Topic: clamAV error

[cirkit]

My admin mail received this error early today morning. Normally I receive the scan results summary in place of this message every day. I went through the logs (attached below) to find out the problem, I only thing i could understand was that the clamAV engine was outdated and some DNS errors while updating  but could have not caused a logging error as my rkhunter log e-mail which follows immediately after this email everday has reported all OK. Please help to interpret this message with the help of logs below and suggest any correction if necessary
also how can i run calm av from command prompt (root) and generate such a log again manually to test if this was only a temperory error.

the email was as follows:
sh: line 1: 32230 Aborted nice /usr/bin/clamscan --recursive --infected --stdout --log
/var/log/clamd/clamscan.log --exclude=/proc --exclude=/sys --exclude=/usr/share
--exclude=/var --exclude=/var/spool/clamav/quarantine /home/e-smith/files 2>/var/log/clamd/smeserver-clamscan.log
Null message body; hope that's ok


LOGFILES FROM SERVER MANAGER:
View log files
   /var/log/clamd/smeserver-clamscan.log: Viewed at Thu 14 Aug 2008 07:58:03 AM IST.
LibClamAV Warning: ***********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.     ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
LibClamAV Warning: ***********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.     ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
*** glibc detected *** corrupted double-linked list: 0x0ad5ef48 ***



clamd current log

2008-08-14 07:19:16.362491500 LibClamAV Warning: ***********************************************************
2008-08-14 07:19:16.362493500 LibClamAV Warning: ***  This version of the ClamAV engine is outdated.     ***
2008-08-14 07:19:16.362495500 LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
2008-08-14 07:19:16.362497500 LibClamAV Warning: ***********************************************************
2008-08-14 07:19:17.159490500 LibClamAV Warning: ***********************************************************
2008-08-14 07:19:17.159524500 LibClamAV Warning: ***  This version of the ClamAV engine is outdated.     ***
2008-08-14 07:19:17.159537500 LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
2008-08-14 07:19:17.159550500 LibClamAV Warning: ***********************************************************
2008-08-14 07:19:19.743760500 Database correctly reloaded (396032 signatures)


2008-08-14 07:19:16.359550500 daily.cld updated (version: 8033, sigs: 84527, f-level: 33, builder: ccordes)
2008-08-14 07:19:16.359553500 WARNING: Your ClamAV installation is OUTDATED!
2008-08-14 07:19:16.359555500 WARNING: Current functionality level = 29, recommended = 33
2008-08-14 07:19:16.359557500 DON'T PANIC! Read http://www.clamav.net/support/faq
2008-08-14 07:19:16.359558500 Database updated (396831 signatures) from db.local.clamav.net (IP: 211.12.214.131)
2008-08-14 07:19:16.365729500 Clamd successfully notified about the update.


OUTPUT OF CLAM AV PANEL IN SERVER-MANAGER
ClamAV and db versions  0.93/8033/Thu Aug 14 07:10:28 2008

[robw]

Does anyone have an answer to this? I am getting error messages from anonymous@{domain} daily saying that

"2008-09-08 23:55:36.018615500 WARNING: Your ClamAV installation is OUTDATED!
2008-09-08 23:55:36.018643500 WARNING: Local version: 0.93 Recommended version: 0.94"
then
"Giving up on database.clamav.net...
2008-09-09 07:57:16.202860500 Update failed. Your network may be down or none of the mirrors listed in freshclam.conf is working."

I have checked for updates using server manager and it advises all up to date. When I check ClamAV in server manager, it advises (this morning) that the version is 0.93/8194/Tue Sep 9 06:40:30 2008. Do these messages mean that our AV is outdated and not really safeguarding our emails and files?

Any assistance much appreciated. Thanks.

[holck]

As the message says "Don't panic"

See http://wiki.contribs.org/Log_Files

[robw]

Many thanks for your reply Holck. I should perhaps have mentioned that I am also getting heaps of errors between such as these below:

"2008-09-09 07:57:16.198846500 Ignoring mirror 117.104.160.194 (has connected too many times with an outdated version)
2008-09-09 07:57:16.198869500 Ignoring mirror 193.1.193.64 (due to previous errors)
2008-09-09 07:57:16.198874500 Ignoring mirror 203.16.234.78 (has connected too many times with an outdated version)
2008-09-09 07:57:16.198930500 Ignoring mirror 116.240.207.20 (has connected too many times with an outdated version)
2008-09-09 07:57:16.198936500 WARNING: getpatch: Can't download daily-8195.cdiff from database.clamav.net
2008-09-09 07:57:16.199206500 Ignoring mirror 117.104.160.194 (has connected too many times with an outdated version)
2008-09-09 07:57:16.199230500 Ignoring mirror 193.1.193.64 (due to previous errors)
2008-09-09 07:57:16.199252500 Ignoring mirror 203.16.234.78 (has connected too many times with an outdated version)
2008-09-09 07:57:16.199258500 Ignoring mirror 116.240.207.20 (has connected too many times with an outdated version)
2008-09-09 07:57:16.199278500 WARNING: getpatch: Can't download daily-8195.cdiff from database.clamav.net
2008-09-09 07:57:16.199568500 Ignoring mirror 117.104.160.194 (has connected too many times with an outdated version)
2008-09-09 07:57:16.199590500 Ignoring mirror 193.1.193.64 (due to previous errors)
2008-09-09 07:57:16.199609500 Ignoring mirror 203.16.234.78 (has connected too many times with an outdated version)
2008-09-09 07:57:16.199615500 Ignoring mirror 116.240.207.20 (has connected too many times with an outdated version)
2008-09-09 07:57:16.199635500 WARNING: getpatch: Can't download daily-8195.cdiff from database.clamav.net"

then

"2008-09-09 07:57:16.202836500 Giving up on database.clamav.net...
2008-09-09 07:57:16.202860500 Update failed. Your network may be down or none of the mirrors listed in freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons."

Our network is not down and the server appears to be working fine other than this. It appears that FreshClam is looking for a later version when it updates and gets snitty when it doesn't find the one it wants. My questions are:

Does this mean we are no longer covered for recent viruses?

We have been getting these errors since 14 August this year. Server manager reports up to date. Is there something I should be doing to intervene or should I just wait until server manager reports updates waiting?

Any assistance greatly appreciated.

[janet]

robw

Two issues.
One is a new update for clamav which will be released when developers create it & finish testing it (ie from upstream sources). You will actually find it in smeupdates-testing repo now.
http://distro.ibiblio.org/pub/linux/distributions/smeserver/releases/7/smeupdates-testing/i386/RPMS/

Second is that the clamav database obviously gets busy at times and is not contactable for various reasons. You are only seeing the errors when this happens.
Clearly at other times the database is updating itself OK, which you can prove by running
freshclam
at the command prompt.

You are still covered for virus scanning etc, just not the most recent version, which has still to be released to sme users.

[robw]

Mary, many thanks for the explaination and re-assurance. I feel much better about it now and am happy to just wait until the new version turns up in Server Manager.

[Bud]

Hi Guys

Hope you can Help

Is there a Contrib that will Show me what Version of ClamAV is Currently on my SME 7.3 Server and can Also give me a Web Graphic to Show if any Viruses have been Found and what They are including Quaranteed etc. etc. the Same as http://central.swerts-knudsen.dk

Thanks

[peterhocking]

Install unjunkmgr