SOLVED [CPANEL-20678] ClamAV freshclam and clamscan binaries are different versions.

jndawson · Sep 14, 2017

We got an email alert from a server that has had the ClamAV plugin installed for at least 5 years (and Manage Plugins' indicates it's properly installed):
Code:
ClamAV freshclam and clamscan binaries are different versions. Install ClamAV within "Manage Plugins".
We just updated to v.66.0.22 last night during normal update cycle. We've received no binary mismatch notice on any other servers.

We decided to remove the plugin and reinstall it. Seemed to go well, 'Manage Plugins' indicates it's properly installed and 'Service Status' indicates it's running.

Just for grins, we restarted clamd to be sure all was copacetic:
Code:
[ root@cp2 ~># /scripts/restartsrv_clamd
Waiting for âclamdâclamdâ

Service Status
        clamd (/usr/local/cpanel/3rdparty/bin/clamd) is running as root with PID 21668 (pidfile+/proc check method).

Startup Log
        LibClamAV Warning: Detected duplicate databases /usr/local/cpanel/3rdparty/share/clamav/main.cvd and /usr/local/cpanel/3rdparty/share/clamav/main.cld, please manually remove one of them

clamd restarted successfully.
Here's what we've got:
Code:
[ root@cp2 ~># ls -l /usr/local/cpanel/3rdparty/share/clamav/main*
-rw-r--r-- 1 clamav clamav 307499008 Jun  7 21:09 /usr/local/cpanel/3rdparty/share/clamav/main.cld
-rw-r--r-- 1 clamav clamav 117892267 Sep 14 11:06 /usr/local/cpanel/3rdparty/share/clamav/main.cvd
main.cvd apparently created when reinstalling the plugin; main.cld apparently the old one which should be removed.

Correct?

If so, do we need to reinstall the clamAV plugin on the other servers? And any reason/speculation why this occurred?

cPanelMichael · Sep 18, 2017

jndawson said: ↑

ClamAV freshclam and clamscan binaries are different versions. Install ClamAV within "Manage Plugins".
Click to expand...

Hello,

Are you sure no other installations of ClamAV exist on this system? For instance, check to see the output of the following commands:
Code:
rpm -qa|grep clam
locate freshclam
Thank you.

jndawson · Sep 18, 2017

cPanelMichael said: ↑
Hello,

Are you sure no other installations of ClamAV exist on this system? For instance, check to see the output of the following commands:
Code:
rpm -qa|grep clam
locate freshclam
Thank you.
Click to expand...
We already did that:
Code:
[ root@cp2 ~># rpm -qa|grep clam
cpanel-clamav-0.99.2-2.cp1164.x86_64
cpanel-clamav-virusdefs-0.99.2-2.cp1164.x86_64

[ root@cp2 ~># locate freshclam
/usr/local/cpanel/3rdparty/bin/freshclam
/usr/local/cpanel/3rdparty/etc/freshclam.conf
/usr/local/cpanel/3rdparty/share/man/man1/freshclam.1
/usr/local/cpanel/3rdparty/share/man/man5/freshclam.conf.5
/var/asl/data/templates/template-freshclam.conf
Still have the same questions, and no, none of our other servers have experienced the same weird error message.

John W · Sep 19, 2017

I have this same message after upcp ran this morning. But, nothing is different that I can find.

cPanelMichael · Sep 19, 2017

Hello,

Could you open a support ticket using the link in my signature so we can take a closer look to see why the "ClamAV freshclam and clamscan binaries are different versions" notification was sent on the affected system? It should not be sent if the only installed ClamAV instance was enabled through the "WHM >> Manager Plugins" interface.

