Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

ClamAV constantly failing

Discussion in 'Security' started by carolainn, Feb 19, 2019.

  1. carolainn

    carolainn Active Member

    Joined:
    Feb 22, 2018
    Messages:
    25
    Likes Received:
    9
    Trophy Points:
    3
    Location:
    Argentina
    cPanel Access Level:
    Root Administrator
    Hello,

    I get tons of notifications that clamAV appears to be down and fails to restart. It says that there is a duplicate database and should be manually removed. I followed the instructions on another thread with this same issue, but did not work, and reverted to previous situation, but now I don't know what to do next. I'm a rookie, and I'll probably always be, I aprecciate some guidance.

    This is what happened:

    [root@server ~]# mkdir /root/clamav-backup
    [root@server ~]# mv /usr/local/cpanel/3rdparty/share/clamav/bytecode.cld /root/clamav-backup
    [root@server ~]# /usr/local/cpanel/3rdparty/bin/freshclam
    ClamAV update process started at Wed Feb 20 00:13:02 2019
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.100.2 Recommended version: 0.101.1
    DON'T PANIC! Read ClamavNet
    main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    Downloading daily-25365.cdiff [100%]
    daily.cld updated (version: 25365, sigs: 2254643, f-level: 63, builder: raynman)
    bytecode.cvd is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
    Database updated (6820986 signatures) from database.clamav.net (IP: 104.16.219.84)
    [root@server ~]# /scripts/restartsrv_clamd
    Waiting for “clamd” to stop ………finished.

    info [restartsrv_clamd] systemd failed to start the service “clamd” (The “/usr/bin/systemctl restart clamd.service --no-ask-password” command (process 13010) reported error number 1 when it ended.): Job for clamd.service failed because the control process exited with error code. See "systemctl status clamd.service" and "journalctl -xe" for details.

    Waiting for “clamd” to start ………failed.

    Cpanel::Exception::Services::StartError
    Service Status

    Service Error
    (XID qmcehw) The “clamd” service failed to start.

    Startup Log
    Feb 20 00:14:00 xxx.xxxxxx.xxx systemd[1]: Starting clamd antivirus daemon...
    Feb 20 00:14:19 xxx.xxxxxx.xxx systemd[1]: clamd.service: control process exited, code=exited status=1
    Feb 20 00:14:19 xxx.xxxxxx.xxx systemd[1]: Failed to start clamd antivirus daemon.
    Feb 20 00:14:19 xxx.xxxxxx.xxx systemd[1]: Unit clamd.service entered failed state.
    Feb 20 00:14:19 xxx.xxxxxx.xxx systemd[1]: clamd.service failed.

    clamd has failed. Contact your system administrator if the service does not automagically recover.
    [root@server ~]# mv /root/clamav-backup/bytecode.cld /usr/local/cpanel/3rdparty/share/clamav
    [root@server ~]# /usr/local/cpanel/3rdparty/bin/freshclam
    ClamAV update process started at Wed Feb 20 00:17:59 2019
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.100.2 Recommended version: 0.101.1
    DON'T PANIC! Read ClamavNet
    main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    daily.cld is up to date (version: 25365, sigs: 2254643, f-level: 63, builder: raynman)
    bytecode.cvd is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
    [root@server ~]# /scripts/restartsrv_clamd
    Service “clamd” is already stopped.

    info [restartsrv_clamd] systemd failed to start the service “clamd” (The “/usr/bin/systemctl restart clamd.service --no-ask-password” command (process 13304) reported error number 1 when it ended.): Job for clamd.service failed because the control process exited with error code. See "systemctl status clamd.service" and "journalctl -xe" for details.

    Waiting for “clamd” to start ………failed.

    Cpanel::Exception::Services::StartError
    Service Status

    Service Error
    (XID faxrvx) The “clamd” service failed to start.

    Startup Log
    Feb 20 00:19:31 xxx.xxxxxx.xxx systemd[1]: Starting clamd antivirus daemon...
    Feb 20 00:19:48 xxx.xxxxxx.xxx clamd[13305]: LibClamAV Warning: Detected duplicate databases /usr/local/cpanel/3rdparty/share/clamav/bytecode.cld and /usr/local/cpanel/3rdparty/share/clamav/bytecode.cvd. The /usr/local/cpanel/3rdparty/share/clamav/bytecode.cld database is older and will not be loaded, you should manually remove it from the database directory.
    Feb 20 00:19:51 xxx.xxxxxx.xxx systemd[1]: clamd.service: control process exited, code=exited status=1
    Feb 20 00:19:51 xxx.xxxxxx.xxx systemd[1]: Failed to start clamd antivirus daemon.
    Feb 20 00:19:51 xxx.xxxxxx.xxx systemd[1]: Unit clamd.service entered failed state.
    Feb 20 00:19:51 xxx.xxxxxx.xxx systemd[1]: clamd.service failed.

    clamd has failed. Contact your system administrator if the service does not automagically recover.
    [root@server ~]#
     
  2. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,851
    Likes Received:
    141
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    How much memory does this system have?

