SOLVED clamd can't start after /scripts/upcp --force

Discussion in 'General Discussion' started by urgido, Apr 12, 2017.

  1. urgido

    urgido Well-Known Member

    Joined:
    Jul 19, 2005
    Messages:
    85
    Likes Received:
    3
    Trophy Points:
    158
    cPanel Access Level:
    Root Administrator
    Here is the log:

    Code:
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 9897 duplicate identifier "dump_sales_quote_payment"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11502 duplicate identifier "dump_sales_order"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11506 duplicate identifier "md5_64651cede2467fdeb1b3b7e6ff3f81cb"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11510 duplicate identifier "md5_6bf4910b01aa4f296e590b75a3d25642"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11526 duplicate identifier "eval_post"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11532 duplicate identifier "spam_mailer"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11538 duplicate identifier "md5_0105d05660329704bdb0ecd3fd3a473b"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11546 duplicate identifier "md5_0b1bfb0bdc7e017baccd05c6af6943ea"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11552 duplicate identifier "md5_2495b460f28f45b40d92da406be15627"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11556 duplicate identifier "md5_2c37d90dd2c9c743c273cb955dd83ef6"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11560 duplicate identifier "md5_3ccdd51fe616c08daafd601589182d38"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11564 duplicate identifier "md5_4b69af81b89ba444204680d506a8e0a1"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11569 duplicate identifier "md5_71a7c769e644d8cf3cf32419239212c7"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11578 duplicate identifier "md5_825a3b2a6abbe6abcdeda64a73416b3d"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11584 duplicate identifier "md5_87cf8209494eedd936b28ff620e28780"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11600 duplicate identifier "md5_c647e85ad77fd9971ba709a08566935d"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11604 duplicate identifier "md5_fb9e35bf367a106d18eb6aa0fe406437"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11608 duplicate identifier "md5_8e5f7f6523891a5dcefcbb1a79e5bbe9"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11612 duplicate identifier "eval_base64_decode_a"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11615 duplicate identifier "obfuscated_eval"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11626 duplicate identifier "md5_ab63230ee24a988a4a9245c2456e4874"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11629 duplicate identifier "md5_b579bff90970ec58862ea8c26014d643"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11635 duplicate identifier "md5_d30b23d1224438518d18e90c218d7c8b"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11639 duplicate identifier "md5_24f2df1b9d49cfb02d8954b08dba471f"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11641 duplicate identifier "base64_hidden_in_image"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11645 duplicate identifier "hide_data_in_jpeg"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11649 duplicate identifier "hidden_file_upload_in_503"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11655 duplicate identifier "md5_fd141197c89d27b30821f3de8627ac38"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11661 duplicate identifier "visbot"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11663 duplicate identifier "md5_39ca2651740c2cef91eb82161575348b"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11671 duplicate identifier "md5_4c4b3d4ba5bce7191a5138efa2468679"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11677 duplicate identifier "md5_6eb201737a6ef3c4880ae0b8983398a9"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11681 duplicate identifier "md5_d201d61510f7889f1a47257d52b15fa2"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11685 duplicate identifier "md5_06e3ed58854daeacf1ed82c56a883b04"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11689 duplicate identifier "md5_28690a72362e021f65bb74eecc54255e"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11691 duplicate identifier "overwrite_globals_hack"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11696 duplicate identifier "md5_4adef02197f50b9cc6918aa06132b2f6"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11701 duplicate identifier "obfuscated_globals"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11707 duplicate identifier "ld_preload_backdoor"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11711 duplicate identifier "fake_magentoupdate_site"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11715 duplicate identifier "md5_b3ee7ea209d2ff0d920dfb870bad8ce5"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11721 duplicate identifier "md5_e03b5df1fa070675da8b6340ff4a67c2"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11725 duplicate identifier "md5_023a80d10d10d911989e115b477e42b5"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11731 duplicate identifier "md5_4aa900ddd4f1848a15c61a9b7acd5035"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11735 duplicate identifier "md5_f797dd5d8e13fe5c8898dbe3beb3cc5b"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11921 duplicate identifier "onepage_or_checkout"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11930 duplicate identifier "sinlesspleasure_com"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11934 duplicate identifier "amasty_biz"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11938 duplicate identifier "amasty_biz_js"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11942 duplicate identifier "returntosender"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11946 duplicate identifier "ip_5uu8_com"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11950 duplicate identifier "cloudfusion_me"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11954 duplicate identifier "grelos_v"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11967 duplicate identifier "hacked_domains"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11971 duplicate identifier "mage_cdn_link"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11975 duplicate identifier "credit_card_regex"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11979 duplicate identifier "jquery_code_su"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11983 duplicate identifier "jquery_code_su_multi"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11987 duplicate identifier "Trafficanalyzer_js"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11991 duplicate identifier "atob_js"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11995 duplicate identifier "gate_php_js"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 12001 duplicate identifier "googieplay_js"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 12004 duplicate identifier "md5_cdn_js_link_js"
    LibClamAV Error: cli_loadyara: failed to parse rules file /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara, error count 63
     
    #1 urgido, Apr 12, 2017
    Last edited by a moderator: Apr 13, 2017
  2. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    542
    Likes Received:
    39
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    Try uninstalling then re-installing ClamAv via WHM's Plugin section by un-checking the "ClamAV Connector" then clicking "save" then going back to that page and checking it to re-install ClamAV.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,022
    Likes Received:
    1,276
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    These error messages appear to relate to custom ClamAV rules. Are you using any third-party applications such as Maldet on this system? Also, check to see if you are using any third-party ClamAV RPMs with a command such as:

    Code:
    rpm -qa|grep clamav
    With the ClamAV plugin offered through cPanel, you should see output like this:

    Code:
    # rpm -qa|grep clamav
    cpanel-clamav-virusdefs-0.99.2-1.cp1164.x86_64
    cpanel-clamav-0.99.2-1.cp1164.x86_64
    
    Thank you.
     
  4. yitwail

    yitwail Registered

    Joined:
    Mar 17, 2013
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    I'm seeing the exact same errors as the OP. When I entered `rpm -qa|grep clamav` I got the following response:
    `cpanel-clamav-virusdefs-0.99.2-2.cp1162.x86_64
    cpanel-clamav-0.99.2-2.cp1162.x86_64`

    /usr/local/maldetect/maldet exists, and in addition, CXS (config exploit scanner), is installed. Could that be the issue? I've also seen notices about kernel needing an update.

    I've obviously chosen to add to this thread instead of starting anew. If that's inappropriate I will create a new thread. Thank you.
     
  5. studioblue

    studioblue Registered

    Joined:
    Sep 11, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Same issue here.
    `rpm -qa|grep clamav` returns no results
     
  6. studioblue

    studioblue Registered

    Joined:
    Sep 11, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    correction had a space in it:
    rpm -qa|grep clamav
    cpanel-clamav-0.99.2-2.cp1162.x86_64
    cpanel-clamav-virusdefs-0.99.2-2.cp1162.x86_64

    I also have Maldet installed not cxs
     
  7. mypchost

    mypchost Registered

    Joined:
    Sep 19, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    As the OP had stated, errors. I receive the same when restarting EXIM. I did a quick "rpm -qa|grep clamav" which showed no result at all. I do have maldet installed as well. Then I opted to uninstall the ClamAV via WHM software. After re-installing, I still received the same response (all errors). I ran "/usr/local/cpanel/scripts/check_cpanel_rpms --fix". Then after, I executed:

    root@marge [/var/log]# rpm -qa |grep clamav
    cpanel-clamav-virusdefs-0.99.2-2.cp1162.x86_64
    cpanel-clamav-0.99.2-2.cp1162.x86_64

    Afterwards, I again attempted to restart EXIM (via WHM) and still am receiving errors. Nothing seems to be working correctly.

    Standing by for a response and hopeful resolution ;)
     
  8. mypchost

    mypchost Registered

    Joined:
    Sep 19, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    On a side note, went to edit my previous post, realizing my error with a space at "rpm -qa|grep clamav" only to be presented with this error - just a heads up cPanel forum admin:

    The following error occurred:
    Your content can not be submitted. This is likely because your content is spam-like or contains inappropriate elements. Please change your content or try again later. If you still have problems, please contact an administrator.

    Please resume.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,022
    Likes Received:
    1,276
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Try moving the custom ClamAV rules out of the way and restarting clamd with the following commands:

    Code:
    mkdir /root/clamav-backup-rules
    mv /usr/local/cpanel/3rdparty/share/clamav/rfxn.* /root/clamav-backup-rules/
    /scripts/restartsrv_clamd
    You may need to report this issue to the developer or support team of the plugin you are using if you'd like to continue using those custom ClamAV rules.

    Thank you.
     
  10. urgido

    urgido Well-Known Member

    Joined:
    Jul 19, 2005
    Messages:
    85
    Likes Received:
    3
    Trophy Points:
    158
    cPanel Access Level:
    Root Administrator
    Yes, I am using MALDET but I never touched the rules of CLAMAV.

    Code:
     rpm -qa|grep clamav
    cpanel-clamav-virusdefs-0.99.2-1.cp1164.x86_64
    cpanel-clamav-0.99.2-1.cp1164.x86_64
    
    I reinstalled clamav but the problem is still present.
     
  11. urgido

    urgido Well-Known Member

    Joined:
    Jul 19, 2005
    Messages:
    85
    Likes Received:
    3
    Trophy Points:
    158
    cPanel Access Level:
    Root Administrator

    OUTPUT:

    Code:
    Waiting for “clamd”
    
    Cpanel::Exception::Services::StartError
    Service Error
            (XID epufbx) El servicio “clamd”
                                                    The “clamd”
    
    clamd has failed. Contact your system administrator if the service does not automagically recover.
    
    Code:
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 9897 duplicate identifier "dump_sales_quote_payment"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11502 duplicate identifier "dump_sales_order"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11506 duplicate identifier "md5_64651cede2467fdeb1b3b7e6ff3f81cb"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11510 duplicate identifier "md5_6bf4910b01aa4f296e590b75a3d25642"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11526 duplicate identifier "eval_post"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11532 duplicate identifier "spam_mailer"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11538 duplicate identifier "md5_0105d05660329704bdb0ecd3fd3a473b"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11546 duplicate identifier "md5_0b1bfb0bdc7e017baccd05c6af6943ea"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11552 duplicate identifier "md5_2495b460f28f45b40d92da406be15627"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11556 duplicate identifier "md5_2c37d90dd2c9c743c273cb955dd83ef6"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11560 duplicate identifier "md5_3ccdd51fe616c08daafd601589182d38"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11564 duplicate identifier "md5_4b69af81b89ba444204680d506a8e0a1"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11569 duplicate identifier "md5_71a7c769e644d8cf3cf32419239212c7"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11578 duplicate identifier "md5_825a3b2a6abbe6abcdeda64a73416b3d"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11584 duplicate identifier "md5_87cf8209494eedd936b28ff620e28780"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11600 duplicate identifier "md5_c647e85ad77fd9971ba709a08566935d"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11604 duplicate identifier "md5_fb9e35bf367a106d18eb6aa0fe406437"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11608 duplicate identifier "md5_8e5f7f6523891a5dcefcbb1a79e5bbe9"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11612 duplicate identifier "eval_base64_decode_a"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11615 duplicate identifier "obfuscated_eval"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11626 duplicate identifier "md5_ab63230ee24a988a4a9245c2456e4874"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11629 duplicate identifier "md5_b579bff90970ec58862ea8c26014d643"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11635 duplicate identifier "md5_d30b23d1224438518d18e90c218d7c8b"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11639 duplicate identifier "md5_24f2df1b9d49cfb02d8954b08dba471f"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11641 duplicate identifier "base64_hidden_in_image"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11645 duplicate identifier "hide_data_in_jpeg"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11649 duplicate identifier "hidden_file_upload_in_503"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11655 duplicate identifier "md5_fd141197c89d27b30821f3de8627ac38"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11661 duplicate identifier "visbot"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11663 duplicate identifier "md5_39ca2651740c2cef91eb82161575348b"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11671 duplicate identifier "md5_4c4b3d4ba5bce7191a5138efa2468679"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11677 duplicate identifier "md5_6eb201737a6ef3c4880ae0b8983398a9"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11681 duplicate identifier "md5_d201d61510f7889f1a47257d52b15fa2"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11685 duplicate identifier "md5_06e3ed58854daeacf1ed82c56a883b04"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11689 duplicate identifier "md5_28690a72362e021f65bb74eecc54255e"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11691 duplicate identifier "overwrite_globals_hack"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11696 duplicate identifier "md5_4adef02197f50b9cc6918aa06132b2f6"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11701 duplicate identifier "obfuscated_globals"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11707 duplicate identifier "ld_preload_backdoor"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11711 duplicate identifier "fake_magentoupdate_site"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11715 duplicate identifier "md5_b3ee7ea209d2ff0d920dfb870bad8ce5"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11721 duplicate identifier "md5_e03b5df1fa070675da8b6340ff4a67c2"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11725 duplicate identifier "md5_023a80d10d10d911989e115b477e42b5"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11731 duplicate identifier "md5_4aa900ddd4f1848a15c61a9b7acd5035"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11735 duplicate identifier "md5_f797dd5d8e13fe5c8898dbe3beb3cc5b"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11921 duplicate identifier "onepage_or_checkout"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11930 duplicate identifier "sinlesspleasure_com"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11934 duplicate identifier "amasty_biz"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11938 duplicate identifier "amasty_biz_js"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11942 duplicate identifier "returntosender"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11946 duplicate identifier "ip_5uu8_com"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11950 duplicate identifier "cloudfusion_me"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11954 duplicate identifier "grelos_v"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11967 duplicate identifier "hacked_domains"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11971 duplicate identifier "mage_cdn_link"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11975 duplicate identifier "credit_card_regex"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11979 duplicate identifier "jquery_code_su"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11983 duplicate identifier "jquery_code_su_multi"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11987 duplicate identifier "Trafficanalyzer_js"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11991 duplicate identifier "atob_js"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 11995 duplicate identifier "gate_php_js"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 12001 duplicate identifier "googieplay_js"
    LibClamAV Error: yyerror(): /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara line 12004 duplicate identifier "md5_cdn_js_link_js"
    LibClamAV Error: cli_loadyara: failed to parse rules file /usr/local/cpanel/3rdparty/share/clamav/rfxn.yara, error count 63
    
     
    #11 urgido, Apr 13, 2017
    Last edited by a moderator: Apr 14, 2017
  12. mikefromnz

    mikefromnz Active Member

    Joined:
    Feb 9, 2017
    Messages:
    28
    Likes Received:
    5
    Trophy Points:
    3
    Location:
    New Zealand
    cPanel Access Level:
    Root Administrator
    Having the exact same problem here since last update
     
  13. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,022
    Likes Received:
    1,276
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The custom ClamAV rules are referenced in the application's most recent change log:

    You can remove the custom rules using the commands referenced in my earlier response:

    Code:
    mkdir /root/clamav-backup-rules
    mv /usr/local/cpanel/3rdparty/share/clamav/rfxn.* /root/clamav-backup-rules/
    /scripts/restartsrv_clamd
    You may also want to report this as an issue on their GitHub page:

    Issues · rfxn/linux-malware-detect · GitHub

    Thank you.
     
  14. rfxn

    rfxn Active Member

    Joined:
    Apr 27, 2003
    Messages:
    29
    Likes Received:
    2
    Trophy Points:
    153
    This issue was brought to my attention a few minutes ago regarding this thread.

    An issue with the 3rd party YARA rule generation resulted in duplicates being injected as the upstream provider changed certain formatting. This has been resolved as of this writing and rules are now consistent / without duplicates.

    The new rules will automagically push out with standard daily updates to LMD and/or you can force a manual signature update with the '-u|--update-sigs' option followed by restarting clamd with '/scripts/restartsrv_clamd'.

    e.g:
    Code:
    [root@boomer ~]# maldet -u
    Linux Malware Detect v1.6
                (C) 2002-2017, R-fx Networks <proj@rfxn.com>
                (C) 2017, Ryan MacDonald <ryan@rfxn.com>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(17027): {sigup} performing signature update check...
    maldet(17027): {sigup} local signature set is version 2017041129590
    maldet(17027): {sigup} new signature set (2017041410039) available
    maldet(17027): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
    maldet(17027): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
    maldet(17027): {sigup} verified md5sum of maldet-sigpack.tgz
    maldet(17027): {sigup} unpacked and installed maldet-sigpack.tgz
    maldet(17027): {sigup} verified md5sum of maldet-clean.tgz
    maldet(17027): {sigup} unpacked and installed maldet-clean.tgz
    maldet(17027): {sigup} signature set update completed
    maldet(17027): {sigup} 12451 signatures (9721 MD5 | 1951 HEX | 779 YARA | 0 USER)
    
    [root@boomer ~]# /scripts/restartsrv_clamd
    Waiting for “clamd” to restart ………waiting for “clamd” to initialize ………finished.
    
    Service Status
            clamd (/usr/local/cpanel/3rdparty/bin/clamd) is running as root with PID 17231 (systemd check method).
    
    Startup Log
            Apr 14 15:15:43 boomer.rfxn.com systemd[1]: Starting clamd antivirus daemon...
            Apr 14 15:15:57 boomer.rfxn.com systemd[1]: Started clamd antivirus daemon.
    
    clamd restarted successfully.
    
    I've added additional tests against the YARA rule file generation to ensure this does not happen again. This includes stricter testing for duplicates and better exit code detection when testing the rules with clamd.

    Thanks!
     
    Infopro and cPanelMichael like this.
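The duplicate test and exit-code gating described in the post above can be sketched as follows. This is an added example, not part of the original thread and not LMD's or cPanel's code; the function names and the sample rule files are constructed for illustration, reusing two identifiers from the error log.

```shell
#!/bin/sh
# Added example, not LMD or cPanel code. Function names are hypothetical.

# yara_duplicate_rules FILE
# Prints one line per repeated rule identifier and returns
# 0 = all identifiers unique, 1 = duplicates found, 2 = FILE unreadable.
yara_duplicate_rules() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        # Assumption: declarations start a line, as generated rule files do,
        # and a block comment is recognised only when it opens a line.
        in_comment { if (index($0, "*/")) in_comment = 0; next }
        /^[ \t]*\/\*/ { if (!index($0, "*/")) in_comment = 1; next }
        /^[ \t]*((private|global)[ \t]+)*rule[ \t]+[A-Za-z_][A-Za-z0-9_]*/ {
            name = $0
            sub(/^[ \t]*((private|global)[ \t]+)*rule[ \t]+/, "", name)
            sub(/[^A-Za-z0-9_].*$/, "", name)
            if (name in first) {
                printf "line %d duplicate identifier \"%s\" (first defined at line %d)\n", NR, name, first[name]
                dup = 1
            } else {
                first[name] = NR
            }
        }
        END { exit (dup ? 1 : 0) }
    ' "$1"
}

# install_yara_rules SRC DEST
# Replaces DEST only when SRC passes the check, so a broken generator run
# never overwrites a rule file that clamd can currently load.
install_yara_rules() {
    src=$1
    dest=$2
    yara_duplicate_rules "$src" >&2 || {
        echo "refusing to install $src: duplicate check failed" >&2
        return 1
    }
    tmp="$dest.new.$$"
    cp "$src" "$tmp" && mv "$tmp" "$dest"   # rename within one directory
}

# write_sample_rules DIR: constructed sample input (not real signatures).
write_sample_rules() {
    cat > "$1/bad.yara" <<'EOF'
rule eval_post
{
    strings: $a = "constructed-sample-1"
    condition: $a
}
/* rule spam_mailer  (commented out, must not count)
*/
rule spam_mailer { condition: false }
private rule eval_post { condition: false }
rule spam_mailer
{
    condition: false
}
EOF
    cat > "$1/good.yara" <<'EOF'
rule eval_post { condition: false }
rule spam_mailer { condition: false }
EOF
}

# Demo on the constructed input.
demo_dir=$(mktemp -d)
write_sample_rules "$demo_dir"
yara_duplicate_rules "$demo_dir/bad.yara" || echo "exit status $? -> do not deploy"
rm -rf "$demo_dir"
```

A clean result only rules out the duplicate-identifier failure shown in this thread; loading the file with the ClamAV version in use remains the final check before it goes live.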
  15. yitwail

    yitwail Registered

    Joined:
    Mar 17, 2013
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    @rfxn, much obliged. I restarted clamd successfully with the 2 commands you provided.
     
    cPanelMichael likes this.