ClamAV / freshclam update errors

Jan 26, 2022
Hi,

We recently updated our cluster (3 nodes total); the first node keeps giving errors with ClamAV while updating.
The other 2 nodes don't give any errors.

Code:
Jan 27 17:02:19 pmx1 freshclam[491326]: Trying to retrieve CVD header from https://database.clamav.net/daily.cvd
Jan 27 17:02:19 pmx1 freshclam[491326]: WARNING: remote_cvdhead: Download failed (6) WARNING:  Message: Couldn't resolve host name
Jan 27 17:02:19 pmx1 freshclam[491326]: WARNING: Failed to get daily database version information from server: https://database.clamav.net
Jan 27 17:02:19 pmx1 freshclam[491326]: ERROR: check_for_new_database_version: Failed to find daily database using server https://database.clamav.net.
Jan 27 17:02:19 pmx1 freshclam[491326]: Trying again in 5 secs...

Also, when we look at - Configuration : Virus Detector
The Status list is empty (on the first node)

Anyone with similar problems?

Thanks in advance.

With Regards,

Thomas




Code:
proxmox-mailgateway: 7.1-1
pmg-api: 7.1-1
pmg-gui: 3.1-1
pve-kernel-helper: 7.1-8
pve-kernel-5.13: 7.1-6
pve-kernel-5.11: 7.0-10
pve-kernel-5.13.19-3-pve: 5.13.19-7
pve-kernel-5.13.19-2-pve: 5.13.19-4
pve-kernel-5.13.19-1-pve: 5.13.19-3
pve-kernel-5.11.22-7-pve: 5.11.22-12
pve-kernel-5.11.22-5-pve: 5.11.22-10
clamav-daemon: 0.103.5+dfsg-0+deb11u1
ifupdown: residual config
ifupdown2: 3.1.0-1+pmx3
libarchive-perl: 3.4.0-1
libjs-extjs: 7.0.0-1
libjs-framework7: 4.4.7-1
libproxmox-acme-perl: 1.4.0
libproxmox-acme-plugins: 1.4.0
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.0-14
libpve-http-server-perl: 4.0-4
libxdgmime-perl: 1.0-1
pmg-docs: 7.1-1
pmg-i18n: 2.6-2
pmg-log-tracker: 2.3.0-1
postgresql-13: 13.5-0+deb11u1
proxmox-mini-journalreader: 1.3-1
proxmox-spamassassin: 3.4.6-4
proxmox-widget-toolkit: 3.4-4
pve-firmware: 3.3-4
pve-xtermjs: 4.12.0-1
 
hi,

see the error: WARNING: remote_cvdhead: Download failed (6) WARNING: Message: Couldn't resolve host name
sounds like a DNS problem.

what happens when you run ping database.clamav.net?

check your /etc/resolv.conf on that node to see which nameserver is set for it
 
I can ping without any problems. Resolving doesn't seem to be the issue.

Code:
$ ping google.com
PING google.com(ams16s21-in-x0e.1e100.net (2a00:1450:400e:802::200e)) 56 data bytes
64 bytes from ams16s21-in-x0e.1e100.net (2a00:1450:400e:802::200e): icmp_seq=1 ttl=114 time=2.79 ms
...
ping -4 database.clamav.net
PING  (104.16.219.84) 56(84) bytes of data.
64 bytes from 104.16.219.84 (104.16.219.84): icmp_seq=1 ttl=58 time=2.99 ms
...
ping database.clamav.net
PING database.clamav.net(2606:4700::6810:db54 (2606:4700::6810:db54)) 56 data bytes
64 bytes from 2606:4700::6810:db54 (2606:4700::6810:db54): icmp_seq=1 ttl=58 time=3.28 ms
...

When I use wget to get the main.cvd database, this is what happens.
Code:
$ wget http://database.clamav.net/main.cvd
--2022-01-27 21:06:29--  http://database.clamav.net/main.cvd
Resolving database.clamav.net (database.clamav.net)... 2606:4700::6810:da54, 2606:4700::6810:db54, 104.16.218.84, ...
Connecting to database.clamav.net (database.clamav.net)|2606:4700::6810:da54|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2022-01-27 21:06:29 ERROR 403: Forbidden.


$ wget -4 http://database.clamav.net/main.cvd
--2022-01-27 21:06:40--  http://database.clamav.net/main.cvd
Resolving database.clamav.net (database.clamav.net)... 104.16.218.84, 104.16.219.84
Connecting to database.clamav.net (database.clamav.net)|104.16.218.84|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2022-01-27 21:06:40 ERROR 403: Forbidden.

* Using a browser gets me a cloudflare 'protection' page

Checking your browser before accessing database.clamav.net.


This process is automatic. Your browser will redirect to your requested content shortly.

Redirecting…

DDoS protection by Cloudflare


With regards,

Thomas
 
Took a closer look at /var/log/message, these appeared after the upgrade.

Code:
Jan 25 08:54:28 pmx1 kernel: [673715.705604] audit: type=1400 audit(1643097268.285:53): apparmor="DENIED" operation="create" profile="/usr/bin/freshclam" pid=1394963 comm="freshclam" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
-
Code:
Jan 25 08:55:02 pmx1 kernel: [673749.861912] audit: type=1400 audit(1643097302.444:128): apparmor="DENIED" operation="create" profile="/usr/sbin/clamd" pid=1396042 comm="clamd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none

Tried:
systemctl disable apparmor.service
systemctl stop apparmor.service

systemctl restart clamav-freshclam && systemctl restart clamav-daemon

...no changes

Then tried:
apt remove apparmor -y

Followed by a reboot

I find this a really quick and dirty solution, but it solved the problem for now.

Hopefully you can fix this in a cleaner way.

With regards,

Thomas
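
Added example (not part of any post in this thread): a small bash triage helper that groups the `apparmor="DENIED"` kernel audit records shown above by profile, operation and socket type, so denials against `/usr/bin/freshclam` and `/usr/sbin/clamd` stand out. The function names and the three extra sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: group AppArmor denials by profile.

# Sample input: the two kernel lines posted above, plus three constructed
# lines (a repeat denial, a complain-mode ALLOWED record, a freshclam warning).
sample_log() {
  cat <<'EOF'
Jan 25 08:54:28 pmx1 kernel: [673715.705604] audit: type=1400 audit(1643097268.285:53): apparmor="DENIED" operation="create" profile="/usr/bin/freshclam" pid=1394963 comm="freshclam" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
Jan 25 08:54:33 pmx1 kernel: [673720.705604] audit: type=1400 audit(1643097273.285:54): apparmor="DENIED" operation="create" profile="/usr/bin/freshclam" pid=1394970 comm="freshclam" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
Jan 25 08:55:02 pmx1 kernel: [673749.861912] audit: type=1400 audit(1643097302.444:128): apparmor="DENIED" operation="create" profile="/usr/sbin/clamd" pid=1396042 comm="clamd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
Jan 25 09:10:00 pmx1 kernel: [674647.000000] audit: type=1400 audit(1643098200.000:140): apparmor="ALLOWED" operation="create" profile="/usr/bin/freshclam" pid=1400001 comm="freshclam" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
Jan 25 08:54:28 pmx1 freshclam[1394963]: WARNING: remote_cvdhead: Download failed (6) WARNING:  Message: Couldn't resolve host name
EOF
}

# Print "count<TAB>profile<TAB>operation<TAB>family<TAB>sock_type" for every
# apparmor="DENIED" audit record read from stdin. ALLOWED records (what a
# profile in complain mode logs) and non-audit lines are ignored.
summarize_denials() {
  awk '
    function val(key,   re, s) {      # value of key="..." on the current line
      re = key "=\"[^\"]*\""
      if (!match($0, re)) return "-"
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
      return s
    }
    /apparmor="DENIED"/ {
      n[val("profile") "\t" val("operation") "\t" val("family") "\t" val("sock_type")]++
    }
    END { for (k in n) print n[k] "\t" k }
  ' | LC_ALL=C sort -k2
}

# Profiles of the two ClamAV binaries named in the thread that still have
# denials logged against them.
denied_clamav_profiles() {
  summarize_denials | awk -F'\t' '$2 ~ /\/(freshclam|clamd)$/ { print $2 }' | LC_ALL=C sort -u
}

sample_log | summarize_denials
```

On a live node the same functions can read the kernel log instead of the sample, for example `journalctl -k | summarize_denials`.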
 
Hi,

No need to disable apparmor; you can simply change clamd and freshclam to warn only in apparmor.

Taken from: https://aaronbrighton.medium.com/in...clamav-antivirus-on-ubuntu-18-04-a6416bab3b41

To disable AppArmor from enforcing restrictions on “clamd” you can set the profile to complain mode.

Warning: Doing so reduces some of the safety mechanisms that AppArmor has put in place to harden clamd, do so at your own risk.

sudo aa-complain /usr/sbin/clamd
If the above command fails with Command 'aa-complain' not found you may need to install the apparmor-utils package:

sudo apt-get install apparmor-utils


best regards,

P.
 
Correct
Bash:
sudo apt-get install apparmor-utils
sudo aa-complain /usr/sbin/clamd
sudo systemctl restart apparmor
 
What's missed here is
sudo aa-complain /usr/bin/freshclam

freshclam handles updates, not clamd.

root@mailscrub:~# freshclam
ClamAV update process started at Wed Jul 26 10:39:52 2023
daily database available for update (local version: 26980, remote version: 26981)
Current database is 1 version behind.
Downloading database patch # 26981...
^Download failed (6) ^ Message: Couldn't resolve host name
^downloadPatch: Can't download daily-26981.cdiff from https://database.clamav.net/daily-26981.cdiff

root@mailscrub:~# aa-complain /usr/bin/freshclam
Setting /usr/bin/freshclam to complain mode.

root@mailscrub:~# freshclam
ClamAV update process started at Wed Jul 26 10:40:53 2023
daily database available for update (local version: 26980, remote version: 26981)
Current database is 1 version behind.
Downloading database patch # 26981...
Time: 0.2s, ETA: 0.0s [========================>] 4.66KiB/4.66KiB
Testing database: '/var/lib/clamav//tmp.ced8ed945b/clamav-a68bbac811e976bcd32cdf0c7ca39e1e.tmp-daily.cld' ...
 