    Are you sure you aren't running up against a memory limit?

    ClamAV is a huge memory hog.
     
  3. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,004
    Likes Received:
    363
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @carolainn


    Can you tell me what is present in the following?

    Code:
    ls -lah /usr/local/cpanel/3rdparty/share/clamav/
    My assumption is there's more than one .cld file there.

    You might try mv'ing them all and if that's not successful I'd suggest reinstalling cpanel-clamav you can do this by doing the following:

    Here's what I did on my server to remove and reinstall (note you may want to ensure the rpm name specifically first:
    Identify the specific ClamAV versions:
    Code:
    rpm -qa |grep clamav
    cpanel-clamav-0.100.2-1.cp1170.x86_64
    cpanel-clamav-virusdefs-0.100.2-1.cp1170.x86_64
    Remove those
    Code:
    rpm -e --nodeps cpanel-clamav-0.100.2-1.cp1170.x86_64 cpanel-clamav-virusdefs-0.100.2-1.cp1170.x86_64
    reinstall ClamAV and the virus defs
    Code:
    /scripts/check_cpanel_rpms --fix
    I'd also be curious to know if you're running on CentOS or CloudLinux and/or do you have Imunify360 installed?

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 cPanelLauren, Feb 20, 2019
    Last edited: Feb 20, 2019
  4. carolainn

    carolainn Active Member

    Joined:
    Feb 22, 2018
    Messages:
    25
    Likes Received:
    9
    Trophy Points:
    3
    Location:
    Argentina
    cPanel Access Level:
    Root Administrator
    Thanks for your reply.

    The system has 2 GB of memory.

    (WHM) Home »Server Status »Service Status

    Service Information
    Service clamd
    Version 0.100.2-1
    Status down

    System Information
    Memory Used 42.2% (794,336 of 1,882,220)

    (WHM) Home »Server Status »Server Information

    Memory Information
    [ 0.000000] Memory: 1860764k/2097008k available (7664k kernel code, 392k absent, 235852k reserved, 6055k data, 1876k init)

    Current Memory Usage

    >>>>>>> total - used - free - shared - buff/cache - available
    Mem: 1882220 - 773744 - 507236 - 25744 - 601240 - 916416
    Swap: 0 - 0 - 0
    Total: 1882220 - 773744 - 507236

    Thanks again.
     
  5. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,004
    Likes Received:
    363
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    This is interesting because with ClamAV being down the server is using nearly half of the memory it has allocated to it. @sparek-3 may be on to something as well you might check /var/log/messages for out of memory errors as well.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 cPanelLauren, Feb 20, 2019
    Last edited: Feb 20, 2019
  6. carolainn

    carolainn Active Member

    Joined:
    Feb 22, 2018
    Messages:
    25
    Likes Received:
    9
    Trophy Points:
    3
    Location:
    Argentina
    cPanel Access Level:
    Root Administrator
    Hello! thanks for your reply.

    Code:
    ls -lah /usr/local/cpanel/3rdparty/share/clamav/
    total 273M
    drwxrwxr-x 3 clamav clamav 165 Feb 20 04:49 .
    drwxr-xr-x 79 root root 4.0K Feb 4 14:13 ..
    -rw-r--r-- 1 root root 314K Feb 17 23:55 bytecode.cld
    -rw-r--r-- 1 clamav clamav 196K Jan 31 10:40 bytecode.cvd
    -rw-r--r-- 1 clamav clamav 156 Oct 10 17:01 clamavconnector.conf
    -rwxr-xr-x 1 root root 15K Oct 10 17:01 copyright
    -rw-r--r-- 1 clamav clamav 160M Feb 20 00:13 daily.cld
    drwxr-xr-x 2 clamav clamav 136 Feb 17 23:55 .first-install
    -rw-r--r-- 1 clamav clamav 113M Feb 17 23:55 main.cvd
    -rw------- 1 clamav clamav 364 Feb 20 04:49 mirrors.dat


    There is two .cld but with different names. Which should I remove?

