ClamAV / freshclam update errors

Jan 26, 2022
Hi,

Recently updated our cluster (3 nodes total); the first node keeps giving errors with clamav while updating.
The other 2 nodes don't give any errors.

Code:
Jan 27 17:02:19 pmx1 freshclam[491326]: Trying to retrieve CVD header from https://database.clamav.net/daily.cvd
Jan 27 17:02:19 pmx1 freshclam[491326]: WARNING: remote_cvdhead: Download failed (6) WARNING:  Message: Couldn't resolve host name
Jan 27 17:02:19 pmx1 freshclam[491326]: WARNING: Failed to get daily database version information from server: https://database.clamav.net
Jan 27 17:02:19 pmx1 freshclam[491326]: ERROR: check_for_new_database_version: Failed to find daily database using server https://database.clamav.net.
Jan 27 17:02:19 pmx1 freshclam[491326]: Trying again in 5 secs...

Also, when we look at Configuration: Virus Detector, the Status list is empty (on the first node).

Anyone with similar problems?

Thanks in advance.

With Regards,

Thomas
Code:
proxmox-mailgateway: 7.1-1
pmg-api: 7.1-1
pmg-gui: 3.1-1
pve-kernel-helper: 7.1-8
pve-kernel-5.13: 7.1-6
pve-kernel-5.11: 7.0-10
pve-kernel-5.13.19-3-pve: 5.13.19-7
pve-kernel-5.13.19-2-pve: 5.13.19-4
pve-kernel-5.13.19-1-pve: 5.13.19-3
pve-kernel-5.11.22-7-pve: 5.11.22-12
pve-kernel-5.11.22-5-pve: 5.11.22-10
clamav-daemon: 0.103.5+dfsg-0+deb11u1
ifupdown: residual config
ifupdown2: 3.1.0-1+pmx3
libarchive-perl: 3.4.0-1
libjs-extjs: 7.0.0-1
libjs-framework7: 4.4.7-1
libproxmox-acme-perl: 1.4.0
libproxmox-acme-plugins: 1.4.0
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.0-14
libpve-http-server-perl: 4.0-4
libxdgmime-perl: 1.0-1
pmg-docs: 7.1-1
pmg-i18n: 2.6-2
pmg-log-tracker: 2.3.0-1
postgresql-13: 13.5-0+deb11u1
proxmox-mini-journalreader: 1.3-1
proxmox-spamassassin: 3.4.6-4
proxmox-widget-toolkit: 3.4-4
pve-firmware: 3.3-4
pve-xtermjs: 4.12.0-1
 
hi,

see the error: WARNING: remote_cvdhead: Download failed (6) WARNING: Message: Couldn't resolve host name
sounds like a DNS problem.

what happens when you run ping database.clamav.net?

check your /etc/resolv.conf on that node to see which nameserver is set for it
 
I can ping without any problems. Resolving doesn't seem to be the issue.

Code:
$ ping google.com
PING google.com(ams16s21-in-x0e.1e100.net (2a00:1450:400e:802::200e)) 56 data bytes
64 bytes from ams16s21-in-x0e.1e100.net (2a00:1450:400e:802::200e): icmp_seq=1 ttl=114 time=2.79 ms
...
ping -4 database.clamav.net
PING  (104.16.219.84) 56(84) bytes of data.
64 bytes from 104.16.219.84 (104.16.219.84): icmp_seq=1 ttl=58 time=2.99 ms
...
ping database.clamav.net
PING database.clamav.net(2606:4700::6810:db54 (2606:4700::6810:db54)) 56 data bytes
64 bytes from 2606:4700::6810:db54 (2606:4700::6810:db54): icmp_seq=1 ttl=58 time=3.28 ms
...

When I use wget to get the main.cvd database, this is what happens.
Code:
$ wget http://database.clamav.net/main.cvd
--2022-01-27 21:06:29--  http://database.clamav.net/main.cvd
Resolving database.clamav.net (database.clamav.net)... 2606:4700::6810:da54, 2606:4700::6810:db54, 104.16.218.84, ...
Connecting to database.clamav.net (database.clamav.net)|2606:4700::6810:da54|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2022-01-27 21:06:29 ERROR 403: Forbidden.


$ wget -4 http://database.clamav.net/main.cvd
--2022-01-27 21:06:40--  http://database.clamav.net/main.cvd
Resolving database.clamav.net (database.clamav.net)... 104.16.218.84, 104.16.219.84
Connecting to database.clamav.net (database.clamav.net)|104.16.218.84|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2022-01-27 21:06:40 ERROR 403: Forbidden.

* Using a browser gets me a cloudflare 'protection' page:

Checking your browser before accessing database.clamav.net.

This process is automatic. Your browser will redirect to your requested content shortly.

Redirecting…

DDoS protection by Cloudflare


With regards,

Thomas
 
Took a closer look at /var/log/message, these appeared after the upgrade.

Code:
Jan 25 08:54:28 pmx1 kernel: [673715.705604] audit: type=1400 audit(1643097268.285:53): apparmor="DENIED" operation="create" profile="/usr/bin/freshclam" pid=1394963 comm="freshclam" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
Jan 25 08:55:02 pmx1 kernel: [673749.861912] audit: type=1400 audit(1643097302.444:128): apparmor="DENIED" operation="create" profile="/usr/sbin/clamd" pid=1396042 comm="clamd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none

Tried:
systemctl disable apparmor.service
systemctl stop apparmor.service

systemctl restart clamav-freshclam && systemctl restart clamav-daemon

...no changes

Then tried:
apt remove apparmor -y

Followed by a reboot

Although this is really a quick and dirty solution, it solved the problem for now.

Hopefully you can fix this in a cleaner way.

With regards,

Thomas
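Added here as an example (not code from the thread or from Proxmox): a small Python parser for the kernel AppArmor audit records quoted above, which turns `apparmor="DENIED"` lines into per-profile counts so a defender can see which confined programs were blocked after an upgrade, and for which operation, before deciding whether to relax a profile. The two DENIED lines are the ones from the post; the third log line is constructed.

```python
import re
from collections import Counter

# Added example, not from the thread. Parses kernel AppArmor audit records of the form
# ... audit: type=1400 audit(<ts>:<serial>): apparmor="DENIED" operation="create" profile="..." ...
_STATUS_RE = re.compile(r'apparmor="(?P<status>[A-Z_]+)"(?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_apparmor_event(line):
    """Return the key/value fields of an AppArmor audit line, or None for any other line."""
    m = _STATUS_RE.search(line)
    if not m:
        return None
    fields = {"apparmor": m.group("status")}
    for key, raw, quoted in _KV_RE.findall(m.group("rest")):
        # Quoted values keep their contents; bare values (pid=..., addr=none) are kept as-is.
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def denied_by_profile(lines):
    """Count DENIED events per (profile, operation, family, sock_type) across a log."""
    counts = Counter()
    for line in lines:
        ev = parse_apparmor_event(line)
        if ev is None or ev["apparmor"] != "DENIED":
            continue
        counts[(ev.get("profile"), ev.get("operation"), ev.get("family"), ev.get("sock_type"))] += 1
    return counts

def summarize(lines):
    """One human-readable line per distinct denial, most frequent first."""
    counts = denied_by_profile(lines)
    return ["%dx %s: %s %s/%s" % (n, p, op, fam, st) for (p, op, fam, st), n in counts.most_common()]

# Sample input: the two DENIED lines quoted in the thread, plus one constructed non-AppArmor line.
SAMPLE_LOG = [
    'Jan 25 08:54:28 pmx1 kernel: [673715.705604] audit: type=1400 audit(1643097268.285:53): apparmor="DENIED" operation="create" profile="/usr/bin/freshclam" pid=1394963 comm="freshclam" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none',
    'Jan 25 08:55:02 pmx1 kernel: [673749.861912] audit: type=1400 audit(1643097302.444:128): apparmor="DENIED" operation="create" profile="/usr/sbin/clamd" pid=1396042 comm="clamd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none',
    'Jan 25 08:55:05 pmx1 freshclam[1394963]: ClamAV update process started at Tue Jan 25 08:55:05 2022',  # constructed
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

On a live node the same functions can be fed the output of journalctl -k (or /var/log/messages) line by line; a sudden burst of DENIED entries for /usr/bin/freshclam after a package upgrade is the signal to inspect the profile rather than disable AppArmor.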
 
Hi,

No need to disable apparmor; you can simply set clamd and freshclam to warn-only in apparmor.

Taken from: https://aaronbrighton.medium.com/in...clamav-antivirus-on-ubuntu-18-04-a6416bab3b41

To disable AppArmor from enforcing restrictions on “clamd” you can set the profile to complain mode.

Warning: Doing so reduces some of the safety mechanisms that AppArmor has put in place to harden clamd, do so at your own risk.

sudo aa-complain /usr/sbin/clamd
If the above command fails with Command 'aa-complain' not found you may need to install the apparmor-utils package:

sudo apt-get install apparmor-utils


best regards,

P.
 
Correct
Bash:
sudo apt-get install apparmor-utils
sudo aa-complain /usr/sbin/clamd
sudo systemctl restart apparmor
 
What's missing here is
sudo aa-complain /usr/bin/freshclam

freshclam handles updates, not clamd.

root@mailscrub:~# freshclam
ClamAV update process started at Wed Jul 26 10:39:52 2023
daily database available for update (local version: 26980, remote version: 26981)
Current database is 1 version behind.
Downloading database patch # 26981...
^Download failed (6) ^ Message: Couldn't resolve host name
^downloadPatch: Can't download daily-26981.cdiff from https://database.clamav.net/daily-26981.cdiff

root@mailscrub:~# aa-complain /usr/bin/freshclam
Setting /usr/bin/freshclam to complain mode.

root@mailscrub:~# freshclam
ClamAV update process started at Wed Jul 26 10:40:53 2023
daily database available for update (local version: 26980, remote version: 26981)
Current database is 1 version behind.
Downloading database patch # 26981...
Time: 0.2s, ETA: 0.0s [========================>] 4.66KiB/4.66KiB
Testing database: '/var/lib/clamav//tmp.ced8ed945b/clamav-a68bbac811e976bcd32cdf0c7ca39e1e.tmp-daily.cld' ...
 