There are altered RPMs - cpanel-clamav-virusdefs

BlueSteam

August 21, 2021 01:46

Hi All, I just got this email this morning. [QUOTE]

[check_cpanel_rpms] There are altered RPMs on "#######".

The system detected problems with the following cPanel-provided files that the RPM controls:

RPM	Status	Additional Information
cpanel-clamav-virusdefs,0.101.5,5.cp1198-/usr/local/cpanel/3rdparty/share/clamav/.first-install/bytecode.cld.xz	Broken	.....UG..
cpanel-clamav-virusdefs,0.101.5,5.cp1198-/usr/local/cpanel/3rdparty/share/clamav/.first-install/daily.cld.xz	Broken	.....UG..
cpanel-clamav-virusdefs,0.101.5,5.cp1198-/usr/local/cpanel/3rdparty/share/clamav/.first-install/main.cld.xz	Broken	.....UG..

If you did not make these changes intentionally, execute the following command as the root user to correct them:

/usr/local/cpanel/scripts/check_cpanel_rpms --fix

This notice is the result of a request from "rpmcheck". The system generated this notice on Saturday, August 21, 2021 at 12:14:31 AM UTC. "Altered RPMs Check" notifications are currently configured to have an importance of "High". You can change the importance or disable this type of notification in WHM"s Contact Manager at:

Comments

12 comments

mtindor

August 21, 2021 11:24
I got this notice on my Almalinux 8 cPanel box this morning. May be specific to AlmaLinux / CentOS 8 / RHEL 8
0
mtindor

August 21, 2021 11:31
I did as it said and ran: /usr/local/cpanel/scripts/check_cpanel_rpms --fix Seems to have "fixed" it. [2021-08-21 07:27:14 -0400] The following files were found to be altered from their original RPM: [2021-08-21 07:27:14 -0400] cpanel-clamav-virusdefs,0.101.5,5.cp1198 [2021-08-21 07:27:14 -0400] [2021-08-21 07:27:14 -0400] Removing 1 broken rpms: cpanel-clamav-virusdefs-0.101.5-5.cp1198.x86_64 [2021-08-21 07:27:14 -0400] Maximum sync children set to 16 based on 24469M available memory. [2021-08-21 07:27:14 -0400] Downloading [2021-08-21 07:27:44 -0400] Disabling service monitoring. [2021-08-21 07:27:44 -0400] Hooks system enabled. [2021-08-21 07:27:44 -0400] Checking for and running RPM::Versions 'pre' hooks for any Packages about to be installed [2021-08-21 07:27:44 -0400] All required 'pre' hooks have been run [2021-08-21 07:27:44 -0400] No packages need to be uninstalled [2021-08-21 07:27:44 -0400] Installing new rpms: cpanel-clamav-virusdefs-0.101.5-5.cp1198.x86_64.rpm [2021-08-21 07:27:44 -0400] Verifying packages... [2021-08-21 07:27:45 -0400] Preparing packages... [2021-08-21 07:27:45 -0400] cpanel-clamav-virusdefs-0.101.5-5.cp1198.x86_64 [2021-08-21 07:27:47 -0400] Hooks system enabled. [2021-08-21 07:27:47 -0400] Checking for and running RPM::Versions 'post' hooks for any Packages about to be installed [2021-08-21 07:27:47 -0400] All required 'post' hooks have been run [2021-08-21 07:27:47 -0400] Restoring service monitoring.
0
BlueSteam

August 21, 2021 11:40
I'm also running Alma What I am concerned about by doing this is that it might overwrite the latest virus definitions by putting back the old ones. Anyone who is a cPanel guru able to confirm this?
0
BlueSteam

August 22, 2021 05:58
@mtindor I got this notice again today. Did you get it as well after running the command yesterday? I didn't run it yesterday so I'm wondering if your choice to run it has fixed the problem for good.
0
mtindor

August 22, 2021 10:17
@mtindor I got this notice again today. Did you get it as well after running the command yesterday? I didn't run it yesterday so I'm wondering if your choice to run it has fixed the problem for good.

Mine is working fine. No more warnings. I ran the command yesterday like I said I did and moved on. It's just clamav defs. Mike
0
BlueSteam

August 22, 2021 10:38
yh you say it's fine and it's just the clamav defs but by running the command, doesn't it REVERT the definitions? surely we want the LATEST definitions??
0
cPRex Jurassic Moderator

August 23, 2021 13:00
@mtindor - from the output provided in this thread, it seems to be downloading the same version that the RPM check complained about. @BlueSteam - It would not perform a downgrade with any yum or rpmcheck commands unless it was specifically told to do so.
0
BlueSteam

August 23, 2021 13:15
So then I assume it is safe to run the commands advised in the alert notification? I think the better question then is why has it changed at all? hmm...
0
cPRex Jurassic Moderator

August 23, 2021 14:03
It's just a standard warning that gets sent out - we see a change, we send the notification, and we leave it up to the admin to decide if it's an issue. In this case, it's just normal updates happening. You can find more details on this here:
0
mtindor

August 23, 2021 14:04
@mtindor - from the output provided in this thread, it seems to be downloading the same version that the RPM check complained about. @BlueSteam - It would not perform a downgrade with any yum or rpmcheck commands unless it was specifically told to do so.

I'm not the one questioning it, Rex.
0
cPRex Jurassic Moderator

August 23, 2021 14:04
Tight, I just wanted to tag you both so you saw it.
0
BlueSteam

August 23, 2021 14:21
It's just a standard warning that gets sent out - we see a change, we send the notification, and we leave it up to the admin to decide if it's an issue. In this case, it's just normal updates happening. You can find more details on this here:
0

Please sign in to leave a comment.

Comments

Didn't find what you were looking for?