[SOLVED] clamd won't start: malformed database

[thenetmonkey]

As my subject indicates, I'm having a problem where clamd won't start because it reports "malformed database" in my clamd.log file.

here is the log from freshclam:
--------------------------------------
Received signal: wake up
ClamAV update process started at Sun Jun 22 07:43:03 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92.1 Recommended version: 0.93.1
DON'T PANIC! Read Clam AntiVirus
main.inc is up to date (version: 46, sigs: 231834, f-level: 26, builder: sven)
Downloading daily-7532.cdiff [100%]
daily.inc updated (version: 7532, sigs: 93812, f-level: 31, builder: ccordes)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 26, recommended = 31
DON'T PANIC! Read Clam AntiVirus
Database updated (325646 signatures) from db.us.clamav.net (IP: 65.120.238.2)
Clamd successfully notified about the update.
--------------------------------------

Here is the log of the update that failed from clamd.log:
Sun Jun 22 07:43:06 2008 -> SelfCheck: Database modification detected. Forcing reload.
Sun Jun 22 07:43:06 2008 -> Reading databases from /opt/zimbra/data/clamav/db
Sun Jun 22 07:43:13 2008 -> ERROR: reload db failed: Malformed database
Sun Jun 22 07:43:13 2008 -> Terminating because of a fatal error.
Sun Jun 22 07:43:13 2008 -> Pid file removed.
Sun Jun 22 07:43:13 2008 -> --- Stopped at Sun Jun 22 07:43:13 2008

here is the output of clamscan -d dail.cvd:
/opt/zimbra/clamav/bin/clamscan -d daily.cvd
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
/opt/zimbra/data/clamav/db/main.cvd: OK
/opt/zimbra/data/clamav/db/mirrors.dat: OK
/opt/zimbra/data/clamav/db/daily.cvd: OK

----------- SCAN SUMMARY -----------
Known viruses: 6307
Engine version: 0.92.1
Scanned directories: 1
Scanned files: 3
Infected files: 0
Data scanned: 11.04 MB
Time: 0.623 sec (0 m 0 s)

here is output of clamscan -d main.cvd:
/opt/zimbra/clamav/bin/clamscan -d main.cvd
/opt/zimbra/data/clamav/db/main.cvd: OK
/opt/zimbra/data/clamav/db/mirrors.dat: OK
/opt/zimbra/data/clamav/db/daily.cvd: OK

----------- SCAN SUMMARY -----------
Known viruses: 169676
Engine version: 0.92.1
Scanned directories: 1
Scanned files: 3
Infected files: 0
Data scanned: 11.04 MB
Time: 6.866 sec (0 m 6 s)

----------------------------------------------
As far as I can tell, the databases are good.
I've even tried renaming them (daily and main), and having freshclam pull in new ones; the new files have the same md5sum as my old files, so I don't think they are actually corrupt.

I've disabled the antivirus service for now so that the company can send and receive email.

Anyone have any suggestions on how to get clamd running again?

Let me know if you need any other information.

Thanks,
Billy

[mmorse]

Welcome to the forums,

What was the process you followed to grab new defs?
su - zimbra
mkdir /tmp/clamdb
mv /opt/zimbra/clamav/db/* /tmp/clamdb
zmprov ms `zmhostname` +zimbraServiceEnabled antivirus
/opt/zimbra/clamav/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.conf
zmamavisctl stop
zmamavisctl start

http://www.zimbra.com/forums/announc...html#post62754 so we know which version you are running (though clamav 0.92.1 does narrow it some).

[thenetmonkey]

thanks for the tip, i just updated my profile.
zmcontrol -v reports:
Release 5.0.4_GA_2101.UBUNTU6 UBUNTU6 FOSS edition
this is running in a vmware image.

