Comments (28)

bkw avatar bkw commented on August 17, 2024

Same here, broken symlinks pointing from /usr/local/maldetect/sigs to non-existing files in tmp.

from linux-malware-detect.

bkw avatar bkw commented on August 17, 2024

In my case it turned out to be a permission problem, related to both file permissions and apparmor.
Here is what I did to fix it:

chmod o+x /usr/local/maldetect/{,sigs}
chmod o+r /usr/local/maldetect/sigs/*db
echo "/usr/local/maldetect/sigs/* r," >> /etc/apparmor.d/local/usr.sbin.clamd
service apparmor reload
service clamav-daemon restart

The missing lmd.user links were no longer a problem for me after I fixed the permissions.
The next signature update will probably reset the file permissions again; I still have to check whether that was due to my tightened root umask setting or the update script itself.

bkw avatar bkw commented on August 17, 2024

The file permission problem probably was homegrown. I think the apparmor stuff should be all you need:

echo "/usr/local/maldetect/sigs/* r," >> /etc/apparmor.d/local/usr.sbin.clamd
service apparmor reload && service clamav-daemon restart

jcarnus avatar jcarnus commented on August 17, 2024

I had the same issue. I will try to fix with previous comment.

jcarnus avatar jcarnus commented on August 17, 2024

For me, file is missing. Only option is to delete symlink from clamav lib dir until a fix is provided

lgonzalez-silen avatar lgonzalez-silen commented on August 17, 2024

Running CentOS 6.7.

I ran ./uninstall.sh and then downloaded the current again and ran ./install.sh. That still left the bad symlinks in /var/clamav/ in place

lmd.user.hdb -> /usr/local/maldetect/sigs/lmd.user.hdb
lmd.user.ndb -> /usr/local/maldetect/sigs/lmd.user.ndb

but these ones were not present any longer in sigs

lmd.user.hdb -> /usr/local/maldetect/tmp/.runtime.user.15757.hdb
lmd.user.ndb -> /usr/local/maldetect/tmp/.runtime.user.15757.ndb

I went ahead and deleted the /var/clamav/ lmd symlinks and restarted clamd and it worked ok. If anyone can confirm that the lmd symlinks are not needed in /var/clamav/ that would be great. The following valid symlinks remain there

rfxn.hdb -> /usr/local/maldetect/sigs/rfxn.hdb
rfxn.ndb -> /usr/local/maldetect/sigs/rfxn.ndb

It is likely that just deleting the lmd bad symlinks will allow you to restart clamd.

For reference, my initial symptoms were email subjects prepended with the string

UNCHECKED

and the following in the clamd log

Sat Sep 19 03:24:11 2015 -> Reading databases from /var/clamav
Sat Sep 19 03:24:21 2015 -> ERROR: reload db failed: Can't open file or directory
Sat Sep 19 03:24:21 2015 -> Terminating because of a fatal error.

jcarnus avatar jcarnus commented on August 17, 2024

Symlink in /var/lib/clamav to lmd and rfxn has appeared back. But lmd symlink still linked to nothing. Clamav 0.98, debian 8

bkw avatar bkw commented on August 17, 2024

I still have the dangling symlinks pointing from /var/lib/clamav to /usr/local/maldetect/sigs, but no more symlinks pointing from /usr/local/maldetect/sigs to tmp. I do not get errors this way.

rfxn avatar rfxn commented on August 17, 2024

chmod 755 /usr/local/maldetect/tmp

This should fix the issue; it is not so much that the file is empty but that clamav can't lstat the file due to the parent directory's permissions when clamd is running as a non-root user.

I've made an upstream change in the code that I will commit to address this in a few minutes.

captainwasabi avatar captainwasabi commented on August 17, 2024

Tried this and the following still happens when I start clamav

service clamav-daemon start

*Starting ClamAV daemon clamd
LibClamAV Error: cli_load(): Can't open file /var/lib/clamav/rfxn.ndb
LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/rfxn.ndb
ERROR: Can't open file or directory
[fail]

I also get the same errors as reported above in the maillog (because the daemon isn't running)
but it does look like email is being delivered.

BTW, thank you for this great package that I use daily on all my servers. Also thank you for looking at this issue so quickly, it's really appreciated!

rfxn avatar rfxn commented on August 17, 2024

@captainwasabi no problem at all, glad to help. In most sane mail configurations, clamd failing should be a fail-open setup so mail keeps moving.

That being said, can you answer a few questions:
What OS version are you running (cat /etc/redhat-release)?
What version of clamd (clamd -V)?
Is there a control panel (e.g. cpanel)?

Thanks

captainwasabi avatar captainwasabi commented on August 17, 2024

Ubuntu 12.04.5 LTS everything is up to date as of 9/15

Linux version 3.2.0-90-generic (buildd@lgw01-29) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #128-Ubuntu SMP
Fri Aug 14 21:43:58 UTC 2015 (Ubuntu 3.2.0-90.128-generic 3.2.69)

ClamAV 0.98.7/20927/Fri Sep 18 12:41:20 2015

No cpanel, this is a server running on metal.

nanonettr avatar nanonettr commented on August 17, 2024

This issue still exists on commit 5ad5452 on Ubuntu 14.04.3 LTS.

root@admin:/var/lib/clamav# ls -la
drwxr-xr-x 2 clamav clamav 4096 Sep 19 18:42 .
drwxr-xr-x 58 root root 4096 Sep 19 17:45 ..
-rw-r--r-- 1 clamav clamav 407040 Aug 20 18:59 bytecode.cld
-rw-r--r-- 1 clamav clamav 101435904 Sep 18 20:23 daily.cld
lrwxrwxrwx 1 root root 38 Sep 19 18:42 lmd.user.hdb -> /usr/local/maldetect/sigs/lmd.user.hdb
lrwxrwxrwx 1 root root 38 Sep 19 18:42 lmd.user.ndb -> /usr/local/maldetect/sigs/lmd.user.ndb
-rw-r--r-- 1 clamav clamav 64720632 May 5 21:14 main.cvd
-rw------- 1 clamav clamav 2236 Sep 19 18:23 mirrors.dat
lrwxrwxrwx 1 root root 34 Sep 19 18:42 rfxn.hdb -> /usr/local/maldetect/sigs/rfxn.hdb
lrwxrwxrwx 1 root root 34 Sep 19 18:42 rfxn.ndb -> /usr/local/maldetect/sigs/rfxn.ndb

root@admin:/var/lib/clamav# ls -la /usr/local/maldetect/sigs/
drwxr-xr-x 2 root root 4096 Sep 19 18:42 .
drwxr-xr-x 12 root root 4096 Sep 19 18:42 ..
-rw-r--r-- 1 root root 0 Sep 19 18:42 custom.hex.dat
-rw-r--r-- 1 root root 0 Sep 19 18:42 custom.md5.dat
-rw-r--r-- 1 root root 429904 Sep 19 18:42 hex.dat
-rw-r--r-- 1 root root 14 Sep 19 18:42 maldet.sigs.ver
-rw-r--r-- 1 root root 551001 Sep 19 18:42 md5.dat
-rw-r--r-- 1 root root 602518 Sep 19 18:42 md5v2.dat
-rw-r--r-- 1 root root 598632 Sep 19 18:42 rfxn.hdb
-rw-r--r-- 1 root root 437560 Sep 19 18:42 rfxn.ndb

root@admin:~# service clamav-daemon restart

 * Stopping ClamAV daemon clamd [ OK ]
 * Starting ClamAV daemon clamd LibClamAV Error: cli_load(): Can't open file /var/lib/clamav/rfxn.ndb
LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/rfxn.ndb
ERROR: Can't open file or directory

root@admin:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.3 LTS
Release: 14.04
Codename: trusty

rfxn avatar rfxn commented on August 17, 2024

I've committed update fa1db0a which should now resolve the clamd startup errors on ubuntu. The changelog entry goes into detail:

[Fix] clamd.conf configurations containing FollowDirectorySymlinks/FollowFileSymlinks set to false results in the rfxn.* and lmd.user.* links causing clamd startup failures; corrected by updating clamav_linksigs() to copy signatures into clamav data paths instead of linking them

from linux-malware-detect.
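
The two conditions diagnosed in this thread, signature symlinks whose targets no longer exist and targets that sit behind a directory a non-root clamd cannot traverse, can be checked with a short script. This is an added example, not code from the thread or from the maldet project; the function names, the optional stop-directory argument and the reliance on `readlink -f` are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the thread): audit a ClamAV database directory for
# dangling signature symlinks and for targets a non-root clamd cannot reach.
# Run as root so the audit itself can see through restricted directories.

# Print each ancestor directory of file $1, stopping at $2 (default /), that
# lacks the "other" execute bit and so blocks traversal for an unrelated user.
blocked_parents() {
    p_dir=$(dirname "$1"); p_stop=${2:-/}
    while [ "$p_dir" != "$p_stop" ] && [ "$p_dir" != "/" ] && [ "$p_dir" != "." ]; do
        # find prints the directory only when the o+x bit (0001) is set
        [ -n "$(find "$p_dir" -prune -perm -0001 2>/dev/null)" ] || echo "$p_dir"
        p_dir=$(dirname "$p_dir")
    done
}

# Audit *.hdb / *.ndb entries in database directory $1.
# $2 is an optional directory at which the ancestor walk stops (an assumption
# of this example, useful for testing). Returns 1 if any problem was reported.
audit_clamav_dbdir() {
    dbdir=$1; stop=${2:-/}; rc=0
    for f in "$dbdir"/*.hdb "$dbdir"/*.ndb; do
        [ -L "$f" ] || [ -e "$f" ] || continue    # glob matched nothing
        name=$(basename "$f")
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            # Link chain ends at a missing file, as with lmd.user.* here
            echo "DANGLING $name -> $(readlink "$f")"; rc=1
            continue
        fi
        target=$(readlink -f "$f")                # resolve the whole chain
        blocked=$(blocked_parents "$target" "$stop")
        if [ -n "$blocked" ]; then
            printf '%s\n' "$blocked" | while IFS= read -r d; do
                echo "BLOCKED $name: $d lacks o+x"
            done
            rc=1
        fi
        if [ -z "$(find "$target" -prune -perm -0004 2>/dev/null)" ]; then
            echo "UNREADABLE $name: $target lacks o+r"; rc=1
        fi
    done
    return $rc
}

# Usage: sh audit.sh /var/lib/clamav   (or /var/clamav on CentOS)
if [ $# -gt 0 ]; then audit_clamav_dbdir "$@"; fi
```

The permission checks look only at the "other" mode bits, so a clamd user that owns the files or shares their group, or an AppArmor profile that denies the path, needs a separate check.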

captainwasabi avatar captainwasabi commented on August 17, 2024

issue verified resolved for Ubuntu 12.04.5

Thanks!

lgonzalez-silen avatar lgonzalez-silen commented on August 17, 2024

For me the lmd.user files or links did not regenerate. I tried uninstall and install and saw this on install as the first few lines:

cp: cannot stat `/usr/local/maldetect/sigs/lmd.user.ndb': No such file or directory
cp: cannot stat `/usr/local/maldetect/sigs/lmd.user.hdb': No such file or directory
cat: /usr/local/maldetect/sess/session.monitor.current: No such file or directory

nanonettr avatar nanonettr commented on August 17, 2024

After clean install of lmd clamav-daemon starts correctly.
But as @lgonzalez-silen reported lmd.user link failed to create.

root@admin:~/linux-malware-detect-master# ./install.sh
cp: cannot stat ‘/usr/local/maldetect/sigs/rfxn.ndb’: No such file or directory
cp: cannot stat ‘/usr/local/maldetect/sigs/rfxn.hdb’: No such file or directory
cp: cannot stat ‘/usr/local/maldetect/sigs/lmd.user.ndb’: No such file or directory
cp: cannot stat ‘/usr/local/maldetect/sigs/lmd.user.hdb’: No such file or directory
Removing any system startup links for /etc/init.d/maldet ...
update-rc.d: warning: /etc/init.d/maldet missing LSB information
update-rc.d: see http://wiki.debian.org/LSBInitScripts
Adding system startup for /etc/init.d/maldet ...
/etc/rc0.d/K30maldet -> ../init.d/maldet
/etc/rc1.d/K30maldet -> ../init.d/maldet
/etc/rc6.d/K30maldet -> ../init.d/maldet
/etc/rc2.d/S70maldet -> ../init.d/maldet
/etc/rc3.d/S70maldet -> ../init.d/maldet
/etc/rc4.d/S70maldet -> ../init.d/maldet
/etc/rc5.d/S70maldet -> ../init.d/maldet
cat: /usr/local/maldetect/sess/session.monitor.current: No such file or directory
Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks [email protected]
(C) 2015, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(28271): {sigup} performing signature update check...
maldet(28271): {sigup} could not determine signature version
maldet(28271): {sigup} signature files missing or corrupted, forcing update...
maldet(28271): {sigup} new signature set (2015091828029) available
maldet(28271): {sigup} downloading http://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(28271): {sigup} downloading http://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(28271): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(28271): {sigup} unpacked and installed maldet-sigpack.tgz
cp: cannot stat ‘/usr/local/maldetect/sigs/lmd.user.ndb’: No such file or directory
cp: cannot stat ‘/usr/local/maldetect/sigs/lmd.user.hdb’: No such file or directory
maldet(28271): {sigup} verified md5sum of maldet-clean.tgz
maldet(28271): {sigup} unpacked and installed maldet-clean.tgz
maldet(28271): {sigup} signature set update completed
maldet(28271): {sigup} 10822 signatures (8908 MD5 / 1914 HEX / 0 USER)

root@admin:~/linux-malware-detect-master# maldet -d -u
Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks [email protected]
(C) 2015, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(28448): {update} checking for available updates...
maldet(28448): {update} hashing install files and checking against server...
maldet(28448): {update} latest version already installed.
Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks [email protected]
(C) 2015, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(28448): {sigup} performing signature update check...
maldet(28448): {sigup} local signature set is version 2015091828029
maldet(28448): {sigup} latest signature set already installed

root@admin:~# maldet -u -d -a /var/www/imscp/gui/
Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks [email protected]
(C) 2015, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(30475): {sigup} performing signature update check...
maldet(30475): {sigup} local signature set is version 2015091828029
maldet(30475): {sigup} latest signature set already installed
Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks [email protected]
(C) 2015, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

cp: cannot stat ‘/usr/local/maldetect/sigs/lmd.user.ndb’: No such file or directory
cp: cannot stat ‘/usr/local/maldetect/sigs/lmd.user.hdb’: No such file or directory
maldet(30475): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX / 0 USER)
maldet(30475): {scan} building file list for /var/www/imscp/gui/, this might take awhile...
maldet(30475): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(30475): {scan} file list completed in 1s, found 5004 files...
maldet(30475): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(30475): {scan} scan of /var/www/imscp/gui/ (5004 files) in progress...
maldet(30475): {scan} clamscan returned an error, check /usr/local/maldetect/logs/clamscan_log for more details!

maldet(30475): {scan} scan completed on /var/www/imscp/gui/: files 5004, malware hits 0, cleaned hits 0, time 1s
maldet(30475): {scan} scan report saved, to view run: maldet --report 150919-1945.30475

nanonettr avatar nanonettr commented on August 17, 2024

Also, after uninstall the files in /var/lib/clamav were not removed.
root@admin:/var/lib/clamav# ls -la
-rw-r--r-- 1 root root 598632 Sep 19 19:45 rfxn.hdb
-rw-r--r-- 1 root root 437560 Sep 19 19:45 rfxn.ndb

jcarnus avatar jcarnus commented on August 17, 2024

Update done, but link not recreated in clamav lib folder. How to add it again?

rfxn avatar rfxn commented on August 17, 2024

@jcarnus the rfxn.* signatures should be copied into the clamav lib folder, not linked. The lmd.user* signatures will now only copy into the clamav lib folder when you have custom signatures defined.

rfxn avatar rfxn commented on August 17, 2024

1c7f626

@lgonzalez-silen
Do you have custom signatures? The lmd.user.* signatures will now only copy into the clamav lib path when you have custom signatures created. The error output should now be suppressed in the latest commit, 'maldet -d' or pull from git and fresh install. Thanks!

@nanonettr
The uninstall.sh has been updated to address this, Thanks!

lgonzalez-silen avatar lgonzalez-silen commented on August 17, 2024

No custom signatures, so great!

nanonettr avatar nanonettr commented on August 17, 2024

@rfxn thanks for your great efforts. Only one problem left.
When using maldet I got an error:
"clamscan returned an error"

$ maldet -u -d -a /var/www/imscp/gui/
maldet(3725): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX / 0 USER)
maldet(3725): {scan} building file list for /var/www/imscp/gui/, this might take awhile...
maldet(3725): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(3725): {scan} file list completed in 0s, found 5004 files...
maldet(3725): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(3725): {scan} scan of /var/www/imscp/gui/ (5004 files) in progress...
maldet(3725): {scan} clamscan returned an error, check /usr/local/maldetect/logs/clamscan_log for more details!
maldet(3725): {scan} scan completed on /var/www/imscp/gui/: files 5004, malware hits 0, cleaned hits 0, time 1s
maldet(3725): {scan} scan report saved, to view run: maldet --report 150919-2019.3725

$ maldet --report 150919-2019.3725
HOST: admin
SCAN ID: 150919-2019.3725
STARTED: Sep 19 2015 20:19:35 +0300
COMPLETED: Sep 19 2015 20:19:36 +0300
ELAPSED: 1s [find: 0s]

PATH: /var/www/imscp/gui/
TOTAL FILES: 5004
TOTAL HITS: 0
TOTAL CLEANED: 0

Linux Malware Detect v1.5 < [email protected] >

$ cat /usr/local/maldetect/logs/clamscan_log
Sep 19 20:19:35 admin clamscan start
Sep 19 20:19:35 admin executed: /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/clamdscan --max-filesize=5M --max-scansize=5M -d /usr/local/maldetect/tmp/.runtime.user.3725.hdb -d /usr/local/maldetect/tmp/.runtime.user.3725.ndb -r --infected --no-summary -f /usr/local/maldetect/tmp/.find.3725
WARNING: Ignoring unsupported option --max-filesize
WARNING: Ignoring unsupported option --max-scansize
WARNING: Ignoring unsupported option --database (-d)
WARNING: Ignoring unsupported option --database (-d)
WARNING: Ignoring unsupported option --recursive (-r)
Sep 19 20:19:36 admin clamscan end
Sep 19 20:19:36 admin clamscan end

$ which clamscan
/usr/bin/clamscan

$ dpkg -S /usr/bin/clamscan
clamav: /usr/bin/clamscan

$ aptitude show clamav
Package: clamav
State: installed
Version: 0.98.7+dfsg-0ubuntu0.14.04.1

nanonettr avatar nanonettr commented on August 17, 2024

Ah sorry, wrong package reported. It is not clamscan, it is "clamdscan".

root@admin:~# which clamdscan
/usr/bin/clamdscan

root@admin:~# dpkg -S clamdscan
clamav-daemon: /usr/share/man/man1/clamdscan.1.gz
clamav-daemon: /usr/bin/clamdscan

root@admin:~# aptitude show clamav-daemon
Package: clamav-daemon
State: installed
Version: 0.98.7+dfsg-0ubuntu0.14.04.1

jcarnus avatar jcarnus commented on August 17, 2024

OK, seems to be good right now.
Thanks for all, on a Saturday :)

captainwasabi avatar captainwasabi commented on August 17, 2024

I just have one more request. From now on when you update, I don't mind the problems at all, but please respect the sanctity of read-only Friday ;)

rfxn avatar rfxn commented on August 17, 2024

@captainwasabi totally understand, and read-only Friday I usually live and die by, but at some point I need to find time to work on maldet and that is usually my weekends :D Will make an effort in the future to limit releases to Monday-Thur cycles.

captainwasabi avatar captainwasabi commented on August 17, 2024

Oh if you just work this on weekends then more power to you! Awesome stuff, release when you can.


Reply to this email directly or view it on GitHub:
#58 (comment)
