ClamAV constantly failing
Hello,
I get tons of notifications that ClamAV appears to be down and fails to restart. It says that there is a duplicate database and that it should be manually removed. I followed the instructions on another thread with this same issue, but it did not work, and I reverted to the previous situation, but now I don't know what to do next. I'm a rookie, and I'll probably always be; I'd appreciate some guidance.
This is what happened:
[root@server ~]# mkdir /root/clamav-backup
[root@server ~]# mv /usr/local/cpanel/3rdparty/share/clamav/bytecode.cld /root/clamav-backup
[root@server ~]# /usr/local/cpanel/3rdparty/bin/freshclam
ClamAV update process started at Wed Feb 20 00:13:02 2019
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.2 Recommended version: 0.101.1
DON'T PANIC! Read ClamavNet
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily-25365.cdiff [100%]
daily.cld updated (version: 25365, sigs: 2254643, f-level: 63, builder: raynman)
bytecode.cvd is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
Database updated (6820986 signatures) from database.clamav.net (IP: 104.16.219.84)
[root@server ~]# /scripts/restartsrv_clamd
Waiting for "clamd" to stop …finished.
info [restartsrv_clamd] systemd failed to start the service "clamd" (The "/usr/bin/systemctl restart clamd.service --no-ask-password" command (process 13010) reported error number 1 when it ended.): Job for clamd.service failed because the control process exited with error code. See "systemctl status clamd.service" and "journalctl -xe" for details.
Waiting for "clamd" to start …failed.
Cpanel::Exception::Services::StartError
Service Status
Service Error
(XID qmcehw) The "clamd" service failed to start.
Startup Log
Feb 20 00:14:00 xxx.xxxxxx.xxx systemd[1]: Starting clamd antivirus daemon...
Feb 20 00:14:19 xxx.xxxxxx.xxx systemd[1]: clamd.service: control process exited, code=exited status=1
Feb 20 00:14:19 xxx.xxxxxx.xxx systemd[1]: Failed to start clamd antivirus daemon.
Feb 20 00:14:19 xxx.xxxxxx.xxx systemd[1]: Unit clamd.service entered failed state.
Feb 20 00:14:19 xxx.xxxxxx.xxx systemd[1]: clamd.service failed.
clamd has failed. Contact your system administrator if the service does not automagically recover.
[root@server ~]# mv /root/clamav-backup/bytecode.cld /usr/local/cpanel/3rdparty/share/clamav
[root@server ~]# /usr/local/cpanel/3rdparty/bin/freshclam
ClamAV update process started at Wed Feb 20 00:17:59 2019
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.2 Recommended version: 0.101.1
DON'T PANIC! Read ClamavNet
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cld is up to date (version: 25365, sigs: 2254643, f-level: 63, builder: raynman)
bytecode.cvd is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
[root@server ~]# /scripts/restartsrv_clamd
Service "clamd" is already stopped.
info [restartsrv_clamd] systemd failed to start the service "clamd" (The "/usr/bin/systemctl restart clamd.service --no-ask-password" command (process 13304) reported error number 1 when it ended.): Job for clamd.service failed because the control process exited with error code. See "systemctl status clamd.service" and "journalctl -xe" for details.
Waiting for "clamd" to start …failed.
Cpanel::Exception::Services::StartError
Service Status
Service Error
(XID faxrvx) The "clamd" service failed to start.
Startup Log
Feb 20 00:19:31 xxx.xxxxxx.xxx systemd[1]: Starting clamd antivirus daemon...
Feb 20 00:19:48 xxx.xxxxxx.xxx clamd[13305]: LibClamAV Warning: Detected duplicate databases /usr/local/cpanel/3rdparty/share/clamav/bytecode.cld and /usr/local/cpanel/3rdparty/share/clamav/bytecode.cvd. The /usr/local/cpanel/3rdparty/share/clamav/bytecode.cld database is older and will not be loaded, you should manually remove it from the database directory.
Feb 20 00:19:51 xxx.xxxxxx.xxx systemd[1]: clamd.service: control process exited, code=exited status=1
Feb 20 00:19:51 xxx.xxxxxx.xxx systemd[1]: Failed to start clamd antivirus daemon.
Feb 20 00:19:51 xxx.xxxxxx.xxx systemd[1]: Unit clamd.service entered failed state.
Feb 20 00:19:51 xxx.xxxxxx.xxx systemd[1]: clamd.service failed.
clamd has failed. Contact your system administrator if the service does not automagically recover.
[root@server ~]#
How much memory does this system have? Are you sure you aren't running up against a memory limit? ClamAV is a huge memory hog.
Hi @carolainn Can you tell me what is present in the following?
ls -lah /usr/local/cpanel/3rdparty/share/clamav/
My assumption is there's more than one .cld file there. You might try mv'ing them all, and if that's not successful I'd suggest reinstalling cpanel-clamav. You can do this by doing the following. Here's what I did on my server to remove and reinstall (note you may want to ensure the rpm name specifically first):
Identify the specific ClamAV versions:
rpm -qa |grep clamav
cpanel-clamav-0.100.2-1.cp1170.x86_64
cpanel-clamav-virusdefs-0.100.2-1.cp1170.x86_64
Remove those:
rpm -e --nodeps cpanel-clamav-0.100.2-1.cp1170.x86_64 cpanel-clamav-virusdefs-0.100.2-1.cp1170.x86_64
Reinstall ClamAV and the virus defs:
/scripts/check_cpanel_rpms --fix
I'd also be curious to know if you're running on CentOS or CloudLinux and/or do you have Imunify360 installed? Thanks!
Thanks for your reply. The system has 2 GB of memory.
(WHM) Home » Server Status » Service Status
Service Information
Service clamd
Version 0.100.2-1
Status down
System Information
Memory Used 42.2% (794,336 of 1,882,220)
(WHM) Home » Server Status » Server Information
Memory Information
[ 0.000000] Memory: 1860764k/2097008k available (7664k kernel code, 392k absent, 235852k reserved, 6055k data, 1876k init)
Current Memory Usage
        total     used     free    shared  buff/cache  available
Mem:    1882220   773744   507236  25744   601240      916416
Swap:   0         0        0
Total:  1882220   773744   507236
Thanks again.
This is interesting because with ClamAV being down the server is using nearly half of the memory it has allocated to it. @sparek-3 may be on to something as well; you might check /var/log/messages for out of memory errors as well.
Hello! Thanks for your reply.
ls -lah /usr/local/cpanel/3rdparty/share/clamav/
total 273M
drwxrwxr-x  3 clamav clamav  165 Feb 20 04:49 .
drwxr-xr-x 79 root   root   4.0K Feb  4 14:13 ..
-rw-r--r--  1 root   root   314K Feb 17 23:55 bytecode.cld
-rw-r--r--  1 clamav clamav 196K Jan 31 10:40 bytecode.cvd
-rw-r--r--  1 clamav clamav  156 Oct 10 17:01 clamavconnector.conf
-rwxr-xr-x  1 root   root    15K Oct 10 17:01 copyright
-rw-r--r--  1 clamav clamav 160M Feb 20 00:13 daily.cld
drwxr-xr-x  2 clamav clamav  136 Feb 17 23:55 .first-install
-rw-r--r--  1 clamav clamav 113M Feb 17 23:55 main.cvd
-rw-------  1 clamav clamav  364 Feb 20 04:49 mirrors.dat
There are two .cld files but with different names. Which should I remove? Thanks for your time.
Hi @carolainn Both of the .cld files should be removed then try and restart the software.
Ok, I did that and then restarted the service and had no error. I checked the log and there are a lot of messages of this type:
Feb 20 17:00:01 server systemd: Started Session 686 of user root.
Feb 20 17:00:04 server systemd: Removed slice User Slice of root.
What are those about?
Hi @carolainn
[QUOTE] Ok, I did that and then restarted the service and had no error.
I'm glad to hear that the service started successfully! My hope now is that it continues to run normally. Were you able to check if you had Imunify or CloudLinux installed on the server? My concern there is that they have their own version of ClamAV being used for scanning and there have been some cases in which there are conflicts.
[QUOTE] I checked the log and there are a lot of messages of this type: Feb 20 17:00:01 server systemd: Started Session 686 of user root. Feb 20 17:00:04 server systemd: Removed slice User Slice of root.
These are unrelated to anything occurring with ClamAV or even Out of Memory errors; these occur every time a user logs on and can be dismissed. Red Hat explains this here as well: Logs flooded with systemd messages: Created slice & Starting Session - Red Hat Customer Portal. Thanks!
[QUOTE] My hope now is that it continues to run normally.
I hope that too! I will post again if something changes.
[QUOTE] Were you able to check if you had imunify or CloudLinux installed on the server?
My VPS is running on CentOS, and I don't have Imunify360 installed.
[QUOTE] These are unrelated to anything occurring with ClamAV ...
Oh I see! So I shouldn't worry then. Thanks so much for the help! <3
It's happening again... :( I think it started after an automatic system update.
Hi @carolainn Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved. Thanks!
Hello! I also have a 2gig system whose clamd is failing constantly. Did you find a solution? Thanks!
Hello! Not yet! Still failing. I'm gonna send a ticket as Lauren suggested. Is your VPS from GoDaddy too?
Hello Lauren, I had a problem with the creation of the ticket because when I entered the Server IP that is in Home » Support » Support Center, I received a notification that the IP and ID did not match. So I changed the IP for the IP in the URL, and it worked. I don't know why I have different IPs... My Support Request ID is: 11603741 Thanks for your time and help!
Hi, how are you? No, my server is on Linode. I'm pretty sure it's because of a lack of RAM.
Hello @carolainn Thank you for opening the ticket, I'm watching it and I've linked it (internally) to this thread. When the issue is resolved I'll update this thread with the analyst's findings as well as how the issue was resolved. Thanks!
Hello, the problem was that I didn't have swap space. We added a swap file of 2 GB, and the issue was solved! Thank you so much!
Hello! I just want to say removing the multiple *.cld files allowed my clamd to restart as well. (I also did a full exim restart via WHM.) I do see in /var/log/messages there was one out of memory event yesterday and it killed clamd. I'm guessing that caused it to leave the extra files and then be unable to restart. Hopefully this is a one time event. It has been running a half hour or so with no failures. *knock on virtual wood* :) So thank you for the advice. I would not have realized to remove those files otherwise.
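The three conditions this thread turned up (a .cld file left beside its .cvd, the kernel OOM killer ending clamd, and a system with no swap) can be checked in one pass. The script below is an added example, not part of any post above and not cPanel's own tooling; the function names, the fixture and its log lines are constructed, and the default paths in `report` are the ones quoted in the thread.

```shell
# Added example: triage for a clamd that will not start (names are hypothetical).
# Names present as both NAME.cld and NAME.cvd in DIR, the condition behind
# the "Detected duplicate databases" warning.
find_duplicate_dbs() {
    for cld in "$1"/*.cld; do
        [ -e "$cld" ] || continue
        name=$(basename "$cld" .cld)
        if [ -e "$1/$name.cvd" ]; then echo "$name"; fi
    done
}

# Number of kernel OOM-killer "Killed process" lines in LOG that name PROC.
oom_kills_of() {
    grep -Ec "Killed process [0-9]+ \($2\)" "$1" || true
}

# SwapTotal in kB from a /proc/meminfo-format file; 0 means no swap.
swap_total_kb() {
    awk '$1 == "SwapTotal:" { print $2; f = 1 } END { if (!f) print 0 }' "$1"
}

# One line per finding. Defaults are the paths quoted in the thread.
report() {
    dbdir=${1:-/usr/local/cpanel/3rdparty/share/clamav}
    log=${2:-/var/log/messages}
    meminfo=${3:-/proc/meminfo}
    for name in $(find_duplicate_dbs "$dbdir"); do
        echo "duplicate database: $name.cld and $name.cvd"
    done
    echo "OOM kills of clamd in $log: $(oom_kills_of "$log" clamd)"
    echo "swap total: $(swap_total_kb "$meminfo") kB"
}

# Constructed fixture mirroring the thread: duplicate bytecode database,
# one OOM kill of clamd, no swap. All values below are made up.
make_fixture() {
    d=$(mktemp -d)
    touch "$d/bytecode.cld" "$d/bytecode.cvd" "$d/daily.cld" "$d/main.cvd"
    cat > "$d/messages" <<'EOF'
Feb 19 03:12:44 server kernel: Out of memory: Kill process 4242 (clamd) score 611 or sacrifice child
Feb 19 03:12:44 server kernel: Killed process 4242 (clamd) total-vm:1203456kB, anon-rss:702112kB, file-rss:0kB
Feb 19 03:13:01 server systemd: Started Session 12 of user root.
EOF
    printf 'MemTotal: 1882220 kB\nSwapTotal: 0 kB\n' > "$d/meminfo"
    echo "$d"
}
fx=$(make_fixture)
report "$fx" "$fx/messages" "$fx/meminfo"
rm -rf "$fx"
```

On a server, calling `report` with no arguments reads the live database directory, /var/log/messages and /proc/meminfo instead of the fixture.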