[Case 82281] issues with clamavconnector

kisonay

Member
Mar 21, 2013
20
0
1
cPanel Access Level
Root Administrator
I'm having issues installing clamavconnector and accessing clamd via ssh.

I have installed it via the plugins area of WHM. Installed and keep updated is checked and the following information is displayed.

Code:
Name: clamavconnector 
Author: cPanel Inc.
Installed Version: 
Version: 0.97.8-3.6
Description: Virus Protection for Email and Filemanager Uploads
Price: free
At the shell prompt I receive the following:

Code:
[email protected] [/]# clamd
-bash: clamd: command not found
[email protected] [/]# which clamd
[email protected] [/]# whereis clamd
clamd:
[email protected] [/]# /scripts/restartsrv_clamd --check
[email protected] [/]# /scripts/restartsrv_clamd --status
clamd (/usr/local/cpanel/3rdparty/bin/clamd) running as root with PID 7378 (process table check method)
I have tried to uninstall and reinstall with little luck.

What am I doing wrong?


CENTOS 6.4 x86_64 xenpv – s1 WHM 11.40.0 (build 16)
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463
Hello :)

Does the installation of ClamAV complete successfully when installing it via "WHM Home » cPanel » Manage Plugins"? If not, which stage does it hang or fail at?

Thank you.
 

kisonay

Figured I would just uninstall / install again to give you the exact output. I didn't see any errors but what do I know.

Code:
[20131104.204105]   
[20131104.204105]   Problems were detected with cPanel-provided files which are RPM controlled.
[20131104.204105]   If you did not make these changes intentionally, you can correct them by running:
[20131104.204105]   
[20131104.204105]   > /usr/local/cpanel/scripts/check_cpanel_rpms --fix
[20131104.204105]   The following RPMs are missing from your system:
[20131104.204105]   cpanel-clamav-0.97.8-3.cp1140
[20131104.204105]   cpanel-clamav-virusdefs-0.97.8-3.cp1140
[20131104.204105]   cpanel-perl-514-File-Scan-ClamAV-1.91-1.cp1136
[20131104.204105]   Removing 0 broken rpms: 
[20131104.204105]   rpm: no packages given for erase
[20131104.204106]   Downloading http://httpupdate.cpanel.net/RPM/11.40/centos/6/x86_64/rpm.md5
[20131104.204106]   Downloading http://httpupdate.cpanel.net/RPM/11.40/centos/6/x86_64/cpanel-clamav-virusdefs-0.97.8-3.cp1140.x86_64.rpm
[20131104.204113]   Downloading http://httpupdate.cpanel.net/RPM/11.40/centos/6/x86_64/cpanel-perl-514-File-Scan-ClamAV-1.91-1.cp1136.x86_64.rpm
[20131104.204113]   Downloading http://httpupdate.cpanel.net/RPM/11.40/centos/6/x86_64/cpanel-clamav-0.97.8-3.cp1140.x86_64.rpm
[20131104.204116]   Hooks system enabled
[20131104.204116]   Checking for and running RPM::Versions 'pre' hooks for any RPMs about to be installed
[20131104.204116]   All required 'pre' hooks have been run
[20131104.204116]   No RPMS need to be uninstalled
[20131104.204116]   Installing new rpms: cpanel-clamav-virusdefs-0.97.8-3.cp1140.x86_64.rpm cpanel-perl-514-File-Scan-ClamAV-1.91-1.cp1136.x86_64.rpm cpanel-clamav-0.97.8-3.cp1140.x86_64.rpm
[20131104.204117]   Preparing packages for installation...
[20131104.204117]   cpanel-clamav-virusdefs-0.97.8-3.cp1140
[20131104.204119]   groupadd: group 'clamav' already exists
[20131104.204119]   useradd: user 'clamav' already exists
[20131104.204120]   Locking password for user clamav.
[20131104.204120]   passwd: Success
[20131104.204120]   cpanel-clamav-0.97.8-3.cp1140
[20131104.204120]   warning: /etc/chkserv.d/clamd saved as /etc/chkserv.d/clamd.rpmorig
[20131104.204123]   clamd: no process killed
[20131104.204124]   clamd: no process killed
[20131104.204124]   Configuration file passes test!  New configuration file was installed.
[20131104.204124]   
[20131104.204125]   Enabled ACL options in block ACL_MAIL_PRE_BLOCK: default_mail_pre
[20131104.204125]   Enabled ACL options in block ACL_RECIPIENT_POST_BLOCK: default_recipient_post
[20131104.204125]   Enabled ACL options in block ACL_SPAM_SCAN_CHECK_BLOCK: default_spam_scan_check
[20131104.204125]   Enabled ACL options in block ACL_CHECK_MESSAGE_PRE_BLOCK: default_check_message_pre
[20131104.204125]   Enabled ACL options in block ACL_CONNECT_POST_BLOCK: default_connect_post
[20131104.204125]   Enabled ACL options in block ACL_OUTGOING_NOTSMTP_CHECKALL_BLOCK: resolve_vhost_owner|end_default_outgoing_notsmtp_checkall
[20131104.204125]   Enabled ACL options in block ACL_CONNECT_BLOCK: spammerlist
[20131104.204125]   Enabled ACL options in block ACL_TRUSTEDLIST_BLOCK: trustedmailhosts
[20131104.204125]   Enabled ACL options in block ACL_IDENTIFY_SENDER_BLOCK: default_identify_sender|default_message_submission
[20131104.204125]   Enabled ACL options in block ACL_PRE_RECIPIENT_BLOCK: dkim_disable
[20131104.204125]   Enabled ACL options in block ACL_CHECK_MESSAGE_POST_BLOCK: default_check_message_post
[20131104.204125]   Enabled ACL options in block ACL_POST_SPAM_SCAN_CHECK_BLOCK: mailproviders
[20131104.204125]   Enabled ACL options in block ACL_SPAM_SCAN_BLOCK: default_spam_scan
[20131104.204125]   Enabled ACL options in block ACL_RECP_VERIFY_BLOCK: default_recp_verify
[20131104.204125]   Enabled ACL options in block ACL_PRE_SPAM_SCAN: mailproviders
[20131104.204125]   Enabled ACL options in block ACL_RECIPIENT_BLOCK: default_recipient
[20131104.204125]   Enabled ACL options in block ACL_MAIL_POST_BLOCK: default_mail_post
[20131104.204125]   Detected spam handling in acls, disabling spamassassin in routers & transports!.
[20131104.204125]   SpamAssassin method remains unchanged
[20131104.204125]   Configured options list is: 
[20131104.204125]   ACL: acl_not_smtp is active
[20131104.204125]   ACL: acl_smtp_connect is active
[20131104.204125]   ACL: acl_smtp_data is active
[20131104.204125]   ACL: acl_smtp_mail is active
[20131104.204125]   ACL: acl_smtp_rcpt is active
[20131104.204125]   Provided options list is: deliver_queue_load_max|queue_only_load|daemon_smtp_ports|tls_on_connect_ports|system_filter_user|system_filter_group|tls_require_ciphers|hostlist loopback|hostlist senderverifybypass_hosts|hostlist skipsmtpcheck_hosts|hostlist spammeripblocks|hostlist backupmx_hosts|hostlist trustedmailhosts|hostlist relay_hosts|domainlist user_domains|smtp_accept_queue_per_connection|remote_max_parallel|smtp_receive_timeout|ignore_bounce_errors_after|rfc1413_query_timeout|timeout_frozen_after|auto_thaw|callout_domain_negative_expire|callout_negative_expire|acl_not_smtp|acl_smtp_connect|acl_smtp_data|acl_smtp_mail|acl_smtp_rcpt|message_body_newlines|deliver_queue_load_max|queue_only_load|daemon_smtp_ports|tls_on_connect_ports|system_filter_user|system_filter_group|tls_require_ciphers|spamd_address
[20131104.204125]   Exim Insert Regex is: virtual_userdelivery|virtual_aliases|democheck|check_mail_permissions|remote_smtp|address_pipe|virtual_user|localuser|virtual_sa_user
[20131104.204125]   Exim Replace Regex is: virtual_sa_user|sa_localuser|virtual_sa_userdelivery|local_sa_delivery|cpanel_archiver|cpanel_archiver_transport|discover_sender_information|fixed_login|fixed_plain|lookuphost|remote_smtp|secure_login|secure_plain
[20131104.204125]   Exim Match Insert Regex is: 
[20131104.204125]   Skipping boxtrapper_autowhitelist entry in check_mail_permissions insert as it requires boxtrapper and it is disabled or unavailable.
[20131104.204125]   Skipping boxtrapper_verify_dkim_lookuphost entry in lookuphost replace insert as it requires boxtrapper and it is disabled or unavailable.
[20131104.204125]   Skipping boxtrapper_verify_lookuphost entry in lookuphost replace insert as it requires boxtrapper and it is disabled or unavailable.
[20131104.204125]   Skipping virtual_boxtrapper_user entry in virtual_user insert as it requires boxtrapper and it is disabled or unavailable.
[20131104.204125]   Skipping boxtrapper_localuser entry in localuser insert as it requires boxtrapper and it is disabled or unavailable.
[20131104.204125]   Skipping boxtrapper_autowhitelist entry in virtual_userdelivery insert as it requires boxtrapper and it is disabled or unavailable.
[20131104.204125]   Skipping local_boxtrapper_delivery entry in virtual_userdelivery insert as it requires boxtrapper and it is disabled or unavailable.
[20131104.204125]   Skipping virtual_boxtrapper_userdelivery entry in virtual_userdelivery insert as it requires boxtrapper and it is disabled or unavailable.
[20131104.204125]   Exim version 4.80.1 #2 built 17-Oct-2013 11:04:37
[20131104.204125]   Copyright (c) University of Cambridge, 1995 - 2012
[20131104.204125]   (c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2012
[20131104.204125]   Berkeley DB: Berkeley DB 4.7.25: (April  4, 2012)
[20131104.204125]   Support for: crypteq iconv() IPv6 PAM Perl OpenSSL Content_Scanning DKIM Old_Demime Experimental_SPF Experimental_SRS
[20131104.204125]   Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz passwd
[20131104.204125]   Authenticators: cram_md5 dovecot plaintext spa
[20131104.204125]   Routers: accept dnslookup ipliteral manualroute queryprogram redirect
[20131104.204125]   Transports: appendfile/maildir autoreply pipe smtp
[20131104.204125]   Size of off_t: 8
[20131104.204125]   
[20131104.204125]   Exim Perl Load List is: spamkey|mail_permissions|get_relayhosts_domain|checkuserquota|boxtrapper|fast_checkvalias|email_archiver|fast_isdemo|fast_accountfunc|0_mail_permissions_variables|checkpass_cphulkd|spam_acl_support|encode_string_literal|safefile|cpwrap|checkspam|z_preload_modules|email_send_limits|identify_local_connection
[20131104.204125]   /etc/exim.pl.local installed!
[20131104.204125]   razor2 is installed, enabled in SpamAssassin!
[20131104.204125]   pyzor is not installed, disabling it in SpamAssassin to save memory
[20131104.204125]   SPF is disabled in exim or unavailable, enabling SPF for SpamAssassin
[20131104.204125]   Refreshing SMTP Mail protection.
[20131104.204125]   SMTP Mail protection has been disabled.  All users may make outbound smtp connections.
[20131104.204131]   cpanel-perl-514-File-Scan-ClamAV-1.91-1.cp1136
[20131104.204131]   Prelinking is disabled.
[20131104.204131]   Checking for and running RPM::Versions 'post' hooks for any RPMs just installed
[20131104.204131]   All required 'post' hooks have been run
Done

Process Complete
I do have spamassassin disabled.
 

cPanelMichael

Could you elaborate a little more on what's not working with ClamAV? For instance, is it not scanning your emails for viruses?

Thank you.
 

cPanelMichael

ClamAV Scanner installs to the /usr/local/cpanel/3rdparty directory in cPanel version 11.40. You can find it at:

Code:
/usr/local/cpanel/3rdparty/bin/clamd
Thank you.
 

kisonay

Something still doesn't seem right.

I uninstall/reinstall with the same results.

I have run the following commands:

Code:
[email protected] [~]# ps aux  | grep "clamd"
root      2158  0.6 17.2 529832 330512 ?       Ssl  Nov06  10:03 /usr/local/cpanel/3rdparty/bin/clamd
root     30138  0.0  0.0 103236   856 pts/0    S+   08:19   0:00 grep clamd
Code:
[email protected] [~]# service exim restart
Shutting down exim:                                        [  OK  ]
Shutting down spamd:                                       [FAILED]
Starting exim:                                             [  OK  ]
0 processes (antirelayd) sent signal 9
Should the last one be something like the following?

Code:
# service exim restart
Shutting down clamd:                                       [  OK  ]
Shutting down exim:                                        [  OK  ]
Shutting down spamd:                                       [FAILED]
Starting clamd:                                            [  OK  ]
Starting exim:                                             [  OK  ]
0 processes (antirelayd) sent signal 9
Perhaps it has to do with a missing symlink in /usr/sbin which directs /usr/sbin/clamd -> /usr/local/cpanel/3rdparty/bin/clamd* ?
 

cPanelMichael

Hello :)

Per the release notes, if the following binaries are present, the upgrade will append .old to their names and they will be symlinked to the binaries that are installed to the /usr/local/cpanel/3rdparty directory:

Code:
/usr/sbin/clamd
/usr/local/bin/freshclam
/usr/bin/freshclam
If the binaries were not already present, then no symbolic links are added, and they should not be required. Have you tried simply using the "Virus Scanner" option in cPanel? This should help verify to you that ClamAV is working as intended. It's important to keep in mind that we changed the way ClamAV is installed, so naturally certain functionality will appear differently. This does not mean it's not working as intended.

Thank you.
 

kisonay

I'm using a third party ASSP plugin. I let the plugin's author examine the system and he discovered the following. The main issue was that ClamAV was not interacting with EXIM with the normal clam connector install.

If you restart the exim service you will see this:

Code:
[email protected] [~]# service exim restart
Shutting down exim: [ OK ]
Shutting down spamd: [FAILED]
Starting exim: [ OK ]
0 processes (antirelayd) sent signal 9

If I create the symlink

Code:
ln -s -f /usr/local/cpanel/3rdparty/bin/clamd /usr/sbin/clamd
and you restart exim you will see this instead:

Code:
[email protected] [~]# service exim restart
Shutting down clamd:                                       [  OK ]
Shutting down exim:                                        [  OK ]
Shutting down spamd: [FAILED]
Starting clamd:                                            [  OK ]
Starting exim:                                             [  OK ]
0 processes (antirelayd) sent signal 9
It happens because cPanel, when it created the new clamd location in /usr/local/cpanel/3rdparty/bin/clamd, forgot to modify /etc/init.d/exim with the new clamd location (it is still pointing to /usr/sbin/clamd).

I reported the problem to the cPanel Edge mailing list.
 

cPanelMichael

There is an internal case open to address the issue with /etc/init.d/exim utilizing the wrong path for clamd. For reference, the case number is 82281. A resolution for this case is expected in a future build of cPanel version 11.40 in the near future. Please monitor the change log for the inclusion of this case number:

cPanel Change Log

Thank you.
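
A read-only check for the state described in this thread, as an added example that is not from the posters or from cPanel: it classifies the three legacy paths named in the release-notes reply and reports whether each clamd path mentioned in /etc/init.d/exim resolves to an executable. The root prefix, the `AUDIT_ROOT` variable and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not cPanel's code): audit the clamd path mismatch from this thread.
# ROOT is a hypothetical prefix so the checks can run against a scratch tree.

NEW_BIN_DIR=/usr/local/cpanel/3rdparty/bin
LEGACY_PATHS="/usr/sbin/clamd /usr/local/bin/freshclam /usr/bin/freshclam"

# classify_link ROOT LEGACY_PATH
#   missing: nothing at the legacy path (no symlink was created)
#   linked : symlink to the binary of the same name under NEW_BIN_DIR
#   stale  : a regular file, or a symlink pointing somewhere else
classify_link() {
    root=$1; legacy=$2
    want="$root$NEW_BIN_DIR/$(basename "$legacy")"
    if [ ! -e "$root$legacy" ] && [ ! -L "$root$legacy" ]; then
        echo missing
    elif [ -L "$root$legacy" ] && [ "$(readlink "$root$legacy")" = "$want" ]; then
        echo linked
    else
        echo stale
    fi
}

# init_refs ROOT SCRIPT
#   For every absolute .../bin/clamd path the init script mentions, report
#   whether an executable exists there. "absent" matches the state in which
#   the restart output quoted in the thread showed no clamd lines.
init_refs() {
    root=$1; script=$2
    [ -r "$root$script" ] || return 0
    grep -o '/[A-Za-z0-9_./-]*bin/clamd' "$root$script" | sort -u |
    while read -r p; do
        if [ -x "$root$p" ]; then echo "$p ok"; else echo "$p absent"; fi
    done
}

audit() {
    root=${1:-}
    for p in $LEGACY_PATHS; do
        echo "$p: $(classify_link "$root" "$p")"
    done
    init_refs "$root" /etc/init.d/exim
}

audit "${AUDIT_ROOT:-}"
```

A `stale` result for a legacy path means scans or scripts calling that path may be running an older binary than the one the plugin keeps updated.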