Change in Clamscan result as of cPanel 100.0.8

PeteS

Well-Known Member
Jun 8, 2017
303
66
78
Oregon
cPanel Access Level
Root Administrator
Re: /usr/local/cpanel/3rdparty/bin/clamscan -ir /home/ | mail -s "Clamscam results" root

For years I have been used to seeing the following result from the above:

LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 26841088 bytes
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 26800128 bytes
LibClamAV Warning: Unsupported message format `global' - if you believe this file contains a virus, submit it to www.clamav.net
LibClamAV Warning: Unsupported message format `global' - if you believe this file contains a virus, submit it to www.clamav.net
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 26808320 bytes

(This is a sample; there are a few more entries than that.)

As of v100.0.8 the run time changed (indicating a changed CRON, I assume), and the output changed to include the following entry types:

LibClamAV info: Suspicious link found!
LibClamAV info: Real URL: http://m.amex
LibClamAV info: Display URL: https://cdaas.americanexpress.com
LibClamAV info: Suspicious link found!
LibClamAV info: Real URL: http://go.amex
LibClamAV info: Display URL: americanexpress.com
LibClamAV Warning: PNG: Unexpected early end-of-file.
LibClamAV info: Suspicious link found!
LibClamAV info: Real URL: https://anqedrepome.com
LibClamAV info: Display URL: http://connect.secure.wellsfargo.com

(This is just a sample of hundreds of new entries. The previous content is also in the middle of the report.)

Also, the two days prior to the update, I got these related error reports from /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings

ERROR: getpatch: Can't download daily-26439.cdiff from database.clamav.net
ERROR: getfile: Unknown response from database.clamav.net (IP: 104.16.218.84): HTTP/1.1 403
ERROR: Can't download daily.cvd from database.clamav.net

ERROR: getpatch: Can't download daily-26439.cdiff from database.clamav.net
ERROR: Can't download daily.cvd from database.clamav.net

Is there documentation about this somewhere?

-Pete
 
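The report format described above (LibClamAV warnings, "Suspicious link found!" Real/Display URL pairs, and "FOUND" detections) is easy to condense before it is mailed. The script below is an added example, not from the thread or from cPanel: a POSIX shell/awk function that summarizes clamscan output, fed with a constructed sample built from the lines quoted in the post. The cron wiring in the comment and the EICAR detection line are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: condense clamscan output so the mailed
# report leads with counts and the phishing-link pairs instead of hundreds of
# raw "LibClamAV info:" lines. Assumed wiring (hypothetical cron line):
#   clamscan -ir /home/ | tee /var/log/clamscan-full.log | clamscan_summary | mail -s "clamscan summary" root

# Reads clamscan/libclamav output on stdin and prints a short summary.
clamscan_summary() {
  awk '
    /^LibClamAV Warning: / {
      msg = substr($0, 20)                 # drop the "LibClamAV Warning: " prefix
      split(msg, parts, ":")               # group by subsystem, e.g. cli_scanxz, PNG
      warn[parts[1]]++
      next
    }
    /^LibClamAV info: Suspicious link found!/ { links++; next }
    /^LibClamAV info: Real URL: /    { real = substr($0, 27); next }
    /^LibClamAV info: Display URL: / { pair[real " -> " substr($0, 30)]++; next }
    / FOUND$/ { found++; next }          # "path: Signature FOUND" detections
    END {
      printf "infected=%d suspicious_links=%d\n", found, links
      for (w in warn) printf "warning[%s]=%d\n", w, warn[w]
      for (p in pair) printf "link: %s (x%d)\n", p, pair[p]
    }'
}

# Constructed sample modelled on the lines quoted in the thread; the FOUND line
# uses the EICAR test signature and is made up for this example.
SAMPLE='LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 26841088 bytes
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 26800128 bytes
LibClamAV info: Suspicious link found!
LibClamAV info: Real URL: http://m.amex
LibClamAV info: Display URL: https://cdaas.americanexpress.com
LibClamAV Warning: PNG: Unexpected early end-of-file.
LibClamAV info: Suspicious link found!
LibClamAV info: Real URL: https://anqedrepome.com
LibClamAV info: Display URL: http://connect.secure.wellsfargo.com
/home/example/mail/new/1644000000.M1P1.host: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1'

printf '%s\n' "$SAMPLE" | clamscan_summary
```

The full output is still kept on disk via tee, so the mail only carries the counts and the Real/Display URL pairs worth a look.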

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,360
1,632
363
cPanel Access Level
Root Administrator
Hey there! We have more details on the failure, which is fixed on version 100.0.9 here:


and here


I haven't seen any other reports about the output change, and lots of people have been talking about ClamAV because of those issues, so that might be worth submitting a ticket to our team so we can take a look.
 

PeteS

Well-Known Member
Jun 8, 2017
303
66
78
Oregon
cPanel Access Level
Root Administrator
Thanks for the quick reply.

Actually the clamav download bug showed up on 1/31 & 2/1, and the update to 100.0.8 was on 2/3, and to 100.0.9 on 2/4 (for me), but the download bug didn't appear on 2/2 or after. Regardless, it all looks to be fine now.

Your second link on the Clamav version seems really confused! I checked and I see Clamav 0.104.0-1.cp11100 in WHM. Or is this a tweaked older version of Clamav to fool their download server? Can you get me the real answer on which version of Clamav cPanel is supposed to be running now and in which cPanel version it was updated?

As for the report, it simply has a lot more info in it, which I assumed was due to a Clamav update. I'll look into it more once you provide the answers to the above. Then we can go from there - it may just be an update.

-Pete
 

Metro2

Well-Known Member
May 24, 2006
554
90
178
USA
cPanel Access Level
Root Administrator
I checked and I see Clamav 0.104.0-1.cp11100 in WHM. Or is this a tweaked older version of Clamav to fool their download server?
I noticed this as well ;) Even though cPanel 102 has not made it to Release tier yet, on 101.0.8 and 101.0.9 the ClamAV version shows as the latest instead of the outdated. My GUESS is that cPanel developers have been working in the necessary code for updated ClamAV and that the transitional code has made it to 101.0.8+, but that's just my guess. Considering that we know it is resolved in cPanel 102, I doubt that cPanel would resort to "fooling" the ClamAV download server and this is a prep stage as 102 is about to reach Release and the initial fix could possibly be already implemented in CP 101.0.8 / 101.0.9 in a sort of beta capacity. Just giving the benefit of the doubt here, as I wouldn't know for sure, but in any case it's good to know that this long-time issue is about to be put to rest. (And I'll bet the CP devs have worked under pressure / are relieved as well.)
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,360
1,632
363
cPanel Access Level
Root Administrator
@PeteS - I can confirm we wouldn't try and trick the download servers like that - that would get messy.

The changes in the report are confirmed to be just part of the update.

At this point we're expecting things to work in 100.0.9 and LTS 94. If you're NOT seeing that as the case, please let me know!
 

PeteS

Well-Known Member
Jun 8, 2017
303
66
78
Oregon
cPanel Access Level
Root Administrator
@PeteS - I can confirm we wouldn't try and trick the download servers like that - that would get messy.
I was mostly kidding... ;)

The changes in the report are confirmed to be just part of the update.
Thank you, I assumed so but wanted to confirm.

At this point we're expecting things to work in 100.0.9 and LTS 94. If you're NOT seeing that as the case, please let me know!
All appears well for me with 100.0.9.
 