[clamav-users] daily.cvd: Malformed database
Al Varnell
alvarnell at mac.com
Wed May 6 01:16:06 UTC 2015
daily.cvd is compressed while daily.cld is expanded so there can only be one of those in your database.
Normally what happens is that freshclam checks to see if daily.* needs to be updated and attempts to download incremental .cdiff updates which are processed and added one-by-one to a decompressed daily resulting in an up-to-date daily.cld. If for some reason freshclam is unable to download incremental updates, it will download the latest daily.cvd and delete the older daily.cld. From your freshclam.log it would appear that this is working as designed.
That being said, I still can’t explain why you are getting the "malformed" database error.
-Al-
On Tue, May 05, 2015 at 03:07 PM, MAYER Hans wrote:
>
> Hi Ged
>
> thanks for your feedback.
>
>> What does "Whipped out" mean?
>
> rm /usr/local/share/clamav/*
>
>> You have said neither from where you are trying to download the file,
>> nor exactly how you are using wget to do it, which might perhaps have
>> helped.
>
> I always take the files with 'freshclam'
> My /usr/local/etc/freshclam.conf consists only of comment lines.
> So I assume it will pull the data from a default location.
> As I got this error I tried to fetch with wget. This I did:
> wget http://db.us.clamav.net/daily.cvd
>
> I got the identical file as freshclam pulled it.
> Actually now I recognize there is a daily.cld and a daily.cvd
>
> See below what I have done now.
> Too late I have seen that I have today a daily.cld which is much bigger than the daily.cvd from yesterday.
> This must be done by the nightly cron job.
> A new freshclam brought a smaller daily.cvd and I got the error.
> So I copied the daily.cld from my productive system to this location.
> The productive system is also Oracle (SUN) Solaris with Sparc architecture but ClamAV 0.98.6
> On the productive system with "old" clamav it's working but here on the test system
> ( which is also SUN Sparc Solaris ) I got again the same error.
> So it's definitely not the daily.cld which is corrupt I can say now.
>
> At the end you can find the output of a truss command ( "truss" is like "strace" on Linux )
> You can see the daemon could successfully open the file for read only.
> Otherwise there would be an error and not file descriptor 5.
>
> Kind regards
> Hans
>
>
>
> mh3:root> cd /usr/local/share/clamav
> mh3:root> ls -la
> total 299706
> drwxrwxr-x 2 clamav clamav 512 May 5 15:47 .
> drwxr-xr-x 25 root root 512 Jan 18 12:46 ..
> -rw-r--r-- 1 clamav clamav 75408 May 2 21:06 bytecode.cvd
> -rw-r--r-- 1 clamav clamav 88544768 May 5 15:47 daily.cld
> -rw-r--r-- 1 clamav clamav 64720632 May 2 21:04 main.cvd
> -rw------- 1 clamav clamav 208 May 5 15:47 mirrors.dat
> mh3:root> rm *
> mh3:root> ls -la
> total 4
> drwxrwxr-x 2 clamav clamav 512 May 5 23:06 .
> drwxr-xr-x 25 root root 512 Jan 18 12:46 ..
> mh3:root> freshclam
> ClamAV update process started at Tue May 5 23:07:08 2015
> Downloading main.cvd [100%]
> main.cvd updated (version: 55, sigs: 2424225, f-level: 60, builder: neo)
> Downloading daily.cvd [100%]
> daily.cvd updated (version: 20420, sigs: 1382746, f-level: 63, builder: neo)
> Downloading bytecode.cvd [100%]
> bytecode.cvd updated (version: 254, sigs: 45, f-level: 63, builder: anvilleg)
> Database updated (3807016 signatures) from database.clamav.net (IP: 193.1.193.64)
> mh3:root> ls -la
> total 194346
> drwxrwxr-x 2 clamav clamav 512 May 5 23:11 .
> drwxr-xr-x 25 root root 512 Jan 18 12:46 ..
> -rw-r--r-- 1 clamav clamav 75408 May 5 23:11 bytecode.cvd
> -rw-r--r-- 1 clamav clamav 34624748 May 5 23:10 daily.cvd
> -rw-r--r-- 1 clamav clamav 64720632 May 5 23:09 main.cvd
> -rw------- 1 clamav clamav 52 May 5 23:11 mirrors.dat
> mh3:root> /usr/local/sbin/clamd
> LibClamAV Error: Can't load /usr/local/share/clamav/daily.cvd: Malformed database
> ERROR: Malformed database
> mh3:root> rm daily.cvd
> mh3:root> # i copied from a remote server a daily.cld to /var/tmp
> mh3:root> cp /var/tmp/daily.cld .
> mh3:root> chown clamav:clamav daily.cld
> mh3:root> /usr/local/sbin/clamd
> LibClamAV Error: Can't load /usr/local/share/clamav/daily.cld: Malformed database
> ERROR: Malformed database
> mh3:root> ls -la
> total 299706
> drwxrwxr-x 2 clamav clamav 512 May 5 23:22 .
> drwxr-xr-x 25 root root 512 Jan 18 12:46 ..
> -rw-r--r-- 1 clamav clamav 75408 May 5 23:11 bytecode.cvd
> -rw-r--r-- 1 clamav clamav 88544768 May 5 23:22 daily.cld
> -rw-r--r-- 1 clamav clamav 64720632 May 5 23:09 main.cvd
> -rw------- 1 clamav clamav 52 May 5 23:11 mirrors.dat
> mh3:root> cp /var/tmp/bytecode.cld .
> mh3:root> rm bytecode.cvd
> mh3:root> chown clamav:clamav bytecode.cld
> mh3:root> /usr/local/sbin/clamd
> LibClamAV Error: Can't load /usr/local/share/clamav/daily.cld: Malformed database
> ERROR: Malformed database
> mh3:root> ls -al
> total 300342
> drwxrwxr-x 2 clamav clamav 512 May 5 23:23 .
> drwxr-xr-x 25 root root 512 Jan 18 12:46 ..
> -rw-r--r-- 1 clamav clamav 389120 May 5 23:23 bytecode.cld
> -rw-r--r-- 1 clamav clamav 88544768 May 5 23:22 daily.cld
> -rw-r--r-- 1 clamav clamav 64720632 May 5 23:09 main.cvd
> -rw------- 1 clamav clamav 52 May 5 23:11 mirrors.dat
> mh3:root> cat /var/log/freshclam.log
> # nothing inside as UpdateLogFile was commented out
>
>
>
> mh3:root> truss -t open /usr/local/sbin/clamd
> open("/var/ld/ld.config", O_RDONLY) = 3
> open("/usr/local/lib/libclamav.so.6", O_RDONLY) = 3
> open("/usr/lib/libxml2.so.2", O_RDONLY) = 3
> open("/usr/lib/libz.so", O_RDONLY) = 3
> open("/usr/lib/libbz2.so.1", O_RDONLY) = 3
> open("/usr/local/lib/libiconv.so.2", O_RDONLY) = 3
> open("/usr/sfw/lib/libssl.so.0.9.7", O_RDONLY) = 3
> open("/usr/sfw/lib/libcrypto.so.0.9.7", O_RDONLY) = 3
> open("/usr/lib/libm.so.2", O_RDONLY) = 3
> open("/usr/lib/libnsl.so.1", O_RDONLY) = 3
> open("/usr/lib/libsocket.so.1", O_RDONLY) = 3
> open("/usr/lib/libresolv.so.2", O_RDONLY) = 3
> open("/usr/lib/libpthread.so.1", O_RDONLY) = 3
> open("/usr/lib/libc.so.1", O_RDONLY) = 3
> open("/usr/lib/libssl.so.1.0.0", O_RDONLY) = 3
> open("/usr/lib/libcrypto.so.1.0.0", O_RDONLY) = 3
> open("/usr/sfw/lib/libgcc_s.so.1", O_RDONLY) = 3
> open("/usr/lib/libz.so.1", O_RDONLY) = 3
> open("/usr/lib/libdl.so.1", O_RDONLY) = 3
> open("/usr/sfw/lib/libssl_extra.so.0.9.7", O_RDONLY) = 3
> open("/usr/sfw/lib/libcrypto_extra.so.0.9.7", O_RDONLY) = 3
> open("/platform/SUNW,Sun-Fire-V240/lib/libc_psr.so.1", O_RDONLY) = 3
> Incurred fault #1, FLTILL %pc = 0xFE6CBB3C
> siginfo: SIGILL ILL_ILLADR addr=0xFE6CBB3C
> Received signal #4, SIGILL [caught]
> siginfo: SIGILL ILL_ILLADR addr=0xFE6CBB3C
> open("/usr/local/etc/clamd.conf", O_RDONLY) = 3
> open("/proc/5885/psinfo", O_RDONLY) = 3
> open64("/var/run/name_service_door", O_RDONLY) = 3
> open("/usr/local/lib/libclamunrar_iface.so.6.1.26", O_RDONLY) = 4
> open("/usr/local/lib/libclamunrar.so.6", O_RDONLY) = 4
> open("/usr/lib/libmp.so.2", O_RDONLY) = 4
> open("/usr/lib/libmd.so.1", O_RDONLY) = 4
> open("/usr/lib/libscf.so.1", O_RDONLY) = 4
> open("/usr/lib/libdoor.so.1", O_RDONLY) = 4
> open("/usr/lib/libuutil.so.1", O_RDONLY) = 4
> open("/usr/lib/libgen.so.1", O_RDONLY) = 4
> open("/usr/local/share/clamav/daily.cld", O_RDONLY) = 5
> open("/usr/local/share/clamav/daily.cld", O_RDONLY) = 5
> LibClamAV Error: Can't load /usr/local/share/clamav/daily.cld: Malformed database
> ERROR: Malformed database
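
An added example, not part of the original thread and not ClamAV's own code: a check of a database directory for the two conditions discussed above, a name present as both `.cvd` and `.cld`, and a file whose header or container is not what a ClamAV database should have. It assumes the documented layout (a 512-byte, colon-separated text header starting with `ClamAV-VDB`, followed by a gzip-compressed or plain tar archive); the sample files are constructed, and the MD5 and digital signature fields are not verified.

```python
import gzip, io, os, tarfile, tempfile

HEADER_LEN = 512  # every .cvd/.cld starts with a 512-byte space-padded text header
FIELDS = ("magic", "build_time", "version", "sigs", "f_level", "md5", "dsig", "builder")

def inspect_db(path):
    """Parse the header and identify the container that follows it."""
    with open(path, "rb") as fh:
        head, body = fh.read(HEADER_LEN), fh.read(512)
    parts = head.decode("ascii", "replace").rstrip().split(":")
    if len(head) < HEADER_LEN or parts[0] != "ClamAV-VDB" or len(parts) < len(FIELDS):
        return {"file": os.path.basename(path), "ok": False}
    info = dict(zip(FIELDS, parts), file=os.path.basename(path), ok=True, body="unknown")
    if body[:2] == b"\x1f\x8b":
        info["body"] = "gzip"   # compressed tar, as in a downloaded .cvd
    elif body[257:262] == b"ustar":
        info["body"] = "tar"    # expanded tar, as in a .cld built from .cdiff updates
    return info

def check_dir(dbdir):
    """Return (per-file info, names present as both .cvd and .cld)."""
    names = sorted(n for n in os.listdir(dbdir) if n.endswith((".cvd", ".cld")))
    infos = [inspect_db(os.path.join(dbdir, n)) for n in names]
    stems = [n[:-4] for n in names]
    dupes = sorted({s for s in stems if stems.count(s) > 1})
    return infos, dupes

def _sample(path, version, sigs, compress):
    """Write a constructed database file: header plus a tiny tar (no real signatures)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        member = tarfile.TarInfo("COPYING")
        member.size = 4
        tar.addfile(member, io.BytesIO(b"test"))
    body = gzip.compress(buf.getvalue()) if compress else buf.getvalue()
    hdr = f"ClamAV-VDB:05 May 2015 00-00 +0000:{version}:{sigs}:63:x:x:neo:0"
    with open(path, "wb") as fh:
        fh.write(hdr.encode().ljust(HEADER_LEN) + body)

def demo():
    with tempfile.TemporaryDirectory() as d:
        _sample(os.path.join(d, "daily.cvd"), 20420, 1382746, compress=True)
        _sample(os.path.join(d, "daily.cld"), 20419, 1382000, compress=False)
        with open(os.path.join(d, "main.cvd"), "wb") as fh:
            fh.write(b"<html>proxy error</html>")  # constructed bad download
        return check_dir(d)

if __name__ == "__main__":
    print(demo())
```

Pointing `check_dir` at a real database directory shows the version, signature count and f-level each file claims, which can be compared against what freshclam printed when it downloaded them.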