Hi there,

On Mon, 9 Sep 2019, Hal MacLean via clamav-users wrote:
... been using ClamAV to help secure a few Moodle systems and this has been working fine for years. It seems this year to have been causing a problem.
Whatever the reason, it's fixable. There have been a few issues long past, but in my experience ClamAV is now extremely reliable. This sort of thing can sometimes happen when 'upstream' versions make big changes, and distribution 'packages' aren't updated as carefully as they might have been - either by the maintainer or the user - or some dependency hasn't caught up because of some specific issue in the particular system. For example some needed upgrade of a library might be 'held back' for whatever reason. Or it might just be the result of meddling, often itself a result of bad advice. :( I'm going to assume that (as you're running Moodle, Web servers and database servers) the computers have adequate specifications - in particular the RAM - but more information about that would be useful.
I frequently get this: ClamAV has failed to run. The return error message was " An error occured".
The exact message in your double-quotes does not appear anywhere in the latest ClamAV sources, except in a comment within a longer string. So either that isn't the exact message - and getting the exact message can often be an issue, so please confirm; or it came from something which is not built from the latest sources; or from something else. They're often issues too and we might need to investigate later on.
Here is the output from ClamAV: ERROR: Could not lookup : Servname not supported for ai_socktype
Please be more specific. "ClamAV" isn't a binary which runs. By inspection of the latest sources, the only binary which could have produced this message is clamdscan. Please give the exact command or at least more detail about how and when this message is produced.
I have been all over the internet looking this up ...
You should have come straight here!
following dead ends and poor advice ...
That's today's Internet I'm afraid.
I’ve uninstalled, re-installed, updated ...
Please be more specific about the uninstall/re-install. At https://packages.ubuntu.com/xenial/clamav I see several packages. If you're using the Ubuntu packages, did you take care to uninstall and re-install all of them? If not, you might have mixed versions of the different packages which will in some cases cause problems. Did you 'purge' the packages after uninstalling them? Are you using binary packages or the less usual 'source packages'?
I’m running Ubuntu 16.04 with latest ClamAV.
Please be more specific about the version of ClamAV. Do you mean the latest ClamAV or the latest version which is packaged for your version of Ubuntu? From a cursory search the latest package seems out of date but that's often the way with packages. If ClamAV is from packages, (note the plural) please give the exact package versions, for example

    clamav (0.100.3+dfsg-0ubuntu0.16.04.1)
    libclamav7 (0.100.3+dfsg-0ubuntu0.16.04.1)
    clamav-freshclam (0.100.3+dfsg-0ubuntu0.16.04.1)

otherwise please give the source version such as 0.101.4 which, at the time of writing, really *is* the latest version. :)
We use Freshclam for updating and clamd for running as a service. We simply need it to catch the likely problems when users upload files to our Moodle systems.
Then I'm guessing that you need on-access scanning, please confirm?
... need some sane advice from users with far more experience ...
You've finally arrived at the right place. :)
What causes this error, and how do I fix it?
We'll get there. Others might have seen this and know already, but I don't know yet. Consider this an initial request for further details, plus something to try until we get more eyes on when e.g. people in the USA start their day.

In addition to the information already requested (please read *all* carefully, and answer all the questions and confirm where requested), you haven't said if anything actually works as you think it should. Can you for example scan a file using "clamscan" (not "clamdscan")? What happens if you do that? Copy/paste command and output please. Does 'freshclam' seem to be doing what it should? How do you know? Are you keeping logs? Do you look at them? Have you tried 'verbose' settings/options?

Next I suggest you try running the clamd binary that's installed at the moment with a configuration file which I'll supply below as a test of the clamd binary and its interaction with the rest of your system. I'd like to see it run from the command line, without 'help' from some abomination like systemd. You will need another gigabyte of RAM or so to run this daemon, will that be an issue?

8<----------------------------------------------------------------------
LogFile /tmp/clamd_tcp1.log
LogFileMaxSize 0
LogTime yes
LogClean yes
LogVerbose yes
PidFile /tmp/clamd_tcp1.pid
TemporaryDirectory /tmp
# Please edit the path to your database directory below
DatabaseDirectory /etc/mail/clamav
TCPSocket 3313
TCPAddr 127.0.0.1
StreamMaxLength 50M
SelfCheck 9993
# Please edit the user below if necessary.
User clamav
ExitOnOOM yes
Debug yes
LeaveTemporaryFiles yes
8<----------------------------------------------------------------------

Save the above text (excluding the 8<---- 'cut' markers) to the file

    /tmp/clamd_tcp1.conf

then in a root shell (sometimes called a 'terminal') start a clamd instance using the command:

    /path/to/clamd --config-file=/tmp/clamd_tcp1.conf

Obviously replace "/path/to" with the proper path.
If you don't know the path use:

    which clamd

at a shell prompt to find it.

Next make sure you have the 'telnet' utility, install it if not, and then in a shell (it doesn't need to be a root shell) give the command

    telnet localhost 3313

which should produce something like this output:

    Trying ::1...
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.

and you will see no prompt from the shell. Quickly type

    PING

and hit return. You should see

    PONG
    Connection closed by foreign host.

followed by the shell prompt.

Then kill the daemon you just started. Its PID is in a file in /tmp, and to kill it use whatever utility you would normally use or in a root shell type:

    kill xxxxx

where xxxxx is the PID from the PID file. No sense leaving a daemon lying around doing nothing and begging for surprises.

If you can get that far things should be generally pretty good and we probably just need to tweak the configuration. If not we likely have more work to do.

Please note that my List address only accepts mail from the List server. Please also note that this is a mailing list so I'm beating the horse to death for a reason - others might come along to read it later, and I have no way to know what experience they may have.

--
73,
Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
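
The PING/PONG check described in the message above, as an added example that is not part of the original post: it reads the TCP endpoint out of the clamd configuration text rather than relying on a hand-typed port, then sends PING and expects PONG. The function names, the constructed sample text and the fallback to 127.0.0.1 when TCPAddr is absent are assumptions of this example.

```python
import socket

# Constructed sample: the TCP-related lines of the test configuration above.
SAMPLE_CONF = """\
# Please edit the path to your database directory below
DatabaseDirectory /etc/mail/clamav
TCPSocket 3313
TCPAddr 127.0.0.1
"""


def clamd_tcp_endpoint(conf_text):
    """Return (host, port) from clamd.conf text, or None if TCPSocket is unset."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)              # option name, then its value
        opts.setdefault(parts[0], parts[1].strip() if len(parts) > 1 else "")
    if "TCPSocket" not in opts:
        return None
    # Assumption: with no TCPAddr line, probe the loopback address.
    return opts.get("TCPAddr", "127.0.0.1"), int(opts["TCPSocket"])


def clamd_ping(host, port, timeout=5.0):
    """Send PING to clamd; return (ok, detail) where detail is the reply or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"PING\n")
            reply = b""
            while b"\n" not in reply and len(reply) < 64:
                chunk = s.recv(64)
                if not chunk:                    # daemon closed the connection
                    break
                reply += chunk
    except OSError as exc:                       # refused, timed out, lookup failed
        return False, f"connect/read failed: {exc}"
    text = reply.decode("ascii", "replace").strip()
    return text == "PONG", text or "empty reply"


if __name__ == "__main__":
    endpoint = clamd_tcp_endpoint(SAMPLE_CONF)
    if endpoint is None:
        print("no TCPSocket in configuration; clamd is not listening on TCP")
    else:
        ok, detail = clamd_ping(*endpoint)
        print(f"{endpoint[0]}:{endpoint[1]} ->", "OK" if ok else "FAILED", f"({detail})")
```

A "connect/read failed" result against the port taken from the configuration means the daemon is not listening where its own configuration says it should, which is worth checking in the clamd log before looking at any client.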