    Thanks for your time.
     
  7. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,004
    Likes Received:
    363
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @carolainn

    Both of the .cld files should be removed then try and restart the software.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  8. carolainn

    carolainn Active Member

    Joined:
    Feb 22, 2018
    Messages:
    25
    Likes Received:
    9
    Trophy Points:
    3
    Location:
    Argentina
    cPanel Access Level:
    Root Administrator
    Ok, I did that and then restarted the service and had no error.

    I checked the log and there is a lot of this type of messages:

    Feb 20 17:00:01 server systemd: Started Session 686 of user root.
    Feb 20 17:00:04 server systemd: Removed slice User Slice of root.

    What are those about?
     
  9. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,004
    Likes Received:
    363
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @carolainn
    I'm glad to hear that the service started successfully! My hope now is that it continues to run normally. Were you able to check if you had imunify or CloudLinux installed on the server? My concern there is that they have their own version of ClamAV being used for scanning and there have been some cases in which there are conflicts.


    These are unrelated to anything occurring with ClamAV or even Out of Memory errors, these occur every time a user logs on and can be dismissed - redhat explains this here as well: Logs flooded with systemd messages: Created slice & Starting Session - Red Hat Customer Portal

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  10. carolainn

    carolainn Active Member

    Joined:
    Feb 22, 2018
    Messages:
    25
    Likes Received:
    9
    Trophy Points:
    3
    Location:
    Argentina
    cPanel Access Level:
    Root Administrator
    I hope that too!. I will post again if something changes.

    My VPS is running on CentOS, and I don't have Inmunify360 installed.

    Oh I see! So I shouldn't worry then.

    Thanks so much for the help! <3
     
    cPanelLauren likes this.
  11. carolainn

    carolainn Active Member

    Joined:
    Feb 22, 2018
    Messages:
    25
    Likes Received:
    9
    Trophy Points:
    3
    Location:
    Argentina
    cPanel Access Level:
    Root Administrator
    It's happening again... :(
    I think it started after an automatic system update.
     
  12. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,004
    Likes Received:
    363
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @carolainn

    Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. benito

    benito Well-Known Member

    Joined:
    Jan 8, 2004
    Messages:
    350
    Likes Received:
    7
    Trophy Points:
    168
    Location:
    Mar del Plata - Argentina
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello! I also have a 2gig system who clamd is failing constantly. Did you find a solution?

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  14. carolainn

    carolainn Active Member

    Joined:
    Feb 22, 2018
    Messages:
    25
    Likes Received:
    9
    Trophy Points:
    3
    Location:
    Argentina
    cPanel Access Level:
    Root Administrator
    Hola! not yet! Still failing. Im gonna send a ticket as Lauren suggested.
    Tu VPS es de godaddy también?
     
    benito likes this.
  15. carolainn

    carolainn Active Member

    Joined:
    Feb 22, 2018
    Messages:
    25
    Likes Received:
    9
    Trophy Points:
    3
    Location:
    Argentina
    cPanel Access Level:
    Root Administrator
    Hello Lauren,

    I had a problem with the creation of the ticket because when I entered the Server IP that is in Home »Support »Support Center, I received a notification that the IP and ID did not match. So I changed the IP for the IP in the URL, and worked, I don't know why I have different IPs...

    My Support Request ID is: 11603741

    Thanks for your time and help!
     
    cPanelLauren likes this.
  16. benito

    benito Well-Known Member

    Joined:
    Jan 8, 2004
    Messages:
    350
    Likes Received:
    7
    Trophy Points:
    168
    Location:
    Mar del Plata - Argentina
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hola como andas?

    No, my server its on Linode. Im pretty sure it'ss because a lack of ram.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  17. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,004
    Likes Received:
    363
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello @carolainn


    Thank you for opening the ticket, I'm watching it and I've linked it (internally) to this thread. When the issue is resolved I'll update this thread with the analyst's findings as well as how the issue was resolved.


    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    benito likes this.
  18. carolainn

    carolainn Active Member

    Joined:
    Feb 22, 2018
    Messages:
    25
    Likes Received:
    9
    Trophy Points:
    3
    Location:
    Argentina
    cPanel Access Level:
    Root Administrator
    Hello, the problem was that I didn't have swap space. We added a swap file of 2 GB, and the issue was solved! Thank you so much!
     
    benito and cPanelLauren like this.
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice