[clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally
Robert Kudyba
rkudyba at fordham.edu
Mon Jul 12 02:21:41 UTC 2021
>
> On Sat, 10 Oct 2020, Robert Kudyba wrote:
>
> > ... next time it happens I can try some of these:
> > ...
>
> But put some logging in place before it does, so you get as precise a
> timeline as you can.
>
> > Here's what the -i option returns:
> > ...
> > Loading config: /etc/clamav-unofficial-sigs/master.conf
> > Loading config: /etc/clamav-unofficial-sigs/os.conf
> > Loading config: /etc/clamav-unofficial-sigs/user.conf
>
> I take it you've examined these files for clues? And the systemd unit
> files etc.?
>
Indeed and here we are 9 months later and the problem is back. I can see
this happened after Jul 3 at 4:22 AM:
Jul 03 04:22:22 Checking for updated interServer database file:
interservertopline.db
Jul 03 04:22:22 No updated interServer interservertopline.db database file
Jul 03 04:22:22 No interServer database file updates
Jul 03 04:22:22 MalwarePatrol Database File Updates
Jul 03 04:22:22 24 hours have not yet elapsed since the last malwarepatrol
update check
Jul 03 04:22:22 No update check was performed at this time
Jul 03 04:22:22 Next check will be performed in approximately 6 hour(s), 53
minute(s)
Jul 03 04:22:22 URLhaus Database File Updates
Jul 03 04:22:22 Checking for urlhaus updates...
Jul 03 04:22:22 Checking for updated urlhaus database file: urlhaus.ndb
Jul 03 04:22:22 WARNING: Failed connection to
https://urlhaus.abuse.ch/downloads - SKIPPED urlhaus urlhaus.ndb update
Jul 03 04:22:22 No updated urlhaus urlhaus.ndb database file
Jul 03 04:22:22 No urlhaus database file updates
Jul 03 04:22:22 Yara-Rules Database File Updates
Jul 03 04:22:22 24 hours have not yet elapsed since the last
yararulesproject update check
Jul 03 04:22:22 No update check was performed at this time
Jul 03 04:22:22 Next check will be performed in approximately 6 hour(s), 53
minute(s)
Jul 03 04:22:22 Update(s) detected, reloading ClamAV databases
Jul 03 04:22:22 ClamAV databases reloading
Jul 03 04:22:22 Issue tracker :
https://github.com/extremeshok/clamav-unofficial-sigs/issues
Jul 03 04:22:22 Powered By https://eXtremeSHOK.com
Jul 03 05:14:01 ERROR: clam database directory (clam_dbs) not writable
/var/lib/clamav
ps -auwx|grep clam
clamav 1533123 0.0 1.2 2783400 1678272 ? Ssl Jul03 7:13 /usr/sbin/clamd -c /etc/clamd.d/scan.conf
clamilt 1533191 0.0 0.0 1053352 3616 ? Ssl Jul03 0:05 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf
clamav 1533209 0.0 0.0 28268 12480 ? Ss Jul03 0:00 /usr/bin/freshclam -d --foreground=true
ls -ld /var/lib/clamav
drwxr-xr-x. 4 clamupdate clamupdate 8192 Jul 3 04:46 /var/lib/clamav
and these 3 files have their owner changed but note the old date timestamp:
-rw-r--r-- 1 clamupdate clamupdate 293670 Apr 8 06:32 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate 107169718 Jun 22 18:06 daily.cvd
-rw-r--r-- 1 clamupdate clamupdate 117859675 Nov 25 2019 main.cvd
grep clamupdate /etc/clam*/*
/etc/clamav-unofficial-sigs/os.conf:#clam_user="clamupdate"
/etc/clamav-unofficial-sigs/os.conf:#clam_group="clamupdate"
status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service;
enabled; vendor preset: disabled)
Active: active (running) since Sat 2021-07-03 04:46:13 EDT; 1 weeks 1 days ago
Docs: man:freshclam(1)
man:freshclam.conf(5)
https://www.clamav.net/documents
Main PID: 1533209 (freshclam)
Tasks: 1 (limit: 154192)
Memory: 1.7M
CGroup: /system.slice/clamav-freshclam.service
└─1533209 /usr/bin/freshclam -d --foreground=true
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: ERROR: Can't create
temporary directory /var/lib/clamav/tmp.92f6163053
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: Hint: The database
directory must be writable for UID 985 or GID 981
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: ERROR: Update failed.
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: Received signal: wake up
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: ClamAV update process
started at Sun Jul 11 20:46:13 2021
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: DNS record is older than 3 hours.
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: Can't create temporary directory /var/lib/clamav/tmp.92f6163053
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: Hint: The database directory must be writable for UID 985 or GID 981
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: Update failed.
Jul 11 20:46:13 ourserver.edu freshclam[1533209]:
--------------------------------------
cat /usr/lib/systemd/system/clamav-freshclam.service
[Unit]
Description=ClamAV virus database updater
Documentation=man:freshclam(1) man:freshclam.conf(5)
https://www.clamav.net/documents
# If user wants it run from cron, don't start the daemon.
ConditionPathExists=!/etc/cron.d/clamav-update
Wants=network-online.target
After=network-online.target
[Service]
ExecStart=/usr/bin/freshclam -d --foreground=true
[Install]
WantedBy=multi-user.target
systemctl status clamav-unofficial-sigs.service
● clamav-unofficial-sigs.service - Clamav Unofficial Sigs Update service
Loaded: loaded (/etc/systemd/system/clamav-unofficial-sigs.service;
static)
Active: inactive (dead)
Docs: man:clamav-unofficial-sigs(8)
(base) [root at ourserver ~]# systemctl status clamav-unofficial-sigs.timer
● clamav-unofficial-sigs.timer - Clamav Unofficial Sigs Update timer
Loaded: loaded (/etc/systemd/system/clamav-unofficial-sigs.timer;
disabled; vendor preset: disabled)
Active: inactive (dead)
Trigger: n/a
Triggers: ● clamav-unofficial-sigs.service
Docs: man:clamav-unofficial-sigs(8)
in /etc/cron.d/clamav-unofficial-sigs we have:
14 * * * * clamav [ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] &&
/usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh
Is this a clue in the system logs? UID 985 = clamav
Jul 3 04:22:32 ourserver systemd[1]: Stopping User Manager for UID 985...
Jul 3 04:22:32 ourserver systemd[1519673]: Stopped target Main User Target.
Jul 3 04:22:32 ourserver systemd[1519673]: Stopped target Basic System.
Jul 3 04:22:32 ourserver systemd[1519673]: Stopped target Paths.
grep 985 /etc/passwd
clamav:x:985:981::/var/run/clamav:/sbin/nologin
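The failure above boils down to freshclam running as one account (clamav, UID 985 / GID 981) while the database directory and the .cvd files are owned by another (clamupdate). The following is an added example, not code from this thread or from clamav-unofficial-sigs: a small POSIX sh check that mirrors freshclam's "directory must be writable for UID/GID" precondition and reports signature files whose owner has drifted, so a cron job can catch the ownership change before the next update fails. The expected user and group names are passed in by the caller; POSIX ACLs are not inspected.

```shell
#!/bin/sh
# Added example, not code from the thread or from clamav-unofficial-sigs.
# Mirrors the precondition freshclam reports ("The database directory must be
# writable for UID ... or GID ...") and flags signature files whose owner
# differs from the account freshclam runs as. Only the classic mode bits are
# examined; POSIX ACLs are ignored. Assumption: caller supplies the expected
# user/group names (placeholders below).

# owner_of PATH -> "user:group" as printed by ls -ld
owner_of() {
    ls -ld "$1" | awk '{print $3 ":" $4}'
}

# writable_by PATH USER GROUP -> 0 if USER (primary group GROUP) can write
# to PATH through the owner, group or other write bit
writable_by() {
    mode=$(ls -ld "$1" | awk '{print $1}')
    owner=$(ls -ld "$1" | awk '{print $3}')
    grp=$(ls -ld "$1" | awk '{print $4}')
    [ "$owner" = "$2" ] && [ "$(printf '%s' "$mode" | cut -c3)" = w ] && return 0
    [ "$grp" = "$3" ] && [ "$(printf '%s' "$mode" | cut -c6)" = w ] && return 0
    [ "$(printf '%s' "$mode" | cut -c9)" = w ]
}

# check_clam_dbdir DIR USER GROUP
# Prints one PROBLEM line per finding; returns 1 if anything was found.
check_clam_dbdir() {
    dir=$1 user=$2 group=$3
    rc=0
    if ! writable_by "$dir" "$user" "$group"; then
        echo "PROBLEM: $dir not writable for $user:$group (owned by $(owner_of "$dir"))"
        rc=1
    fi
    for f in "$dir"/*.cvd "$dir"/*.cld; do
        [ -e "$f" ] || continue
        o=$(owner_of "$f")
        if [ "$o" != "$user:$group" ]; then
            echo "PROBLEM: $f owned by $o, expected $user:$group"
            rc=1
        fi
    done
    return $rc
}

# Usage on the setup from the thread (run by root from cron, for instance):
#   check_clam_dbdir /var/lib/clamav clamav "$(id -gn clamav)"
```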