#1
02-01-2010, 12:03 PM
Moderator
Posts: 6,237
ClamAV 0.94 EOL on ZCS 5.0.16 prior (discussion)

For those using ZCS 5.0.16 and prior, come 15 April 2010 anti-virus definitions will no longer update AND your ClamAV instance will stop working entirely.

Source: End of Life Announcement: ClamAV 0.94.x
Quote:
Originally Posted by ClamAV Team
Starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 – that is to say older than 1 year. We plan to start releasing signatures which exceed the 980 bytes limit on May 2010.

We include ClamAV 0.95 as of ZCS 5.0.18+, there are of course other security reasons to upgrade such as the third-party CVE-2009-3555, in addition to other bugs and multiple RFEs. ZCS 6.0.6 & 5.0.23 Shipped!

If you're intent on keeping your old version, you may have trouble with your Amavisd-ClamAV.

Preventative methods:
-Upgrade ZCS.
-Update just the ClamAV component.
-Set zimbraVirusDefinitionsUpdateFrequency to 0 well in advance of that day to avoid receiving the remote disable code.

If you're reading this after the 15th, options include:
-Turn off ClamAV from your admin console > server > services 'as/av' tab > uncheck av. Via CLI it's zmprov ms `zmhostname` -zimbraServiceEnabled antivirus. (The minus sign is important, or you'll have nothing but av running.) Then zmamavisdctl reload or zmcontrol stop/start. (This may leave you more vulnerable of course, so schedule a maintenance window as soon as you can.)
-Update just the ClamAV component.
-Upgrade ZCS.

Helpful links:
ClamAV - Updating Version - Zimbra :: Wiki
ClamAV - Updating from versions lower than 0.90.0 - Zimbra :: Wiki
ClamAV - Updating clamd for releases earlier than ZCS 5.0.16 - Zimbra :: Wiki < Freshly written

#2
02-20-2010, 09:58 PM
Loyal Member
Posts: 95

Hi Mmorse,

Will it affect a future upgrade of the ZCS version if we upgrade ClamAV manually as discussed on the wiki page ClamAV - Updating Version - Zimbra :: Wiki? As of now an upgrade of ZCS is not possible, so we need to keep the current version for some more time.

Thanks,
Premod

#3
04-15-2010, 02:52 PM
Moderator
Posts: 6,237

(Just to bump this up because of all the activity today.)

ClamAV - Updating clamd for releases earlier than ZCS 5.0.16 - Zimbra :: Wiki

And there are other reasons to update:

Quote:
Bug 45625 - remove OPENWHOIS references from spamassasin config

Recently the domain open-whois.org, who once provided Relay Blacklist services, expired. Once it expired it was free to be registered by anyone who wished to pay to purchase the domain. It appears that whoever purchased the domain did so with malicious intent. The open-whois.org RBL is now blacklisting every IP on the internet, which means no matter your provider, it's listed on this blacklist and anyone using this blacklist is now likely to be seeing a vast increase in false positive spam.

Fixed in 5.0.23+ For other versions you may workaround this issue by modifying the following files and removing or commenting references to OPENWHOIS:
/opt/zimbra/conf/spamassassin/STATISTICS-set1.txt
/opt/zimbra/conf/spamassassin/STATISTICS-set3.txt
/opt/zimbra/conf/spamassassin/active.list
/opt/zimbra/conf/spamassassin/50_scores.cf
/opt/zimbra/conf/spamassassin/72_active.cf

Please note this bug does not affect ZCS 6.0.x.

#4
04-15-2010, 03:08 PM
Partner (VAR/HSP)
Posts: 31

The steps below are NOT recommended for permanent use. It's just a quick way to get production boxes going so that you can upgrade later.

This problem can be temporarily solved by turning off the antivirus from admin console.

Admin Console -> Servers -> (Your server name) -> Services tab. Uncheck "Anti-Virus". Click "Save".

From the command prompt:
> su - zimbra
> zmcontrol stop
> zmcontrol start

This should get you going until you can upgrade.

#5
04-15-2010, 04:57 PM
raj
Moderator
Posts: 768

The wiki link ( ClamAV - Updating clamd for releases earlier than ZCS 5.0.16 - Zimbra :: Wiki ) is getting updated for many things as I write this, so going back to the link may show you more instructions in time.

If you just want to DISABLE ClamAV only and not the AntiSpam, then do the following:

To Disable ClamAV or AntiVirus Only till you do the update/upgrade or fix
Quote:
su - zimbra
zmprov ms `zmhostname` -zimbraServiceEnabled antivirus
zmcontrol stop
zmcontrol start
To Enable ClamAV or AntiVirus Only before you do the fix or upgrade
Quote:
su - zimbra
zmprov ms `zmhostname` +zimbraServiceEnabled antivirus
zmcontrol stop
zmcontrol start

Raj
__________________
i2k2 Networks
Dedicated & Shared Zimbra Hosting Provider

#6
04-15-2010, 06:32 PM
raj
Moderator
Posts: 768
Script for the fix

Official WIKI link is ClamAV - Updating clamd for releases earlier than ZCS 5.0.16 - Zimbra :: Wiki
for complete details you should follow the above link only

The following are the steps which worked for us. We had to patch a lot of machines, so this kind of automated the fix for us.

-----------------------------------------------------------------------------------------
This fix/instructions only for RHEL 5 32bit or CentOS 5 32bit due to the download link
if you fix the download link as per WIKI link above for your install then other instructions should work as is

* following is the edited version..to fix the ArchiveMaxFileSize issue in some clamav.conf.in file which is different in some zimbra versions.
-----------------------------------------------------------------------------------------
Quote:
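# Comment out ArchiveMaxFileSize in the clamd config template, then show the result
sed -i 's/ArchiveMaxFileSize/# ArchiveMaxFileSize/g' /opt/zimbra/conf/clamd.conf.in
cat /opt/zimbra/conf/clamd.conf.in | grep ArchiveMaxFileSize
# Download and unpack the ClamAV 0.95.1 build (RHEL 5 / CentOS 5 32-bit link)
cd /tmp
rm -rf clamav-0.95.1.tar
rm -rf clamav-0.95.1
wget http://files2.zimbra.com/downloads/clamav/rhel5/clamav-0.95.1.tar
tar xf clamav-0.95.1.tar
# Install the new tree and repoint the clamav symlink to it
cp -r /tmp/clamav-0.95.1 /opt/zimbra
rm -f /opt/zimbra/clamav
cd /opt/zimbra
ln -s clamav-0.95.1 clamav
ls -l clamav
chmod -R 755 /opt/zimbra/clamav-0.95.1/db
# As the zimbra user: re-enable antivirus and stop all services
su - zimbra
zmprov ms `zmhostname` +zimbraServiceEnabled antivirus
zmcontrol stop
zmcontrol stop
logout
# Back as root: fix file permissions
cd /opt/zimbra/libexec
./zmfixperms
# As the zimbra user: start services, check status, update signatures
su - zimbra
zmcontrol start
zmcontrol status
/opt/zimbra/clamav/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.conf
logout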
-----------------------------------------------------------------------------------------
check the output of logs to see if everything worked ok
-----------------------------------------------------------------------------------------
Quote:
tail -n 60 /opt/zimbra/log/clamd.log
tail -n 20 /opt/zimbra/log/freshclam.log

** update edit **
While enabling AV back I had the following command with a CAPITAL "A" for Antivirus, which is NOT correct; it has to be all lower case.
If you did the following BAD command:
zmprov ms `zmhostname` +zimbraServiceEnabled Antivirus
then you will get the following output:
Starting Antivirus...skipped.
missing or not executable.



Raj
__________________
i2k2 Networks
Dedicated & Shared Zimbra Hosting Provider
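
Added example, not part of raj's post or of the Zimbra wiki: a check that the manual swap above ended in the state its steps aim for (clamav symlinked to clamav-0.95.1, no active ArchiveMaxFileSize line in clamd.conf.in, a db directory in the new tree). The function name and its root-directory argument are assumptions, chosen so the check can also be run against a test tree.

```shell
#!/bin/sh
# Added example: verify_clamav_swap and its arguments are hypothetical names.
# usage: verify_clamav_swap [zimbra_root] [version_dir]
verify_clamav_swap() {
    root=${1:-/opt/zimbra}
    want=${2:-clamav-0.95.1}
    conf=$root/conf/clamd.conf.in
    rc=0
    # 1. "clamav" must be a symlink to the new tree, not a leftover directory.
    if [ -L "$root/clamav" ]; then
        target=$(readlink "$root/clamav")
        [ "${target##*/}" = "$want" ] || { echo "FAIL clamav -> $target"; rc=1; }
    else
        echo "FAIL $root/clamav is not a symlink"; rc=1
    fi
    # 2. The sed step must have left no active ArchiveMaxFileSize directive.
    if [ ! -f "$conf" ]; then
        echo "FAIL $conf missing"; rc=1
    elif grep -Eq '^[[:space:]]*ArchiveMaxFileSize' "$conf"; then
        echo "FAIL ArchiveMaxFileSize still active in $conf"; rc=1
    fi
    # 3. The db directory that the steps chmod must exist in the new tree.
    [ -d "$root/$want/db" ] || { echo "FAIL $root/$want/db missing"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}
```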

#7
04-16-2010, 12:38 AM
Intermediate Member
Posts: 24
Antivirus not started & mails not delivering

I am using Zimbra version 5.0.7. Since this morning I have been facing a mail delivery problem. When I stop/start the zmcontrol service, antivirus shows as not started.

I have disabled the Antivirus from the Zimbra interface and now mail delivery has started. But disabling antivirus is not a good solution, so please provide me a permanent solution. Logs are as below:

Apr 16 11:23:52 mail amavis[19203]: (19203-01-13) (!)ClamAV-clamd: Can't connect to INET socket 127.0.0.1:3310: Connection refused, retrying (2)
Apr 16 11:23:52 mail amavis[19194]: (19194-01-13) Checking: uKH1Rg4EiGnS [203.212.64.40] <Wirelesszone@cellnext.com> -> <alerts@cellnext.com>
Apr 16 11:23:52 mail amavis[19194]: (19194-01-13) ClamAV-clamd: Can't connect to INET socket 127.0.0.1:3310: Connection refused, retrying (1)
Apr 16 11:23:52 mail amavis[19204]: (19204-01-13) (!)ClamAV-clamd: Can't connect to INET socket 127.0.0.1:3310: Connection refused, retrying (2)
Apr 16 11:23:52 mail amavis[19195]: (19195-01-13) (!)ClamAV-clamd: Can't connect to INET socket 127.0.0.1:3310: Connection refused, retrying (2)
Apr 16 11:23:52 mail amavis[19196]: (19196-01-13) (!)ClamAV-clamd: Can't connect to INET socket 127.0.0.1:3310: Connection refused, retrying (2)
Apr 16 11:23:53 mail amavis[19194]: (19194-01-13) (!)ClamAV-clamd: Can't connect to INET socket 127.0.0.1:3310: Connection refused, retrying (2)



o INET socket 127.0.0.1:3310: Connection refused) at (eval 74) line 310. at (eval 74) line 511. (in reply to end of DATA command))
Apr 16 11:25:32 mail postfix/smtp[21232]: B5F5E1D585BB: to=<prashant.sharma@cellnext.com>, orig_to=<liccn@cellnext.com>, relay=127.0.0.1[127.0.0.1]:10024, conn_use=26, delay=13207, delays=13010/189/0/7.1, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=19203-01-26, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0xa03047c) Too many retries to talk to 127.0.0.1:3310 (Can't connect to INET socket 127.0.0.1:3310: Connection refused) at (eval 74) line 310. at (eval 74) line 511. (in reply to end of DATA command))
Apr 16 11:25:33 mail postfix/smtpd[16169]: connect from unknown[203.212.64.40]
Apr 16 11:25:33 mail postfix/smtpd[16169]: 7B15E1D58A55: client=unknown[203.212.64.40]
Apr 16 11:25:33 mail postfix/cleanup[16025]: 7B15E1D58A55: message-id=<20100416-11253300-ad8@wizone>
Apr 16 11:25:33 mail postfix/smtpd[16169]: disconnect from unknown[203.212.64.40]
Apr 16 11:25:33 mail postfix/qmgr[14848]: 7B15E1D58A55: from=<Wirelesszone@cellnext.com>, size=435, nrcpt=1 (queue active)


amavisd already running: pid 24473


Can't load /opt/zimbra/data/clamav/db/daily.cld: Malformed database

Regards
Pradeep Siwach

#8
04-16-2010, 12:41 AM
Member
Posts: 11

Hi,

Same problem here on 2 Zimbra servers.
I have followed the tips on the wiki (erasing the clamd DB and re-running freshclam), but it is not working .....

Please help !

Thanks,

#9
04-16-2010, 01:27 AM
Member
Posts: 13

Hi there,

I've the same problem on one Zimbra server.
zmclamdctl was stopped.

Trying to restart:
zmclamdctl start
ClamAV update process started at Fri Apr 16 10:22:20 2010
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.94.1 Recommended version: 0.96
DON'T PANIC! Read http://www.clamav.net/support/faq
Trying host db.us.clamav.net (213.165.80.159)...
Downloading main-50.cdiff [100%]
Downloading main-51.cdiff [100%]
Downloading main-52.cdiff [100%]
main.cld updated (version: 52, sigs: 704727, f-level: 44, builder: sven)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 37, recommended = 44
DON'T PANIC! Read http://www.clamav.net/support/faq
WARNING: getfile: daily-8543.cdiff not found on remote server (IP: 213.165.80.159)
WARNING: getpatch: Can't download daily-8543.cdiff from db.us.clamav.net
Trying host db.us.clamav.net (213.165.80.159)...
WARNING: getfile: daily-8543.cdiff not found on remote server (IP: 213.165.80.159)
WARNING: getpatch: Can't download daily-8543.cdiff from db.us.clamav.net
Trying host db.us.clamav.net (213.165.80.159)...
WARNING: getfile: daily-8543.cdiff not found on remote server (IP: 213.165.80.159)
WARNING: getpatch: Can't download daily-8543.cdiff from db.us.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Trying host db.us.clamav.net (213.165.80.159)...
Downloading daily.cvd [100%]
daily.cvd updated (version: 10751, sigs: 52057, f-level: 51, builder: guitar)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 37, recommended = 51
DON'T PANIC! Read http://www.clamav.net/support/faq
Database updated (756784 signatures) from db.us.clamav.net (IP: 213.165.80.159)
connect(): Connection refused
WARNING: Clamd was NOT notified: Can't connect to clamd on localhost:3310
Starting clamd...


failed.

Any ideas?
Thanks

Davide

#10
04-16-2010, 01:49 AM
Advanced Member
Posts: 220

Same for me for two servers

Can't load /opt/zimbra/data/clamav/db//daily.cld: Malformed database

I ran this command
Code:
/opt/zimbra/clamav/bin/clamscan -d /opt/zimbra/data/clamav/db/
Code:
LibClamAV Warning: ***********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.     ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later. For more information see  www.clamav.net/eol-clamav-094 and www.clamav.net/download (length: 169)
LibClamAV Error: Problem parsing database at line 742
LibClamAV Error: Can't load daily.ndb: Malformed database
LibClamAV Error: cli_tgzload: Can't load daily.ndb
LibClamAV Error: Can't load /opt/zimbra/data/clamav/db//daily.cld: Malformed database
ERROR: Malformed database

----------- SCAN SUMMARY -----------
Known viruses: 50364
Engine version: 0.94.1-broken-compiler
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 0.192 sec (0 m 0 s)

So what could be the problem, for both servers?
__________________
- In a world without walls and fences who needs windows and gates?
- I am Running Linux.. Finally, my PC is valid & Reliable Hereafter.
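
Added example, not part of any post in this thread: a small shell filter that classifies the symptoms reported above (amavis connection refusals on 127.0.0.1:3310, postfix deferrals with ALL VIRUS SCANNERS FAILED, and the End of Life and Malformed database errors from the ClamAV engine). The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample lines are constructed, not from the thread.
# Reads mail log / clamd / clamscan output on stdin and prints one verdict line.
clamav_eol_triage() {
    awk '
        /reached End of Life/                               { eol = 1 }
        /Malformed database/                                { malformed = 1 }
        /Can.t connect to INET socket 127\.0\.0\.1:3310/    { refused++ }
        /ALL VIRUS SCANNERS FAILED/ && /status=deferred/    { deferred++ }
        END {
            # Most specific cause first: the EOL signature explains the rest.
            if (eol)            verdict = "eol-signature"
            else if (malformed) verdict = "malformed-db"
            else if (refused)   verdict = "clamd-down"
            else                verdict = "ok"
            printf "%s refused=%d deferred=%d\n", verdict, refused, deferred
        }'
}

# Constructed sample modelled on the messages quoted in the thread.
sample_log() {
cat <<'EOF'
Apr 16 11:23:52 mail amavis[19203]: (19203-01-13) (!)ClamAV-clamd: Can't connect to INET socket 127.0.0.1:3310: Connection refused, retrying (2)
Apr 16 11:23:53 mail amavis[19194]: (19194-01-13) (!)ClamAV-clamd: Can't connect to INET socket 127.0.0.1:3310: Connection refused, retrying (2)
Apr 16 11:25:32 mail postfix/smtp[21232]: B5F5E1D585BB: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED)
LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later.
LibClamAV Error: Can't load daily.ndb: Malformed database
EOF
}

sample_log | clamav_eol_triage
```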