Thank you.

verdon · Oct 26, 2017

I just received this same alert overnight.
CENTOS 6.9 standard - v66.0.27

Code:

# rpm -qa|grep clam
cpanel-clamav-0.99.2-2.cp1164.x86_64
cpanel-clamav-virusdefs-0.99.2-2.cp1164.x86_64
# locate freshclam
 /usr/local/cpanel/3rdparty/bin/freshclam
/usr/local/cpanel/3rdparty/etc/freshclam.conf
/usr/local/cpanel/3rdparty/share/man/man1/freshclam.1
/usr/local/cpanel/3rdparty/share/man/man5/freshclam.conf.5

cPanelMichael · Oct 27, 2017

Hello @verdon,

Could you open a support ticket using the link in my signature so we can take a closer look?

Thank you.

verdon · Nov 7, 2017

Hi,

I'm so sorry. I completely missed this reply @cPanelMichael. Is there any point after this amount of time, and an update to v.68. Is there something I can test? I have not received this notification since. Just the one time.

cPanelMichael · Nov 7, 2017

verdon said: ↑

I'm so sorry. I completely missed this reply @cPanelMichael. Is there any point after this amount of time, and an update to v.68. Is there something I can test? I have not received this notification since. Just the one time.
Click to expand...

We could check to make sure there are no rogue copies of ClamAV or FreshClam installed on the system.

Thank you.

verdon · Nov 7, 2017

cPanelMichael said: ↑

We could check to make sure there are no rogue copies of ClamAV or FreshClam installed on the system.

Thank you.
Click to expand...

No. Thank you Ticket ID 9011467

jndawson · Nov 14, 2017

verdon said: ↑

No. Thank you Ticket ID 9011467
Click to expand...

What was the result?

verdon · Nov 16, 2017

jndawson said: ↑

What was the result?
Click to expand...

Only that there were no rogue/extra copies of ClamAV or FreshClam on the system. There had been an update to whm v.68 run on the server since the initial incident, and it's possible that any duplicate was cleaned up then. I suppose it's possible it was just a false positive to begin with as well. I don't know, but it is all good now.

PeteS · May 24, 2018

I have the same message. It showed up in the 5/53 upcp. In the 5/22 upcp clamav updated to 0.99.4-3 and cPanel upgraded to v70.0.43. So it looks like clamav and cPanel updated at the same time, then the next upcp raised this error. Is this a bug in the update? I see the v70.0.44 just updated last night.

I can run the above checks and do an un/re-install of clamav (then recheck) but I would like to hear the results of more of the tickets that are opened. (The one that reported above seemed to indicate that the above solution was adequate.)

@cPanelMichael, it would be helpful to have an official report on what this is about and why it (apparently) happens. FYI clamav was only installed on this server through WHM and has been maintained via WHM.

-Pete

NikRB · May 24, 2018

Same alert for me. I installed ClamAV via WHM yesterday on a new server received this message today.

cPanelMichael · May 24, 2018

Hello Everyone,

The Security Advisor State Change notification (configurable in WHM >> Contact Manager) is sent when a change to the state of a security issue is detected as part of the /usr/local/cpanel/scripts/check_security_advice_changes script. This script runs automatically during the cPanel update, and includes an assessment of the freshclam and clanscan versions.

Based on the reports on this thread, it's possible the ClamAV update that occurs during the cPanel update is not completing successfully or is still in-progress when the check_security_advice_changes script runs. However, I've been unable to reproduce this issue on a test system.

Could someone facing this issue recently open a support ticket and post the ticket number here? I'll link the ticket to this forums thread so we can ensure an internal case is opened if necessary.

Thank you.

PeteS · May 24, 2018

NikRB said: ↑

Same alert for me. I installed ClamAV via WHM yesterday on a new server received this message today.
Click to expand...

Thanks for posting that! I think it's a different scenario (not tied to an update cPanel) that's causing this.

Can you post which cPanel version you are on now, and whether it was the same version when you installed clamav?

-Pete

cPanelMichael · May 24, 2018

PeteS said: ↑

Thanks for posting that! I think it's a different scenario (not tied to an update cPanel) that's causing this.
Click to expand...

Hello Pete,

A quick way to verify this is by reviewing the time stamps on the notification history reports:
Code:
ls -al /var/cpanel/user_notifications/root/history
Thank you.

