OK, so I get into work this morning to be told there's a problem with
the mail server - and the helpdesk have had calls from several
clients who aren't getting any mail.
The first hint I have is a delayed mail message from one of the
servers which included the following:
<xx...@xxxxx.xxx> (expanded from <root>): host 127.0.0.1[127.0.0.1]
said: 451-4.5.0 Error in processing, id=20146-06, virus_scan FAILED:
virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: Too
many retries to talk to /var/run/clamav/clamd.ctl (Can't connect to UNIX
socket /var/run/clamav/clamd.ctl: No such file or directory) at (eval 42)
line 268.; ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan unexpected
exit 50, output="LibClamAV Error: cli_hex2str(): Malformed hexstring: This
ClamAV version has reached End of Life! Please upgrade to
version 0.95 or l
451-4.5.0 ater. For more information see
www.clamav.net/eol-clamav-094 and
www.clamav.net/download (length: 169) 451-4.5.0 LibClamAV Error: Problem
parsing signature at line 742 451-4.5.0 LibClamAV Error: Problem parsing
database at line 742 451-4.5.0 LibClamAV Error: Can't load
/var/lib/clamav//daily.inc/daily.ndb: Malformed database 451 4.5.0 ERROR:
Malformed database" at (eval 42) line 462. (in reply to end of DATA
command)
To which my first reaction is WTF?
So I find that **without warning** my mail server has been remotely disabled.
Yes, I do mean **WITHOUT WARNING** - there has not, at any point,
been anything remotely resembling any warning that things were going
to be turned off. A notice on your website doesn't count unless you
think it's reasonable for all admins to have to visit the project
website for all their packages on a regular basis just in case the
project plans something crazy like remotely disabling your server!
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92.1 Recommended version: 0.96
DON'T PANIC! Read http://www.clamav.net/support/faq
doesn't count as any sort of warning that things WILL BE TURNED OFF.
What's more, the language of the notice that I have now seen makes it
quite clear that you knew **BEFORE** you did this what the effects
would be.
This move is needed to push more people to upgrade to 0.95
This makes it quite clear that there are still a lot of people
running the older version, so it's hard to imagine what sort of
response you expected from people.
Anyway, rant over, how to move forward. The mail server is running
Debian Sarge, and upgrading is not an option for now - that's why
it's still running Sarge. Even if it were running Lenny, then the
stable version in that is still affected. I have a newer server
built, but I won't have the hardware to run it on for a few months.
0.95 won't install - unmet dependencies and I'm not going to try
manually frigging stuff on a production server to work round that.
So for now I've had to completely disable AV scanning on the server.
The obvious workaround for me at the moment is to disable Freshclam
and roll back to where I was before the update that broke things. Can
anyone tell me exactly which files I need to roll back? Yes, using an
old AV db is bad, but it's less bad than not using one at all which
is where I am now.
So, like the title above - now what?
Could I suggest the following?
1) Roll out an update to re-enable people's servers.
2) Roll out a less damaging update - how about NOT updating the DB
and announce that it's not being updated ? Still annoying, but far
less annoying than having your server taken down without warning.
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
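Added example, not code from Simon's post or from the ClamAV or amavis projects: a small Python parser that rebuilds the amavis 451 reply from a wrapped delayed-mail notice like the one quoted above and classifies which scanner failed and why, so a log watcher can raise an alert on "ALL VIRUS SCANNERS FAILED" before clients start phoning the helpdesk. The sample notice (with an example.org address) and the cause labels are constructed for this example.

```python
import re

# Constructed sample modelled on the delayed-mail notice quoted in the post:
# the amavis reply is wrapped twice, by the SMTP "451-4.5.0 " continuation
# prefix and by the bounce notice's own line wrapping.
SAMPLE_NOTICE = """\
<user@example.org> (expanded from <root>): host 127.0.0.1[127.0.0.1]
said: 451-4.5.0 Error in processing, id=20146-06, virus_scan FAILED:
virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: Too
many retries to talk to /var/run/clamav/clamd.ctl (Can't connect to UNIX
socket /var/run/clamav/clamd.ctl: No such file or directory) at (eval 42)
line 268.; ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan unexpected
exit 50, output="LibClamAV Error: cli_hex2str(): Malformed hexstring: This
ClamAV version has reached End of Life! Please upgrade to
version 0.95 or l
451-4.5.0 ater. For more information see
www.clamav.net/eol-clamav-094 (length: 169) 451-4.5.0 LibClamAV Error: Can't load
/var/lib/clamav//daily.inc/daily.ndb: Malformed database 451 4.5.0 ERROR:
Malformed database" at (eval 42) line 462. (in reply to end of DATA
command)
"""

SMTP_PREFIX = re.compile(r"451[- ]4\.5\.0 ")

# Root causes to alert on; the labels are this example's own, not amavis's.
CAUSES = [
    ("eol_signature", r"reached End of Life"),
    ("malformed_database", r"Malformed database|Problem parsing (signature|database)"),
    ("clamd_unreachable", r"Can't connect to UNIX socket|Too many retries"),
]

def unwrap_reply(notice):
    """Rebuild the single-line amavis reply from a wrapped bounce notice."""
    out = ""
    for line in notice.splitlines():
        if SMTP_PREFIX.match(line):      # SMTP continuation: hard break, no space
            out += SMTP_PREFIX.sub("", line, count=1)
        else:                            # notice soft wrap: rejoin at the word gap
            out += (" " if out else "") + line
    return SMTP_PREFIX.sub("", out)      # continuation prefixes that landed mid-line

def parse_scanner_failures(notice):
    """Return (all_scanners_failed, {scanner: [cause, ...]}) for one notice."""
    text = unwrap_reply(notice)
    failures = {}
    for m in re.finditer(r"(ClamAV-\w+) av-scanner FAILED: (.*?)(?=; ClamAV-|\(in reply to)", text):
        failures[m.group(1)] = [name for name, pat in CAUSES if re.search(pat, m.group(2))]
    return "ALL VIRUS SCANNERS FAILED" in text, failures
```

Pointing this at the mail log (or at the bounce notices landing in root's mailbox) turns a silent mail outage into an alert that names the broken component, which is exactly the warning the post says never arrived.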