Clamdscan - Clamav Version Anomaly on different servers

by Rawcous, from LinuxQuestions.org (#5CV2K)
Belated Happy New Year to you all.

I have 2 Centos 8 Servers - 4.18.0-240.1.1.el8_3.x86_64 - both have clamav / clamdscan installed, the primary reason being that they both provide a service to Windows Clients.

I have the clamd daemon process running on both as follows:
Code:root 30153 1 0 12:00 ? 00:00:14 /usr/sbin/clamd -c /etc/clamd.conf
If I incorporate the following code into a bash script on server 1 it works perfectly:
Code:/usr/bin/clamdscan -l /var/log/clam/name_of_logfile --quiet --move=/var/log/clam/infected /tmp/file2scan 2> /dev/null
With the following output being generated:

/tmp/file2scan: OK
----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.000 sec (0 m 0 s)
Start Date: 2021:01:13 12:36:31
End Date: 2021:01:13 12:36:31
[root@raw04 tmp]#


HOWEVER:

If I incorporate the same line into a script on server 2 it does not work at all:
Code:/usr/bin/clamdscan -l /var/log/clam/name_of_logfile --quiet --move=/var/log/clam/infected /tmp/file2scan 2> /dev/null
With the following output being generated:

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)
Start Date: 2021:01:13 12:37:39
End Date: 2021:01:13 12:37:39
[root@raw03 tmp]#


This problem occurs regardless of the file that is scanned.

What I have done & found so far:

1. The error occurs on server 2 even with identical /etc/clamd.conf configuration files.
2. Direct comparison of the clam modules / programs reveals the following:

Server 1

clamd -V -> ClamAV 0.103.0/26048/Tue Jan 12 12:33:56 2021
freshclam -V -> ClamAV 0.103.0/26048/Tue Jan 12 12:33:56 2021
clamscan -V -> ClamAV 0.103.0/26048/Tue Jan 12 12:33:56 2021
clamdscan -V -> ClamAV 0.103.0/26048/Tue Jan 12 12:33:56 2021

(I noticed that when I ran each of the 4 commands above yesterday the output was 26047 and not 26048).

Server 2

clamd -V -> ClamAV 0.103.0/26048/Tue Jan 12 12:33:56 2021
freshclam -V -> ClamAV 0.103.0/26048/Tue Jan 12 12:33:56 2021
clamscan -V -> ClamAV 0.103.0/26048/Tue Jan 12 12:33:56 2021
clamdscan -V -> ClamAV 0.103.0

You will notice that on Server 2 running the command Code:clamdscan -V did not yield the 26048 suffix.

The only output difference between the 2 servers is in the clamdscan binary itself. I am assuming that even though the version prefix ClamAV 0.103.0 is identical, the suffix /26048/Tue Jan 12 12:33:56 2021 possibly means that it's a version variation.

All clam modules on both servers prior to the 13th Jan were 0.102.0 although the same difference existed between the clamdscan binaries i.e. Server 1 listed clamdscan as ClamAV 0.102.0/26046/$Date
In fact I am assuming that this is the case because I have proceeded to install Centos 8 on 3 further machines using the same DVD Installation media and received the same result as the result of the output for Server 2.

Executing Code:sha256sum -b /usr/bin/clamdscan on both servers yields exactly the same result, indicating that the binaries are the same - WHAT THE!!!???

The only way I can get clamdscan to work correctly on Server 2 is to modify the command structure as follows:

Code:/usr/bin/clamdscan --config-file=/etc/clamd.conf --fdpass -l /var/log/clam/name_of_logfile --quiet --move=/var/log/clam/infected /tmp/file2scan 2> /dev/null
(Compare the clamdscan script code for Server 2 to the script code for Server 1 further above)

On Server 2 I have to specify the configuration file even though the clamd daemon is running & loaded as follows:

Code:root 30153 1 0 12:00 ? 00:00:14 /usr/sbin/clamd -c /etc/clamd.conf
Additionally, Server 2 clamdscan Version ClamAV 0.103.0 has issues scanning socket files, meaning that I have to add countless Exclude expressions to the /etc/clamd.conf file, otherwise the following error results:
WARNING: /tmp/.ICE-unix/3614: Not supported file type
WARNING: /tmp/.ICE-unix/4072: Not supported file type

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 2
Time: 0.000 sec (0 m 0 s)
Start Date: 2021:01:13 13:15:02
End Date: 2021:01:13 13:15:02


Code:[root@raw03 .ICE-unix]# ls -l *
srwxrwxrwx 1 gdm gdm 0 Jan 13 08:51 3614
srwxrwxrwx 1 misc misc 0 Jan 13 08:52 4072
So for the time being it seems I need to maintain both servers differently, as perhaps there are 2 or more different releases of a Clamav Version being simultaneously maintained by the Clam team as:

ClamAV 0.102.0/26046/$Date was upgraded to ClamAV 0.103.0/26046/Mon Jan 11 12:34:14 2021 today
ClamAV 0.102.0 was upgraded to ClamAV 0.103.0 today.

Very confusing... Any ideas folks!!??

Regards,

Rawcous!
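As an added example, not part of Rawcous's post and not ClamAV's own code: a POSIX shell wrapper that puts the checks a practitioner would want around the clamdscan call above. One point worth knowing for the diagnosis: clamdscan -V obtains the database number and date by sending a VERSION request to the running clamd, and falls back to printing only its own "ClamAV 0.103.0" when it cannot connect, so a -V line without the /26048/... suffix means clamdscan did not reach the daemon through the socket its default configuration points to. The wrapper therefore checks that the LocalSocket named in clamd.conf exists before trusting any SCAN SUMMARY, passes --config-file and --fdpass explicitly as the working Server 2 command does, hands clamd only regular files (so the /tmp/.ICE-unix sockets are skipped by find -type f instead of by Exclude lines), and keeps clamdscan's exit status (0 clean, 1 infected, 2 error) instead of discarding it with 2> /dev/null. The paths /etc/clamd.conf, /usr/bin/clamdscan and /var/log/clam/infected are taken from the post; everything else (function names, the stub scanner and the config used when testing) is constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from ClamAV.
# Wraps clamdscan so that
#  (a) the daemon's LocalSocket is checked before any scan result is trusted,
#  (b) only regular files are handed to clamd, so sockets such as
#      /tmp/.ICE-unix/* never produce "Not supported file type", and
#  (c) clamdscan's exit status is kept instead of being hidden by 2> /dev/null.
# Default paths are the ones used in the post (assumed, override via env).

CLAMD_CONF=${CLAMD_CONF:-/etc/clamd.conf}
CLAMDSCAN=${CLAMDSCAN:-/usr/bin/clamdscan}
QUARANTINE=${QUARANTINE:-/var/log/clam/infected}

# clamdscan(1) exit status: 0 no virus found, 1 virus(es) found, 2 error.
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo "unknown($1)" ;;
    esac
}

# Extract the LocalSocket path from a clamd.conf (comments and other
# directives ignored) so the daemon's reachability can be checked directly.
clamd_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# Regular, readable files only: sockets, fifos and device nodes are the
# objects clamd reports as "Not supported file type".
scannable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Scan one file; prints clean / infected / error.  --fdpass passes the open
# descriptor to clamd, so the daemon's own uid need not be able to read it.
scan_file() {
    rc=0
    "$CLAMDSCAN" --config-file="$CLAMD_CONF" --fdpass --no-summary \
        --move="$QUARANTINE" "$1" >/dev/null 2>&1 || rc=$?
    classify_exit "$rc"
}

# Walk a tree with find -type f instead of adding an Exclude line to
# clamd.conf for every socket; prints "<result><TAB><path>" per file.
scan_tree() {
    find "$1" -type f | while IFS= read -r f; do
        if scannable "$f"; then
            printf '%s\t%s\n' "$(scan_file "$f")" "$f"
        else
            printf 'skipped\t%s\n' "$f"
        fi
    done
}

# Fail fast if clamd's socket is missing: with stderr sent to /dev/null the
# only trace of that in the post's command is a bare "Total errors: 1".
check_daemon() {
    sock=$(clamd_socket "$CLAMD_CONF")
    if [ -n "$sock" ] && [ ! -S "$sock" ]; then
        echo "clamd socket $sock missing; is clamd -c $CLAMD_CONF running?" >&2
        return 2
    fi
    return 0
}

main() {
    check_daemon || exit 2
    for p; do scan_tree "$p"; done
}

# Only run when paths are given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Usage is `./clamwrap.sh /tmp` (name assumed); each line of output is the result word and the path, and a missing socket stops the run with exit status 2 rather than producing a summary that looks like a clean scan. Because check_daemon reads the LocalSocket from the same file passed to --config-file, the script cannot silently use one configuration for the connectivity check and another for the scan, which is the mismatch the -V output on Server 2 points at.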
Source: LinuxQuestions.org (https://www.linuxquestions.org/questions/)
Feed: https://feeds.feedburner.com/linuxquestions/latest