Clam AV Scans Not Working



  • Hi All,

    I'm having trouble getting Clam AV to scan a target machine. I am running FOG 0.32 along with the latest version of Clam AV.

    ClamAV 0.97.3/14437/Sun Feb 12 20:15:55 2012

    Check the photo to see the error on the host machine.

    IMG_20120212_132453.jpg


  • Developer

    @Martin T, post: 10917, member: 3420 said:

    Thank you Fernando Gietz and chad-bisd for input.

    I have rebuilt the complete fog server with Ubuntu 12.04.2 LTS 64bit and fog .32 and I am back to the same error that I started with (clamaverror.jpg Monday 2:41PM). I did this because I have tried so many changes that I wanted to make sure that I got back to a safe starting point. So a few questions, if you please.
    Do I go back and make all the changes 1-9, yesterday at 11:34 AM or try the rebuild/resize of init.gz?[B] - both[/B]
    The server does have 0.97.6 and I see the client does say 0.97.1. Are the definitions truly incompatible?[B] - Fernando Gietz[/B]
    Where is the FOG_PXE_IMAGE_DNSADDRESS at? [B]- Fernando Gietz[/B]
    I can only find main, daily, and bytecode CVD files. No CLD files. Do I just make the symbolic links to what I have? [B]- chad-bisd[/B]
    I have asked other questions above but let’s see how this goes.
    I am willing to try almost anything and can rebuild the server when I know exactly the steps to make it work. Hopefully I can create a complete posting that outlines the exact steps to make this work for everyone who wants this task to work correctly.

    Sorry for answering so late.

    [I]Where is the FOG_PXE_IMAGE_DNSADDRESS at?[/I]
    In webui: About > FOG settings > TFTP Server

    [I]The server does have 0.97.6 and I see the client does say 0.97.1. Are the definitions truly incompatible?[/I]
    I’m not a clamAV expert :) but the capture says [I]Not supported database files found in /usr/share/clamav.[/I] It seems the database files are incompatible. This problem/issue disappears if you upgrade the clamAV version[I] to 0.97.6[/I].

    I have seen the fog.av script and you don’t need to resize the init.gz (sorry, but I’m sure that you have learned a lot :) ). The database files from the server are copied into /usr/share/clamav. This folder is a ramdisk:

    mount -t tmpfs none /usr/share/clamav/ -o size=50m;
    

    This ramdisk has a size of 50M. This size may be too small[I]. Why? [/I]The reason is that the database files grow larger and larger every day. For example, on my server these are the files:

    -rw-r--r--   1 clam clam 302K feb 15 03:37 bytecode.cld
    -rw-r--r--   1 clam clam    0 feb 26 20:25 clamd.sock
    -rw-r--r--   1 clam clam  55M mar 12 03:10 daily.cld
    -rw-r--r--   1 clam clam  30M mar 11 14:14 main.cvd
    -rw-r--r--   1 clam clam  572 mar 12 03:10 mirrors.dat
    

    86 MB, and the size increases daily :( The size of the ramdisk should be dynamic.
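
The dynamic ramdisk sizing suggested in the post above, as an added example that is not part of the thread or of FOG's fog.av script: it sums the ClamAV database files on the server and mounts the tmpfs with headroom instead of the fixed 50M. It assumes the definitions live in one directory (such as the server's /var/lib/clamav) and are named *.cvd / *.cld; the 25% headroom and 50 MiB floor are choices made here.

```shell
# Added example, not from the thread or FOG's fog.av script: size the
# definition ramdisk from the actual database files instead of the fixed
# "size=50m". Assumes the definitions live in one directory (e.g. the server's
# /var/lib/clamav) and are named *.cvd / *.cld; other files are ignored.

# Sum the sizes in bytes of every .cvd/.cld file in directory $1.
clamav_db_bytes() {
    total=0
    for f in "$1"/*.cvd "$1"/*.cld; do
        [ -f "$f" ] || continue          # unmatched glob or not a regular file
        total=$((total + $(wc -c < "$f")))
    done
    echo "$total"
}

# tmpfs size in MiB: database total plus 25% headroom (a choice made here) for
# an update's temporary copy, rounded up, with a floor of 50 MiB (the value the
# script hard-codes today) so a small or empty database still works.
clamav_tmpfs_mb() {
    bytes=$(clamav_db_bytes "$1")
    mb=$(( (bytes * 5 / 4 + 1048575) / 1048576 ))
    if [ "$mb" -lt 50 ]; then mb=50; fi
    echo "$mb"
}

# Drop-in for "mount -t tmpfs none /usr/share/clamav/ -o size=50m":
# mount the ramdisk at $2 (default /usr/share/clamav) sized for the
# definitions in $1. Needs root; nothing else in this file touches the system.
mount_clamav_ramdisk() {
    mb=$(clamav_tmpfs_mb "$1")
    mkdir -p "${2:-/usr/share/clamav}"
    mount -t tmpfs none "${2:-/usr/share/clamav}" -o "size=${mb}m"
}
```

With the file listing quoted above (30M main.cvd + 55M daily.cld, the 302K bytecode.cld aside) this mounts roughly a 107 MiB tmpfs rather than 50 MiB.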



  • Even after making the changes above and ‘knowing’ that I had the AV scanning working sometimes it would not work. Especially when trying to show staff how good this product was. The culprit - different kernels. I found that ‘Kernel - 2.6.35.7 KS’ would not allow the AV scan to work but the default bzImage would. Thanks for all the help.


  • Moderator

    I will update the wiki and note the changes.


  • Moderator

    You need to edit the av script in the init image and remove the call to reboot the workstation or add a pause or something.



  • These are the only items I changed after the rebuild/install of FOG and [B]ClamAV is now working at the client[/B]. I will now work on getting rid of the OUTDATED AV ENGINE errors.

    1 - (6, 7, 8 from above) - [B]modify the init.gz image file[/B]
    cd /
    cd /tftpboot/fog/images
    cp init.gz init-ORIG.gz
    gunzip init.gz
    mkdir initmountdir
    mount -o loop init initmountdir
    nano initmountdir/etc/freshclam.conf
    set “ScriptedUpdates” to “no” based on above ERROR
    change “DatabaseMirror” to “IPAddressOfServer” instead of original "database.clamav.net"
    umount initmountdir/
    rmdir initmountdir
    gzip init

    2 - [B]create symbolic links[/B]
    cd /var/www
    ln -s /var/lib/clamav/bytecode.cvd
    ln -s /var/lib/clamav/daily.cvd
    ln -s /var/lib/clamav/main.cvd

    Before I start working on the init.gz do either of you know what I need to change so that the client does not reboot after the AV scan is finished? I want to see what the results are before the computer reboots.
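
The two freshclam.conf edits from step 1 and the symlink check for step 2, as an added example that is not the poster's commands or FOG's own code: the edits are applied with sed on the mounted init instead of nano, and each result is verified. It assumes the paths from the post (initmountdir/etc/freshclam.conf and /var/www) are passed as arguments, and it removes every existing DatabaseMirror line rather than editing just the database.clamav.net one (a choice made here so no other mirror remains).

```shell
# Added example (not from the thread or FOG): the freshclam.conf edits from
# step 1 done with sed, plus checks of the result and of the step 2 symlinks.
# Usage: patch_freshclam_conf initmountdir/etc/freshclam.conf <server-ip>
#        check_freshclam_conf initmountdir/etc/freshclam.conf <server-ip>
#        check_db_links /var/www

# Print the value(s) of directive $2 in freshclam.conf $1 (comments skipped).
conf_values() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1"
}

# Step 1 edits: force "ScriptedUpdates no" (full .cvd downloads rather than
# incremental .cdiff scripts, which the FOG web root does not serve) and make
# the FOG server ($2) the only DatabaseMirror. Existing mirror lines are
# deleted, not edited, so none still points at database.clamav.net.
patch_freshclam_conf() {
    sed -i.bak -e '/^ScriptedUpdates[[:space:]]/d' -e '/^DatabaseMirror[[:space:]]/d' "$1"
    printf 'ScriptedUpdates no\nDatabaseMirror %s\n' "$2" >> "$1"
}

# Verify the edits took. Prints each problem; returns 1 if any was found.
check_freshclam_conf() {
    rc=0
    [ "$(conf_values "$1" ScriptedUpdates)" = "no" ] || { echo "ScriptedUpdates is not 'no'"; rc=1; }
    mirrors=$(conf_values "$1" DatabaseMirror)
    [ -n "$mirrors" ] || { echo "no DatabaseMirror configured"; rc=1; }
    for m in $mirrors; do
        [ "$m" = "$2" ] || { echo "DatabaseMirror $m is not the FOG server $2"; rc=1; }
    done
    return $rc
}

# Step 2 check: each file the client will request from the web root ($1) must
# be a symlink whose target exists and is readable (a dangling link fails).
check_db_links() {
    rc=0
    for name in main.cvd daily.cvd bytecode.cvd; do
        if [ ! -L "$1/$name" ]; then echo "$name: no symlink in $1"; rc=1
        elif [ ! -r "$1/$name" ]; then echo "$name: link target missing or unreadable"; rc=1
        fi
    done
    return $rc
}
```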


  • Moderator

    Before you go through the effort of resizing the init.gz, just try the steps in the wiki with the slight modifications from this thread.

    Try it with the different versions. The compatibility error came from no files in /usr/share/clamav inside the init image, not because the client and server were different versions.

    You only need DNS settings if you use the host name of the FOG server and not the IP address.

    I believe the .cld files come and go, but make symbolic links to anything you have and try it.



  • Thank you Fernando Gietz and chad-bisd for input.

    I have rebuilt the complete fog server with Ubuntu 12.04.2 LTS 64bit and fog .32 and I am back to the same error that I started with (clamaverror.jpg Monday 2:41PM). I did this because I have tried so many changes that I wanted to make sure that I got back to a safe starting point. So a few questions, if you please.
    Do I go back and make all the changes 1-9, yesterday at 11:34 AM or try the rebuild/resize of init.gz?[B] - both[/B]
    The server does have 0.97.6 and I see the client does say 0.97.1. Are the definitions truly incompatible?[B] - Fernando Gietz[/B]
    Where is the FOG_PXE_IMAGE_DNSADDRESS at? [B]- Fernando Gietz[/B]
    I can only find main, daily, and bytecode CVD files. No CLD files. Do I just make the symbolic links to what I have? [B]- chad-bisd[/B]
    I have asked other questions above but let’s see how this goes.
    I am willing to try almost anything and can rebuild the server when I know exactly the steps to make it work. Hopefully I can create a complete posting that outlines the exact steps to make this work for everyone who wants this task to work correctly.


  • Moderator

    One thing I did that is not in the wiki article is to make symbolic links:

    
    cd /var/www
    sudo ln -s /var/lib/clamav/bytecode.cld
    sudo ln -s /var/lib/clamav/daily.cld
    sudo ln -s /var/lib/clamav/daily.cvd
    sudo ln -s /var/lib/clamav/main.cvd
    
    

  • Developer

    You must configure the FOG_PXE_IMAGE_DNSADDRESS value; if you haven’t configured it, the client doesn’t know how to resolve the address of the clamAV server.
    To rebuild the init.gz with the new version of clamav:
    http://fogproject.org/forum/threads/clamav-version-update.3926/
    To resize the init.gz:
    http://fogproject.org/forum/threads/change-initrd-size.3920/


  • Moderator

    I’ll get on my FOG server that does AV updates and see if I can find the missing link. I think it was an apache configuration change that allowed downloading the files from the root of the web server.



  • Thanks for the help. I appreciate your expertise also.
    FOG did install ClamAV and it looked to be updating correctly but I was trying to get the AV task to run.
    The server does have 0.97.6 and I see the client does say 0.97.1.
    Other than what I have added to /etc/freshclam.conf what else do I need to add?
    Do you think that I can just put the correct definitions in /usr/share/clamav? I cannot find the correct files but if I could would that work?
    From the CLI I can resolve all items necessary for ClamAV based on what I have read. Are there other settings for the DNS_ADDRESS in the FOG server that I have not found?
    How do I rebuild the init.gz with the same version of clamav?
    Does this feature work as implemented on FOG, or was it a good idea that now does not work because the definitions are too large?


  • Developer

    The antivirus in FOG works as follows:

    [B]In the server:[/B]
    During the FOG install process, you install the clamav package from the repositories. Currently the clamAV version is 0.97.6.
    freshclam runs every day (you can set it up in the freshclam.conf file), downloads the new virus definitions and updates the files bytecode.cvd and daily.cvd.

    [B]In the client:[/B]
    In the init.gz clamav is installed; you can see its version on the screen (your capture says that the clamAV version is 0.97.1). Oops, your version isn’t the same in the server and in the client. The server version is 0.97.6 and the client 0.97.1, so the definitions are different.
    The script fog.av tries to download the virus definitions from your FOG server, but the script says “Not supported database files”. The reason for this is clear: the server version files (0.97.6) and the client version files (0.97.1) are different, and the definitions are not compatible. Well, it is one little problem, but it is not the end of the world. The script then tries to connect to the clamav servers (you must set this up in the /etc/freshclam.conf file, steps 6, 7, 8) and downloads the virus definitions for your clamav version (0.97.1). If the download finishes, the antivirus runs the scan. Be sure that you have set up the DNS_ADDRESS in the FOG server settings ;)

    Well, I think installing clamav on the server is not necessary. Its mission is “only” to download the virus definitions every day.

    There are some little problems with this feature:
    1º) The free space in the init.gz is small and the definition files are larger and larger, and don’t fit in the free space.
    2º) You must have the same version in the server and in the client. To do that, you must rebuild the init.gz.



    Here is what I have tried step-by-step based on your numbers above. I think we are making progress. Thanks again.

    Fix ClamAV
    1 - remove ClamAV
    apt-get --purge remove clamav clamav-base clamav-daemon clamav-freshclam libclamav2
    apt-get autoremove libclamav6

    add software to allow adding the PPA
    apt-get install python-software-properties

    2 - add the PPA
    add-apt-repository ppa:ubuntu-clamav/ppa

    3 - install newest ClamAV
    apt-get install clamav

    4 - update ClamAV definitions
    freshclam

    5 - disable scripted updates and let ClamAV download definitions to the AfterChanges.jpg



  • Thanks for the response and your expertise.
    This is the one I think you are referring to: http://www.fogproject.org/wiki/index.php/Clamav
    I have pasted it below for reference.
    At the bottom you say that you will update and remove the note so I did not know if these are complete.

    Ubuntu 10.04 LTS
    20:18, 13 June 2012 (MDT)


  • Moderator

    I don’t think you understand how ClamAV works in FOG. You have clamAV on the server, which is completely separate from the ClamAV that runs on the client when you make an AV task.

    The ClamAV on the client is in the init image and to update it, you have to rebuild the init image. So it’s not as easy to update as the server and updating the server really does nothing for making the clients updated.

    If you want to use ClamAV in FOG “out of the box” then you have to allow each client to connect to the internet to get new virus defs from the ClamAV servers and you have to update the ClamAV in the init image.

    There is an article on the wiki that I updated with instructions on turning your FOG server into a ClamAV def file server for your FOG clients. You basically edit the init image to tell the ClamAV clients to ask for virus defs from the FOG server.

    The client still looks for a local copy of the database and fails because it’s not included in the init image, but it falls back to checking for updates from the FOG server.



    I am getting this error too. freshclam looks to work when I ssh to the server, but when I create the task in fog this is what I get. I have created the directory structure and copied the cvd and cld files there, but I still get this. I have reinstalled this fog server 4 different times and the same thing happens. Ubuntu 12.04 LTS and fog .32. I have just started using fog and the other items seem to work fine. This clamav would give me another way to ‘clean’ a windows computer. I am very new to ubuntu and fog but am willing to learn and work for the knowledge; I have read many posts but have been unable to find the exact answer.

    clamaverror.jpg



  • [S]Which kernel version are you running? I had seen this and have updated the kernel to the latest “kitchensink” kernel to work with some of my more obscure hardware.[/S]

    [S]After doing that and running “freshclam” the versions matched.[/S]

    I retract that, the version in the kernel and the version installed don’t match.



    [S]Ok, same thing here… internet connection is ok but why does the Fog “clamav-pxe-client” say:[/S]

    [S]Starting AV scan…[/S]
    [S]ClamAV 0.97.1[/S]

    [S]and the version installed on the server is 0.97.3… should the clamav pxe package be rebuilt or something after the clamav update?[/S]

    It’s working now… just reinstalled the whole thing…



  • Yes, my FOG server is connected to the internet. The command “freshclam” works via an SSH connection.

