Today I got repeated mails from CSF about Freshclam:
And they keep coming.
This is odd, because freshclam was already present in the csf.pignore file.
I added two lines with an asterisk so now it looks like this:
and again restarted csf and LFD but still I got another mail as you can see above.
Normally csf.pignore is working, but I don't understand as to why since today, this is happening. Normally restarting CSF/LFD should be enough.
Anybody else experiencing this or has a clue on how to fix this without disabling the pt_deleted option of CSF?
P.s. Why is the WHM version not directly visible anymore now when logging in to WHM? I really don't like that new interface.
In the tab it says 102.0.17 and with the root command it says 11.102.0. So what's the 102.0.17 in the browser tab for then?
Code:
Time: Thu May 26 20:24:47 2022 +0200
PID: 9680 (Parent PID:9679)
Account: clamav
Uptime: 575270 seconds
Executable:
/usr/local/cpanel/3rdparty/bin/freshclam;628eddb4 (deleted)
The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.
Command Line (often faked in exploits):
/usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
Code:
exe:/usr/local/cpanel/3rdparty/bin/freshclam
pexe:/usr/local/cpanel/3rdparty/bin/freshclam*
pcmd:/usr/local/cpanel/3rdparty/bin/freshclam*
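The alert above reports a process whose executable was deleted on disk and says to restart that process. As an added example (not part of the original post and not CSF/LFD code), this shell function lists every process still in that state, using only the standard Linux /proc layout, so the result of a restart can be checked directly. The function name `list_deleted_exes` and its optional proc-root argument are assumptions made for this example.

```shell
#!/bin/sh
# list_deleted_exes [PROC_ROOT]
# Prints "PID<TAB>executable<TAB>command line" for each process whose
# /proc/<PID>/exe symlink target ends in " (deleted)", i.e. the binary it
# was started from has since been removed or replaced on disk.
# PROC_ROOT defaults to /proc; the argument exists so the function can be
# pointed at a test directory (assumption of this example).
list_deleted_exes() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # The exe link is unreadable for other users' processes unless root.
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                cmd=""
                if [ -r "$dir/cmdline" ]; then
                    # cmdline is NUL-separated; show it space-separated.
                    cmd=$(tr '\000' ' ' < "$dir/cmdline")
                    cmd="${cmd% }"
                fi
                printf '%s\t%s\t%s\n' "${dir##*/}" "$target" "$cmd"
                ;;
        esac
    done
}

# Usage (run as root to see all accounts' processes):
#   list_deleted_exes
```

An empty result after restarting the service means no running process is still using a deleted executable.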