Just FYI, accepting the Debian clamav package maintainer’s clamd.conf file to replace the existing one, while updating from Debian 10.4 to 10.5, broke the ClamAV service:
# systemctl list-units --failed
UNIT LOAD ACTIVE SUB DESCRIPTION
● clamav-daemon.service loaded failed failed Clam AntiVirus userspace daemon
● logrotate.service loaded failed failed Rotate log files
Below are the clamd.conf diffs when updating from 0.102.2+dfsg-0+deb10u1 to 0.102.4+dfsg-0+deb10u1 (note: /tmp/clamd.conf-hestiacp is a copy of the file /etc/clamav/clamd.conf as created/modified by the Debian 10.4 + HestiaCP 1.2.0 default installation ~20 days ago).
I think nearly every service will fail or stop working as expected when you replace the configuration file with a default one. Just something you should do when advised or you know what you’re doing.
Well, I tried it on a test VM, so it was no big deal for me. I posted here as a PSA (Public Service Announcement) to help anyone else who might try it on a production system.
Anyway, the actual error in /var/log/clamav/clamav.log was “ERROR: LOCAL: Socket allocation error: Permission denied” (which should have read “LOCAL: Unix socket file /var/run/clamav/clamd.ctl”)
Sat Aug 1 15:01:38 2020 -> SelfCheck: Database status OK.
Sat Aug 1 16:01:38 2020 -> SelfCheck: Database status OK.
Sat Aug 1 17:01:38 2020 -> SelfCheck: Database status OK.
Sat Aug 1 18:01:38 2020 -> SelfCheck: Database status OK.
Sat Aug 1 19:01:37 2020 -> Reading databases from /var/lib/clamav
Sat Aug 1 19:01:48 2020 -> Database correctly reloaded (8318097 signatures)
Sat Aug 1 20:01:48 2020 -> SelfCheck: Database status OK.
Sat Aug 1 21:01:48 2020 -> SelfCheck: Database status OK.
Sat Aug 1 21:18:47 2020 -> Waiting for all threads to finish
Sat Aug 1 21:18:49 2020 -> Shutting down the main socket.
Sat Aug 1 21:18:49 2020 -> Pid file removed.
Sat Aug 1 21:18:49 2020 -> --- Stopped at Sat Aug 1 21:18:49 2020
Sat Aug 1 21:18:49 2020 -> Closing the main socket.
Sat Aug 1 21:18:49 2020 -> Socket file removed.
Sat Aug 1 21:18:49 2020 -> +++ Started at Sat Aug 1 21:18:49 2020
Sat Aug 1 21:18:49 2020 -> Received 0 file descriptor(s) from systemd.
Sat Aug 1 21:18:49 2020 -> clamd daemon 0.102.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Sat Aug 1 21:18:49 2020 -> Running as user clamav (UID 110, GID 114)
Sat Aug 1 21:18:49 2020 -> Log file size limited to 4294967295 bytes.
Sat Aug 1 21:18:49 2020 -> Reading databases from /var/lib/clamav
Sat Aug 1 21:18:49 2020 -> Not loading PUA signatures.
Sat Aug 1 21:18:49 2020 -> Bytecode: Security mode set to "TrustSigned".
Sat Aug 1 21:18:58 2020 -> Loaded 8318097 signatures.
Sat Aug 1 21:19:00 2020 -> ERROR: LOCAL: Socket allocation error: Permission denied
Sat Aug 1 21:19:00 2020 -> Closing the main socket.
I just re-examined the diff of the Debian maintainer’s new clamd.conf with HestiaCP’s clamd.conf, and looked up the missing directives in the docs, but couldn’t find any obvious issues. Here is the sorted diff:
So I re-copied the Debian maintainer’s new clamd.conf over HestiaCP’s clamd.conf and rebooted the system and strangely … this time the Debian maintainer’s new clamd.conf worked (for the initial test, I had just restarted the clamd service). And restarting clamd also works now (still with Debian’s new clamd.conf):
root@vm10:/etc/clamav# /etc/init.d/clamav-daemon restart
[ ok ] Restarting clamav-daemon (via systemctl): clamav-daemon.service.
root@vm10:/etc/clamav# systemctl status clamav-daemon.service
● clamav-daemon.service - Clam AntiVirus userspace daemon
Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/clamav-daemon.service.d
└─extend.conf
Active: active (running) since Sun 2020-08-02 02:33:11 EEST; 12s ago
Docs: man:clamd(8)
man:clamd.conf(5)
https://www.clamav.net/documents/
Process: 1650 ExecStartPre=/bin/mkdir /run/clamav (code=exited, status=1/FAILURE)
Process: 1651 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
Main PID: 1652 (clamd)
Tasks: 2 (limit: 4915)
Memory: 1.0G
CGroup: /system.slice/clamav-daemon.service
└─1652 /usr/sbin/clamd --foreground=true
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug 2 02:33:21 2020 -> Mail files support enabled.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug 2 02:33:21 2020 -> OLE2 support enabled.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug 2 02:33:21 2020 -> PDF support enabled.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug 2 02:33:21 2020 -> SWF support enabled.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug 2 02:33:21 2020 -> HTML support enabled.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug 2 02:33:21 2020 -> XMLDOCS support enabled.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug 2 02:33:21 2020 -> HWP3 support enabled.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug 2 02:33:21 2020 -> Self checking every 3600 seconds.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug 2 02:33:21 2020 -> *Listening daemon: PID: 1652
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug 2 02:33:21 2020 -> *MaxQueue set to: 100
root@vm10:/etc/clamav# ls -la /run/clamav/
total 4
drwxr-xr-x 2 clamav root 80 Aug 2 02:33 .
drwxr-xr-x 20 root root 640 Aug 2 02:19 ..
srw-rw-rw- 1 clamav clamav 0 Aug 2 02:33 clamd.ctl
-rw-rw-r-- 1 clamav clamav 5 Aug 2 02:33 clamd.pid
root@vm10:/etc/clamav#
I’ll probably look at it again tomorrow with a clearer head.
Finally, a question: Does anyone else’s HestiaCP server have a file clamd.conf.ucf-old in /etc/clamav with the same date/time, size and md5sum as hestia’s clamd.conf? (the timestamp was when the system was created 20 days ago)
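Added example, not part of any post in this thread: one way to do the "sorted diff" comparison described above at the directive level, so that comment and ordering changes drop out and the directives that govern the clamd socket stand out before the maintainer's file is accepted. The function names and both sample files are constructed for illustration; the directive names are standard clamd.conf options.

```shell
#!/bin/sh
# Added example: directive-level comparison of two clamd.conf files (sample values are constructed).

# Print the active directives of a clamd.conf, one "Name value" per line,
# without comments or blank lines, whitespace collapsed, sorted.
normalize() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' |
        grep -v '^$' | LC_ALL=C sort
}

# "- line" = only in the first file, "+ line" = only in the second.
conf_diff() {
    cd_a=$(mktemp) && cd_b=$(mktemp) || return 1
    normalize "$1" >"$cd_a"
    normalize "$2" >"$cd_b"
    LC_ALL=C comm -23 "$cd_a" "$cd_b" | sed 's/^/- /'
    LC_ALL=C comm -13 "$cd_a" "$cd_b" | sed 's/^/+ /'
    rm -f "$cd_a" "$cd_b"
}

# Keep only the differences that decide who may create and open the socket.
socket_changes() {
    conf_diff "$1" "$2" |
        grep -E '^[-+] (User|LocalSocket|LocalSocketGroup|LocalSocketMode|FixStaleSocket) ' || true
}

# Write two constructed sample files into directory $1.
make_samples() {
    cat >"$1/local.conf" <<'EOF'
# constructed sample: locally modified file
LocalSocket /var/run/clamav/clamd.ctl
LocalSocketGroup   clamav
LocalSocketMode 666
User clamav
EOF
    cat >"$1/maintainer.conf" <<'EOF'
# constructed sample: package maintainer's version
User clamav
LocalSocket /var/run/clamav/clamd.ctl
LocalSocketMode 660
LogTime true
EOF
}

demo_dir=$(mktemp -d) && make_samples "$demo_dir"
socket_changes "$demo_dir/local.conf" "$demo_dir/maintainer.conf"
rm -rf "$demo_dir"
```

On a real system the two arguments would be the current /etc/clamav/clamd.conf and the candidate file offered at the upgrade prompt; an empty result from `socket_changes` means the socket-related directives are identical.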