ClamAV installed in different path
Hi.
We just had an issue where freshclam would run for an hour with high CPU usage on most servers - except for 2.
I read that killing freshclam, deleting daily.cld and starting freshclam again would solve the issue.
When running killall /usr/bin/freshclam, two of our servers said the file didn't exist. I rechecked that ClamAV had been installed in cPanel, and it was installed on both servers. I tried reinstalling it, but that didn't help. It seems like ClamAV is installed in /usr/local/cpanel/3rdparty/bin/ instead of /usr/bin/.
[root@server11 ~]# locate freshclam
/usr/local/cpanel/3rdparty/bin/freshclam
/usr/local/cpanel/3rdparty/etc/freshclam.conf
/usr/local/cpanel/3rdparty/share/man/man1/freshclam.1
/usr/local/cpanel/3rdparty/share/man/man5/freshclam.conf.5
I did check that /usr/local/cpanel/3rdparty/bin/freshclam also existed on the other servers, and it did, so it seems to have existed in two places. /usr/bin/freshclam is not a symlink of /usr/local/cpanel/3rdparty/bin/freshclam on those servers. Are we missing out on anything or is this expected behaviour?
-
I've seen this happen when clamav was installed from the epel repo in addition to cPanel's. What is the output of rpm -qa|grep clam 0 -
I just tried running freshclam again, and it gets stuck once again after downloading the update:
[root@server11 ~]# /usr/local/cpanel/3rdparty/bin/freshclam
ClamAV update process started at Wed Mar 6 13:45:17 2019
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.2 Recommended version: 0.101.1
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily-25380.cdiff [100%]
Any idea why this happens? 0 -
I've seen this happen when clamav was installed from the epel repo in addition to cPanel's. What is the output of rpm -qa|grep clam
[root@server11 ~]# rpm -qa|grep clam
cpanel-clamav-virusdefs-0.100.2-1.cp1170.x86_64
clamav-0.100.2-2.el7.x86_64
clamav-filesystem-0.100.2-2.el7.noarch
cpanel-clamav-0.100.2-1.cp1170.x86_64
clamav-lib-0.100.2-2.el7.x86_64
clamav-data-0.100.2-2.el7.noarch
0 -
I would remove the cpanel plugin for clamav. Then remove via yum the extra clamav packages that rpm -qa still shows installed. Then reinstall the clamav plugin. 0 -
I see that the problem with the update might be a ClamAV issue and not a local issue: Mailing List Archive: Problem with freshclam updating daily-25380.cdiff
I've now uninstalled the cPanel plugin and removed all remaining packages, then reinstalled the cPanel plugin. That didn't solve the issue. Doing yum install clamav did seem to have fixed the issue. I just hope it didn't break anything! 0 -
If you ran yum install clamav after installing the cpanel plugin, you are back to having two copies of clam installed which isn't necessary. 0 -
Alright. But why are the clamav packages installed by default then? And doesn't imunify-antivirus use this clamav installation? I think the issue with freshclam has been fixed. freshclam downloaded a daily.cld (not cvd as normally). Deleting /usr/local/cpanel/3rdparty/share/clamav/daily.cld and then running freshclam again fixes the issue as it downloads the daily.cvd. 0 -
The clamav packages come from epel and a cpanel installation does not install them. Perhaps your server provider did that, but generally epel is not even enabled on a fresh minimal centos install. 0 -
The clamav packages that are supplied by cPanel are as follows:
# rpm -qa |grep clamav
cpanel-clamav-0.100.2-1.cp1170.x86_64
cpanel-clamav-virusdefs-0.100.2-1.cp1170.x86_64
Anything beyond that is not something we provide or can support. I DO have another thread where cpanel-clamav seems to be using an abnormal amount of resources which you can follow along with here: I'll be posting updates in that thread as well. Thanks! 0 -
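An added example, not written by any poster in this thread or by cPanel: a shell check that applies the rule stated above (only cpanel-clamav and cpanel-clamav-virusdefs come from cPanel) to `rpm -qa` output and lists any second ClamAV install. The function names are hypothetical; the sample input is the server11 output posted earlier in the thread.

```shell
#!/bin/sh
# Added example: separate cPanel-supplied ClamAV RPMs from any other copy.
# Input on stdin: `rpm -qa` output, one package per line.

# True for the two package names cPanel staff list in this thread.
is_cpanel_pkg() {
    case "$1" in
        cpanel-clamav-virusdefs-*|cpanel-clamav-[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every clam* package that is not one of the cPanel-supplied ones.
foreign_clamav_pkgs() {
    while IFS= read -r pkg; do
        case "$pkg" in
            *clam*) is_cpanel_pkg "$pkg" || printf '%s\n' "$pkg" ;;
        esac
    done
}

# Return 0 when only cPanel packages are present, 1 when a second copy exists.
audit_clamav() {
    foreign=$(foreign_clamav_pkgs)
    if [ -n "$foreign" ]; then
        printf 'Non-cPanel ClamAV packages (second install):\n%s\n' "$foreign"
        return 1
    fi
    printf 'Only cPanel-supplied ClamAV packages found.\n'
}

# Sample input: the rpm -qa output posted for server11 in this thread.
SAMPLE_RPMS='cpanel-clamav-virusdefs-0.100.2-1.cp1170.x86_64
clamav-0.100.2-2.el7.x86_64
clamav-filesystem-0.100.2-2.el7.noarch
cpanel-clamav-0.100.2-1.cp1170.x86_64
clamav-lib-0.100.2-2.el7.x86_64
clamav-data-0.100.2-2.el7.noarch'

# Demo on the sample; on a live server use: rpm -qa | audit_clamav
printf '%s\n' "$SAMPLE_RPMS" | audit_clamav || true
```

The non-zero return status makes the check usable from cron or a monitoring probe.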
Hi. Seems I have the same issue on many of our VPS servers. Quite strange. Only started happening yesterday when we noticed our monitoring showing high cpu on the nodes. Then when we checked we found tons of VPS servers with high load, here is one node's top -c results:
577480 1000 20 0 91072 29m 476 R 96.8 0.0 66:04.22 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577683 1000 20 0 94052 31m 592 R 96.8 0.0 80:55.36 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577688 1000 20 0 95376 34m 1448 R 96.0 0.1 84:26.40 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577652 1000 20 0 93224 31m 896 R 95.7 0.0 74:43.08 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
784698 32010 20 0 82448 23m 2472 R 94.0 0.0 31:12.03 /usr/local/cpanel/3rdparty/bin/freshclam --quiet -l /var/log/clam-update.log
577675 1000 20 0 97.9m 39m 1340 R 93.4 0.1 73:00.08 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577625 1000 20 0 102m 43m 924 R 92.9 0.1 79:25.78 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577659 1000 20 0 103m 43m 728 R 88.1 0.1 87:05.26 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577471 1000 20 0 94452 32m 1272 R 87.3 0.1 89:13.13 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577660 1000 20 0 105m 45m 720 R 86.7 0.1 87:44.21 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577474 1000 20 0 97.8m 38m 1124 R 85.0 0.1 86:54.61 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577654 1000 20 0 99.6m 39m 860 R 83.3 0.1 86:32.79 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577526 1000 20 0 101m 42m 1016 R 82.2 0.1 79:58.22 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577487 1000 20 0 83824 21m 824 R 74.4 0.0 32:53.38 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577680 1000 20 0 105m 42m 772 R 62.6 0.1 75:09.41 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577594 1000 20 0 102m 43m 1676 R 61.7 0.1 68:44.54 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577618 1000 20 0 92792 29m 172 R 53.6 0.0 64:13.09 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577540 1000 20 0 95508 34m 784 R 50.2 0.1 64:28.00 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
577603 1000 20 0 87860 25m 908 R 48.0 0.0 57:27.63 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
Very weird as these servers have been running fine for years. Here is one VPS server's results:
root@vps01 [/]# /usr/local/cpanel/3rdparty/bin/freshclam -v
Current working dir is /usr/local/cpanel/3rdparty/share/clamav
Max retries == 3
ClamAV update process started at Thu Mar 7 03:48:03 2019
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1351
Software version from DNS: 0.101.1
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.2 Recommended version: 0.101.1
DON'T PANIC! Read ClamavNet
main.cvd version from DNS: 58
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cvd version from DNS: 25380
Retrieving (IP: 104.16.218.84)
Downloading daily-25379.cdiff [100%]
cdiff_apply: Parsed 1225 lines and executed 1225 commands
Retrieving (IP: 104.16.218.84)
Downloading daily-25380.cdiff [100%]
I'll continue to investigate myself though. 0 -
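An added example, not part of the post above: a shell filter that reads `top -c` process lines like those just shown and reports freshclam processes whose accumulated CPU time passes a threshold, so a node can alert on a stuck update. The function names are hypothetical, and it assumes the TIME+ column is in top's default MM:SS.hh form.

```shell
#!/bin/sh
# Added example: flag freshclam processes that have burned a lot of CPU time.

# long_running_freshclam MIN_MINUTES
# stdin:  process lines from `top -b -n 1 -c`
#         (PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND)
# stdout: "PID USER CPU_MINUTES" for each freshclam at or above MIN_MINUTES.
long_running_freshclam() {
    awk -v min="$1" '
        $1 ~ /^[0-9]+$/ && $12 ~ /(^|\/)freshclam$/ {
            split($11, t, ":")          # t[1] = whole minutes of CPU time
            if (t[1] + 0 >= min + 0) print $1, $2, t[1] + 0
        }'
}

# check_freshclam MIN_MINUTES: list offenders and return 1 if any exist.
check_freshclam() {
    hits=$(long_running_freshclam "$1")
    [ -z "$hits" ] && return 0
    printf 'freshclam over %s CPU minutes:\n%s\n' "$1" "$hits"
    return 1
}

# Three lines copied from the top -c output in this thread, plus one
# constructed non-freshclam line (PID 4242) to show that it is ignored.
SAMPLE_TOP='577480 1000 20 0 91072 29m 476 R 96.8 0.0 66:04.22 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
784698 32010 20 0 82448 23m 2472 R 94.0 0.0 31:12.03 /usr/local/cpanel/3rdparty/bin/freshclam --quiet -l /var/log/clam-update.log
577487 1000 20 0 83824 21m 824 R 74.4 0.0 32:53.38 /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
4242 root 20 0 10000 5m 400 S 0.3 0.0 99:00.00 /usr/sbin/sshd -D'

# Demo on the sample; on a live node use: top -b -n 1 -c | check_freshclam 60
printf '%s\n' "$SAMPLE_TOP" | check_freshclam 60 || true
```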
Just wanted to add that the same issue is happening on all our servers that just started an update.
ClamAV update process started at Wed Mar 6 20:32:22 2019
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.2 Recommended version: 0.101.1
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily-25380.cdiff [100%]
I am probably going to delay the updates for our other servers. Any recommendations thus far? Could this just be a large database update that is taking a long time to parse? I found this fix on another site, haven't tried it yet: Bug#923867: Same when running from the command line 0 -
It took an hour or more on each server but it finally completed. Looks like it is just a large DB update that takes a while to finish.
ClamAV update process started at Wed Mar 6 20:30:38 2019
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.2 Recommended version: 0.101.1
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily-25380.cdiff [100%]
daily.cld updated (version: 25380, sigs: 1503528, f-level: 63, builder: raynman)
bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
Database updated (6069871 signatures) from database.clamav.net (IP: 104.16.219.84)
0 -
What we've been finding in tickets internally is that the virus database update is what's causing this. The update is really intensive but it shouldn't be causing constant issues unless the server is running out of memory when ClamAV is loading definitions while scanning; this may not be able to be avoided. 0