Clam issue [SOLVED]

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
JnascECSI
Forum Regular
Posts: 306
Joined: Mon Apr 14, 2008 8:29 am
Location: Rhode Island

Clam issue [SOLVED]

Post by JnascECSI

This morning at 4:18 EST, we started getting the following notification every minute from our server. I tried to restart clamd but it fails. It seems to be an issue with the clam honeypot DB, I think, because of the message, but not sure how to clear it out or get it to re-download the rule. I rebooted a couple of times but it still has the issue, and we have not done any updates or anything else to the server since the clam update last week when it came out. It seems to have started when the rules were updated this morning.

[psmon/xxx-1.xxxxxxxxxx.com] Failed to spawn 'clamd' with '/sbin/service clamd restart'
Command executed: /sbin/service clamd restart Exit value: 1 Signal number: 0 Dumped core?: 0

Stopping Clam AntiVirus Daemon: [FAILED]

Starting Clam AntiVirus Daemon: Bytecode: Security mode set to "TrustSigned".
LibClamAV Error: cli_loadhash: Problem parsing database at line 183974
LibClamAV Error: Can't load /var/clamav/ASL-honeypot.hdb: Malformed database
ERROR: Malformed database
[FAILED]

Also getting this message but not as much as the one above.

OSSEC HIDS Notification.
2011 Jun 22 07:30:11

Received From: xxx-1->/var/log/psa/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jun 22 07:30:10 xxx-1 X-Qmail-Scanner-2.08st: [xxx-1.xxxxxxxxxx.com130874220979828301] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2
Last edited by JnascECSI on Wed Jun 22, 2011 2:53 pm, edited 2 times in total.
James Nascimento
Chief Information Officer
East Commerce Solutions, Inc.
22 Morris Lane
East Providence, RI 02914
Ph. 800-527-5395 x263
Fax. 888-999-5891
JnascECSI
Forum Regular
Posts: 306
Joined: Mon Apr 14, 2008 8:29 am
Location: Rhode Island

Re: Clam issue

Post by JnascECSI

This also now seems to be affecting customers sending and receiving mail through the server.
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Re: Clam issue **Critical** Affecting mail services

Post by biggles

Have you tried removing the offending file, /var/clamav/ASL-honeypot.hdb?
Kalimari
Forum Regular
Posts: 526
Joined: Wed Jan 02, 2008 3:21 pm
Location: United Kingdom

Re: Clam issue **Critical** Affecting mail services

Post by Kalimari

You could also try updating the clamav signatures (includes Honeynet)... run:

clamav_updater.sh
freshclam
service clamd restart
JnascECSI
Forum Regular
Posts: 306
Joined: Mon Apr 14, 2008 8:29 am
Location: Rhode Island

Re: Clam issue **Critical** Affecting mail services

Post by JnascECSI

Well, I downloaded the honeypot file and removed the text on line 183974. The line was only partially filled with data, which looks like it crapped out somehow when it updated and didn't complete writing the string.

Once I did that and re-uploaded the file, clamd finally started, and I also updated the sigs like Kalimari recommended, and so far it seems OK. The only thing is I never noticed that new message now when restarting clam: "Starting Clam AntiVirus Daemon: Bytecode: Security mode set to "TrustSigned"." Is this something new?
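
A pre-load check for the failure in this thread, added here as an example and not part of any post or of the ClamAV or ASL tooling: it reports every line of a .hdb file that does not match ClamAV's MD5:size:name entry layout, and swaps a new file into place only when all lines parse. The function names, the sample entries, the file mode and the strictness of the pattern are assumptions made for this example.

```python
import os
import re
import tempfile

# ClamAV .hdb entry: MD5 (32 hex digits), file size, signature name,
# separated by colons. '*' as size and up to two trailing numeric
# functionality-level fields are accepted for newer databases.
# Strict by design: anything else, blank lines included, is reported.
HDB_ENTRY = re.compile(r"[0-9a-fA-F]{32}:(?:\d+|\*):[^:\s][^:]*(?::\d+){0,2}")

# Constructed sample: two complete entries, then one cut off mid-write.
SAMPLE_UPDATE = (
    "00112233445566778899aabbccddeeff:1024:Constructed.Sample-1\n"
    "ffeeddccbbaa99887766554433221100:2048:Constructed.Sample-2\n"
    "0123456789abcdef0123"
)


def find_malformed(text):
    """Return [(line_number, line)] for every entry that fails to parse."""
    return [
        (number, line)
        for number, line in enumerate(text.splitlines(), start=1)
        if not HDB_ENTRY.fullmatch(line)
    ]


def install_if_valid(new_text, dest_path):
    """Replace dest_path only if every line parses; return the bad lines."""
    bad = find_malformed(new_text)
    if bad:
        return bad  # leave the database clamd already loaded untouched
    directory = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w") as handle:
        handle.write(new_text)
        handle.flush()
        os.fsync(handle.fileno())  # data is on disk before the rename
    os.chmod(tmp_path, 0o644)  # mkstemp creates 0600; the scanner must read it
    os.replace(tmp_path, dest_path)  # atomic within one filesystem
    return []


if __name__ == "__main__":
    for number, line in find_malformed(SAMPLE_UPDATE):
        print(f"line {number}: malformed entry {line!r}")
```

Writing to a temporary file and renaming it means the scanner never sees a half-written database, which is the state the truncated line 183974 left behind.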
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: Clam issue **Critical** Affecting mail services

Post by breun

I'm seeing Bytecode: Security mode set to "TrustSigned" since the upgrade from 0.97 to 0.97.1.
Lemonbit Internet Dedicated Server Management