ClamAV conf changes today, when updating from Debian 10.4 to 10.5

Just FYI, accepting the Debian clamav package maintainer’s clamd.conf file to replace the existing one, while updating from Debian 10.4 to 10.5, broke the ClamAV service:

# systemctl list-units --failed
  UNIT                          LOAD   ACTIVE SUB    DESCRIPTION                     
● clamav-daemon.service         loaded failed failed Clam AntiVirus userspace daemon 
● logrotate.service             loaded failed failed Rotate log files                

Below are the clamd.conf diffs when updating from 0.102.2+dfsg-0+deb10u1 to 0.102.4+dfsg-0+deb10u1 (note: /tmp/clamd.conf-hestiacp is a copy of the file /etc/clamav/clamd.conf as created/modified by the Debian 10.4 + HestiaCP 1.2.0 default installation ~20 days ago).

root@vm10:~# diff /etc/clamav/clamd.conf /tmp/clamd.conf-hestiacp 
1,3c1,3
< #Automatically Generated by clamav-daemon postinst
< #To reconfigure clamd run #dpkg-reconfigure clamav-daemon
< #Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
---
> #Automatically Generated by clamav-base postinst
> #To reconfigure clamd run #dpkg-reconfigure clamav-base
> #Please read /usr/share/doc/clamav-base/README.Debian.gz for details
10a11
> # AllowSupplementaryGroups true
21d21
< LogRotate true
25,26c25
< PreludeEnable no
< PreludeAnalyzerName ClamAV
---
> PidFile /var/run/clamav/clamd.pid
28d26
< OfficialDatabaseOnly false
33d30
< MaxEmbeddedPE 10M
35d31
< ScanPDF true
37,41d32
< MaxHTMLNormalize 10M
< MaxHTMLNoTags 2M
< MaxScriptNormalize 5M
< MaxZipTypeRcg 1M
< ScanSWF true
47d37
< CrossFilesystems true
52d41
< PartitionIntersection false
62,78d50
< AllowAllMatchScan true
< ForceToDisk false
< DisableCertCheck false
< DisableCache false
< MaxScanTime 120000
< MaxScanSize 100M
< MaxFileSize 25M
< MaxRecursion 16
< MaxFiles 10000
< MaxPartitions 50
< MaxIconsPE 100
< PCREMatchLimit 10000
< PCRERecMatchLimit 5000
< PCREMaxFileSize 25M
< ScanXMLDOCS true
< ScanHWP3 true
< MaxRecHWP3 16
87,88c59,60
< PidFile /var/run/clamav/clamd.pid
< OnAccessMaxFileSize 5M
---
> OfficialDatabaseOnly false
> CrossFilesystems true
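Review bot: none of the hunks touch the directives that decide where and how clamd creates its socket (LocalSocket, LocalSocketGroup, LocalSocketMode, FixStaleSocket, User), so this diff cannot by itself explain a "Socket allocation error: Permission denied"; the one socket-adjacent line, `PidFile /var/run/clamav/clamd.pid` in the `87,88c59,60` hunk, is only relocated and keeps the same value, and `# AllowSupplementaryGroups true` on the HestiaCP side is commented out, so it has no effect either way. Every other `<` line is an explicit scan limit or feature toggle that the maintainer's file spells out and the HestiaCP copy leaves at its default (LogRotate, the Max* limits, ScanPDF/ScanSWF/ScanXMLDOCS/ScanHWP3, the PCRE limits), which changes scanning behaviour, not bind permissions. The cause is better looked for in the runtime state at restart time (ownership and mode of the socket directory, and whether systemd passed a socket descriptor) than in these hunks.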
root@vm10:~#

PS: After reverting to the previous clamd.conf and restarting, both services started fine.
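The comparison the post above does by hand (a textual diff, then a sorted diff) is easier to read as a comparison by directive, ignoring comment lines and order, with the handful of directives that govern the socket and the daemon's identity called out separately. The script below is an added example and is not code from the thread, HestiaCP, Debian or ClamAV. The two configurations in it are constructed for the example, modelled on the diff above (the HestiaCP-style file with few explicit directives, the maintainer-style file with explicit limits and toggles); the socket directives are the Debian-style defaults, consistent with the srw-rw-rw- socket seen later in the thread. The directive names are real clamd.conf directives; the set chosen as "socket/privilege-relevant" is the author's own selection.

```python
"""Compare two clamd.conf files directive by directive.

Added example (not code from the forum thread, HestiaCP, Debian or ClamAV).
Assumes clamd.conf's line format: "Directive value", '#' comments, and
directives that may legitimately repeat (ExtraDatabase, OnAccessIncludePath).
The two configurations below are constructed for this example, modelled on
the diff in the thread; the socket directives are Debian-style defaults.
"""
from collections import defaultdict

# Directives that decide where clamd listens and with which identity/paths.
# A change here is the kind that can turn into "Socket allocation error".
# The selection is this example's own, not a ClamAV-defined list.
SOCKET_AND_PRIV_DIRECTIVES = {
    "LocalSocket", "LocalSocketGroup", "LocalSocketMode", "FixStaleSocket",
    "TCPSocket", "TCPAddr", "User", "PidFile", "TemporaryDirectory",
}

# Constructed: HestiaCP-style file (few explicit directives).
OLD_HESTIACP = """\
#Automatically Generated by clamav-base postinst
# AllowSupplementaryGroups true
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
User clamav
PidFile /var/run/clamav/clamd.pid
OfficialDatabaseOnly false
CrossFilesystems true
ScanMail true
"""

# Constructed: Debian maintainer-style file (explicit limits and toggles).
NEW_MAINTAINER = """\
#Automatically Generated by clamav-daemon postinst
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
User clamav
LogRotate true
OfficialDatabaseOnly false
ScanPDF true
CrossFilesystems true
MaxScanTime 120000
MaxFileSize 25M
PidFile /var/run/clamav/clamd.pid
ScanMail true
"""


def parse_clamd_conf(text):
    """Map each directive to the list of values it was given, in file order.

    Comments, blank lines and directive order are ignored, which is exactly
    what a textual diff of the two files does not do.
    """
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]].append(parts[1].strip() if len(parts) > 1 else "")
    return dict(conf)


def compare_confs(old_text, new_text):
    """Return which directives were removed, added, or given different values."""
    old, new = parse_clamd_conf(old_text), parse_clamd_conf(new_text)
    return {
        "removed": {k: v for k, v in old.items() if k not in new},
        "added": {k: v for k, v in new.items() if k not in old},
        "changed": {k: (old[k], new[k]) for k in old
                    if k in new and sorted(old[k]) != sorted(new[k])},
    }


def risky_changes(report):
    """Only the part of a report that touches socket/privilege directives."""
    risky = {}
    for kind, entries in report.items():
        hits = {k: v for k, v in entries.items() if k in SOCKET_AND_PRIV_DIRECTIVES}
        if hits:
            risky[kind] = hits
    return risky


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:           # real files: old.conf new.conf
        old_text, new_text = (open(p).read() for p in sys.argv[1:3])
    else:                            # no arguments: the constructed samples
        old_text, new_text = OLD_HESTIACP, NEW_MAINTAINER
    report = compare_confs(old_text, new_text)
    for kind in ("removed", "added", "changed"):
        for key, value in sorted(report[kind].items()):
            print("%-8s %s %s" % (kind, key, value))
    print("socket/privilege-relevant:", risky_changes(report) or "none")
```

Run as `python3 clamd_conf_diff.py /etc/clamav/clamd.conf.ucf-old /etc/clamav/clamd.conf` (script name and file roles assumed) to compare a ucf backup with the live file. On the constructed samples the report is four added directives, nothing removed or changed, and an empty socket/privilege section, which is the same conclusion the sorted diff in the thread leads to: the maintainer's file only makes defaults explicit and cannot by itself change who may bind the socket.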

I think nearly every service will fail or stop working as expected when you replace the configuration file with a default one. Just something you should do when advised or when you know what you’re doing :slight_smile:.


Well, I tried it on test VM, so it was no big deal for me. I posted here as a PSA (Public Service Announcement) to help anyone else who might try it on a production system.

Anyway, the actual error in /var/log/clamav/clamav.log was “ERROR: LOCAL: Socket allocation error: Permission denied” (which should have read “LOCAL: Unix socket file /var/run/clamav/clamd.ctl”)

Sat Aug  1 15:01:38 2020 -> SelfCheck: Database status OK.
Sat Aug  1 16:01:38 2020 -> SelfCheck: Database status OK.
Sat Aug  1 17:01:38 2020 -> SelfCheck: Database status OK.
Sat Aug  1 18:01:38 2020 -> SelfCheck: Database status OK.
Sat Aug  1 19:01:37 2020 -> Reading databases from /var/lib/clamav
Sat Aug  1 19:01:48 2020 -> Database correctly reloaded (8318097 signatures)
Sat Aug  1 20:01:48 2020 -> SelfCheck: Database status OK.
Sat Aug  1 21:01:48 2020 -> SelfCheck: Database status OK.
Sat Aug  1 21:18:47 2020 -> Waiting for all threads to finish
Sat Aug  1 21:18:49 2020 -> Shutting down the main socket.
Sat Aug  1 21:18:49 2020 -> Pid file removed.
Sat Aug  1 21:18:49 2020 -> --- Stopped at Sat Aug  1 21:18:49 2020
Sat Aug  1 21:18:49 2020 -> Closing the main socket.
Sat Aug  1 21:18:49 2020 -> Socket file removed.
Sat Aug  1 21:18:49 2020 -> +++ Started at Sat Aug  1 21:18:49 2020
Sat Aug  1 21:18:49 2020 -> Received 0 file descriptor(s) from systemd.
Sat Aug  1 21:18:49 2020 -> clamd daemon 0.102.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Sat Aug  1 21:18:49 2020 -> Running as user clamav (UID 110, GID 114)
Sat Aug  1 21:18:49 2020 -> Log file size limited to 4294967295 bytes.
Sat Aug  1 21:18:49 2020 -> Reading databases from /var/lib/clamav
Sat Aug  1 21:18:49 2020 -> Not loading PUA signatures.
Sat Aug  1 21:18:49 2020 -> Bytecode: Security mode set to "TrustSigned".
Sat Aug  1 21:18:58 2020 -> Loaded 8318097 signatures.
Sat Aug  1 21:19:00 2020 -> ERROR: LOCAL: Socket allocation error: Permission denied
Sat Aug  1 21:19:00 2020 -> Closing the main socket.

I just re-examined the diff of Debian maintainer’s new clamd.conf with the HestiaCP’s clamd.conf, and looked up the missing directives in the docs, but couldn’t find any obvious issues. Here is the sorted diff:

# diff /tmp/clamd.conf-*
0a1
> # AllowSupplementaryGroups true
3,5c4,6
< #Automatically Generated by clamav-daemon postinst
< #Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
< #To reconfigure clamd run #dpkg-reconfigure clamav-daemon
---
> #Automatically Generated by clamav-base postinst
> #Please read /usr/share/doc/clamav-base/README.Debian.gz for details
> #To reconfigure clamd run #dpkg-reconfigure clamav-base
7d7
< AllowAllMatchScan true
17,18d16
< DisableCache false
< DisableCertCheck false
24d21
< ForceToDisk false
37d33
< LogRotate true
43,49d38
< MaxEmbeddedPE 10M
< MaxFileSize 25M
< MaxFiles 10000
< MaxHTMLNoTags 2M
< MaxHTMLNormalize 10M
< MaxIconsPE 100
< MaxPartitions 50
51,55d39
< MaxRecHWP3 16
< MaxRecursion 16
< MaxScanSize 100M
< MaxScanTime 120000
< MaxScriptNormalize 5M
57d40
< MaxZipTypeRcg 1M
60,64d42
< OnAccessMaxFileSize 5M
< PCREMatchLimit 10000
< PCREMaxFileSize 25M
< PCRERecMatchLimit 5000
< PartitionIntersection false
70,71d47
< PreludeAnalyzerName ClamAV
< PreludeEnable no
76d51
< ScanHWP3 true
79d53
< ScanPDF true
82,83d55
< ScanSWF true
< ScanXMLDOCS true
#

So I re-copied the Debian maintainer’s new clamd.conf over HestiaCP’s clamd.conf and rebooted the system, and strangely … this time the Debian maintainer’s new clamd.conf worked (for the initial test, I had just restarted the clamd service). Restarting clamd also works now (still with Debian’s new clamd.conf):

root@vm10:/etc/clamav# /etc/init.d/clamav-daemon restart
[ ok ] Restarting clamav-daemon (via systemctl): clamav-daemon.service.
root@vm10:/etc/clamav# systemctl status clamav-daemon.service
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/clamav-daemon.service.d
           └─extend.conf
   Active: active (running) since Sun 2020-08-02 02:33:11 EEST; 12s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
  Process: 1650 ExecStartPre=/bin/mkdir /run/clamav (code=exited, status=1/FAILURE)
  Process: 1651 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
 Main PID: 1652 (clamd)
    Tasks: 2 (limit: 4915)
   Memory: 1.0G
   CGroup: /system.slice/clamav-daemon.service
           └─1652 /usr/sbin/clamd --foreground=true

Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug  2 02:33:21 2020 -> Mail files support enabled.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug  2 02:33:21 2020 -> OLE2 support enabled.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug  2 02:33:21 2020 -> PDF support enabled.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug  2 02:33:21 2020 -> SWF support enabled.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug  2 02:33:21 2020 -> HTML support enabled.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug  2 02:33:21 2020 -> XMLDOCS support enabled.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug  2 02:33:21 2020 -> HWP3 support enabled.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug  2 02:33:21 2020 -> Self checking every 3600 seconds.
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug  2 02:33:21 2020 -> *Listening daemon: PID: 1652
Aug 02 02:33:21 vm10.mydomain.tld clamd[1652]: Sun Aug  2 02:33:21 2020 -> *MaxQueue set to: 100
root@vm10:/etc/clamav# ls -la /run/clamav/
total 4
drwxr-xr-x  2 clamav root    80 Aug  2 02:33 .
drwxr-xr-x 20 root   root   640 Aug  2 02:19 ..
srw-rw-rw-  1 clamav clamav   0 Aug  2 02:33 clamd.ctl
-rw-rw-r--  1 clamav clamav   5 Aug  2 02:33 clamd.pid
root@vm10:/etc/clamav#  

I’ll probably look at it again tomorrow with a clearer head :wink:

Finally, a question: Does anyone else’s HestiaCP server have a file clamd.conf.ucf-old in /etc/clamav with the same date/time, size and md5sum as HestiaCP’s clamd.conf? (The timestamp is from when the system was created 20 days ago.)

# ls -la /etc/clamav/clamd.conf*
-rw-r--r-- 1 root root 1514 Jul 11 04:50 /etc/clamav/clamd.conf
-rw-r--r-- 1 root root 1514 Jul 11 04:50 /etc/clamav/clamd.conf.ucf-old
#

Hello!

I feel really dumb now. I grabbed the clamav.conf from GitHub and dropped it in /etc/clamav but clamd still won’t start on boot.

When I log in to the server after it boots I can “service clamav-daemon start” and then after a few seconds /var/run/clamav/clamd.ctl appears.

So, I don’t know if I should be looking at the clamav.conf or learning about apparmor?!

Any suggestions would be welcome!

  • Ben

EDIT:
Okay. I fixed it. I don’t know if it’s related to this post?

In /etc/apparmor.d/usr.sbin.clamd

First I added capability sys_admin

Then after a reboot I checked journalctl and saw an entry about /proc/filesystems being invalid.

I don’t have a /proc/filesystems on my server
I do have a /proc/fs

I have edited /etc/apparmor.d/usr.sbin.clamd again.

Removed the capability sys_admin I added
Changed @{PROC}/filesystems to /{PROC}/fs

After a reboot, clamd is now starting.

EDIT2:

I just read about /proc/filesystems (!)

It’s not a directory! LOL and I do have it?! I’m confused!

EDIT3:

Never mind? I suppose. I have just put everything back to the way it was. It is still working?

EDIT4:
I just checked my logs and clamav hasn’t been listening since August 11. Until today when I did this – then undid this.
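Ben’s post above reads an AppArmor denial out of journalctl and first answers it with `capability sys_admin`, which is a far broader grant than a file read on /proc/filesystems needs. The script below is an added example, not code from the thread, HestiaCP, ClamAV or the AppArmor project: it parses kernel apparmor="DENIED" audit lines and emits the narrowest profile rule each one asks for, so a read denial on /proc/filesystems becomes the single line `@{PROC}/filesystems r,` (the @{PROC} variable Debian’s profiles already use) and a capability denial is printed but flagged rather than silently turned into a grant. The four log lines are constructed for this example; the field layout follows the kernel’s AppArmor audit format, while the hostname, pids and timestamps are made up.

```python
"""Turn AppArmor DENIED audit lines (journalctl -k / dmesg) into the
narrowest profile rule that would satisfy each of them.

Added example, not code from the forum thread, HestiaCP, ClamAV or AppArmor.
SAMPLE_JOURNAL is constructed for this example: the field layout follows the
kernel's apparmor="DENIED" audit format, the host, pids and times are invented.
"""
import re

# key="quoted value" or key=bareword, as the kernel audit lines are written
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_JOURNAL = [
    # a read of /proc/filesystems by clamd, blocked by the clamd profile
    'Aug 12 03:14:07 vm10 kernel: audit: type=1400 audit(1597191247.101:42): '
    'apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" '
    'name="/proc/filesystems" pid=1652 comm="clamd" requested_mask="r" '
    'denied_mask="r" fsuid=110 ouid=0',
    # a capability request; granting it would be a much larger change
    'Aug 12 03:14:07 vm10 kernel: audit: type=1400 audit(1597191247.102:43): '
    'apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" '
    'pid=1652 comm="clamd" capability=21  capname="sys_admin"',
    # a profile reload: not a denial, must be ignored
    'Aug 12 03:14:08 vm10 kernel: audit: type=1400 audit(1597191248.500:44): '
    'apparmor="STATUS" operation="profile_replace" profile="unconfined" '
    'name="/usr/sbin/clamd" pid=900 comm="apparmor_parser"',
    # ordinary clamd chatter, also ignored
    'Aug 12 03:14:09 vm10 clamd[1652]: Wed Aug 12 03:14:09 2020 -> '
    'Received 0 file descriptor(s) from systemd.',
]


def parse_apparmor_denial(line):
    """Return the key/value fields of a DENIED line, or None for anything else."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def suggest_rule(denial):
    """Smallest rule that lifts one denial.

    File accesses get exactly the denied path and the denied mask (not the
    requested one), with /proc rewritten to @{PROC} as Debian's profiles do.
    Capability denials are returned with a warning: a capability is rarely
    the right fix for a file-access problem and should be justified first.
    """
    if denial.get("operation") == "capable":
        return "capability %s,  # WARNING: broad grant, verify it is needed" % denial["capname"]
    name, mask = denial.get("name"), denial.get("denied_mask")
    if not name or not mask:
        return None
    if name.startswith("/proc/"):
        name = "@{PROC}/" + name[len("/proc/"):]
    return "%s %s," % (name, mask)


def rules_for_profile(lines, profile):
    """Deduplicated rules one profile is missing, in first-seen order."""
    rules = []
    for line in lines:
        denial = parse_apparmor_denial(line)
        if not denial or denial.get("profile") != profile:
            continue
        rule = suggest_rule(denial)
        if rule and rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    import sys
    # with input on stdin (e.g. journalctl -k | python3 apparmor_denials.py)
    # use that; otherwise demonstrate on the constructed sample
    lines = SAMPLE_JOURNAL if sys.stdin.isatty() else sys.stdin.read().splitlines()
    denials = [d for d in map(parse_apparmor_denial, lines) if d and "profile" in d]
    for profile in sorted({d["profile"] for d in denials}):
        print("# rules missing from profile %s" % profile)
        for rule in rules_for_profile(lines, profile):
            print("  " + rule)
```

Pipe real output into it with `journalctl -k | python3 apparmor_denials.py` (script name assumed) and add only the emitted file rules to the local override under /etc/apparmor.d/local/ before reloading the profile; treat any flagged capability line as a question to answer, not a rule to paste. On the constructed sample the clamd profile gets exactly two candidate lines: `@{PROC}/filesystems r,` and a flagged `capability sys_admin,`.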