ClamAV update script and logging issues

[sneader]

I believe after the v82 update, we started to get daily emails like:

From: Anacron <[email protected]>
Subject: Anacron job 'cron.daily' on host.example.com

/etc/cron.daily/freshclam:

/etc/cron.daily/freshclam: line 15: /usr/bin/freshclam: No such file or directory

Indeed, if you look at /etc/cron.daily/freshclam, it refers to the freshclam executable being at /usr/bin/freshclam but it is not there.... instead, it is at /usr/local/cpanel/3rdparty/bin/freshclam

But, when I fix /etc/cron.daily/freshclam to point to the correct path for freshclam, I get a new error in the daily cron email:

/etc/cron.daily/freshclam:

ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!).

The log file is there and, as far as I know, has the right permissions?

-rw-r--r--  1 clam clam     0 Aug 18 03:22 freshclam.log

Ideas?

- Scott

 

[Metro2]

Same problem here.

At first I thought it might be related my CSF/LFD/Mailscanner installation from ConfigServer in which case I'd be hesitant to try any solutions found on forums, so I contacted ConfigServer and they informed me:

"When we install MailScanner currently we use cPanel's clamavconnector, and the errors you are receiving do not relate to that. As long as you're on a supported version of cPanel it shouldn't have any impact on our products. "

So that means either finding a solution together here on the forums, or submitting a ticket to cPanel.

I'm subscribing to this thread and hopefully someone who has experienced / resolved this will chime in (fingers crossed) , but if not than in a couple days I'll submit a ticket to cPanel Support and will update the outcome here.

 

[wintech2003]

The /etc/cron.daily/freshclam should fix any permission issues itself normally

LOG_FILE="/var/log/clamav/freshclam.log"
if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clam.clam "$LOG_FILE"
fi

Do you by any chance have the epel repo activated?
Could you check your /var/log/yum.log to see if your clamav package got updated recently?

 

[Metro2]

In my case, grep clam /var/log/yum.log shows:

Aug 16 01:00:37 Installed: clamav-filesystem-0.101.3-1.el6.noarch
Aug 16 01:00:42 Installed: clamav-data-0.101.3-1.el6.noarch
Aug 16 01:00:42 Installed: clamav-lib-0.101.3-1.el6.x86_64
Aug 16 01:00:43 Updated: clamav-0.101.3-1.el6.x86_64

So, it looks like it updated to latest version at 1:00am


However, once again at 3:20am I received:

Anacron job 'cron.daily' on examplehost.example.net
From: Anacron [email protected]
To: [email protected]
Date: Aug 19, 2019, 3:20 AM

/etc/cron.daily/freshclam:

/etc/cron.daily/freshclam: line 15: /usr/bin/freshclam: No such file or directory

Edit - I forgot to mention, I don't see any sign of epel repo in /etc/yum.repos.d

 

[cPanelLauren]

Hello,


Can you show me the output of the following?

rpm -qa |grep -i clamav

 

[Metro2]

Hello,


Can you show me the output of the following?

rpm -qa |grep -i clamav

cpanel-perl-528-File-Scan-ClamAV-1.95-1.cp1178.noarch
cpanel-clamav-0.101.3-1.cp1180.x86_64
clamav-lib-0.101.3-1.el6.x86_64
clamav-db-0.99.4-1.el6.x86_64
clamav-0.101.3-1.el6.x86_64
cpanel-clamav-virusdefs-0.101.3-1.cp1180.x86_64
clamav-filesystem-0.101.3-1.el6.noarch
clamav-data-0.101.3-1.el6.noarch

 

[cPanelLauren]

cpanel-perl-528-File-Scan-ClamAV-1.95-1.cp1178.noarch
cpanel-clamav-0.101.3-1.cp1180.x86_64
clamav-lib-0.101.3-1.el6.x86_64
clamav-db-0.99.4-1.el6.x86_64
clamav-0.101.3-1.el6.x86_64
cpanel-clamav-virusdefs-0.101.3-1.cp1180.x86_64
clamav-filesystem-0.101.3-1.el6.noarch
clamav-data-0.101.3-1.el6.noarch

This shows you're running both the standard and cPanel provided version of ClamAV which is what I was initially curious about. There are a couple of reasons why someone would install separate versions one of which is if you're running CloudLinux or Imunify360 both of which install it.

If you're running CloudLinux or Imunify there is indeed an issue in which /usr/bin/freshclam is missing because the clamav-update package is missing. The current workaround from CloudLinux is to remove clamav-db and install clamav-update. They also let us know that they have a case open and are currently working on a resolution.

 

[Metro2]

@cPanelLauren - thank you, yes indeed I'm running CloudLinux (but not Imunify). Do yo happen to have a link to their work-around instructions? In meantime I'll check CL's site to see if I can find correct steps so that I don't break anything.

