clamd failing. Bad update?

sozotech

• November 16, 2015 12:18

I am seeing clamd trying to restart on all of our servers and am getting the following error message. Starting clamd: LibClamAV Error: cli_loadhash: Problem parsing database at line 1 LibClamAV Error: Can't load /usr/local/cpanel/3rdparty/share/clamav/honeynet.hdb: Malformed database LibClamAV Error: cli_loaddbdir(): error loading database /usr/local/cpanel/3rdparty/share/clamav/honeynet.hdb ERROR: Malformed database Running freshclam doesn't seem to pull down a good database. Any ideas how to get clamd back up and running?

• 

  mobboss

  • November 16, 2015 19:34

  I have been getting this as well. LibClamAV Error: cli_loadhash: Problem parsing database at line 1 LibClamAV Error: Can't load /usr/local/cpanel/3rdparty/share/clamav/securiteinfooffice.hdb: Malformed database LibClamAV Error: cli_loaddbdir(): error loading database /usr/local/cpanel/3rdparty/share/clamav/securiteinfooffice.hdb ERROR: Malformed database clamd has failed. Contact your system administrator if the service does not automagically recover.

  0
• 

  supporto

  • November 17, 2015 07:29

  same issue LibClamAV Error: cli_loadhash: Problem parsing database at line 1 LibClamAV Error: Can't load /usr/local/cpanel/3rdparty/share/clamav/securiteinfoelf.hdb: Malformed database LibClamAV Error: cli_loaddbdir(): error loading database /usr/local/cpanel/3rdparty/share/clamav/securiteinfoelf.hdb ERROR: Malformed database clamd has failed. Contact your system administrator if the service does not automagically recover.

  0
• 

  tm2004

  • November 17, 2015 11:31

  Same here, started a few days ago. Any ideas?
  root@srv3006 [/]# /scripts/restartsrv_clamd Waiting for "clamd" to start "" "failed. Service Error The "clamd" service failed to start. Startup Log LibClamAV Error: cli_loadhash: Problem parsing database at line 1 LibClamAV Error: Can't load /usr/local/cpanel/3rdparty/share/clamav/securiteinfoelf.hdb: Malformed database LibClamAV Error: cli_loaddbdir(): error loading database /usr/local/cpanel/3rdparty/share/clamav/securiteinfoelf.hdb ERROR: Malformed database clamd has failed. Contact your system administrator if the service does not automagically recover.
  

  0
• 

  sozotech

  • November 17, 2015 11:46

  I assume we probably need to open a ticket. I will do so now and see what cPanel has to say. Eric

  0
• 

  sozotech

  • November 17, 2015 12:00

  My ticket id is 7386817. Eric

  0
• 

  tm2004

  • November 17, 2015 12:36

  Hmm, this is the contents of /usr/local/cpanel/3rdparty/share/clamav/securiteinfohtml.hdb after a fresh cPanel update to 11.52 (23)
  clamav.securiteinfo.com/securiteinfoelf.hdb has been removed New up-to-date signatures are available for download Please see the following link for more information : https://www.securiteinfo.com/services/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
  

  0
• 

  sozotech

  • November 17, 2015 12:50

  Sounds like this database just needs to be removed from clamav? How do you do that? Eric

  0
• 

  tm2004

  • November 17, 2015 12:56

  Something needs to be changed.. there is another set of files here: /usr/share/clamav/ When I run FRESHCLAM I get this:
  Using username "root". Last login: Tue Nov 17 05:49:54 2015 root@srv3006 [~]# freshclam ClamAV update process started at Tue Nov 17 05:53:30 2015 main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo) daily.cld is up to date (version: 21062, sigs: 1687373, f-level: 63, builder: neo) bytecode.cld is up to date (version: 270, sigs: 46, f-level: 63, builder: shurley) root@srv3006 [~]#
  

  0
• 

  sozotech

  • November 17, 2015 14:13

  I got a the following response back from cPanel. "The following databases are no longer used and weren't able to be loaded by ClamAv. They were located in /usr/local/cpanel/3rdparty/share/clamav and have been moved to /root/cpanelzone" The following commands should work to move these DB's out of the way and get clamav started again.
  mkdir /root/cpanelzone/ cd /usr/local/cpanel/3rdparty/share/clamav mv honeynet.hdb /root/cpanelzone/ mv securiteinfobat.hdb /root/cpanelzone/ mv securiteinfodos.hdb /root/cpanelzone/ mv securiteinfoelf.hdb /root/cpanelzone/ mv securiteinfohtml.hdb /root/cpanelzone/ mv securiteinfooffice.hdb /root/cpanelzone/ mv securiteinfopdf.hdb /root/cpanelzone/ mv securiteinfosh.hdb /root/cpanelzone/ service exim restart
  Not sure why their update script did not remove these when they stopped supporting them. Best regards, Eric

  0
• 

  tm2004

  • November 17, 2015 21:37

  Thanks for the details from cPanel. Crazy thing for me... about an hour after I upgraded to 11.52 (and finally gave up making it work), I get a system email that the dang thing restarted and has been working all afternoon. Maybe a cached config file somewhere?? Who knows but a FORCED UPCP eventually worked for us.

  0
• 

  cPanelMichael

  • November 18, 2015 20:08

  Hello :) Were these databases manually implemented at some point? I can't reproduce their existence on a fresh installation, and I see no previous references to them. Thank you.

  0
• 

  Sanesecurity

  • November 24, 2015 13:49

  Securiteinfo changed their database location and setup a while back. [Removed] The above script is kept up-to-date with the various new databases, such as badmacro.ndb, foxhole_filename.cdb and foxhole_generic.cdb etc. Hope that helps, Steve

  0

Please sign in to leave a comment.