiPhishing/AntiVirus, and Mail AntiVirus from MarketPlace. Install went smoothly, started Content Filtering and can access http websites once again. Permissions appeared correct on databases compared to installation that is working normally.

    Not sure where to look next.
  • Accepted Answer

    Tuesday, April 16 2019, 02:05 PM - #Permalink
    Resolved
    0 votes
    Have a look at the man page for clamd.conf. It looks like there is both verbose logging and debug logging available - or just look in the file itself.
  • Accepted Answer

    Friday, April 26 2019, 03:45 PM - #Permalink
    Resolved
    0 votes
    Not quite perfect but close enough to get by. I had increased logging for freshclam.conf and clamd.conf which greatly increased the clamd.log. Also had read about increasing the "TimeoutStartSec" time in clamd.service. Increased this from 120s to 240s and this had a significant impact on it. I still have brief "Error connecting to ClamD socket" errors but they are limited in duration to just a couple of minutes and at early morning hours when offices are closed. My guess is this is where clamd is restarted due to updates or automated system maintenance. Never found much in the verbose logs to be much help but I'm new to the clamav process and have reverted that change to get the log size back down.

    Just wanted to share what is working for us and to give a shout out to Nick for his input. Thanks to the community!
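Added example, not part of the thread: a shell function that groups the dansguardian "Error connecting to ClamD socket" lines quoted above into outage windows, so the length of each clamd outage can be compared before and after a change such as the TimeoutStartSec increase. The function names, the GAP threshold and the sample log lines are assumptions constructed for illustration.

```bash
#!/bin/bash
# Group dansguardian "Error connecting to ClamD socket" lines into outage
# windows. A new window starts when the day changes or when the gap between
# two consecutive errors exceeds GAP seconds (default 300, an assumed value).
# Windows that cross midnight are reported as two windows.
# Real use: clamd_outages < /var/log/messages
clamd_outages() {
    awk -v gap="${GAP:-300}" '
    function flush() {
        if (n) printf "%s %s-%s %ds %d errors\n", day, first, last_t, last - start, n
        n = 0
    }
    $5 ~ /^dansguardian/ && index($0, "Error connecting to ClamD socket") {
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]   # seconds since midnight
        d = $1 " " $2                           # month and day
        if (n && (d != day || now - last > gap)) flush()
        if (!n) { day = d; first = $3; start = now }
        last = now; last_t = $3; n++
    }
    END { flush() }'
}

# Constructed sample in the syslog format of the lines quoted in the thread.
sample_log() {
cat <<'EOF'
Apr 12 03:02:11 lgedge dansguardian[1022]: scanFile/Memory returned error: -1
Apr 12 03:02:11 lgedge dansguardian[1022]: Error connecting to ClamD socket
Apr 12 03:03:40 lgedge dansguardian[1022]: Error connecting to ClamD socket
Apr 12 03:04:05 lgedge dansguardian[1022]: Error connecting to ClamD socket
Apr 12 09:15:00 lgedge clamd: LibClamAV Warning: *** Please update it as soon as possible. ***
Apr 13 04:00:30 lgedge dansguardian[1022]: Error connecting to ClamD socket
Apr 13 04:01:10 lgedge dansguardian[1022]: Error connecting to ClamD socket
EOF
}

# One line per outage: date, first-last error time, span, error count.
sample_log | clamd_outages
```

Each window only spans the first to the last logged error, so it understates an outage during which no web request triggered a scan.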
  • Accepted Answer

    Saturday, April 27 2019, 06:43 PM - #Permalink
    Resolved
    0 votes
    I have the exact same issue. ClamD is causing the webfilter to essentially block websites. This happened due to some update that rolled in on 4/26. I ended up uninstalling Gateway Antivirus from the Marketplace and reinstalling.