[clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

Robert Kudyba rkudyba at fordham.edu
Tue Jul 13 18:51:31 UTC 2021


> -rw-r--r-- 1 clamav clamav   1438720 Mar 17 10:47 bytecode.cld
> -rw-r--r-- 1 clamav clamav    293670 Apr  8 06:32 bytecode.cvd
> -rw-r--r-- 1 clamav clamav 327757824 Jul 12 09:59 daily.cld
> -rw-r--r-- 1 clamav clamav 117859675 Nov 25  2019 main.cvd
>
> and a bunch of others which we're not concerned with.  Firstly, you
> really don't want both a bytecode.cld *and* a bytecode.cvd, so you
> should probably just delete the older one.


Done.


> Here's what happens just after 10AM on the 13th:
>
> Tue Jul 13 10:01:01 AM EDT 2021
> -rw-r--r-- 1 clamav clamav   1438720 Mar 17 10:47 bytecode.cld
> -rw-r--r-- 1 clamav clamav    293670 Apr  8 06:32 bytecode.cvd
> -rw-r--r-- 1 clamav clamav 327757824 Jul 12 09:59 daily.cld
> -rw-r--r-- 1 clamav clamav 117859675 Nov 25  2019 main.cvd
> Tue Jul 13 10:02:01 AM EDT 2021
> -rw-r--r-- 1 clamav clamav   1438720 Mar 17 10:47 bytecode.cld
> -rw-r--r-- 1 clamav clamav    293670 Apr  8 06:32 bytecode.cvd
> -rw-r--r-- 1 clamav clamav 327797248 Jul 13 10:00 daily.cld
> -rw-r--r-- 1 clamav clamav 117859675 Nov 25  2019 main.cvd
>
> So daily.cld was updated, presumably by freshclam.  That's good, as
> nothing seems to have broken.  Can you confirm that happened from the
> freshclam log?


Here are the logs from 10:01 AM Jul 13:
Jul 13 10:01:02 storm freshclam[3930506]: Database test passed.
Jul 13 10:01:02 storm freshclam[3930506]: daily.cld updated (version:
26230, sigs: 3995778, f-level: 63, builder: raynman)
Jul 13 10:01:02 storm freshclam[3930506]: daily.cld updated (version:
26230, sigs: 3995778, f-level: 63, builder: raynman)
Jul 13 10:01:02 storm freshclam[3930506]: main.cvd database is up-to-date
(version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Jul 13 10:01:02 storm freshclam[3930506]: main.cvd database is up-to-date
(version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Jul 13 10:01:02 storm freshclam[3930506]: bytecode.cvd database is
up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Jul 13 10:01:02 storm freshclam[3930506]: bytecode.cvd database is
up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Jul 13 10:01:03 storm freshclam[3930506]: securiteinfo.hdb is up-to-date
(version: custom database)
Jul 13 10:01:03 storm freshclam[3930506]: securiteinfo.hdb is up-to-date
(version: custom database)
Jul 13 10:01:03 storm freshclam[3930506]: securiteinfo.ign2 is up-to-date
(version: custom database)
Jul 13 10:01:03 storm freshclam[3930506]: securiteinfo.ign2 is up-to-date
(version: custom database)
Jul 13 10:01:03 storm freshclam[3930506]: javascript.ndb is up-to-date
(version: custom database)
Jul 13 10:01:03 storm freshclam[3930506]: javascript.ndb is up-to-date
(version: custom database)
Jul 13 10:01:10 storm freshclam[3930506]: Testing database:
'/var/lib/clamav/tmp.f9e1fecbc3/clamav-7b04ccc60e7adc16d356b3b689db8e0f.tmp-spam_marketing.ndb'
...
Jul 13 10:01:10  ourserver   freshclam[3930506]: Testing database:
'/var/lib/clamav/tmp.f9e1fecbc3/clamav-7b04ccc60e7adc16d356b3b689db8e0f.tmp-spam_marketing.ndb'
...
Jul 13 10:01:10 ourserver freshclam[3930506]: Database test passed.
Jul 13 10:01:10  ourserver   freshclam[3930506]: Database test passed.
Jul 13 10:01:10  ourserver   freshclam[3930506]: spam_marketing.ndb updated
(version: custom database, sigs: 31016)
Jul 13 10:01:10  ourserver   freshclam[3930506]: spam_marketing.ndb updated
(version: custom database, sigs: 31016)
Jul 13 10:01:10  ourserver   freshclam[3930506]: securiteinfohtml.hdb is
up-to-date (version: custom database)
Jul 13 10:01:10  ourserver   freshclam[3930506]: securiteinfohtml.hdb is
up-to-date (version: custom database)
Jul 13 10:01:10  ourserver   freshclam[3930506]: securiteinfoascii.hdb is
up-to-date (version: custom database)
Jul 13 10:01:10  ourserver   freshclam[3930506]: securiteinfoascii.hdb is
up-to-date (version: custom database)
Jul 13 10:01:11  ourserver   freshclam[3930506]: securiteinfoandroid.hdb is
up-to-date (version: custom database)
Jul 13 10:01:11  ourserver   freshclam[3930506]: securiteinfoandroid.hdb is
up-to-date (version: custom database)
Jul 13 10:01:11  ourserver   freshclam[3930506]: securiteinfoold.hdb is
up-to-date (version: custom database)
Jul 13 10:01:11  ourserver   freshclam[3930506]: securiteinfoold.hdb is
up-to-date (version: custom database)
Jul 13 10:01:11  ourserver   freshclam[3930506]: securiteinfopdf.hdb is
up-to-date (version: custom database)
Jul 13 10:01:11  ourserver   freshclam[3930506]: securiteinfopdf.hdb is
up-to-date (version: custom database)
Jul 13 10:01:11  ourserver   freshclam[3930506]: safebrowsing.gdb is
up-to-date (version: custom database)
Jul 13 10:01:11  ourserver   freshclam[3930506]: safebrowsing.gdb is
up-to-date (version: custom database)
Jul 13 10:01:11  ourserver   freshclam[3930506]:
--------------------------------------


> Is freshclam running from cron or as a daemon?
>

Daemon
ps -auwx|grep freshclam
clamav      3818  0.0  0.0  28952 12864 ?        Ss   12:00   0:00
/usr/bin/freshclam -d --foreground=true


>
> ----------------------------------------------------------------------
>
> The next thing that I see of interest is
>
> Tue Jul 13 11:10:02 AM EDT 2021
> -rw-r--r-- 1 clamav clamav   1438720 Mar 17 10:47 bytecode.cld
> -rw-r--r-- 1 clamav clamav    293670 Apr  8 06:32 bytecode.cvd
> -rw-r--r-- 1 clamav clamav 327797248 Jul 13 10:00 daily.cld
> -rw-r--r-- 1 clamav clamav 117859675 Nov 25  2019 main.cvd
> Tue Jul 13 12:02:01 PM EDT 2021
> -rw-r--r-- 1 clamav     clamav       1438720 Mar 17 10:47 bytecode.cld
> -rw-r--r-- 1 clamupdate clamupdate    293670 Apr  8 06:32 bytecode.cvd
> -rw-r--r-- 1 clamav     clamav     327797248 Jul 13 10:00 daily.cld
> -rw-r--r-- 1 clamupdate clamupdate 107169718 Jun 22 18:06 daily.cvd
> -rw-r--r-- 1 clamupdate clamupdate 117859675 Nov 25  2019 main.cvd
>
> There's a fifty minute gap in the log.  Why is that?  Presumably this
> is about the time you updated and rebooted the system.

Correct.


> Are you sure
> that the system time gets set correctly at boot?  We need to know that
> we can rely on the timestamps in the logs.  All the logs.
>

systemctl status chronyd
● chronyd.service - NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled;
vendor preset: enabled)
     Active: active (running) since Tue 2021-07-13 12:00:50 EDT; 2h 46min
ago
       Docs: man:chronyd(8)
             man:chrony.conf(5)
    Process: 3171 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited,
status=0/SUCCESS)
   Main PID: 3232 (chronyd)
      Tasks: 1 (limit: 154189)
     Memory: 4.6M
     CGroup: /system.slice/chronyd.service
             └─3232 /usr/sbin/chronyd

Jul 13 12:00:50 ourserver.edu systemd[1]: Starting NTP client/server...
Jul 13 12:00:50 ourserver.edu chronyd[3232]: chronyd version 4.1 starting
(+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS
+SECHASH +IPV6 +DEBUG)
Jul 13 12:00:50 ourserver.edu chronyd[3232]: Frequency -34.655 +/- 0.141
ppm read from /var/lib/chrony/drift
Jul 13 12:00:50 ourserver.edu chronyd[3232]: Using right/UTC timezone to
obtain leap second data
Jul 13 12:00:50 ourserver.edu systemd[1]: Started NTP client/server.
Jul 13 12:01:34 ourserver.edu chronyd[3232]: Selected source 50.205.57.38 (
2.fedora.pool.ntp.org)
Jul 13 12:01:34 ourserver.edu chronyd[3232]: System clock TAI offset set to
37 seconds


> Anyway, suddenly the owner/group IDs have changed and you have both a
> daily.cld and a daily.cvd - which isn't good news, especially as one
> of them is over three weeks old.  Where did it come from?
>

Right, that's the question.


> > From the cron log file:
> > Jul 13 12:14:01 ourserver CROND[22349]: (clamav) CMD ([ -x
> > /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash
> > /usr/local/sbin/clamav-unofficial-sigs.sh)
> > Jul 13 12:14:03  ourserver CROND[22318]: (clamav) CMDEND ([ -x
> > /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash
> > /usr/local/sbin/clamav-unofficial-sigs.sh)
>
> Assuming that we can believe the timestamps, then any problems that
> arose from ownership by the clamupdate user/group had already happened
> at 12:02 so it was *not* the run of clamav-unofficial-sigs.sh at 12:14
> which caused them.
>
> Is this the first time that clamav-unofficial-sigs.sh ran?
>

No, it's been running all the time. So are freshclam and
clamav-unofficial-sigs.sh not supposed to run as separate processes?

>
> What's in the freshclam log about these times?
>

Nothing as the upgrade/reboot was still happening. The next freshclam is:
Jul 13 14:00:58 ourserver freshclam[3818]: Received signal: wake up
Jul 13 14:00:58  ourserver   freshclam[3818]: ClamAV update process started
at Tue Jul 13 14:00:58 2021
Jul 13 14:00:58  ourserver   freshclam[3818]: Received signal: wake up
Jul 13 14:00:58  ourserver   freshclam[3818]: ClamAV update process started
at Tue Jul 13 14:00:58 2021
Jul 13 14:00:58  ourserver   freshclam[3818]: ERROR: Can't create temporary
directory /var/lib/clamav/tmp.21024dac47
Jul 13 14:00:58  ourserver   freshclam[3818]: Hint: The database directory
must be writable for UID 985 or GID 981
Jul 13 14:00:58  ourserver    freshclam[3818]: ERROR: Update failed.
Jul 13 14:00:58  ourserver   freshclam[3818]: Can't create temporary
directory /var/lib/clamav/tmp.21024dac47
Jul 13 14:00:58  ourserver   freshclam[3818]: Hint: The database directory
must be writable for UID 985 or GID 981
Jul 13 14:00:58  ourserver   freshclam[3818]: Update failed.
Jul 13 14:00:58  ourserver   freshclam[3818]:
--------------------------------------
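The three things the thread turns on are all visible in a directory listing: signature files whose owner is not the user freshclam runs as (the 14:00 "Can't create temporary directory ... must be writable for UID 985 or GID 981" failure), a .cld and a .cvd for the same database sitting side by side, and a daily.* file that has not been refreshed for weeks. The following audit script is an added example, not code from this thread or from the ClamAV or clamav-unofficial-sigs projects; it assumes GNU coreutils (stat -c, find -mtime) and a Linux host, and the sample directory it builds is a constructed imitation of the 12:02 listing (empty files, owned by whoever runs the script, since reproducing the clamupdate ownership would need root).

```shell
#!/bin/sh
# audit_clamav_db DIR OWNER [MAXDAYS]
# Added example, not ClamAV's own code.  Prints one line per finding and
# returns the number of findings (0 = clean; counts above 255 wrap).
audit_clamav_db() {
    dir=$1 owner=$2 maxdays=${3:-7}
    n=0
    # freshclam creates tmp.XXXXXXXXXX inside DIR, so DIR itself must belong
    # to (or be writable by) the user it runs as.
    if [ "$(stat -c '%U' "$dir")" != "$owner" ]; then
        echo "DIR       $dir owned by $(stat -c '%U:%G' "$dir"), freshclam runs as $owner"
        n=$((n + 1))
    fi
    for f in "$dir"/*.cvd "$dir"/*.cld; do
        [ -e "$f" ] || continue            # unmatched glob, nothing to check
        fowner=$(stat -c '%U' "$f")
        if [ "$fowner" != "$owner" ]; then
            echo "OWNER     $f owned by $fowner, expected $owner"
            n=$((n + 1))
        fi
        # A .cld (incrementally updated) and a .cvd (full download) for the
        # same database should not coexist; report the pair once, from the .cld side.
        case $f in
            *.cld)
                if [ -e "${f%.cld}.cvd" ]; then
                    echo "DUPLICATE ${f%.cld}.cld and .cvd both present, remove the older one"
                    n=$((n + 1))
                fi ;;
        esac
    done
    # daily.* is refreshed several times a day; anything older than MAXDAYS
    # means updates have stopped or a stale copy was dropped in from elsewhere.
    # (Paths from mktemp contain no whitespace, so plain word splitting is safe here.)
    for f in $(find "$dir" -maxdepth 1 -name 'daily.c?d' -mtime +"$maxdays"); do
        echo "STALE     $f not modified in $maxdays days"
        n=$((n + 1))
    done
    return "$n"
}

# make_sample_db: constructed copy of the 12:02 listing from the thread.
# All files are empty and owned by the current user; daily.cvd gets the
# Jun 22 2021 mtime that made it "over three weeks old".  Prints the path.
make_sample_db() {
    d=$(mktemp -d)
    for f in bytecode.cld bytecode.cvd daily.cld daily.cvd main.cvd; do
        : > "$d/$f"
    done
    touch -t 202106221806 "$d/daily.cvd"
    echo "$d"
}

# Stand-alone run: audit the sample directory as the current user, then again
# as a hypothetical "clamav-example" user to show the ownership findings.
if [ "${0##*/}" = "check_clamav_db.sh" ]; then
    sample=$(make_sample_db)
    echo "== as $(id -un) =="; audit_clamav_db "$sample" "$(id -un)" 7 || echo "findings: $?"
    echo "== as clamav-example =="; audit_clamav_db "$sample" clamav-example 7 || echo "findings: $?"
    rm -rf "$sample"
fi
```

Run it against the real directory as `audit_clamav_db /var/lib/clamav clamav` (substituting whatever user `ps` shows freshclam running as). On the listing from the thread it would flag the bytecode pair, the daily pair, the Jun 22 daily.cvd, and every file that flipped to clamupdate, which is exactly the state the 14:00 log entries complain about.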