ClamAV freshclam and clamscan binaries are different versions.

Discussion in 'Security' started by jndawson, Sep 14, 2017.

  1. jndawson

    jndawson Well-Known Member

    Joined:
    Aug 27, 2014
    Messages:
    173
    Likes Received:
    18
    Trophy Points:
    18
    Location:
    Western US
    cPanel Access Level:
    DataCenter Provider
    We got an email alert from a server that has had the ClamAV plugin installed for at least 5 years (and 'Manage Plugins' indicates it's properly installed):

    Code:
    ClamAV freshclam and clamscan binaries are different versions. Install ClamAV within "Manage Plugins".
    We just updated to v.66.0.22 last night during the normal update cycle. We've received no binary mismatch notice on any other servers.

    We decided to remove the plugin and reinstall it. Seemed to go well, 'Manage Plugins' indicates it's properly installed and 'Service Status' indicates it's running.

    Just for grins, we restarted clamd to be sure all was copacetic:
    Code:
    [ root@cp2 ~># /scripts/restartsrv_clamd
    Waiting for âclamdâclamdâ
    
    Service Status
            clamd (/usr/local/cpanel/3rdparty/bin/clamd) is running as root with PID 21668 (pidfile+/proc check method).
    
    Startup Log
            LibClamAV Warning: Detected duplicate databases /usr/local/cpanel/3rdparty/share/clamav/main.cvd and /usr/local/cpanel/3rdparty/share/clamav/main.cld, please manually remove one of them
    
    clamd restarted successfully.
    Here's what we've got:

    Code:
    [ root@cp2 ~># ls -l /usr/local/cpanel/3rdparty/share/clamav/main*
    -rw-r--r-- 1 clamav clamav 307499008 Jun  7 21:09 /usr/local/cpanel/3rdparty/share/clamav/main.cld
    -rw-r--r-- 1 clamav clamav 117892267 Sep 14 11:06 /usr/local/cpanel/3rdparty/share/clamav/main.cvd
    
    main.cvd apparently created when reinstalling the plugin; main.cld apparently the old one which should be removed.

    Correct?

    If so, do we need to reinstall the clamAV plugin on the other servers? And any reason/speculation why this occurred?
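
As an added example (not part of the original posts and not cPanel's own check), the shell functions below compare the engine versions reported by two ClamAV binaries and list databases present as both `.cvd` and `.cld`, the two conditions raised in the post above. The function names and the `BIN`/`DB` variables are assumptions; how cPanel's notification decides on a mismatch is not shown in the thread.

```shell
#!/bin/sh
# Added example (not cPanel's own check): looks for the two conditions in this thread.

# Extract the engine version ("0.99.2") from a --version line such as
# "ClamAV 0.99.2/23800/Thu Sep 14 10:00:00 2017".
engine_version() {
    printf '%s\n' "$1" | sed -n 's|^ClamAV \([^/ ]*\).*|\1|p'
}

# Succeed only when both version lines parse and name the same engine version.
same_engine() {
    a=$(engine_version "$1")
    b=$(engine_version "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# For every database in directory $1 that exists as both NAME.cvd and NAME.cld
# (the condition behind the "duplicate databases" warning), print the name and
# which copy has the older modification time.
find_duplicate_dbs() {
    for cvd in "$1"/*.cvd; do
        [ -e "$cvd" ] || continue
        cld="${cvd%.cvd}.cld"
        [ -e "$cld" ] || continue
        name=$(basename "$cvd" .cvd)
        if [ "$cvd" -nt "$cld" ]; then older="$name.cld"; else older="$name.cvd"; fi
        printf '%s older=%s\n' "$name" "$older"
    done
}

# Live check, skipped when the binaries are absent. BIN and DB default to the
# directories shown in the thread; clamscan living in BIN is an assumption.
BIN=${BIN:-/usr/local/cpanel/3rdparty/bin}
DB=${DB:-/usr/local/cpanel/3rdparty/share/clamav}
if [ -x "$BIN/freshclam" ] && [ -x "$BIN/clamscan" ]; then
    if same_engine "$("$BIN/clamscan" --version)" "$("$BIN/freshclam" --version)"; then
        echo "engine versions match"
    else
        echo "engine versions differ"
    fi
    find_duplicate_dbs "$DB"
fi
```

The script only reports; it removes nothing, so the older copy can be inspected before deciding which file to delete.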
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    40,631
    Likes Received:
    1,550
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Are you sure no other installations of ClamAV exist on this system? For instance, check to see the output of the following commands:

    Code:
    rpm -qa|grep clam
    locate freshclam
    Thank you.
     
  3. jndawson

    jndawson Well-Known Member

    We already did that:
    Code:
    [ root@cp2 ~># rpm -qa|grep clam
    cpanel-clamav-0.99.2-2.cp1164.x86_64
    cpanel-clamav-virusdefs-0.99.2-2.cp1164.x86_64
    
    [ root@cp2 ~># locate freshclam
    /usr/local/cpanel/3rdparty/bin/freshclam
    /usr/local/cpanel/3rdparty/etc/freshclam.conf
    /usr/local/cpanel/3rdparty/share/man/man1/freshclam.1
    /usr/local/cpanel/3rdparty/share/man/man5/freshclam.conf.5
    /var/asl/data/templates/template-freshclam.conf
    
    Still have the same questions, and no, none of our other servers have experienced the same weird error message.
     
  4. John W

    John W Member

    Joined:
    Aug 24, 2007
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    Orlando
    I have this same message after upcp ran this morning. But, nothing is different that I can find.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look to see why the "ClamAV freshclam and clamscan binaries are different versions" notification was sent on the affected system? It should not be sent if the only installed ClamAV instance was enabled through the "WHM >> Manage Plugins" interface.

    Thank you.
     
  6. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    862
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    I just received this same alert overnight.
    CENTOS 6.9 standard - v66.0.27
    Code:
    # rpm -qa|grep clam
    cpanel-clamav-0.99.2-2.cp1164.x86_64
    cpanel-clamav-virusdefs-0.99.2-2.cp1164.x86_64
    # locate freshclam
    /usr/local/cpanel/3rdparty/bin/freshclam
    /usr/local/cpanel/3rdparty/etc/freshclam.conf
    /usr/local/cpanel/3rdparty/share/man/man1/freshclam.1
    /usr/local/cpanel/3rdparty/share/man/man5/freshclam.conf.5
    
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @verdon,

    Could you open a support ticket using the link in my signature so we can take a closer look?

    Thank you.
     
  8. verdon

    verdon Well-Known Member

    Hi,

    I'm so sorry. I completely missed this reply @cPanelMichael. Is there any point after this amount of time, and an update to v.68? Is there something I can test? I have not received this notification since. Just the one time.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    We could check to make sure there are no rogue copies of ClamAV or FreshClam installed on the system.

    Thank you.
     
  10. verdon

    verdon Well-Known Member

    No. Thank you :) Ticket ID 9011467
     
  11. jndawson

    jndawson Well-Known Member

    What was the result?
     
  12. verdon

    verdon Well-Known Member

    Only that there were no rogue/extra copies of ClamAV or FreshClam on the system. There had been an update to whm v.68 run on the server since the initial incident, and it's possible that any duplicate was cleaned up then. I suppose it's possible it was just a false positive to begin with as well. I don't know, but it is all good now.
     