[clamav-users] Malformed pattern daily.ldb version 25410
David Shrimpton
d.shrimpton at its.uq.edu.au
Sat Apr 6 01:40:03 UTC 2019
This appears to be a different problem than the sigtool --list problem on daily.
I think it may be a problem with the integrity of the downloaded file and not an incompatibility
of that file with the clamav version or something wrong with a sig in the file.
Testing the main.cvd file may be a good first step.
It appears to be reported that the main.cvd downloaded is corrupted:
>> Fri Apr 5 14:17:59 2019 -> *Trying to download
>> http://db.US.clamav.net/main.cvd (IP: 104.16.219.84)
>> Fri Apr 5 14:18:12 2019 -> Downloading main.cvd [100%]
>> Fri Apr 5 14:18:12 2019 -> ^[LibClamAV] cli_cvdload: Corrupted CVD header
>> Fri Apr 5 14:18:12 2019 -> !Verification: Malformed database
Some things that may help debug:
# download the main.cvd manually, e.g. if you have unix wget or curl
wget http://db.US.clamav.net/main.cvd
# check the size: is it zero length or improbably small? Did wget report errors?
# Test main.cvd with sigtool; look for errors or sensible output as below.
sigtool --info main.cvd
File: main.cvd
Build time: 07 Jun 2017 17:38 -0400
Version: 58
Signatures: 4566249
Functionality level: 60
Builder: sigmgr
MD5: 57462fd73f1cfdb356b9dca66da2b732
Digital signature: KWRdhTG+Own6ohh0wn5+vqg1d8ULKCxxxQeKuSA155B3ijxBKgf+bV3IXPcmZrIBUDn1xi8FmyvB63UieykwN/Avq5mTjHIVO8zFnC7wVF7dhdcEYn9Nt+Pmk/HXXx0voylYkidvgZmrxI8jx4a/Re6n3hHQJoCZrkHM15GER8j
Verification OK.
# examine main.cvd with a binary editor, e.g. xxd
main.cvd should have a 512 byte header then a gzipped tar file containing the database files and a main.info.
The header has ':'-separated fields. About the 4th field should look like an md5sum, like 57462fd73f1cfdb356b9dca66da2b732 above.
This is the md5sum of the gz that follows the header. The header seems to end with space padding.
About the 5th field should look like the value of Digital signature: above. You should see the Builder field, e.g. sigmgr above.
I think sigtool has verified the signature above. If the file has been altered then a verification failure might be reported, e.g.
is db.US.clamav.net the real clamav mirror site or an imposter? WARNING: if the file isn't verifying it may be malicious,
e.g. a compression bomb, a malicious archive, an exploit against some of the tools below, and it might be dangerous to run
some of the tools below against it. Remember only http was used, not https, to get the file, so the site might be bogus and the file
could be anything.
# Extract the gz from main.cvd, e.g. with dd, calling the gz main.gz
# i.e. strip off the 512 byte header at the start
dd if=main.cvd of=main.gz skip=1 bs=512
# test the gz
gunzip -t main.gz
# extract the gz (it will be large, e.g. 3 times the size of the gz in my example)
gunzip main.gz
# this should give a tar file called main in my example
# test the tar file (my tar reports improbable dates)
tar tvf main
---------- 0/0 17992 1970-01-01 10:00 COPYING
---------- 0/0 1060 1970-01-01 10:00 main.info
---------- 0/0 3649543 1970-01-01 10:00 main.hdb
---------- 0/0 24806499 1970-01-01 10:00 main.hsb
etc
# try extracting main.info and some of the database files
tar xf main main.info
# main.info contains a sha256sum for each database file.
# test that the extracted database files have the same sha256 sum,
# e.g. from main.info
main.sfp:87:ded8b3b340e2da8415f1409959abb54725afad137a66e938080c7c95a9413128
sha256sum main.sfp
ded8b3b340e2da8415f1409959abb54725afad137a66e938080c7c95a9413128 main.sfp
If a sha256 doesn't match, that database file is corrupted or altered, or main.sfp is wrong.
You could look at a database file, e.g. main.ndb, with a text editor or xxd and should see lines looking
like clamav signatures. Try 'file main.ndb' first to make sure it is a text file. A corrupted file might be binary
and trash your terminal or editor.
If the main.cvd appears to be OK then maybe the problem is it isn't compatible with the clamav version.
You'd need to look at things like the version and functionality level from the sigtool output and decide
if this is what is expected for a current main.cvd. If it is then I guess that an incompatible main.cvd
or some faulty sig in main.cvd might be the issue.
>> Is there a way to go back to daily-25409, for example, other than using
backups? I looked at the FAQ,
If the main.cvd is corrupted I doubt freshclam would replace existing database files, and
sigtool --version may show you are already on daily-25409 or earlier.
Note if running
freshclam --datadir
I think any settings other than the database location from freshclam.conf would apply. So if you were just trying to
get an example main.cvd you might see side effects you don't want, like freshclam writing to a configured log file
or trying to HUP your clamd or writing a mirrors.dat.
David Shrimpton
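The manual checks in the message above (split off the 512-byte header, compare the header MD5 field with the md5sum of the gz that follows, gunzip -t, tar t, then check each database file against the sha256 in main.info), done in one pass as an added Python example that is not part of this post or of ClamAV. It works on a small CVD-shaped file it constructs itself (constructed data, not a real database); the exact field positions (MD5 in the 6th field, Builder in the 8th, counting from 1), the '-' in place of ':' inside the build time, and the main.info line format name:size:sha256 are assumptions about the header layout. The Digital signature field is not checked here; that is the part only sigtool does.

```python
import gzip, hashlib, io, tarfile

HEADER_LEN = 512                  # CVD = 512-byte ASCII header + gzipped tar (per the post)
MD5_FIELD, BUILDER_FIELD = 5, 7   # assumed 0-based positions of the MD5 and Builder fields

def parse_cvd(data):
    """Split a CVD into header fields and payload; fail like cli_cvdload on a bad header/MD5."""
    header, payload = data[:HEADER_LEN], data[HEADER_LEN:]
    if len(header) < HEADER_LEN or not header.startswith(b"ClamAV-VDB:"):
        raise ValueError("Corrupted CVD header")
    fields = header.decode("ascii", "replace").rstrip(" \x00").split(":")
    if len(fields) <= BUILDER_FIELD:
        raise ValueError("Corrupted CVD header: too few fields")
    if hashlib.md5(payload).hexdigest() != fields[MD5_FIELD]:
        raise ValueError("Malformed database: header MD5 != md5(gzipped tar)")
    return fields, payload   # the dsig field is NOT checked here; sigtool does that

def check_payload(payload):
    """gunzip -t, tar t and the main.info sha256 check, in memory; returns verified names."""
    raw = gzip.decompress(payload)                       # raises on a damaged gzip stream
    with tarfile.open(fileobj=io.BytesIO(raw)) as tar:   # raises on a damaged tar
        members = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    verified = []
    for line in members["main.info"].decode().splitlines():   # KeyError if main.info missing
        parts = line.split(":")                          # expected: name:size:sha256
        if len(parts) != 3 or parts[0] not in members:   # skip any other lines
            continue
        name, _size, digest = parts
        if hashlib.sha256(members[name]).hexdigest() != digest:
            raise ValueError(f"{name}: sha256 mismatch, file corrupted or altered")
        verified.append(name)
    return verified

def build_cvd(files, md5_override=None):
    """Construct a CVD-shaped file for the demo (constructed data, not a real database)."""
    info = "".join(f"{n}:{len(b)}:{hashlib.sha256(b).hexdigest()}\n" for n, b in files.items())
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in {"main.info": info.encode(), **files}.items():
            ti = tarfile.TarInfo(name)                   # mtime 0 -> the 1970 dates tar lists
            ti.size = len(body)
            tar.addfile(ti, io.BytesIO(body))
    payload = gzip.compress(buf.getvalue())
    md5 = md5_override or hashlib.md5(payload).hexdigest()
    # build time written with '-' instead of ':' so the field split is unambiguous (assumed format)
    header = f"ClamAV-VDB:07 Jun 2017 17-38 -0400:58:4566249:60:{md5}:DSIG:sigmgr:0"
    return header.encode().ljust(HEADER_LEN, b" ") + payload
```

A header MD5 mismatch or a truncated header fails in parse_cvd before anything is decompressed, which mirrors the Corrupted CVD header / Malformed database messages quoted above.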