clamd keeps dying...

Good morning.

I’m hoping someone knows about this one, as it’s caused me some headaches with clients the last couple days.

About mid-day yesterday, I was notified that external email was not getting in to the domain mailboxes on our Interworx box. After investigating, I found that at around 4:00am, the clamd service attempted to reload the database and at that time blew up. The message log shows :

Apr 12 04:09:31 shelob clamd[12766]: SelfCheck: Database modification detected. Forcing reload.
Apr 12 04:09:31 shelob clamd[12766]: Reading databases from /var/lib/clamav
Apr 12 04:09:38 shelob clamd[12766]: reload db failed: Broken or not a CVD file
Apr 12 04:09:38 shelob clamd[12766]: Terminating because of a fatal error.
Apr 12 04:09:39 shelob clamd[12766]: Pid file removed.
Apr 12 04:09:39 shelob clamd[12766]: --- Stopped at Thu Apr 12 04:09:39 2007

(As you can tell, this is today’s log so obviously it happened again)

I looked in the /var/lib/clamav directory and found a file called “*.cvd” with a zero byte length. I removed the file, restarted the service and all was well until this morning when it did it again.

As it stops all incoming mail flow until I remove the file, this one is causing issues. I know I could easily script a quick cron job to band-aid it, but I’d really rather find out what’s going on.

All help is greatly appreciated!

Phil Malmstrom
philm@diamondcomputer.com

I’ve seen this before, but haven’t seen it at all since the last round of clamav rpm updates over a month ago - can you confirm which RPM set you have installed, with

rpm -q clamav

when logged in as root?

Thanks,
Paul

Clamav keeps dying…

Hi Paul, and thanks for the rapid response.

The rpm shows : clamav-0.90-106.rhe4x.iworx

I’m running on CentOS 4.4 with automatic updates turned on for both Interworx and the OS.

Thanks!

Phil Malmstrom
philm@diamondcomputer.com

That should be fine. Can you confirm that the ScriptedUpdates option in /etc/freshclam.conf is set to “no”? The line should look like:

ScriptedUpdates no

Paul

I found this posted on a clamav forum Phil,

> I had this on 4 different servers that I support.
>
> /var/lib/clamav contained a file with 0 bytes called:
>
> *.cvd
>
> That is correct, the asterisk (*) was actually in the filename.
>
> I deleted this file and re-ran freshclam and restarted clamd.
>
> All is fine now.

I found this file too when I was investigating the problem I talk about in
my post “Clamav suddenly died on several boxes”. I found that the '*.cvd'
file is created by a daily cron script, /etc/cron.daily/freshclam, which
issues the command
/bin/touch -a /var/lib/clamav/*.cvd

This command creates the file *.cvd (literally) when there’s no .cvd file in
/var/lib/clamav .

It’s clear that the original intention of the command was to protect cvd
files from being deleted by the subsequent command
/usr/sbin/tmpwatch 72 /var/lib/clamav

but since now we’re switching to .inc directories instead of .cvd files,
this command is not correct any more.
I think that the touch command should be substituted by something like
(maybe it can be done in a more compact way):
find /var/lib/clamav/ -type f -name '*.cvd' -exec touch -a '{}' ';'
find /var/lib/clamav/ -type d -name '*.inc' | while read dir; do find "$dir" -exec touch -a '{}' ';' ; done

May want to try deleting that /etc/cron.daily/freshclam file temporarily, or try the solution suggested in that post.

Paul
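
The unmatched-glob behaviour described in the quoted post, reproduced in a scratch directory rather than /var/lib/clamav. This is an added example, not code from the thread or from the ClamAV/InterWorx packages; the function names and the daily.inc/daily.info sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: why "touch -a DIR/*.cvd" leaves a zero-byte file named
# "*.cvd" when no .cvd file exists, and a form that cannot create one.

# Behaviour of the cron line: with no match, the shell passes the pattern
# through unchanged and touch creates a file with that literal name.
naive_touch() {
    touch -a "$1"/*.cvd
}

# Guarded form: find only hands existing paths to touch, so nothing is
# created when there is no match. Covers files inside *.inc directories too.
safe_touch() {
    find "$1" -type f \( -name '*.cvd' -o -path '*.inc/*' \) -exec touch -a {} +
}

# True when a file literally named "*.cvd" exists (quoted, so no globbing).
has_literal_glob_file() {
    [ -e "$1/*.cvd" ]
}

# Run both variants against a scratch directory that holds only a .inc
# directory (constructed sample), which is the situation in the thread.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/daily.inc"
    : > "$d/daily.inc/daily.info"

    safe_touch "$d"
    if has_literal_glob_file "$d"; then safe=created; else safe=clean; fi

    naive_touch "$d"
    if has_literal_glob_file "$d"; then naive=created; else naive=clean; fi

    rm -rf "$d"
    echo "safe=$safe naive=$naive"
}

demo
```
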

Hmmm…

Hi again Paul.

Actually, that line doesn’t exist at all in the freshclam.conf file…

I can certainly add it, but does this mean a file didn’t get updated properly? I’d almost rather replace it with the correct file if that’s the case.

Thanks again for the help!

Phil Malmstrom
philm@diamondcomputer.com

See if there’s a /etc/freshclam.conf.rpmnew file. That might be the newer version that has the “ScriptedUpdates no” line in it, although you may need to uncomment the line if that’s the case, and copy it to /etc/freshclam.conf

There probably aren’t a lot of differences, but I believe turning off ScriptedUpdates (and then running: service freshclam restart) will fix the *.cvd corruption issue, and also “fix” the InterWorx interface that reports the information about the virus databases.

Paul

Looks like an answer…

Hi Paul.

I checked, and you’re right…There was a freshclam.conf.rpmnew file. I should have picked up on that myself. Thanks.

Just FYI, I also did clear out the cron.daily routine that did the touch *.cvd file as from what I can tell it’s not very useful since the update and does leave the possibility of this recurring.

Thanks again and have a great day!

Phil Malmstrom
philm@diamondcomputer.com