I am having an issue with 0 length bytecode.cvd files on my scanner instances.  This seems to have started sometime on 22 Feb, I'm afraid I don't have an exact time.  The clamav daemon produces logs like the following:
Feb 27 14:39:11 av-scan-wrhn clamd[163614]: LibClamAV Error: cli_cvdverify: Can't read CVD header
Feb 27 14:39:11 av-scan-wrhn clamd[163614]: LibClamAV Error: Can't load /var/lib/clamav/bytecode.cld: Broken or not a CVD file
Feb 27 14:39:11 av-scan-wrhn clamd[163614]: LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/bytecode.cld
Feb 27 14:39:11 av-scan-wrhn clamd[163614]: Mon Feb 27 14:39:11 2023 -> !Broken or not a CVD file
Feb 27 14:39:11 av-scan-wrhn systemd[1]: clamav-daemon.service: Main process exited, code=exited, status=1/FAILURE
Feb 27 14:39:11 av-scan-wrhn systemd[1]: clamav-daemon.service: Failed with result 'exit-code'.
Feb 27 14:39:11 av-scan-wrhn systemd[1]: clamav-daemon.service: Consumed 8.679s CPU time.

I feel like I have narrowed the problem down to a 0 length 'bytecode.cvd' file.  Here is a listing of the definitions directory:
$ ls -l /var/lib/clamav
total 226168
-rw-r--r-- 1 clamav clamav    314802 Feb 27 14:06 bytecode.cld
-rw-r--r-- 1 clamav clamav         0 Feb 27 02:00 bytecode.cvd
-rw-r--r-- 1 clamav clamav  60787973 Feb 27 10:01 daily.cld
-rw-r--r-- 1 clamav clamav        69 Feb 23 15:33 freshclam.dat
-rw-r--r-- 1 clamav clamav 170479789 Feb 27 02:00 main.cvd

My initial fix (before narrowing the problem down to bytecode.cvd) was to 
  1. stop freshclam
  2. clean this directory
  3. restart freshclam
  4. give it time to get the definitions (from a private mirror)
  5. start clamav daemon
This would work for maybe 1/2 day then the empty bytecode.cvd file would reappear and the daemon would fail.

This morning I was able to spend some more time and find that it was just the one file that needed to be removed. 

I have a local mirror because there are several instances of this scanner in use (at least 2 instances for several environments).  I have checked the mirror and it appears to be working fine and keeping the definitions up to date inside our environment.  In addition, the scanner instances appear to be keeping the local set of definitions up to date with the mirror.  

The mirror does not have a bytecode.cvd file on it (here is a listing of its definitions directory)
$ ls -l /var/lib/clamav
total 226172
-rw-r--r-- 1 clamav clamav    314802 Feb 22 22:02 bytecode.cld
-rw-r--r-- 1 clamav clamav  60787973 Feb 27 09:06 daily.cld
-rw-r--r-- 1 clamav clamav        69 Jan 29  2022 freshclam.dat
-rw-r--r-- 1 clamav clamav 170479789 Jan 29  2022 main.cvd
-rw-r--r-- 1 clamav clamav        87 Jan 29  2022 test.html

To the best of my knowledge, the software is up to date:
$ sudo freshclam -V
ClamAV 0.103.8/26825/Mon Feb 27 08:24:38 2023

Here is the freshclam.conf used on all the local sanner instances
$ cat /etc/clamav/freshclam.conf
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
PrivateMirror http://10.50.0.2
ScriptedUpdates no
PrivateMirror http://10.50.0.2

The scanner has been working fine for about 12 months, keeping the software and the definitions up to date.   The only configuration item that seems to relate is "Bytecode true", but the description seems to discuss just the downloading of the file, not whether it is created on the local instance. 

Does anyone have any pointers?

Thanks
Kevin
--

Kevin O'Connor
Principal DevOps Engineer
M: 617-834-1291

email-footer-logos.jpg (1000×120)

STATEMENT OF CONFIDENTIALITY: The information contained in this message and any attachments are intended solely for the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, or responsible for delivering the e-mail to the intended recipient, you have received this message in error. Any use, dissemination, forwarding, printing, or copying is strictly prohibited. Please notify Ampion immediately at security@ampion.net and destroy all copies of this message and any attachments.