Clam AV Scans Not Working
-
Yes, my FOG server is connected to the internet. The command “freshclam” works via an SSH connection.
-
[S]Ok, same thing here… internet connection is ok but why the Fog “clamav-pxe-client” says:[/S]
[S]Starting AV scan…[/S]
[S]ClamAV 0.97.1[/S]
[S]and the version installed on the server is 0.97.3… should the clamav pxe packet be rebuilt or something after a clamav update?[/S]
It’s working now… just reinstalled the whole thing…
-
[S]Which kernel version are you running? I had seen this and have updated the kernel to the latest “kitchensink” kernel to work with some of my more obscure hardware.[/S]
[S]After doing that and running “freshclam” the versions matched.[/S]
I retract that, the version in the kernel and the version installed don’t match.
-
I am getting this error too. freshclam looks to work when I ssh to the server, but when I create the task in FOG this is what I get. I have created the directory structure and copied the cvd and cld files there, but I still get this. I have reinstalled this FOG server 4 different times and the same thing happens. Ubuntu 12.04 LTS and FOG .32. I have just started using FOG and the other items seem to work fine. This ClamAV would give me another way to ‘clean’ a Windows computer. I am very new to Ubuntu and FOG but am willing to learn and work for the knowledge, and have read many posts but have been unable to find the exact answer.
Attachment: clamaverror.jpg
-
I don’t think you understand how ClamAV works in FOG. You have ClamAV on the server, which is completely separate from the ClamAV that runs on the client when you make an AV task.
The ClamAV on the client is in the init image and to update it, you have to rebuild the init image. So it’s not as easy to update as the server and updating the server really does nothing for making the clients updated.
If you want to use ClamAV in FOG “out of the box” then you have to allow each client to connect to the internet to get new virus defs from the ClamAV servers and you have to update the ClamAV in the init image.
There is an article on the wiki that I updated with instructions on turning your FOG server into a ClamAV def file server for your FOG clients. You basically edit the init image to tell the ClamAV clients to ask for virus defs from the FOG server.
The client still looks for a local copy of the database and fails because it’s not included in the init image, but it falls back to checking for updates from the FOG server.
-
Thanks for the response and your expertise.
This is the one I think you are referring to: [url]http://www.fogproject.org/wiki/index.php/Clamav[/url]
I have pasted it below for reference.
At the bottom you say that you will update and remove the note, so I did not know if these are complete.

Ubuntu 10.04 LTS
[LIST=1]
[*]Remove ClamAV installed with Fog because it’s out of date and generates too many warnings when trying to update, if it updates at all
[*]Add the PPA to your sources list: ppa:ubuntu-clamav/ppa
[*]Get the newest clamav installed on your Fog Server
[*]Update your definitions by running freshclam
[*]Disable scripted updates and let ClamAV download definitions to the root of the web server. Add “ScriptedUpdates off” to the freshclam.conf file on the Fog Server.
[*]Expand the Fog init file. (from [URL=‘http://fogproject.org/wiki/index.php/Modifying_the_Init_Image’]Modifying_the_Init_Image[/URL])
[LIST]
[*]cd /tftpboot/fog/images
[*]gunzip init.gz
[*]mkdir initmountdir
[*]mount -o loop init initmountdir
[/LIST]
[*]Modify the freshclam.conf file inside the init. Add “DatabaseMirror MyFogServerNameOrIP” and “ScriptedUpdates off” to this file.
[*]Compress the init file.
[LIST]
[*]cd /tftpboot/fog/images
[*]umount initmountdir/
[*]rmdir initmountdir
[*]gzip init
[/LIST]
[*]Setup a virus scan task for a host and watch your client download the definitions from your Fog server and run the scan
[/LIST]
[B]Note:[/B] These steps are from memory and may be slightly off. I will update and remove this note when I am able to verify the steps - [URL=‘http://fogproject.org/wiki/index.php/User:Chad-bisd’]Chad-bisd[/URL] 20:18, 13 June 2012 (MDT)
-
Here is what I have tried step-by-step based on your numbers above. I think we are making progress. thanks again.
Fix ClamAV
1 - remove ClamAV
apt-get --purge remove clamav clamav-base clamav-daemon clamav-freshclam libclamav2
apt-get autoremove libclamav6
add software to allow adding the PPA
apt-get install python-software-properties
2 - add the PPA
add-apt-repository ppa:ubuntu-clamav/ppa
3 - install newest ClamAV
apt-get install clamav
4 - update ClamAV definitions
freshclam
5 - disable scripted updates and let ClamAV download definitions to the [B]root of the web server[/B]
nano /etc/clamav/freshclam.conf
change “ScriptedUpdates” to “no” - instead of original “yes”
changing to “off” produced the following when running freshclam
ERROR: Incorrect argument format for option ScriptedUpdates
ERROR: Can’t open/parse the config file /etc/clamav/freshclam.conf
6, 7, 8 - modify the init.gz image file
cd /
cd /tftpboot/fog/images
cp init.gz init-ORIG.gz
gunzip init.gz
mkdir initmountdir
mount -o loop init initmountdir
nano initmountdir/etc/freshclam.conf
set “ScriptedUpdates” to “no” based on above ERROR
change “DatabaseMirror” to “IPAddressOfServer” instead of original “database.clamav.net”
umount initmountdir/
rmdir initmountdir
gzip init
here is what the directory structure looks like
/var/www/fog/av/clamav and the files
-rw-r--r-- 1 clamav clamav 60125 Feb 26 09:21 bytecode.cvd
-rw-r--r-- 1 clamav clamav 20404363 Feb 26 09:21 daily.cvd
-rw-r--r-- 1 clamav clamav 30750647 Feb 26 09:21 main.cvd
-rw------- 1 clamav clamav 104 Feb 26 11:09 mirrors.dat
9 - setup a virus scan task in FOG to test
(here is a modified) pic of the results: AfterChanges.jpg
-
The antivirus in FOG works as follows:
[B]In the server:[/B]
During the FOG install process, you install the clamav package from the repositories. Currently the ClamAV version is 0.97.6.
freshclam runs every day (you can set this up in the freshclam.conf file), downloads the new virus definitions and updates the files bytecode.cvd and daily.cvd.
[B]In the client:[/B]
In the init.gz ClamAV is installed; you can see its version on the screen (your capture says that the ClamAV version is 0.97.1). Oops, your version isn’t the same on the server and on the client. The server version is 0.97.6 and the client 0.97.1, so the definitions are different.
The script fog.av tries to download the virus definitions from your FOG server, but the script says “Not supported database files”. The reason for this is clear: the server version files (0.97.6) and the client version files (0.97.1) are different, and the definitions are not compatible. Well, it is one little problem, but it is not the end of the world. The script then tries to connect to the ClamAV servers (you must set this up in the /etc/freshclam.conf file, steps 6, 7, 8) and downloads the virus definitions for your ClamAV version (0.97.1). If the download finishes, the antivirus runs the scan. Be sure that you have set up the DNS_ADDRESS in the FOG server settings.
Well, installing ClamAV on the server is, I think, not necessary. Its mission is “only” to download the virus definitions every day.
There are some little problems with this feature:
1º) The init.gz free space is small and the definition files are getting larger and larger, and don’t fit in the free space.
2º) You must have the same version on the server and on the client. To do that, you must rebuild the init.gz
-
Thanks for the help. I appreciate your expertise also.
FOG did install ClamAV and it looked to be updating correctly but I was trying to get the AV task to run.
The server does have 0.97.6 and I see the client does say 0.97.1.
Other than what I have added to /etc/freshclam.conf what else do I need to add?
Do you think that I can just put the correct definitions in /usr/share/clamav? I cannot find the correct files but if I could would that work?
From the CLI I can resolve all items necessary for ClamAV based on what I have read. Are there other settings for the DNS_ADDRESS in the FOG server that I have not found?
How do I rebuild the init.gz with the same version of clamav?
Does this feature work as implemented on FOG, or was it a good idea that now does not work because the definitions are too large?
-
I’ll get on my FOG server that does AV updates and see if I can find the missing link. I think it was an apache configuration change that allowed downloading the files from the root of the web server.
-
You must configure the FOG_PXE_IMAGE_DNSADDRESS value; if you have not configured it, the client doesn’t know how to resolve the address of the ClamAV server.
To rebuild the init.gz with the new version of clamav
[url]http://fogproject.org/forum/threads/clamav-version-update.3926/[/url]
To resize the init.gz
[url]http://fogproject.org/forum/threads/change-initrd-size.3920/[/url]
-
One thing I did that is not in the wiki article is to make symbolic links:
[CODE]
cd /var/www
sudo ln -s /var/lib/clamav/bytecode.cld
sudo ln -s /var/lib/clamav/daily.cld
sudo ln -s /var/lib/clamav/daily.cvd
sudo ln -s /var/lib/clamav/main.cvd
[/CODE]
-
Thank you Fernando Gietz and chad-bisd for input.
I have rebuilt the complete fog server with Ubuntu 12.04.2 LTS 64bit and fog .32 and I am back to the same error that I started with (clamaverror.jpg Monday 2:41PM). I did this because I have tried so many changes that I wanted to make sure that I got back to a safe starting point. So a few questions, if you please.
Do I go back and make all the changes 1-9, yesterday at 11:34 AM or try the rebuild/resize of init.gz?[B] - both[/B]
The server does have 0.97.6 and I see the client does say 0.97.1. Are the definitions truly incompatible?[B] - Fernando Gietz[/B]
Where is the FOG_PXE_IMAGE_DNSADDRESS at? [B]- Fernando Gietz[/B]
I can only find main, daily, and bytecode CVD files. No CLD files. Do I just make the symbolic links to what I have? [B]- chad-bisd[/B]
I have asked other questions above but let’s see how this goes.
I am willing to try almost anything and can rebuild the server when I know exactly the steps to make it work. Hopefully I can create a complete posting that outlines the exact steps to make this work for everyone who wants this task to work correctly.
-
Before you go through the effort of resizing the init.gz, just try the steps in the wiki with the slight modifications from this thread.
Try it with the different versions. The compatibility error came from no files in /usr/share/clamav inside the init image, not because the client and server were different versions.
You only need DNS settings if you use the host name of the FOG server and not the IP address.
I believe the .cld files come and go, but make symbolic links to anything you have and try it.
-
These are the only items I changed after the rebuild/install of FOG and [B]ClamAV is now working at the client[/B]. I will now work on getting rid of the OUTDATED AV ENGINE errors.
1 - (6, 7, 8 from above) - [B]modify the init.gz image file[/B]
cd /
cd /tftpboot/fog/images
cp init.gz init-ORIG.gz
gunzip init.gz
mkdir initmountdir
mount -o loop init initmountdir
nano initmountdir/etc/freshclam.conf
set “ScriptedUpdates” to “no” based on above ERROR
change “DatabaseMirror” to “IPAddressOfServer” instead of original “database.clamav.net”
umount initmountdir/
rmdir initmountdir
gzip init
2 - [B]create symbolic links[/B]
cd /var/www
ln -s /var/lib/clamav/bytecode.cvd
ln -s /var/lib/clamav/daily.cvd
ln -s /var/lib/clamav/main.cvd
Before I start working on the init.gz, do either of you know what I need to change so that the client does not reboot after the AV scan is finished? I want to see what the results are before the computer reboots.
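Added example, not code from the FOG project, the wiki article, fog.av, or any post in this thread: the procedure worked out above (ScriptedUpdates off on the server, definition files linked into the web root, the init image's freshclam.conf pointed at the FOG server) as one POSIX shell script. Hypothetical values, overridable from the environment: FOG server 192.168.1.10, init.gz under /tftpboot/fog/images, web root /var/www, definitions in /var/lib/clamav. It departs from the thread in one deliberate way: database.clamav.net is kept as a second DatabaseMirror, because freshclam tries mirrors in file order, so a client that cannot reach the FOG server still has the public mirrors as a fallback. The `--apply` path needs root and a loop device; the config and symlink functions can be exercised on scratch copies first.

```shell
#!/bin/sh
# Added example, not code from the FOG project, the wiki or this thread.
# Automates serving ClamAV definitions from the FOG server to PXE clients.
set -eu

# Hypothetical values (assumptions, override via environment):
FOG_SERVER=${FOG_SERVER:-192.168.1.10}        # assumed FOG server address
INIT_DIR=${INIT_DIR:-/tftpboot/fog/images}    # where FOG 0.32 keeps init.gz
WEB_ROOT=${WEB_ROOT:-/var/www}                # web root the client fetches from
CLAM_DB=${CLAM_DB:-/var/lib/clamav}           # where freshclam writes .cvd/.cld

# Rewrite a freshclam.conf in place.  ScriptedUpdates becomes "no", the
# spelling 0.97 accepts ("off" gives "Incorrect argument format for option
# ScriptedUpdates" and freshclam refuses to start).  With a mirror argument,
# that mirror becomes the first DatabaseMirror and database.clamav.net is
# kept second; freshclam tries DatabaseMirror entries in file order, so the
# public mirror is the fallback when the FOG server has no usable files.
patch_freshclam_conf() {
    conf=$1; mirror=${2:-}
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp=$(mktemp)
    if [ -n "$mirror" ]; then
        grep -v -e '^[#[:space:]]*DatabaseMirror' \
                -e '^[#[:space:]]*ScriptedUpdates' "$conf" > "$tmp" || true
        printf 'DatabaseMirror %s\nDatabaseMirror database.clamav.net\n' "$mirror" >> "$tmp"
    else
        grep -v '^[#[:space:]]*ScriptedUpdates' "$conf" > "$tmp" || true
    fi
    echo 'ScriptedUpdates no' >> "$tmp"
    cat "$tmp" > "$conf"      # overwrite in place to keep the file's mode/owner
    rm -f "$tmp"
}

# Publish the server's current databases at the web root, where fog.av on
# the client fetches them.  .cld files come and go (freshclam writes .cld
# after incremental updates), so link whatever exists.  Prints the count.
publish_definitions() {
    src=$1; dst=$2; n=0
    for f in "$src"/*.cvd "$src"/*.cld; do
        [ -f "$f" ] || continue
        ln -sf "$f" "$dst/$(basename "$f")"
        n=$((n + 1))
    done
    echo "$n"
}

# Open the init image, patch its freshclam.conf, repack.  Needs root and a
# loop device; keeps a dated backup like the thread's init-ORIG.gz.
patch_init_image() {
    cd "$INIT_DIR"
    cp -p init.gz "init-ORIG-$(date +%Y%m%d).gz"
    gunzip init.gz
    mkdir -p initmountdir
    mount -o loop init initmountdir
    patch_freshclam_conf initmountdir/etc/freshclam.conf "$FOG_SERVER"
    umount initmountdir
    rmdir initmountdir
    gzip init
}

# Check from the server that what a client will request is actually served.
check_served() {
    for f in main.cvd daily.cvd bytecode.cvd; do
        if curl -sfI "http://$FOG_SERVER/$f" > /dev/null; then
            echo "ok      $f"
        else
            echo "MISSING $f"
        fi
    done
}

if [ "${1:-}" = "--apply" ]; then
    patch_freshclam_conf /etc/clamav/freshclam.conf   # server: whole .cvd files, no cdiffs
    freshclam
    publish_definitions "$CLAM_DB" "$WEB_ROOT" > /dev/null
    patch_init_image
    check_served
fi
```

Run `sh fog-clamav-serve.sh --apply` as root on the FOG server; `check_served` then issues HEAD requests for main.cvd, daily.cvd and bytecode.cvd at the same URLs a PXE client will use, so a missing symlink or an Apache configuration that does not serve the web root shows up before the first AV task is scheduled.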
-
You need to edit the av script in the init image and remove the call to reboot the workstation or add a pause or something.
-
I will update the wiki and note the changes.
-
Even after making the changes above and ‘knowing’ that I had the AV scanning working sometimes it would not work. Especially when trying to show staff how good this product was. The culprit - different kernels. I found that ‘Kernel - 2.6.35.7 KS’ would not allow the AV scan to work but the default bzImage would. Thanks for all the help.
-
[quote=“Martin T, post: 10917, member: 3420”]Thank you Fernando Gietz and chad-bisd for input.
I have rebuilt the complete fog server with Ubuntu 12.04.2 LTS 64bit and fog .32 and I am back to the same error that I started with (clamaverror.jpg Monday 2:41PM). I did this because I have tried so many changes that I wanted to make sure that I got back to a safe starting point. So a few questions, if you please.
Do I go back and make all the changes 1-9, yesterday at 11:34 AM or try the rebuild/resize of init.gz?[B] - both[/B]
The server does have 0.97.6 and I see the client does say 0.97.1. Are the definitions truly incompatible?[B] - Fernando Gietz[/B]
Where is the FOG_PXE_IMAGE_DNSADDRESS at? [B]- Fernando Gietz[/B]
I can only find main, daily, and bytecode CVD files. No CLD files. Do I just make the symbolic links to what I have? [B]- chad-bisd[/B]
I have asked other questions above but let’s see how this goes.
I am willing to try almost anything and can rebuild the server when I know exactly the steps to make it work. Hopefully I can create a complete posting that outlines the exact steps to make this work for everyone who wants this task to work correctly.[/quote]
Sorry for answering so late.
[I]Where is the FOG_PXE_IMAGE_DNSADDRESS at?[/I]
In webui: About > FOG settings > TFTP Server
[I]The server does have 0.97.6 and I see the client does say 0.97.1. Are the definitions truly incompatible?[/I]
I’m not a ClamAV expert, but the capture says [I]Not supported database files found in /usr/share/clamav.[/I] It seems the database files are incompatible. This problem/issue disappears if you upgrade the ClamAV version[I] to 0.97.6[/I].
I have seen the fog.av script and you do not need to resize the init.gz (sorry, but I’m sure that you have learned a lot). The database files from the server are copied into /usr/share/clamav. This folder is a ramdisk:
[CODE]mount -t tmpfs none /usr/share/clamav/ -o size=50m;[/CODE]
This ramdisk has a size of 50M. This size could be too small. [I]Why?[/I] The reason is that the database files grow more and more, daily. For example, on my server these are the files:
[CODE]-rw-r--r-- 1 clam clam 302K feb 15 03:37 bytecode.cld
-rw-r--r-- 1 clam clam 0 feb 26 20:25 clamd.sock
-rw-r--r-- 1 clam clam 55M mar 12 03:10 daily.cld
-rw-r--r-- 1 clam clam 30M mar 11 14:14 main.cvd
-rw-r--r-- 1 clam clam 572 mar 12 03:10 mirrors.dat[/CODE]
86 MB, and it increases its size daily. The size of the ramdisk should be dynamic.
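Added example, not fog.av's code or anything posted in this thread: the post above quotes a fixed `size=50m` tmpfs while the databases it lists already total about 86 MB, so this POSIX shell snippet derives the tmpfs size from the definition files actually present before they are copied in. Assumed paths: definitions in /var/lib/clamav (or wherever the client has just fetched them), mount point /usr/share/clamav; the 20% headroom and the 50m floor are choices made here, not values from FOG. The `--mount` path needs root.

```shell
#!/bin/sh
# Added example, not from fog.av or the FOG project: size the ClamAV ramdisk
# from the definitions being served instead of the fixed "size=50m".
set -eu

# Assumed paths (override via environment):
DB_DIR=${DB_DIR:-/var/lib/clamav}             # .cvd/.cld files to be copied in
MOUNT_POINT=${MOUNT_POINT:-/usr/share/clamav} # where fog.av mounts the tmpfs

# Total bytes of the signature databases (.cvd and .cld) in a directory.
# clamd.sock and mirrors.dat are not databases and are skipped.
defs_total_bytes() {
    dir=$1; total=0
    for f in "$dir"/*.cvd "$dir"/*.cld; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f")
        total=$((total + size))
    done
    echo "$total"
}

# tmpfs size in MiB for a byte count plus 20% headroom, so freshclam can
# write a new daily.cld beside the old one.  Rounds up; never below 50m,
# the value fog.av uses, so this only ever grows the ramdisk.
tmpfs_size_mb() {
    bytes=$1
    mb=$(( (bytes * 12 / 10 + 1048575) / 1048576 ))
    if [ "$mb" -ge 50 ]; then
        echo "$mb"
    else
        echo 50
    fi
}

# Does a tmpfs of limit_mb MiB hold the databases in dir?  Exit 0 if yes.
# This is the pre-copy check: a failed copy into a full ramdisk leaves
# freshclam with a truncated or missing database.
defs_fit() {
    dir=$1; limit_mb=$2
    bytes=$(defs_total_bytes "$dir")
    [ "$bytes" -le $((limit_mb * 1048576)) ]
}

# Replacement for the fixed "mount -t tmpfs none /usr/share/clamav -o size=50m":
# pick the size from what is about to be copied in.
mount_defs_tmpfs() {
    bytes=$(defs_total_bytes "$DB_DIR")
    size=$(tmpfs_size_mb "$bytes")
    echo "databases: $bytes bytes -> tmpfs size=${size}m"
    mount -t tmpfs none "$MOUNT_POINT" -o size="${size}m"
}

if [ "${1:-}" = "--mount" ]; then
    mount_defs_tmpfs
fi
```

With the sizes listed in the post (30M main.cvd, 55M daily.cld, 302K bytecode.cld, about 86 MB) `tmpfs_size_mb` asks for 104m rather than 50m, and `defs_fit "$DB_DIR" 50` returns non-zero, which is the condition under which the copy into the stock ramdisk would run out of space.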