ClamAV installed in different path

DennisMidjord

Well-Known Member
Sep 27, 2016
263
35
28
Denmark
cPanel Access Level
Root Administrator
Hi.
We just had an issue where freshclam would run for an hour with high CPU usage on most servers - except for 2.
I read that killing freshclam, deleting daily.cld and starting freshclam again would solve the issue.
When running killall /usr/bin/freshclam, two of our servers said the file didn't exist.

I rechecked that ClamAV had been installed in cPanel, and it was installed on both servers. I tried reinstalling it, but that didn't help.

It seems like ClamAV is installed in /usr/local/cpanel/3rdparty/bin/ instead of /usr/bin/.
Code:
[[email protected] ~]# locate freshclam
/usr/local/cpanel/3rdparty/bin/freshclam
/usr/local/cpanel/3rdparty/etc/freshclam.conf
/usr/local/cpanel/3rdparty/share/man/man1/freshclam.1
/usr/local/cpanel/3rdparty/share/man/man5/freshclam.conf.5
I did check that /usr/local/cpanel/3rdparty/bin/freshclam also existed on the other servers, and it did, so it seems to have existed in two places. /usr/bin/freshclam is not a symlink of /usr/local/cpanel/3rdparty/bin/freshclam on those servers.

Are we missing out on anything or is this expected behaviour?
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,753
311
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
I've seen this happen when clamav was installed from the epel repo in addition to cpanel's.

What is the output of rpm -qa|grep clam
 

DennisMidjord

I just tried running freshclam again, and it gets stuck once again after downloading the update:
Code:
[[email protected] ~]# /usr/local/cpanel/3rdparty/bin/freshclam
ClamAV update process started at Wed Mar  6 13:45:17 2019
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.2 Recommended version: 0.101.1
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily-25380.cdiff [100%]
Any idea why this happens?
 

DennisMidjord

I've seen this happen when clamav was installed from the epel repo in addition to cpanel's.

What is the output of rpm -qa|grep clam
Code:
[roo[email protected] ~]# rpm -qa|grep clam
cpanel-clamav-virusdefs-0.100.2-1.cp1170.x86_64
clamav-0.100.2-2.el7.x86_64
clamav-filesystem-0.100.2-2.el7.noarch
cpanel-clamav-0.100.2-1.cp1170.x86_64
clamav-lib-0.100.2-2.el7.x86_64
clamav-data-0.100.2-2.el7.noarch
 

GOT

I would remove the cpanel plugin for clamav

Then remove via yum the extra clamav packages that rpm -qa still shows installed

Then reinstall the clamav plugin.
 

DennisMidjord

I see that the problem with the update might be a ClamAV issue and not a local issue: Mailing List Archive: Problem with freshclam updating daily-25380.cdiff

I've now uninstalled the cPanel plugin and removed all remaining packages, then reinstalled the cPanel plugin. That didn't solve the issue.
Doing yum install clamav did seem to have fixed the issue. I just hope it didn't break anything!
 

GOT

If you ran yum install clamav after installing the cpanel plugin, you are back to having two copies of clam installed which isn't necessary.
 

DennisMidjord

Alright. But why are the clamav packages installed by default then? And doesn't imunify-antivirus use this clamav installation?

I think the issue with freshclam has been fixed.
freshclam downloaded a daily.cld (not cvd as normally). Deleting /usr/local/cpanel/3rdparty/share/clamav/daily.cld and then running freshclam again fixes the issue as it downloads the daily.cvd.
 

GOT

The clamav packages come from epel and a cpanel installation does not install them. Perhaps your server provider did that, but generally epel is not even enabled on a fresh minimal centos install.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,261
313
Houston
The clamav packages that are supplied by cPanel are as follows:

Code:
# rpm -qa |grep clamav
cpanel-clamav-0.100.2-1.cp1170.x86_64
cpanel-clamav-virusdefs-0.100.2-1.cp1170.x86_64
Anything beyond that is not something we provide or can support. I DO have another thread where cpanel-clamav seems to be using an abnormal amount of resources which you can follow along with here: ClamAV constantly failing

I'll be posting updates in that thread as well.


Thanks!
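An added example, not part of the original post: one way to check an `rpm -qa` listing for the duplicate install discussed in this thread, treating the two `cpanel-clamav*` packages named above as the only cPanel-supplied ones. The function names are hypothetical, and the sample input is the listing posted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Per the post above, cPanel supplies only these two ClamAV packages.
CPANEL_RE='^cpanel-clamav(-virusdefs)?-[0-9]'

# `rpm -qa | grep clam` output as posted earlier in this thread.
sample_rpm_output() {
    cat <<'EOF'
cpanel-clamav-virusdefs-0.100.2-1.cp1170.x86_64
clamav-0.100.2-2.el7.x86_64
clamav-filesystem-0.100.2-2.el7.noarch
cpanel-clamav-0.100.2-1.cp1170.x86_64
clamav-lib-0.100.2-2.el7.x86_64
clamav-data-0.100.2-2.el7.noarch
EOF
}

# Print the ClamAV packages on stdin that cPanel does not supply.
extra_clam_pkgs() {
    grep -i 'clam' | grep -Ev "$CPANEL_RE" | sort
}

# Succeed when stdin lists cPanel's packages AND other ClamAV packages.
has_duplicate_install() {
    list=$(cat)
    cp=$(printf '%s\n' "$list" | grep -Ec "$CPANEL_RE" || true)
    extra=$(printf '%s\n' "$list" | grep -i 'clam' | grep -Evc "$CPANEL_RE" || true)
    [ "$cp" -gt 0 ] && [ "$extra" -gt 0 ]
}

# Use the live package list when rpm exists, otherwise the sample above.
if command -v rpm >/dev/null 2>&1; then pkgs=$(rpm -qa); else pkgs=$(sample_rpm_output); fi

if printf '%s\n' "$pkgs" | has_duplicate_install; then
    echo "Two ClamAV installs found; packages not supplied by cPanel:"
    printf '%s\n' "$pkgs" | extra_clam_pkgs
    # Show which package owns each freshclam path named in this thread.
    for bin in /usr/bin/freshclam /usr/local/cpanel/3rdparty/bin/freshclam; do
        if [ -x "$bin" ] && command -v rpm >/dev/null 2>&1; then
            echo "$bin: $(rpm -qf "$bin" 2>/dev/null || echo 'not owned by any package')"
        fi
    done
else
    echo "No duplicate ClamAV install detected."
fi
```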
 

sahostking

Well-Known Member
May 15, 2012
378
10
68
Cape Town, South Africa
cPanel Access Level
Root Administrator
Hi

Seems I have the same issue on many of our VPS servers. Quite strange. Only started happening yesterday when we noticed our monitoring showing high cpu on the nodes.
Then when we checked we found tons of VPS servers with high load, here is one node's top -c results:

577480 1000 20 0 91072 29m 476 R 96.8 0.0 66:04.22 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577683 1000 20 0 94052 31m 592 R 96.8 0.0 80:55.36 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577688 1000 20 0 95376 34m 1448 R 96.0 0.1 84:26.40 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577652 1000 20 0 93224 31m 896 R 95.7 0.0 74:43.08 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
784698 32010 20 0 82448 23m 2472 R 94.0 0.0 31:12.03 /usr/local/cpanel/3rdparty/bin/freshclam --quiet -l /var/log/clam-update.log
577675 1000 20 0 97.9m 39m 1340 R 93.4 0.1 73:00.08 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577625 1000 20 0 102m 43m 924 R 92.9 0.1 79:25.78 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577659 1000 20 0 103m 43m 728 R 88.1 0.1 87:05.26 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577471 1000 20 0 94452 32m 1272 R 87.3 0.1 89:13.13 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577660 1000 20 0 105m 45m 720 R 86.7 0.1 87:44.21 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577474 1000 20 0 97.8m 38m 1124 R 85.0 0.1 86:54.61 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577654 1000 20 0 99.6m 39m 860 R 83.3 0.1 86:32.79 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577526 1000 20 0 101m 42m 1016 R 82.2 0.1 79:58.22 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577487 1000 20 0 83824 21m 824 R 74.4 0.0 32:53.38 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577680 1000 20 0 105m 42m 772 R 62.6 0.1 75:09.41 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577594 1000 20 0 102m 43m 1676 R 61.7 0.1 68:44.54 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577618 1000 20 0 92792 29m 172 R 53.6 0.0 64:13.09 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577540 1000 20 0 95508 34m 784 R 50.2 0.1 64:28.00 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577603 1000 20 0 87860 25m 908 R 48.0 0.0 57:27.63 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings

Very weird as these servers have been running fine for years.

Here is one VPS server's results:

[email protected] [/]# /usr/local/cpanel/3rdparty/bin/freshclam -v
Current working dir is /usr/local/cpanel/3rdparty/share/clamav
Max retries == 3
ClamAV update process started at Thu Mar 7 03:48:03 2019
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1351
Software version from DNS: 0.101.1
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.2 Recommended version: 0.101.1
DON'T PANIC! Read ClamavNet
main.cvd version from DNS: 58
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cvd version from DNS: 25380
Retrieving http://database.clamav.net/daily-25379.cdiff
Trying to download http://database.clamav.net/daily-25379.cdiff (IP: 104.16.218.84)
Downloading daily-25379.cdiff [100%]
cdiff_apply: Parsed 1225 lines and executed 1225 commands
Retrieving http://database.clamav.net/daily-25380.cdiff
Trying to download http://database.clamav.net/daily-25380.cdiff (IP: 104.16.218.84)
Downloading daily-25380.cdiff [100%]


I'll continue to investigate myself though.
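An added example, not part of the original post: one way to pick out stuck freshclam processes from `top -c` batch output like the listing above, using their accumulated CPU time. The function names and the 60-minute threshold are assumptions, and one sample line is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Read `top -b -c` process lines on stdin and print "PID MINUTES" for each
# freshclam process whose accumulated CPU time (TIME+, field 11) exceeds
# the limit in minutes given as $1.
long_running_freshclam() {
    awk -v limit="$1" '
    $12 ~ /\/freshclam$/ {
        n = split($11, t, ":")
        if (n == 2)      mins = t[1] + t[2] / 60             # MM:SS.hh
        else if (n == 3) mins = t[1] * 60 + t[2] + t[3] / 60 # H:MM:SS
        else next
        if (mins > limit) printf "%s %d\n", $1, mins
    }'
}

# Four lines copied from the top output above, plus one constructed
# non-freshclam line (PID 4242) to show that other processes are ignored.
sample_top_lines() {
    cat <<'EOF'
577480 1000 20 0 91072 29m 476 R 96.8 0.0 66:04.22 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
784698 32010 20 0 82448 23m 2472 R 94.0 0.0 31:12.03 /usr/local/cpanel/3rdparty/bin/freshclam --quiet -l /var/log/clam-update.log
4242 27 20 0 1024m 310m 5120 S 12.0 0.9 140:10.55 /usr/sbin/mysqld --basedir=/usr
577471 1000 20 0 94452 32m 1272 R 87.3 0.1 89:13.13 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577487 1000 20 0 83824 21m 824 R 74.4 0.0 32:53.38 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
EOF
}

# Flag anything that has burned more than an hour of CPU.
# On a live server: top -b -n 1 -c | long_running_freshclam 60
sample_top_lines | long_running_freshclam 60
```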
 

aeroweb

Well-Known Member
Jun 4, 2004
67
1
156
Just wanted to add that the same issue is happening on all our servers that just started an update.

Code:
ClamAV update process started at Wed Mar  6 20:32:22 2019
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.2 Recommended version: 0.101.1
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily-25380.cdiff [100%]
I am probably going to delay the updates for our other servers. Any recommendations thus far? Could this just be a large database update that is taking a long time to parse?

I found this fix on another site, haven't tried it yet: Bug#923867: Same when running from the command line
 

aeroweb

It took an hour or more on each server but it finally completed. Looks like it is just a large DB update that takes a while to finish.

Code:
ClamAV update process started at Wed Mar  6 20:30:38 2019
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.2 Recommended version: 0.101.1
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily-25380.cdiff [100%]
daily.cld updated (version: 25380, sigs: 1503528, f-level: 63, builder: raynman)
bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
Database updated (6069871 signatures) from database.clamav.net (IP: 104.16.219.84)
 

cPanelLauren

What we've been finding in tickets internally is that the virus database update is what's causing this. The update is really intensive, but it shouldn't be causing constant issues unless the server is running out of memory when ClamAV is loading definitions while scanning; this may not be able to be avoided.