The Community Forums

ClamAV installed in different path

Discussion in 'General Discussion' started by DennisMidjord, Mar 6, 2019.

  1. DennisMidjord

    DennisMidjord Well-Known Member

    Joined:
    Sep 27, 2016
    Messages:
    205
    Likes Received:
    18
    Trophy Points:
    18
    Location:
    Denmark
    cPanel Access Level:
    Root Administrator
    Hi.
    We just had an issue where freshclam would run for an hour with high CPU usage on most servers - except for 2.
    I read that killing freshclam, deleting daily.cld and starting freshclam again would solve the issue.
    When running killall /usr/bin/freshclam, two of our servers said the file didn't exist.

    I rechecked that ClamAV had been installed in cPanel, and it was installed on both servers. I tried reinstalling it, but that didn't help.

    It seems like ClamAV is installed in /usr/local/cpanel/3rdparty/bin/ instead of /usr/bin/.
    Code:
    [root@server11 ~]# locate freshclam
    /usr/local/cpanel/3rdparty/bin/freshclam
    /usr/local/cpanel/3rdparty/etc/freshclam.conf
    /usr/local/cpanel/3rdparty/share/man/man1/freshclam.1
    /usr/local/cpanel/3rdparty/share/man/man5/freshclam.conf.5
    
    I did check that /usr/local/cpanel/3rdparty/bin/freshclam also existed on the other servers, and it did, so it seems to have existed in two places. /usr/bin/freshclam is not a symlink of /usr/local/cpanel/3rdparty/bin/freshclam on those servers.

    Are we missing out on anything or is this expected behaviour?
     
  2. GOT

    GOT Get Proactive! PartnerNOC

    Joined:
    Apr 8, 2003
    Messages:
    1,337
    Likes Received:
    139
    Trophy Points:
    193
    Location:
    Chesapeake, VA
    cPanel Access Level:
    DataCenter Provider
    I've seen this happen when clamav was installed from the epel repo in addition to cpanel's.

    What is the output of rpm -qa|grep clam?
     
    cPanelLauren likes this.
  3. DennisMidjord

    I just tried running freshclam again, and it gets stuck once again after downloading the update:
    Code:
    [root@server11 ~]# /usr/local/cpanel/3rdparty/bin/freshclam
    ClamAV update process started at Wed Mar  6 13:45:17 2019
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.100.2 Recommended version: 0.101.1
    DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
    main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    Downloading daily-25380.cdiff [100%]
    Any idea why this happens?
     
  4. DennisMidjord

    Code:
    [root@server11 ~]# rpm -qa|grep clam
    cpanel-clamav-virusdefs-0.100.2-1.cp1170.x86_64
    clamav-0.100.2-2.el7.x86_64
    clamav-filesystem-0.100.2-2.el7.noarch
    cpanel-clamav-0.100.2-1.cp1170.x86_64
    clamav-lib-0.100.2-2.el7.x86_64
    clamav-data-0.100.2-2.el7.noarch
     
  5. GOT

    I would remove the cpanel plugin for clamav.

    Then remove via yum the extra clamav packages that rpm -qa still shows installed.

    Then reinstall the clamav plugin.
     
  6. DennisMidjord

    I see that the problem with the update might be a ClamAV issue and not a local issue: Mailing List Archive: Problem with freshclam updating daily-25380.cdiff

    I've now uninstalled the cPanel plugin and removed all remaining packages, then reinstalled the cPanel plugin. That didn't solve the issue.
    Doing yum install clamav did seem to have fixed the issue. I just hope it didn't break anything!
     
  7. GOT

    If you ran yum install clamav after installing the cpanel plugin, you are back to having two copies of clam installed, which isn't necessary.
     
  8. DennisMidjord

    Alright. But why are the clamav packages installed by default then? And doesn't imunify-antivirus use this clamav installation?

    I think the issue with freshclam has been fixed.
    freshclam downloaded a daily.cld (not cvd as normally). Deleting /usr/local/cpanel/3rdparty/share/clamav/daily.cld and then running freshclam again fixes the issue as it downloads the daily.cvd.
     
  9. GOT

    The clamav packages come from epel and a cpanel installation does not install them. Perhaps your server provider did that, but generally epel is not even enabled on a fresh minimal centos install.
     
  10. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,707
    Likes Received:
    436
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    The clamav packages that are supplied by cPanel are as follows:

    Code:
    # rpm -qa |grep clamav
    cpanel-clamav-0.100.2-1.cp1170.x86_64
    cpanel-clamav-virusdefs-0.100.2-1.cp1170.x86_64
    Anything beyond that is not something we provide or can support. I DO have another thread where cpanel-clamav seems to be using an abnormal amount of resources which you can follow along with here: ClamAV constantly failing

    I'll be posting updates in that thread as well.


    Thanks!
     
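Added example (not part of the original thread and not cPanel tooling): the check discussed above, splitting `rpm -qa` output into the two cPanel-supplied ClamAV packages and everything else. It assumes the only cPanel packages are the two named in the staff reply; the function names are hypothetical and the sample input is the package list posted earlier in the thread.

```shell
#!/bin/sh
# Added example: classify ClamAV packages from `rpm -qa` output by origin.
# Assumption: the only cPanel-supplied packages are cpanel-clamav and
# cpanel-clamav-virusdefs, as listed in the staff reply in this thread.

# audit_clam_packages: reads `rpm -qa` lines on stdin, prints one
# "origin<TAB>package" line per ClamAV package, then a verdict line.
audit_clam_packages() {
    awk '
    /clam/ {
        if ($0 ~ /^cpanel-clamav(-virusdefs)?-[0-9]/) { origin = "cpanel"; c++ }
        else                                           { origin = "other";  o++ }
        printf "%s\t%s\n", origin, $0
    }
    END {
        if (c && o) print "verdict\tmixed"        # two installations side by side
        else if (c) print "verdict\tcpanel-only"  # the supported state
        else if (o) print "verdict\tother-only"
        else        print "verdict\tnone"
    }'
}

# Sample input: the package list posted earlier in this thread.
sample_rpm_output() {
    cat <<'EOF'
cpanel-clamav-virusdefs-0.100.2-1.cp1170.x86_64
clamav-0.100.2-2.el7.x86_64
clamav-filesystem-0.100.2-2.el7.noarch
cpanel-clamav-0.100.2-1.cp1170.x86_64
clamav-lib-0.100.2-2.el7.x86_64
clamav-data-0.100.2-2.el7.noarch
EOF
}

# On a live server: rpm -qa | audit_clam_packages
sample_rpm_output | audit_clam_packages
```

A "mixed" verdict means a second freshclam and signature directory exist outside /usr/local/cpanel/3rdparty, so an update or cleanup run against one copy leaves the other untouched.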
  11. sahostking

    sahostking Well-Known Member

    Joined:
    May 15, 2012
    Messages:
    331
    Likes Received:
    3
    Trophy Points:
    68
    Location:
    Cape Town, South Africa
    cPanel Access Level:
    Root Administrator
    Hi

    Seems I have the same issue on many of our VPS servers. Quite strange. Only started happening yesterday when we noticed our monitoring showing high cpu on the nodes.
    Then when we checked we found tons of VPS servers with high load, here is one node's top -c results:

    577480 1000 20 0 91072 29m 476 R 96.8 0.0 66:04.22 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577683 1000 20 0 94052 31m 592 R 96.8 0.0 80:55.36 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577688 1000 20 0 95376 34m 1448 R 96.0 0.1 84:26.40 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577652 1000 20 0 93224 31m 896 R 95.7 0.0 74:43.08 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    784698 32010 20 0 82448 23m 2472 R 94.0 0.0 31:12.03 /usr/local/cpanel/3rdparty/bin/freshclam --quiet -l /var/log/clam-update.log
    577675 1000 20 0 97.9m 39m 1340 R 93.4 0.1 73:00.08 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577625 1000 20 0 102m 43m 924 R 92.9 0.1 79:25.78 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577659 1000 20 0 103m 43m 728 R 88.1 0.1 87:05.26 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577471 1000 20 0 94452 32m 1272 R 87.3 0.1 89:13.13 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577660 1000 20 0 105m 45m 720 R 86.7 0.1 87:44.21 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577474 1000 20 0 97.8m 38m 1124 R 85.0 0.1 86:54.61 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577654 1000 20 0 99.6m 39m 860 R 83.3 0.1 86:32.79 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577526 1000 20 0 101m 42m 1016 R 82.2 0.1 79:58.22 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577487 1000 20 0 83824 21m 824 R 74.4 0.0 32:53.38 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577680 1000 20 0 105m 42m 772 R 62.6 0.1 75:09.41 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577594 1000 20 0 102m 43m 1676 R 61.7 0.1 68:44.54 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577618 1000 20 0 92792 29m 172 R 53.6 0.0 64:13.09 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577540 1000 20 0 95508 34m 784 R 50.2 0.1 64:28.00 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    577603 1000 20 0 87860 25m 908 R 48.0 0.0 57:27.63 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings

    Very weird as these servers have been running fine for years.

    Here is one VPS server's results:

    root@vps01 [/]# /usr/local/cpanel/3rdparty/bin/freshclam -v
    Current working dir is /usr/local/cpanel/3rdparty/share/clamav
    Max retries == 3
    ClamAV update process started at Thu Mar 7 03:48:03 2019
    Using IPv6 aware code
    Querying current.cvd.clamav.net
    TTL: 1351
    Software version from DNS: 0.101.1
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.100.2 Recommended version: 0.101.1
    DON'T PANIC! Read ClamavNet
    main.cvd version from DNS: 58
    main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    daily.cvd version from DNS: 25380
    Retrieving http://database.clamav.net/daily-25379.cdiff
    Trying to download http://database.clamav.net/daily-25379.cdiff (IP: 104.16.218.84)
    Downloading daily-25379.cdiff [100%]
    cdiff_apply: Parsed 1225 lines and executed 1225 commands
    Retrieving http://database.clamav.net/daily-25380.cdiff
    Trying to download http://database.clamav.net/daily-25380.cdiff (IP: 104.16.218.84)
    Downloading daily-25380.cdiff [100%]


    I'll continue to investigate myself though.
     
  12. aeroweb

    aeroweb Well-Known Member

    Joined:
    Jun 4, 2004
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    156
    Just wanted to add that the same issue is happening on all our servers that just started an update.

    Code:
    ClamAV update process started at Wed Mar  6 20:32:22 2019
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.100.2 Recommended version: 0.101.1
    DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
    main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    Downloading daily-25380.cdiff [100%]
    
    I am probably going to delay the updates for our other servers. Any recommendations thus far? Could this just be a large database update that is taking a long time to parse?

    I found this fix on another site, haven't tried it yet: Bug#923867: Same when running from the command line
     
  13. aeroweb

    It took an hour or more on each server but it finally completed. Looks like it is just a large DB update that takes a while to finish.

    Code:
    ClamAV update process started at Wed Mar  6 20:30:38 2019
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.100.2 Recommended version: 0.101.1
    DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
    main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    Downloading daily-25380.cdiff [100%]
    daily.cld updated (version: 25380, sigs: 1503528, f-level: 63, builder: raynman)
    bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
    Database updated (6069871 signatures) from database.clamav.net (IP: 104.16.219.84)
     
  14. cPanelLauren

    What we've been finding in tickets internally is that the virus database update is what's causing this. The update is really intensive but it shouldn't be causing constant issues unless the server is running out of memory when ClamAV is loading definitions while scanning; this may not be able to be avoided.
     
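Added example (not from the thread or from cPanel): a monitoring check for the symptom reported above, flagging freshclam processes whose accumulated CPU time exceeds a threshold. It reads `top -b -n 1 -c` style lines and assumes the column layout of the listing posted in the thread; the function names are hypothetical, and the sshd sample line is constructed.

```shell
#!/bin/sh
# Added example: flag freshclam processes that have used more CPU time than a
# threshold, reading `top -b -n 1 -c` style lines on stdin.
# Assumption: columns are PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
# and TIME+ is in top's default minutes:seconds.hundredths form.

# stuck_freshclam MINUTES: prints "pid user cpu_minutes" for each freshclam
# process whose CPU time is at least MINUTES.
stuck_freshclam() {
    awk -v limit="$1" '
    $12 ~ /(^|\/)freshclam$/ {
        split($11, t, ":")      # t[1] = minutes, t[2] = seconds.hundredths
        if (t[1] + 0 >= limit) print $1, $2, t[1] + 0
    }'
}

# Sample input: three lines from the listing posted in this thread plus one
# constructed non-freshclam line to show that other processes are ignored.
sample_top_lines() {
    cat <<'EOF'
577480 1000 20 0 91072 29m 476 R 96.8 0.0 66:04.22 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
784698 32010 20 0 82448 23m 2472 R 94.0 0.0 31:12.03 /usr/local/cpanel/3rdparty/bin/freshclam --quiet -l /var/log/clam-update.log
577603 1000 20 0 87860 25m 908 R 48.0 0.0 57:27.63 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
1201 root 20 0 160m 2m 1m S 0.0 0.0 120:10.00 /usr/sbin/sshd -D
EOF
}

# On a live server: top -b -n 1 -c | stuck_freshclam 60
sample_top_lines | stuck_freshclam 60
```

Since the update reported in this thread finished after an hour or more on its own, the threshold is better used for alerting than as a trigger for killing the process.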