 

[cPanelLauren]

Hello,

I don't have a link that I'm able to provide you - it was discussed internally. The workaround though is to remove the clamav-db package which is obsolete and install the clamav-update package which you are missing.

 

[sneader]

We are also running CloudLinux, but are not paying for the full Imunify360 (however, we have the free on-demand scanner version of Imunify360 running, which was installed automatically by CloudLinux).

I'd appreciate any detailed instructions/steps on what the fix is.

- Scott

 

[cPanelLauren]

Hello,

The workaround as it stands right now from CloudLinux is as I mentioned before to remove the clamav-db package and install the clamav-update package.

If the issue is that you're not sure how to add/remove packages you can do the following:

1. Remove the clamav-db package

rpm -e --nodeps clamav-db

or

yum remove clamav-db

2. Then install clamav-update

yum install clamav-update

 

[QuentinC]

A lot of cPanel servers have ImmunifyAV....

Why CloudLinux ask to make a manual workaround for fix yum conflicts/dependencies ?

 

[cPanelLauren]

The workaround is only temporary until they resolve the issue. A means to manage the issue until that time.

 

[sneader]

After running these...

rpm -e --nodeps clamav-db
yum install clamav-update

Now I get cron these new cron emails:

Cron <[email protected]> /usr/share/clamav/freshclam-sleep

LibClamAV Warning: Cannot resolve: /usr/lib64/libclamunrar_iface.so: undefined symbol: libclamunrar_iface_LTX_unrar_peek_file_header (version mismatch?) - unrar support unavailable

Looking in /usr/lib64/:

lrwxrwxrwx 1 root root 22 Jul 24 2013 libclamunrar.so -> libclamunrar.so.6.1.17*
lrwxrwxrwx 1 root root 22 Jul 24 2013 libclamunrar.so.6 -> libclamunrar.so.6.1.17*
-rwxr-xr-x 1 root root 178442 Jul 24 2013 libclamunrar.so.6.1.17*

So, it exists but, indeed, it's pretty old.

- Scott

 

[cPanelLauren]

Hi @sneader

That's not a known part of this issue. If you purchased your CloudLinux or Immunify license through us please feel free to open a ticket with us. If you purchased it through CL or another means you'd need to open a ticket with CloudLinux directly: CloudLinux - Main | New template

Thanks!

 

[CloudLinux Skhristich]

A lot of cPanel servers have ImmunifyAV....

Why CloudLinux ask to make a manual workaround for fix yum conflicts/dependencies ?

Hello!


It all changes when you upgrade. You need to update the repositories.

 

[Metro2]

Now that it appears CloudLinux implemented the fix for the original issue in this thread, I now receive these emails daily from each server:

(I've replaced the actual server names / email addresses with "example" obviously)

----------
Cron <[email protected]> /usr/share/clamav/freshclam-sleep
Cron Daemon <[email protected]>
ERROR: Can't open /var/lib/clamav/mirrors.dat for writing
----------

----------
Anacron job 'cron.daily' on server.example.com
Anacron <[email protected]>
/etc/cron.daily/logrotate:
error: stat of /var/log/freshclam.log failed: No such file or directory
----------

My CloudLinux license is purchased through cPanel, but I'm hoping to avoid opening a ticket if possible. Open to suggestions here first and would be grateful for any, thank you.

 

[cPanelLauren]

Hi @Metro2

Can you provide me the output of the following:

ls -lah /var/lib/clamav/mirrors.dat

For the log error - this is a second issue CloudLinux is currently addressing which I've discussed in this thread Anacron job 'cron.daily' - freshclam.log

The workaround until it's resolved is as follows:

Remove the logrotate config for clamav
or
Add 'missingok' to /etc/logrotate.d/clamav-update or Update /etc/freshclam.conf by removing # from UpdateLogFile line. Then create the log going by clamav documentation @ https://www.clamav.net/documents/configuration#freshclamconf :

touch /var/log/freshclam.log
chmod 664 /var/log/freshclam.log
chown root.clamupdate /var/log/freshclam.log

 

[Metro2]

Hi @Metro2

Can you provide me the output of the following:

ls -lah /var/lib/clamav/mirrors.dat

Thank you for your reply @cPanelLauren

Output of ls -lah /var/lib/clamav/mirrors.dat is:

-rw------- 1 490 486 1.6K Aug 15 03:29 /var/lib/clamav/mirrors.dat

 

[cPanelLauren]

Hi @Metro2

That user/group is incorrect - this should be as discussed here:

errors from freshclam-sleep

Couple of days ago we started getting this kind of emails from all of our servers: Cron /usr/share/clamav/freshclam-sleep ERROR: Can't open /var/lib/clamav/mirrors.dat for writing ERROR: Can't open /var/lib/clamav/mirrors.dat for writing .... (more same lines) /var/lib/clamav/ directory...

forums.cpanel.net