
clamd keeps dying...


  • clamd keeps dying...

    Good morning.

    I'm hoping someone knows about this one, as it's caused me some headaches with clients the last couple days.

    About mid-day yesterday, I was notified that external email was not getting in to the domain mailboxes on our Interworx box. After investigating, I found that at around 4:00am, the clamd service attempted to reload the database and at that time blew up. The message log shows :

    Apr 12 04:09:31 shelob clamd[12766]: SelfCheck: Database modification detected. Forcing reload.
    Apr 12 04:09:31 shelob clamd[12766]: Reading databases from /var/lib/clamav
    Apr 12 04:09:38 shelob clamd[12766]: reload db failed: Broken or not a CVD file
    Apr 12 04:09:38 shelob clamd[12766]: Terminating because of a fatal error.
    Apr 12 04:09:39 shelob clamd[12766]: Pid file removed.
    Apr 12 04:09:39 shelob clamd[12766]: --- Stopped at Thu Apr 12 04:09:39 2007

    (As you can tell, this is today's log so obviously it happened again)

    I looked in the /var/lib/clamav directory and found a file called "*.cvd" with a zero byte length. I removed the file, restarted the service and all was well until this morning when it did it again.

    As it stops all incoming mail flow until I remove the file, this one is causing issues. I know I could easily script a quick cron job to band-aid it, but I'd really rather find out what's going on.

    All help is greatly appreciated!

    Phil Malmstrom
    philm@diamondcomputer.com

  • #2
    I've seen this before, but haven't seen it at all since the last round of clamav rpm updates over a month ago - can you confirm which RPM set you have installed, with

    rpm -q clamav

    when logged in as root?

    Thanks,
    Paul
    Paul Oehler
    InterWorx-CP | http://interworx.com
    InterWorx Control Panel



    • #3
      Clamav keeps dying....

      Hi Paul, and thanks for the rapid response.

      The rpm shows : clamav-0.90-106.rhe4x.iworx

      I'm running on CentOS 4.4 with automatic updates turned on for both Interworx and the OS.

      Thanks!

      Phil Malmstrom
      philm@diamondcomputer.com



      • #4
        That should be fine. Can you confirm that the ScriptedUpdates option in /etc/freshclam.conf is set to "no"? The line should look like:

        ScriptedUpdates no

        Paul
        Paul Oehler
        InterWorx-CP | http://interworx.com
        InterWorx Control Panel



        • #5
          I found this posted on a clamav forum Phil,

          > I had this on 4 different servers that I support.
          >
          > /var/lib/clamav contained a file with 0 bytes called:
          >
          > *.cvd
          >
          > That is correct, the asterisk (*) was actually in the filename.
          >
          > I deleted this file and re-ran freshclam and restarted clamd.
          >
          > All is fine now.

          I found this file too when I was investigating the problem I talk about in my post "Clamav suddenly died on several boxes". I found that the '*.cvd' file is created by a daily cron script, /etc/cron.daily/freshclam, which issues the command

          /bin/touch -a /var/lib/clamav/*.cvd

          This command creates the file *.cvd (literally) when there's no .cvd file in /var/lib/clamav.

          It's clear that the original intention of the command was to protect cvd files from being deleted by the subsequent command

          /usr/sbin/tmpwatch 72 /var/lib/clamav

          but since now we're switching to .inc directories instead of .cvd files, this command is not correct any more. I think that the touch command should be substituted by something like (maybe it can be done in a more compact way):

          find /var/lib/clamav/ -type f -name '*.cvd' -exec touch -a '{}' ';'
          find /var/lib/clamav/ -type d -name '*.inc' | while read -r dir; do find "$dir" -exec touch -a '{}' ';' ; done

          May want to try deleting that /etc/cron.daily/freshclam file temporarily, or try the solution suggested in that post.

          Paul
          Paul Oehler
          InterWorx-CP | http://interworx.com
          InterWorx Control Panel
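
The unmatched-glob failure described in post #5, reproduced next to a guarded form. This is an added example, not part of the thread or of the InterWorx cron script; the function names are hypothetical and a constructed temp directory stands in for /var/lib/clamav.

```shell
#!/bin/sh
# Added example. A constructed temp directory stands in for /var/lib/clamav.

# Original cron behaviour: when no .cvd file exists the glob is passed to
# touch unexpanded, which creates an empty file literally named '*.cvd'.
touch_unguarded() {
    touch -a "$1"/*.cvd
}

# Guarded version: find hands touch only paths that exist, so an empty match
# runs nothing. Covers .cvd files plus .inc directories and their contents.
touch_guarded() {
    find "$1" \( -type f -name '*.cvd' -o -type d -name '*.inc' \
        -o -path '*.inc/*' \) -exec touch -a {} +
}

# Print zero-length .cvd files, the state clamd rejected on reload.
empty_databases() {
    find "$1" -type f -name '*.cvd' -size 0
}

# Constructed layout: an .inc directory and no .cvd file.
make_sample_dir() {
    d=$(mktemp -d) && mkdir "$d/daily.inc" && : > "$d/daily.inc/daily.db"
    printf '%s\n' "$d"
}

demo() {
    bad=$(make_sample_dir); good=$(make_sample_dir)
    touch_unguarded "$bad"; touch_guarded "$good"
    echo "unguarded: $(empty_databases "$bad" | wc -l) empty .cvd file(s)"
    echo "guarded:   $(empty_databases "$good" | wc -l) empty .cvd file(s)"
    rm -rf "$bad" "$good"
}
demo
```

Running empty_databases against the real database directory before clamd reloads gives an early signal of the condition in the first post.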



          • #6
            Hmmm....

            Hi again Paul.

            Actually, that line doesn't exist at all in the freshclam.conf file....

            I can certainly add it, but does this mean a file didn't get updated properly? I'd almost rather replace it with the correct file if that's the case.

            Thanks again for the help!

            Phil Malmstrom
            philm@diamondcomputer.com



            • #7
              See if there's a /etc/freshclam.conf.rpmnew file. That might be the newer version that has the "ScriptedUpdates no" line in it, although you may need to uncomment the line if that's the case, and copy it to /etc/freshclam.conf

              There probably aren't a lot of differences, but I believe turning off ScriptedUpdates (and then running: service freshclam restart) will fix the *.cvd corruption issue, and also "fix" the InterWorx interface that reports the information about the virus databases.

              Paul
              Paul Oehler
              InterWorx-CP | http://interworx.com
              InterWorx Control Panel



              • #8
                Looks like an answer...

                Hi Paul.

                I checked, and you're right...There was a freshclam.conf.rpmnew file. I should have picked up on that myself. Thanks.

                Just FYI, I also did clear out the cron.daily routine that did the touch *.cvd file as from what I can tell it's not very useful since the update and does leave the possibility of this recurring.

                Thanks again and have a great day!

                Phil Malmstrom
                philm@diamondcomputer.com
