ClamAV / freshclam update errors

Jan 26, 2022
Hi,

Recently updated our cluster (3 nodes total); the first node keeps giving errors with ClamAV while updating.
The other 2 nodes don't give any errors.

Code:
Jan 27 17:02:19 pmx1 freshclam[491326]: Trying to retrieve CVD header from https://database.clamav.net/daily.cvd
Jan 27 17:02:19 pmx1 freshclam[491326]: WARNING: remote_cvdhead: Download failed (6) WARNING:  Message: Couldn't resolve host name
Jan 27 17:02:19 pmx1 freshclam[491326]: WARNING: Failed to get daily database version information from server: https://database.clamav.net
Jan 27 17:02:19 pmx1 freshclam[491326]: ERROR: check_for_new_database_version: Failed to find daily database using server https://database.clamav.net.
Jan 27 17:02:19 pmx1 freshclam[491326]: Trying again in 5 secs...

Also, when we look at - Configuration : Virus Detector
The Status list is empty (on the first node)

Anyone with similar problems?

Thanks in advance.

With Regards,

Thomas




Code:
proxmox-mailgateway: 7.1-1
pmg-api: 7.1-1
pmg-gui: 3.1-1
pve-kernel-helper: 7.1-8
pve-kernel-5.13: 7.1-6
pve-kernel-5.11: 7.0-10
pve-kernel-5.13.19-3-pve: 5.13.19-7
pve-kernel-5.13.19-2-pve: 5.13.19-4
pve-kernel-5.13.19-1-pve: 5.13.19-3
pve-kernel-5.11.22-7-pve: 5.11.22-12
pve-kernel-5.11.22-5-pve: 5.11.22-10
clamav-daemon: 0.103.5+dfsg-0+deb11u1
ifupdown: residual config
ifupdown2: 3.1.0-1+pmx3
libarchive-perl: 3.4.0-1
libjs-extjs: 7.0.0-1
libjs-framework7: 4.4.7-1
libproxmox-acme-perl: 1.4.0
libproxmox-acme-plugins: 1.4.0
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.0-14
libpve-http-server-perl: 4.0-4
libxdgmime-perl: 1.0-1
pmg-docs: 7.1-1
pmg-i18n: 2.6-2
pmg-log-tracker: 2.3.0-1
postgresql-13: 13.5-0+deb11u1
proxmox-mini-journalreader: 1.3-1
proxmox-spamassassin: 3.4.6-4
proxmox-widget-toolkit: 3.4-4
pve-firmware: 3.3-4
pve-xtermjs: 4.12.0-1
 

oguz

Proxmox Staff Member
Nov 19, 2018
hi,

see the error: WARNING: remote_cvdhead: Download failed (6) WARNING: Message: Couldn't resolve host name
sounds like a DNS problem.

what happens when you run ping database.clamav.net?

check your /etc/resolv.conf on that node to see which nameserver is set for it
 
Jan 26, 2022
I can ping without any problems. Resolving doesn't seem to be the issue.

Code:
$ ping google.com
PING google.com(ams16s21-in-x0e.1e100.net (2a00:1450:400e:802::200e)) 56 data bytes
64 bytes from ams16s21-in-x0e.1e100.net (2a00:1450:400e:802::200e): icmp_seq=1 ttl=114 time=2.79 ms
...
ping -4 database.clamav.net
PING  (104.16.219.84) 56(84) bytes of data.
64 bytes from 104.16.219.84 (104.16.219.84): icmp_seq=1 ttl=58 time=2.99 ms
...
ping database.clamav.net
PING database.clamav.net(2606:4700::6810:db54 (2606:4700::6810:db54)) 56 data bytes
64 bytes from 2606:4700::6810:db54 (2606:4700::6810:db54): icmp_seq=1 ttl=58 time=3.28 ms
...

When I use wget to get the main.cvd database, this is what happens.
Code:
$ wget http://database.clamav.net/main.cvd
--2022-01-27 21:06:29--  http://database.clamav.net/main.cvd
Resolving database.clamav.net (database.clamav.net)... 2606:4700::6810:da54, 2606:4700::6810:db54, 104.16.218.84, ...
Connecting to database.clamav.net (database.clamav.net)|2606:4700::6810:da54|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2022-01-27 21:06:29 ERROR 403: Forbidden.


$ wget -4 http://database.clamav.net/main.cvd
--2022-01-27 21:06:40--  http://database.clamav.net/main.cvd
Resolving database.clamav.net (database.clamav.net)... 104.16.218.84, 104.16.219.84
Connecting to database.clamav.net (database.clamav.net)|104.16.218.84|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2022-01-27 21:06:40 ERROR 403: Forbidden.

* Using a browser gets me a Cloudflare 'protection' page

Checking your browser before accessing database.clamav.net.


This process is automatic. Your browser will redirect to your requested content shortly.

Redirecting…

DDoS protection by Cloudflare


With regards,

Thomas
 
Jan 26, 2022
Took a closer look at /var/log/message, these appeared after the upgrade.

Code:
Jan 25 08:54:28 pmx1 kernel: [673715.705604] audit: type=1400 audit(1643097268.285:53): apparmor="DENIED" operation="create" profile="/usr/bin/freshclam" pid=1394963 comm="freshclam" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
-
Code:
Jan 25 08:55:02 pmx1 kernel: [673749.861912] audit: type=1400 audit(1643097302.444:128): apparmor="DENIED" operation="create" profile="/usr/sbin/clamd" pid=1396042 comm="clamd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none

Tried;
systemctl disable apparmor.service
systemctl stop apparmor.service

systemctl restart clamav-freshclam && systemctl restart clamav-daemon

...no changes

Then tried;
apt remove apparmor -y

Followed by a reboot

I find this a really quick and dirty solution, but it solved the problem for now.

Hopefully you can fix this in a cleaner way.

With regards,

Thomas
 

PMB

New Member
Feb 13, 2022
Hi,

No need to disable AppArmor; you can simply change clamd and freshclam to warn only in AppArmor.

Taken from: https://aaronbrighton.medium.com/in...clamav-antivirus-on-ubuntu-18-04-a6416bab3b41

To disable AppArmor from enforcing restrictions on “clamd” you can set the profile to complain mode.

Warning: Doing so reduces some of the safety mechanisms that AppArmor has put in place to harden clamd, do so at your own risk.

sudo aa-complain /usr/sbin/clamd
If the above command fails with Command 'aa-complain' not found you may need to install the apparmor-utils package:

sudo apt-get install apparmor-utils


best regards,

P.
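
An added example (not part of any post in this thread): a small Python parser that pulls the AppArmor DENIED records quoted above out of a syslog excerpt and groups them by profile and denied operation, so you can see which confined binaries are affected before choosing between complain mode and a profile change. The sample log is constructed from lines in this thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the two AppArmor records quoted in the thread, plus one
# freshclam line that the parser must ignore.
SAMPLE_LOG = """\
Jan 25 08:54:28 pmx1 kernel: [673715.705604] audit: type=1400 audit(1643097268.285:53): apparmor="DENIED" operation="create" profile="/usr/bin/freshclam" pid=1394963 comm="freshclam" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
Jan 25 08:55:02 pmx1 kernel: [673749.861912] audit: type=1400 audit(1643097302.444:128): apparmor="DENIED" operation="create" profile="/usr/sbin/clamd" pid=1396042 comm="clamd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
Jan 27 17:02:19 pmx1 freshclam[491326]: WARNING: remote_cvdhead: Download failed (6) WARNING:  Message: Couldn't resolve host name
"""

# key=value or key="quoted value" pairs as they appear in kernel audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict of audit fields per AppArmor DENIED record in text."""
    records = []
    for line in text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records


def summarize(records):
    """Count denials per (profile, operation, family, sock_type)."""
    return Counter(
        (r.get("profile"), r.get("operation"), r.get("family"), r.get("sock_type"))
        for r in records
    )


if __name__ == "__main__":
    summary = summarize(parse_denials(SAMPLE_LOG))
    for (profile, op, family, sock_type), n in summary.items():
        print(f"{n}x {profile}: {op} denied for {family}/{sock_type} socket")
```
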
 