PeteS · May 24, 2018

cPanelMichael said: ↑

Based on the reports on this thread, it's possible the ClamAV update that occurs during the cPanel update is not completing successfully or is still in-progress when the check_security_advice_changes script runs. However, I've been unable to reproduce this issue on a test system.
Click to expand...

My upcp report for 5/24 reports no issues for /usr/local/cpanel/scripts/check_security_advice_changes.

5/22 upcp updated clamav and cPanel v70.0.43, no clamav error, but reported 2 out of date executables running (possibly clamav?) for which I was unable to determine the process (see: Security Advisor notifications should include process name, not just PID), which may explain the lack of a clamav warning

5/23 upcp reported the clamav error

5/23 upcp updated cPanel to v70.0.44 and reported no clamav error

It appears to me that it may be related to cPanel updates.

-Pete

PeteS · May 24, 2018

cPanelMichael said: ↑
Hello Pete,

A quick way to verify this is by reviewing the time stamps on the notification history reports:
Code:
ls -al /var/cpanel/user_notifications/root/history
Thank you.
Click to expand...
We cross posted...

That's what I did, but using the emails from upcp which gives me more detail on the warnings.

-Pete

cPanelMichael · May 24, 2018

Hello Pete,

Could you open a support ticket to report that this continues to happen and post the ticket number here? I'll link the ticket to this forums thread so we can ensure an internal case is opened if necessary.

Thank you.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

SOLVED [CPANEL-20678] ClamAV freshclam and clamscan binaries are different versions.

jndawson Well-Known Member

cPanelMichael Technical Support Community Manager Staff Member

jndawson Well-Known Member

John W Member

cPanelMichael Technical Support Community Manager Staff Member

verdon Well-Known Member

cPanelMichael Technical Support Community Manager Staff Member

verdon Well-Known Member

cPanelMichael Technical Support Community Manager Staff Member

verdon Well-Known Member

jndawson Well-Known Member

verdon Well-Known Member

PeteS Well-Known Member

NikRB Member

cPanelMichael Technical Support Community Manager Staff Member

PeteS Well-Known Member

cPanelMichael Technical Support Community Manager Staff Member

PeteS Well-Known Member

PeteS Well-Known Member

cPanelMichael Technical Support Community Manager Staff Member

In Progress [CPANEL-25892] No repository exists for MariaDB103 with RHEL

In Progress [CPANEL-26813] Mailman 2.1.27

In Progress [CPANEL-18704] cPanel contact address is stored in the home directory

Pending Publication [CPANEL-26599] cphulk is shown as down in initial install

In Progress [CPANEL-21627] Monitoring reports failed for services that are up

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

SOLVED [CPANEL-20678] ClamAV freshclam and clamscan binaries are different versions.

jndawson Well-Known Member

cPanelMichael Technical Support Community Manager Staff Member

jndawson Well-Known Member

John W Member

cPanelMichael Technical Support Community Manager Staff Member

verdon Well-Known Member

cPanelMichael Technical Support Community Manager Staff Member

verdon Well-Known Member

cPanelMichael Technical Support Community Manager Staff Member

verdon Well-Known Member

jndawson Well-Known Member

verdon Well-Known Member

PeteS Well-Known Member

NikRB Member

cPanelMichael Technical Support Community Manager Staff Member

PeteS Well-Known Member

cPanelMichael Technical Support Community Manager Staff Member

PeteS Well-Known Member

PeteS Well-Known Member

cPanelMichael Technical Support Community Manager Staff Member

In Progress [CPANEL-25892] No repository exists for MariaDB103 with RHEL

In Progress [CPANEL-26813] Mailman 2.1.27

In Progress [CPANEL-18704] cPanel contact address is stored in the home directory

Pending Publication [CPANEL-26599] cphulk is shown as down in initial install

In Progress [CPANEL-21627] Monitoring reports failed for services that are up

Share This Page