    Clam AV Scans Not Working

      Martin T

      Here is what I have tried step-by-step based on your numbers above. I think we are making progress. Thanks again.

      Fix ClamAV
      1 - remove ClamAV
      apt-get --purge remove clamav clamav-base clamav-daemon clamav-freshclam libclamav2
      apt-get autoremove libclamav6

      add software to allow adding the PPA
      apt-get install python-software-properties

      2 - add the PPA
      add-apt-repository ppa:ubuntu-clamav/ppa

      3 - install newest ClamAV
      apt-get install clamav

      4 - update ClamAV definitions
      freshclam

      5 - disable scripted updates and let ClamAV download definitions to the [B]root of the web server[/B]
      nano /etc/clamav/freshclam.conf
      change “ScriptedUpdates” to “no” - instead of original “yes”
      changing to “off” produced the following when running freshclam
      ERROR: Incorrect argument format for option ScriptedUpdates
      ERROR: Can’t open/parse the config file /etc/clamav/freshclam.conf

      6, 7, 8 - modify the init.gz image file
      cd /
      cd /tftpboot/fog/images
      cp init.gz init-ORIG.gz
      gunzip init.gz
      mkdir initmountdir
      mount -o loop init initmountdir
      nano initmountdir/etc/freshclam.conf
      add “ScriptedUpdates” to “no” based on above ERROR
      change “DatabaseMirror” to “IPAddressOfServer” instead of original “database.clamav.net”
      umount initmountdir/
      rmdir initmountdir
      gzip init

      here is what the directory structure looks like
      /var/www/fog/av/clamav and the files
      -rw-r--r-- 1 clamav clamav 60125 Feb 26 09:21 bytecode.cvd
      -rw-r--r-- 1 clamav clamav 20404363 Feb 26 09:21 daily.cvd
      -rw-r--r-- 1 clamav clamav 30750647 Feb 26 09:21 main.cvd
      -rw------- 1 clamav clamav 104 Feb 26 11:09 mirrors.dat

      9 - setup a virus scan task in FOG to test
      (here is a modified) pic of the results

      [url=“/_imported_xf_attachments/0/252_AfterChanges.jpg?:”]AfterChanges.jpg[/url]

        Fernando Gietz Developer

        The antivirus in FOG works as follows:

        [B]In the server:[/B]
        During the FOG install process, you install the clamav package from the repositories. Actually the clamAV version is 0.97.6.
        freshclam runs every day (you can set it up in the freshclam.conf file), downloads the new virus definitions and updates the files bytecode.cvd and daily.cvd.

        [B]In the client:[/B]
        In the init.gz, clamav is installed; you can see its version on the screen (your capture says that the clamAV version is 0.97.1). Oops, your version isn’t the same on the server and on the client. The server version is 0.97.6 and the client 0.97.1; the definitions are different.
        The script fog.av tries to download the virus definitions from your FOG server, but the script says “Not supported database files”. The reason for this is clear: the server version files (0.97.6) and the client version files (0.97.1) are different, and the definitions are not compatible. Well, it is one little problem, but it is not the end of the world. The script then tries to connect to the clamav servers (you must set this up in the /etc/freshclam.conf file, steps 6, 7, 8) and downloads the virus definitions for your clamav version (0.97.1). If the download finishes, the antivirus runs the scan. Be sure that you have set up the DNS_ADDRESS in the FOG server settings 😉

        Well, installing clamav on the server is, I think, not necessary. Its mission is “only” to download the virus definitions every day.

        There are some little problems with this feature:
        1º) The free space in init.gz is small and the definition files keep getting larger, and they don’t fit in the free space.
        2º) You must have the same version on the server and on the client. To do that, you must rebuild the init.gz.

          Martin T

          Thanks for the help. I appreciate your expertise also.
          FOG did install ClamAV and it looked to be updating correctly but I was trying to get the AV task to run.
          The server does have 0.97.6 and I see the client does say 0.97.1.
          Other than what I have added to /etc/freshclam.conf what else do I need to add?
          Do you think that I can just put the correct definitions in /usr/share/clamav? I cannot find the correct files but if I could would that work?
          From the CLI I can resolve all items necessary for ClamAV based on what I have read. Are there other settings for the DNS_ADDRESS in the FOG server that I have not found?
          How do I rebuild the init.gz with the same version of clamav?
          Does this feature work as implemented on FOG, or was it a good idea that now does not work because the definitions are too large?

            chad-bisd Moderator

            I’ll get on my FOG server that does AV updates and see if I can find the missing link. I think it was an apache configuration change that allowed downloading the files from the root of the web server.


            If you would like to make a donation to the Fog project, please do so [U][COLOR=#0000ff][URL='http://sourceforge.net/dona…

              Fernando Gietz Developer

              You must configure the FOG_PXE_IMAGE_DNSADDRESS value; if you haven’t configured it, the client doesn’t know how to resolve the address of the clamAV server.
              To rebuild the init.gz with the new version of clamav
              [url]http://fogproject.org/forum/threads/clamav-version-update.3926/[/url]
              To resize the init.gz
              [url]http://fogproject.org/forum/threads/change-initrd-size.3920/[/url]

                chad-bisd Moderator

                One thing I did that is not in the wiki article is to make symbolic links:
                [CODE]
                cd /var/www
                sudo ln -s /var/lib/clamav/bytecode.cld
                sudo ln -s /var/lib/clamav/daily.cld
                sudo ln -s /var/lib/clamav/daily.cvd
                sudo ln -s /var/lib/clamav/main.cvd
                [/CODE]


                  Martin T

                  Thank you Fernando Gietz and chad-bisd for input.

                  I have rebuilt the complete fog server with Ubuntu 12.04.2 LTS 64bit and fog .32 and I am back to the same error that I started with (clamaverror.jpg Monday 2:41PM). I did this because I have tried so many changes that I wanted to make sure that I got back to a safe starting point. So a few questions, if you please.
                  Do I go back and make all the changes 1-9, yesterday at 11:34 AM or try the rebuild/resize of init.gz?[B] - both[/B]
                  The server does have 0.97.6 and I see the client does say 0.97.1. Are the definitions truly incompatible?[B] - Fernando Gietz[/B]
                  Where is the FOG_PXE_IMAGE_DNSADDRESS at? [B]- Fernando Gietz[/B]
                  I can only find main, daily, and bytecode CVD files. No CLD files. Do I just make the symbolic links to what I have? [B]- chad-bisd[/B]
                  I have asked other questions above but let’s see how this goes.
                  I am willing to try almost anything and can rebuild the server when I know exactly the steps to make it work. Hopefully I can create a complete posting that outlines the exact steps to make this work for everyone who wants this task to work correctly.

                    chad-bisd Moderator

                    Before you go through the effort of resizing the init.gz, just try the steps in the wiki with the slight modifications from this thread.

                    Try it with the different versions. The compatibility error came from no files in /usr/share/clamav inside the init image, not because the client and server were different versions.

                    You only need DNS settings if you use the host name of the FOG server and not the IP address.

                    I believe the .cld files come and go, but make symbolic links to anything you have and try it.


                      Martin T

                      These are the only items I changed after the rebuild/install of FOG and [B]ClamAV is now working at the client[/B]. I will now work on getting rid of the OUTDATED AV ENGINE errors.

                      1 - (6, 7, 8 from above) - [B]modify the init.gz image file[/B]
                      cd /
                      cd /tftpboot/fog/images
                      cp init.gz init-ORIG.gz
                      gunzip init.gz
                      mkdir initmountdir
                      mount -o loop init initmountdir
                      nano initmountdir/etc/freshclam.conf
                      add “ScriptedUpdates” to “no” based on above ERROR
                      change “DatabaseMirror” to “IPAddressOfServer” instead of original “database.clamav.net”
                      umount initmountdir/
                      rmdir initmountdir
                      gzip init

                      2 - [B]create symbolic links[/B]
                      cd /var/www
                      ln -s /var/lib/clamav/bytecode.cvd
                      ln -s /var/lib/clamav/daily.cvd
                      ln -s /var/lib/clamav/main.cvd

                      Before I start working on the init.gz do either of you know what I need to change so that the client does not reboot after the AV scan is finished? I want to see what the results are before the computer reboots.
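
The two freshclam.conf changes from the steps above, as an added shell example that is not part of the original post or of FOG's own scripts. The function names and the 192.0.2.10 address are hypothetical; the intended target is initmountdir/etc/freshclam.conf while the init image is mounted.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not FOG project code.

# Set one option in a freshclam.conf-style file ("Key Value" per line).
# Every existing line for KEY is collapsed into a single "KEY VALUE" line;
# if KEY is absent, the line is appended at the end.
set_freshclam_option() {
    conf=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        $1 == k { if (!seen) { print k " " v; seen = 1 }; next }
        { print }
        END { if (!seen) print k " " v }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Apply both changes from the thread: ScriptedUpdates "no" (the thread shows
# that "off" is rejected by freshclam) and DatabaseMirror pointing at the
# FOG server.
patch_freshclam_conf() {
    init_conf=$1 mirror=$2
    set_freshclam_option "$init_conf" ScriptedUpdates no &&
    set_freshclam_option "$init_conf" DatabaseMirror "$mirror"
}

# Usage while the image is mounted (address is a placeholder):
#   patch_freshclam_conf initmountdir/etc/freshclam.conf 192.0.2.10
```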

                        chad-bisd Moderator

                        You need to edit the av script in the init image and remove the call to reboot the workstation or add a pause or something.


                          chad-bisd Moderator

                          I will update the wiki and note the changes.


                            Martin T

                            Even after making the changes above and ‘knowing’ that I had the AV scanning working sometimes it would not work. Especially when trying to show staff how good this product was. The culprit - different kernels. I found that ‘Kernel - 2.6.35.7 KS’ would not allow the AV scan to work but the default bzImage would. Thanks for all the help.

                              Fernando Gietz Developer

                              [quote=“Martin T, post: 10917, member: 3420”]Thank you Fernando Gietz and chad-bisd for input.

                              I have rebuilt the complete fog server with Ubuntu 12.04.2 LTS 64bit and fog .32 and I am back to the same error that I started with (clamaverror.jpg Monday 2:41PM). I did this because I have tried so many changes that I wanted to make sure that I got back to a safe starting point. So a few questions, if you please.
                              Do I go back and make all the changes 1-9, yesterday at 11:34 AM or try the rebuild/resize of init.gz?[B] - both[/B]
                              The server does have 0.97.6 and I see the client does say 0.97.1. Are the definitions truly incompatible?[B] - Fernando Gietz[/B]
                              Where is the FOG_PXE_IMAGE_DNSADDRESS at? [B]- Fernando Gietz[/B]
                              I can only find main, daily, and bytecode CVD files. No CLD files. Do I just make the symbolic links to what I have? [B]- chad-bisd[/B]
                              I have asked other questions above but let’s see how this goes.
                              I am willing to try almost anything and can rebuild the server when I know exactly the steps to make it work. Hopefully I can create a complete posting that outlines the exact steps to make this work for everyone who wants this task to work correctly.[/quote]

                              Sorry for answering so late.

                              [I]Where is the FOG_PXE_IMAGE_DNSADDRESS at?[/I]
                              In webui: About > FOG settings > TFTP Server

                              [I]The server does have 0.97.6 and I see the client does say 0.97.1. Are the definitions truly incompatible?[/I]
                              I’m not a clamAV expert 🙂 but the capture says that [I]Not supported database files found in /usr/share/clamav. [/I]It seems the database files are incompatible. This problem/issue disappears if you upgrade the clamAV version[I] to 0.97.6[/I]

                              I have seen the fog.av script and you don’t have to resize the init.gz (sorry, but I’m sure that you have learned a lot 🙂 ). The database files from the server are copied to /usr/share/clamav. This folder is a ramdisk:

                              [CODE]mount -t tmpfs none /usr/share/clamav/ -o size=50m;[/CODE]

                              This ramdisk has a 50M size. This size would be small[I], why? [/I]The reason is that the size of the database files grows more and more, daily. For example, on my server, these files:

                              [CODE]-rw-r--r-- 1 clam clam 302K feb 15 03:37 bytecode.cld
                              -rw-r--r-- 1 clam clam 0 feb 26 20:25 clamd.sock
                              -rw-r--r-- 1 clam clam 55M mar 12 03:10 daily.cld
                              -rw-r--r-- 1 clam clam 30M mar 11 14:14 main.cvd
                              -rw-r--r-- 1 clam clam 572 mar 12 03:10 mirrors.dat[/CODE]

                              86 MB, and daily increases its size 😞 The size of the ramdisk would be dynamic.
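
One way to size the ramdisk from the database files instead of a fixed 50m, as an added example that is not from the original post or from the fog.av script. The function names and the 25% headroom are assumptions, and it assumes it runs where the database files are readable (for example /var/lib/clamav on the server).

```shell
#!/bin/sh
# Added example (hypothetical helper names), not FOG project code.

# Total size in bytes of the .cvd/.cld database files in a directory.
# Other files (mirrors.dat, clamd.sock) are ignored; prints 0 if none exist.
db_bytes() {
    total=0
    for f in "$1"/*.cvd "$1"/*.cld; do
        [ -f "$f" ] || continue          # unmatched glob or not a regular file
        size=$(wc -c < "$f")
        total=$((total + size))
    done
    echo "$total"
}

# tmpfs size in whole MiB: database bytes plus a headroom percentage
# (default 25, an assumed margin for daily growth), rounded up.
tmpfs_size_mb() {
    bytes=$(db_bytes "$1")
    headroom_pct=${2:-25}
    with_headroom=$((bytes + bytes * headroom_pct / 100))
    echo $(((with_headroom + 1048575) / 1048576))
}

# Succeeds only if the databases fit in a ramdisk of the given size in MiB,
# e.g. the fixed 50 used by the mount line quoted above.
fits_in_ramdisk() {
    [ "$(db_bytes "$1")" -le $(($2 * 1048576)) ]
}

# Usage, replacing the fixed size in the mount line:
#   mount -t tmpfs none /usr/share/clamav/ -o size="$(tmpfs_size_mb /var/lib/clamav)m"
```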

                              Copyright © 2012-2024 FOG Project