Koozali.org: home of the SME Server

ClamAV and rkhunter errors on SME Server 7.3 - Help Needed

tandum
« Reply #15 on: February 22, 2008, 02:53:57 PM »
Quote
2008-02-21 20:30:37.338198500 WARNING: Local version: 0.92 Recommended version: 0.92.1

I received the same message from 6 separate servers, except some of them were running version 0.91 or earlier. I did a 'yum update clamav' on them and the ones running version 0.91 or earlier updated just fine and are no longer sending emails every hour.

I still have 2 servers which already had 0.92 installed. Neither would do a 'yum update clamav'. I have since done a 'yum update' on each to bring them to sme-server 7.3. They are still sending these emails and I cannot update to clamav version 0.92.1 using yum. They tell me clamav was not found.

What is the solution?

jokiin
« Reply #16 on: February 22, 2008, 02:56:27 PM »
Quote
I received the same message from 6 separate servers, except some of them were running version 0.91 or earlier. I did a 'yum update clamav' on them and the ones running version 0.91 or earlier updated just fine and are no longer sending emails every hour.

Did they update to 0.92.1?

tandum
« Reply #17 on: February 22, 2008, 03:01:36 PM »
I'm not getting any emails from those machines so I guess so. How do I tell? clamd -V says 0.92 on all systems. My box is currently doing a full 'yum update' via VPN on a machine with a slow link, 129/285 done so far, so I'm not touching it till it is finished.
« Last Edit: February 22, 2008, 03:49:54 PM by tandum »

tandum
« Reply #18 on: February 22, 2008, 04:15:29 PM »
clamd -V on a good system returns ClamAV 0.92/5936/`date`

clamd -V on a bad system returns ClamAV 0.92/5923/`date`

At least I cut the emails down from 6/hour to 2/hour. I'm sure it will fix itself.

william_syd
« Reply #19 on: February 23, 2008, 12:13:55 AM »

Quote
What is the solution?

The latest version is sitting in smeupdates-testing.

I don't know the procedure that it takes for it to move into smeupdates.

Maybe install it on a test machine and report back via the bugtracker what your results are.

[root@tiger ~]# clamd -V
ClamAV 0.92.1/5941/Sat Feb 23 09:18:46 2008




Regards,
William

IF I give advice.. It's only if it was me....

chris burnat
« Reply #20 on: February 23, 2008, 07:43:50 AM »
Well, it was a false alarm - after 2 days the problem appears to have fixed itself without any need for remedials.

From Bugzilla:
------- Comment #7 From Ray Mitchell 2008-02-22 21:50:18 -------
I also saw this on a couple of sme servers located in Sydney using TPG.
The problem is really external to sme as advised by Stephen and also determined
from past experience.

Bug #3962 has been closed INVALID and will remain on the records at Bugzilla for search purposes.
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

ScottieDog
« Reply #21 on: February 23, 2008, 10:13:58 PM »
I am not sure how everybody else is going with these problems, but I believe I still have problems.

1. re: rkhunter - My server sent me the following email at 4.03am Sunday 24/02/08.

/etc/cron.daily/01-rkhunter:

Warning: The following processes are using deleted files:
         Process: /usr/bin/freshclam    PID: 3944    File: /var/clamav/daily.cvd
Warning: Process '/sbin/pppoe' (PID 3683) is listening on the network.
Warning: Process '/sbin/pppoe' (PID 3683) is listening on the network.

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

* Can anybody confirm this is a known error, or have I got a problem on my server only ?

2. re: clamav - My server sent me this scan summary at 12.35am Sunday 24/02/08 & Update failed report at 8:11pm Saturday 23/02/08.

----------- SCAN SUMMARY -----------
Known viruses: 387632
Engine version: 0.92
Scanned directories: 620
Scanned files: 91539
Infected files: 0
Data scanned: 530.56 MB
Time: 1703.142 sec (28 m 23 s)


2008-02-23 20:11:06.134555500 ClamAV update process started at Sat Feb 23 20:11:06 2008
2008-02-23 20:11:06.135213500 WARNING: Your ClamAV installation is OUTDATED!
2008-02-23 20:11:06.135240500 WARNING: Local version: 0.92 Recommended version: 0.92.1
2008-02-23 20:11:06.135245500 DON'T PANIC! Read http://www.clamav.net/support/faq
2008-02-23 20:11:06.135518500 main.inc is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
2008-02-23 20:11:06.252991500 ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
2008-02-23 20:11:06.253015500 ERROR: getpatch: Can't apply patch
2008-02-23 20:11:06.253095500 WARNING: Incremental update failed, trying to download daily.cvd
2008-02-23 20:11:08.130273500 WARNING: Mirror 203.16.234.78 is not synchronized.
2008-02-23 20:11:08.135606500 Giving up on database.clamav.net...
2008-02-23 20:11:08.135654500 Update failed. Your network may be down or none of the mirrors listed in freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.


Can anybody confirm they still have rkhunter and/or clamav problems ?

jokiin
« Reply #22 on: February 23, 2008, 10:17:47 PM »
Quote
Can anybody confirm they still have rkhunter and/or clamav problems ?


Yep, still the same

raem
« Reply #23 on: February 24, 2008, 03:25:33 AM »
ScottieDog

Quote
I am not sure how everybody else is going with these problems, but I believe I still have problems.

There are two issues, one is the updated version 0.92.1 which you will have to wait for, and the other issue is the external dbs, which you will also have to wait for. Neither problem is serious, your sme server will continue to work.

The external clamav dbs were broken, and perhaps the fixed versions are still propagating around the world.
The newer 0.92.1 version is subject to release from the testing repository.

Just wait, as both issues will be resolved in time.

...
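
The two issues named above (an engine that needs a package update, and signature databases that fail to refresh from a mirror) can be told apart from the freshclam log and from `clamd -V`, which prints engine version, daily database version and date. This is an added example, not part of any post in this thread; the function names are hypothetical and the sample input is constructed in the log format quoted earlier, with 192.0.2.10 as a placeholder mirror address.

```shell
#!/bin/sh
# Added example, not from the thread. Sample input is constructed to mirror
# the log format quoted above; 192.0.2.10 is a placeholder address.

# Split `clamd -V` output "ClamAV <engine>/<daily db>/<date>" into "<engine> <db>".
clam_versions() {
    printf '%s\n' "$1" | awk -F/ '{ sub(/^ClamAV /, "", $1); print $1, $2 }'
}

# Compare two hosts' `clamd -V` strings and name the component that differs.
compare_hosts() {
    set -- $(clam_versions "$1") $(clam_versions "$2")
    if [ "$1" != "$3" ]; then echo "ENGINE_DIFFERS $1 vs $3"
    elif [ "$2" != "$4" ]; then echo "DB_DIFFERS $2 vs $4"
    else echo "SAME"; fi
}

# Classify a freshclam log on stdin, one finding per line.
# ENGINE_OUTDATED needs a package update; the other findings concern signatures.
triage_freshclam() {
    awk '
    /WARNING: Local version:/ {
        for (i = 1; i < NF; i++) {
            if ($i == "Local") l = $(i + 2)
            if ($i == "Recommended") r = $(i + 2)
        }
        print "ENGINE_OUTDATED local=" l " recommended=" r
    }
    /ERROR: getpatch:/ { print "DB_PATCH_FAILED" }
    /Mirror .* is not synchronized/ {
        for (i = 1; i < NF; i++) if ($i == "Mirror") print "MIRROR_UNSYNCED " $(i + 1)
    }
    /Update failed\./ { print "DB_UPDATE_FAILED" }'
}

sample_log() {
    cat <<'EOF'
2008-02-23 20:11:06.135213500 WARNING: Your ClamAV installation is OUTDATED!
2008-02-23 20:11:06.135240500 WARNING: Local version: 0.92 Recommended version: 0.92.1
2008-02-23 20:11:06.253015500 ERROR: getpatch: Can't apply patch
2008-02-23 20:11:06.253095500 WARNING: Incremental update failed, trying to download daily.cvd
2008-02-23 20:11:08.130273500 WARNING: Mirror 192.0.2.10 is not synchronized.
2008-02-23 20:11:08.135654500 Update failed. Your network may be down.
EOF
}

sample_log | triage_freshclam
compare_hosts "ClamAV 0.92/5936/Sat Feb 23 09:18:46 2008" "ClamAV 0.92/5923/Sat Feb 23 09:18:46 2008"
```

On a live system the log would be piped in from wherever freshclam writes it, and the two `clamd -V` strings would come from the hosts being compared.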

jokiin
« Reply #24 on: February 24, 2008, 03:33:51 AM »
Quote
Just wait, as both issues will be resolved in time.

Personally I'm not too concerned about it, have seen this sort of thing previously when updates are pending release, been using SME since version 4.0 so am reasonably familiar with how it all goes.

william_syd
« Reply #25 on: February 24, 2008, 06:54:52 AM »


As for rkhunter, I think you're supposed to know what your server is doing and whitelist any false positives in /etc/rkhunter.conf

Regards,
William

IF I give advice.. It's only if it was me....
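
One way to prepare the whitelisting mentioned above is to turn the rkhunter warnings from the cron mail into candidate entries that an administrator reviews before adding any to /etc/rkhunter.conf. This is an added example, not part of any post in this thread; it assumes the installed rkhunter supports the `ALLOWPROCDELFILE` and `ALLOWPROCLISTEN` options (check the comments in the shipped rkhunter.conf), the function names are hypothetical, and the sample input repeats the warning lines quoted in Reply #21.

```shell
#!/bin/sh
# Added example, not from the thread. Prints candidate whitelist entries for
# manual review; it does not edit /etc/rkhunter.conf.
# Assumption: this rkhunter build supports ALLOWPROCDELFILE and ALLOWPROCLISTEN.

whitelist_candidates() {
    awk -v q="'" '
    # "Process: <path>    PID: <n>    File: <deleted file>"
    $1 == "Process:" && $3 == "PID:" {
        add("ALLOWPROCDELFILE=" $2, "held deleted file " $6)
    }
    # "Warning: Process <quoted path> (PID <n>) is listening on the network."
    /^Warning: Process .* is listening on the network/ {
        path = $3
        gsub(q, "", path)
        add("ALLOWPROCLISTEN=" path, "reported listening on the network")
    }
    # Record each entry once, in first-seen order, with the reason it was raised.
    function add(key, reason) {
        if (!(key in seen)) { seen[key] = 1; order[++n] = key; why[key] = reason }
    }
    END { for (i = 1; i <= n; i++) print "# " why[order[i]] "\n" order[i] }'
}

# Warning lines as quoted in Reply #21 (the duplicate line is in the original mail).
sample_rkhunter_mail() {
    cat <<'EOF'
Warning: The following processes are using deleted files:
         Process: /usr/bin/freshclam    PID: 3944    File: /var/clamav/daily.cvd
Warning: Process '/sbin/pppoe' (PID 3683) is listening on the network.
Warning: Process '/sbin/pppoe' (PID 3683) is listening on the network.
EOF
}

sample_rkhunter_mail | whitelist_candidates
```

Each emitted line names a binary path, so an entry should be accepted only after confirming that the process is expected on that server.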