I used this process to grab the new defs:
#ran as user zimbra
zmantivirusctl stop
#made sure no amavis or clam processes were running

#backed up old DBs
cd /opt/zimbra/data/clamav/db
mv daily.cvd .daily.cvd.bak
mv main.cvd .main.cvd.bak

#started freshclam to grab new DBs
/opt/zimbra/clamav/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.conf
#verified that daily.cvd and main.cvd were created
#verified that md5sums were identical to old files

#removed old dbs
rm .daily.cvd.bak .main.cvd.bak

#started antivirus
zmantivirusctl start
#script reported that amavisd was running, but clamd was not
#checked /opt/zimbra/logs/clamd.log and it showed malformed database error again

#tried starting clamd directly
zmclamdctl start
#clamd.log had another malformed database error

amavisd starts up fine... it's just clamd that has the problem.

the antivirus service was already enabled in zimbra, so I didn't think I needed to reprovision it... it had been working fine for a couple months prior to the DB update on Jun 22 at 7:43am.

[thenetmonkey]

OK, looks like i was doing the freshclam update wrong, and i was using clamscan wrong as well.

here is how i should have been using clamscan to test the dbs:
zimbra@zimbra:~/data/clamav/db$ /opt/zimbra/clamav/bin/clamscan -d /opt/zimbra/data/clamav/db
LibClamAV Error: cli_loadmd5: Problem parsing database at line 84369
LibClamAV Error: Can't load /opt/zimbra/data/clamav/db/daily.inc/daily.mdb: Malformed database
ERROR: Malformed database

----------- SCAN SUMMARY -----------
Known viruses: 355
Engine version: 0.92.1
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 0.864 sec (0 m 0 s)

this shows that my data/clamav/db/daily.inc/daily.mdb file had a problem at line 84369

My other problem was that I had only removed the .cvd files from the db directory, not the daily.inc directory as well. So, I moved all the files out of the db directory, and ran freshclam again. This time it took quite a bit longer to grab all the updates. After the update, I ran:
zimbra@zimbra:~/data/clamav/db$ /opt/zimbra/clamav/bin/clamscan -d /opt/zimbra/data/clamav/db
LibClamAV Warning: ************************************************** *********
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read Clam AntiVirus ***
LibClamAV Warning: ************************************************** *********
LibClamAV Warning: ************************************************** *********
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read Clam AntiVirus ***
LibClamAV Warning: ************************************************** *********
/opt/zimbra/data/clamav/db/main.cvd: OK
/opt/zimbra/data/clamav/db/daily.cvd: OK
/opt/zimbra/data/clamav/db/mirrors.dat: OK

----------- SCAN SUMMARY -----------
Known viruses: 405927
Engine version: 0.92.1
Scanned directories: 1
Scanned files: 3
Infected files: 0
Data scanned: 31.41 MB
Time: 14.455 sec (0 m 14 s)

this time it showed my that my db files were OK.

then it was just a matter of provisioning/enabling the antivirus service, and restarting zimbra.

Now my clamd is running correctly.

[thenetmonkey]

hmm... i just replied with my solution, but it looks like it didn't get added.
my problem boiled down to using clamscan -d wrong, and to not updateding the virus DBs correctly with fresh clam.

i had to remove all the files from the data/clamav/db directory, and then run freshclam to have them all repopulated.

Once I did that, clamd was able to start successfully

Also, the proper way to check the DB files for errors is this to pass the path to the DB directory as the parameter to -d, like this:
zimbra@zimbra:~/data/clamav/db$ /opt/zimbra/clamav/bin/clamscan -d /opt/zimbra/data/clamav/db/

LibClamAV Error: cli_loadmd5: Problem parsing database at line 84369
LibClamAV Error: Can't load /opt/zimbra/data/clamav/db//daily.inc/daily.mdb: Malformed database
ERROR: Malformed database

----------- SCAN SUMMARY -----------
Known viruses: 355
Engine version: 0.92.1
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 0.864 sec (0 m 0 s)

[mmorse]

Cool, you just hit our watchdog fido (post should show up now).