[sanesecurity] Re: Errors

  • From: Doc Schneider <dschneider@xxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Thu, 16 Apr 2009 15:27:25 -0500



Doc Schneider wrote:


Bill Landry wrote:
Bill Landry wrote:
Doc Schneider wrote:
Bill Landry wrote:
Doc Schneider wrote:
Bill Landry wrote:
Doc Schneider wrote:
Oh and using clamav 0.95.1 on CentOS 5.2

Doc Schneider wrote:
I've got a server that keeps getting these errors. Using Bill's
unofficial sigs script v 2.7

Any ideas?

Stopping Clam AntiVirus Daemon: [FAILED]
Starting Clam AntiVirus Daemon: LibClamAV Error: cli_loadmd5: Malformed MD5 string at line 95073
LibClamAV Error: cli_loadmd5: Problem parsing database at line 95073
LibClamAV Error: Can't load /var/clamav/securiteinfo.hdb: Malformed database
ERROR: Malformed database
[FAILED]
Doc, can you provide the output from:

   ls -l /var/clamav/securiteinfo.hdb

and (adjust path to match your "ss-dbs" working directory location):

   ls -l /usr/unofficial-dbs/ss-dbs/securiteinfo.hdb

and:

   unofficial-clamav-sigs.sh -s securiteinfo.hdb

I'm wondering why this file appears to not be updating, as the issue
you report above was resolved by newer signature updates from
SecuriteInfo for securiteinfo.hdb.

Bill

-rw-r--r-- 1 root root 7451460 Apr 16 07:56 /usr/unofficial-dbs/si-dbs/securiteinfo.hdb

I removed all the si sigs so none are going into /var/clamav/
Hmmm, that's too bad, can't compare the two files then. Anyway, that is
the correct file size.  What about the output from either:

   unofficial-clamav-sigs.sh -s securiteinfo.hdb

or:

   clamscan -d /usr/unofficial-dbs/si-dbs/securiteinfo.hdb /dev/null

If the database is not reporting any errors, then it should not cause
clamd any problems.

Bill

Clamscan integrity testing database file:
/usr/unofficial-dbs/si-dbs/securiteinfo.hdb

Clamscan reports that the 'scam.ndb' database file integrity tested GOOD

clamscan -d /usr/unofficial-dbs/si-dbs/securiteinfo.hdb /dev/null
ERROR: Not supported file type (/dev/null)

----------- SCAN SUMMARY -----------
Known viruses: 106406
Engine version: 0.95.1
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.393 sec (0 m 0 s)
Perfect, so there should be no issue with using this database.  However,
since the file that was previously causing the issue is no longer
available, there is no way to confirm whether the file was different
than the one you just tested in your working directory, and no way to
determine if it was being updated or not.

BTW, have you enabled logging in the script?  If so, could you provide
log output from an update run that shows this issue?

Thanks,

Bill


I've enabled logging in the conf file and will send the output after it runs on the hour.


And of course not much in the log:


Apr 16 15:14:29 INFO - Pausing database file updates for 435 seconds...
Apr 16 15:21:45 INFO - SaneSecurity mirror site used: www01.masbytes.es 213.194.159.34
Apr 16 15:21:47 INFO - No SaneSecurity database file updates found
Apr 16 15:21:48 INFO - MSRBL mirror site used: msrbl.aarboard.ch 88.198.249.108
Apr 16 15:21:50 INFO - No MSRBL database file updates found
Apr 16 15:21:50 INFO - Next SecuriteInfo check will be performed in approximately 0 hour(s), 57 minute(s)
Apr 16 15:21:50 INFO - Next MalwarePatrol download will be performed in approximately 3 hour(s), 14 minute(s)
Apr 16 15:21:50 INFO - No update(s) detected, NOT reloading ClamAV databases


--
Doc Schneider
Fort Systems, LTD http://www.fsl.com/
Office Phone: 202 595-7760 ext. 803
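
Added example, not part of the original thread and not taken from the unofficial sigs script: a shell pre-check that names the lines of a candidate `.hdb` file that do not parse, the kind of entry behind the `Malformed MD5 string at line 95073` error above, so the file can be rejected before it reaches the ClamAV database directory. It assumes the three-field `MD5:Size:Name` layout of `.hdb` entries; `check_hdb`, `make_sample` and the sample entries are constructed for illustration, and this is not ClamAV's own parser.

```shell
#!/bin/sh
# Added example: pre-flight check for a ClamAV .hdb file.
# Assumption: every entry is one line of the form MD5:Size:Name.

# check_hdb FILE
# Prints "LINE: reason" for each entry that does not parse.
# Returns 0 when the file is clean, 1 when at least one entry is bad.
check_hdb() {
    awk -F: '
        { sub(/\r$/, "") }   # tolerate CRLF line endings
        NF != 3 { printf "%d: expected 3 fields, found %d\n", NR, NF; bad = 1; next }
        length($1) != 32 || $1 !~ /^[0-9A-Fa-f]+$/ { printf "%d: malformed MD5 string\n", NR; bad = 1; next }
        $2 !~ /^[0-9]+$/ { printf "%d: size is not a number\n", NR; bad = 1; next }
        $3 == "" { printf "%d: empty signature name\n", NR; bad = 1; next }
        END { exit bad + 0 }
    ' "$1"
}

# make_sample: constructed entries (not real signatures). Lines 1-2 are well
# formed, line 3 has a short hash, line 4 lacks the size field, and line 5
# is cut off the way an interrupted download would leave it.
make_sample() {
    cat <<'EOF'
0123456789abcdef0123456789abcdef:0:Constructed.Sample.One
fedcba9876543210fedcba9876543210:68:Constructed.Sample.Two
0123456789abcdef0123456789ab:68:Constructed.Sample.ShortHash
0123456789abcdef0123456789abcdef:Constructed.Sample.NoSize
0123456789abcdef01234567
EOF
}

# Stand-alone run: check the sample and only "install" when it is clean.
sample=$(mktemp)
make_sample > "$sample"
if check_hdb "$sample"; then
    echo "candidate is clean, safe to copy into the database directory"
else
    echo "candidate rejected, keeping the currently installed database"
fi
rm -f "$sample"
```

Running the same check against both the working-directory copy and the installed copy also shows whether the two files differ at the reported line.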
