NethServer Version: 7.5.1804 final
Module: webfilter / squidclamav
I wanted to test updating clamav from 0.100.2 to 0.101.1 on a test VM, but accidentally used the SSH window of my production machine. I reverted to clamav 0.100.2.
I removed nethserver-squidclamav and reinstalled it, but no success.
I removed the whole nethserver-webfilter module and reinstalled it, but no success.
Same with nethserver-antivirus.
#systemctl status squidclamav
● clamd@squidclamav.service - clamd scanner (squidclamav) daemon
Loaded: loaded (/usr/lib/systemd/system/clamd@.service; static; vendor preset: disabled)
Drop-In: /etc/systemd/system/clamd@squidclamav.service.d
└─c-icap.conf
Active: activating (start) since Thu 2019-01-10 13:56:44 CET; 1min 22s ago
Docs: man:clamd(8)
man:clamd.conf(5)
https://www.clamav.net/documents/
Control: 23824 (clamd)
CGroup: /system.slice/system-clamd.slice/clamd@squidclamav.service
└─23824 /usr/sbin/clamd -c /etc/clamd.d/squidclamav.conf
Jan 10 13:56:44 nethserver.jeckel.local systemd[1]: Starting clamd scanner (squidclamav) daemon...
Jan 10 13:56:44 nethserver.jeckel.local clamd[23824]: Received 0 file descriptor(s) from systemd.
Jan 10 13:56:44 nethserver.jeckel.local clamd[23824]: clamd daemon 0.100.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 10 13:56:44 nethserver.jeckel.local clamd[23824]: Running as user c-icap (UID 987, GID 982)
Jan 10 13:56:44 nethserver.jeckel.local clamd[23824]: Log file size limited to 1048576 bytes.
Jan 10 13:56:44 nethserver.jeckel.local clamd[23824]: Reading databases from /var/lib/squidclamav
Jan 10 13:56:44 nethserver.jeckel.local clamd[23824]: Not loading PUA signatures.
Jan 10 13:56:44 nethserver.jeckel.local clamd[23824]: Bytecode: Security mode set to "TrustSigned".
When I kill this task, c-icap server is reported running
#systemctl status c-icap
● c-icap.service - C-ICAP Server
Loaded: loaded (/usr/lib/systemd/system/c-icap.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/c-icap.service.d
└─squidclamav.conf
Active: active (running) since Thu 2019-01-10 13:58:27 CET; 11min ago
Process: 24088 ExecStart=/usr/sbin/c-icap $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 24089 (c-icap)
Tasks: 37
CGroup: /system.slice/c-icap.service
├─24089 /usr/sbin/c-icap -f /etc/c-icap/c-icap.conf
├─24090 /usr/sbin/c-icap -f /etc/c-icap/c-icap.conf
├─24091 /usr/sbin/c-icap -f /etc/c-icap/c-icap.conf
└─24092 /usr/sbin/c-icap -f /etc/c-icap/c-icap.conf
Jan 10 13:58:27 nethserver.jeckel.local systemd[1]: Starting C-ICAP Server...
Jan 10 13:58:27 nethserver.jeckel.local systemd[1]: Started C-ICAP Server.
Webfilter itself works. Only the antivirus doesn’t work!
Jan 10 16:04:57 nethserver clamd[14180]: Received 0 file descriptor(s) from systemd.
Jan 10 16:04:57 nethserver clamd[14180]: clamd daemon 0.100.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 10 16:04:57 nethserver clamd[14180]: Running as user c-icap (UID 987, GID 982)
Jan 10 16:04:57 nethserver clamd[14180]: Log file size limited to 1048576 bytes.
Jan 10 16:04:57 nethserver clamd[14180]: Reading databases from /var/lib/squidclamav
Jan 10 16:04:57 nethserver clamd[14180]: Not loading PUA signatures.
Jan 10 16:04:57 nethserver clamd[14180]: Bytecode: Security mode set to "TrustSigned".
User clamscan
LocalSocket /var/run/clamd.scan/clamd.sock
clamd starts normally and I get this:
Limits: Global size limit set to 104857600 bytes.
Limits: File size limit set to 26214400 bytes.
Limits: Recursion level limit set to 16.
Limits: Files limit set to 10000.
Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Limits: MaxScriptNormalize limit set to 5242880 bytes.
Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Limits: MaxPartitions limit set to 50.
Limits: MaxIconsPE limit set to 100.
Limits: MaxRecHWP3 limit set to 16.
Limits: PCREMatchLimit limit set to 100000.
Limits: PCRERecMatchLimit limit set to 5000.
Limits: PCREMaxFileSize limit set to 26214400.
Archive support enabled.
BlockMax heuristic detection disabled.
Algorithmic detection enabled.
Portable Executable support enabled.
ELF support enabled.
Mail files support enabled.
OLE2 support enabled.
PDF support enabled.
SWF support enabled.
HTML support enabled.
XMLDOCS support enabled.
HWP3 support enabled.
Self checking every 600 seconds.
EDIT: @giacomo thanks for the hint with manually starting.
I found in /var/lib/squidclamav (= DatabaseDirectory) a lot of files like main.cld, and tmp files.
I deleted them and left only the same as on a fresh install. When I then start manually it works.
@giacomo found the solution: signal-event nethserver-squidclamav-update did the trick.
Now everything is in the right place again and services are running from GUI again.
With “Graphs” and “top” in SSH I noticed that for the last two days (could have been longer) Clamd has been at 100% every afternoon for more than two hours. Your solution seems to resolve the issue on my NS too. Thanks.
Oops - the issue is back again (100% CPU load from clamd) this morning after reboot, so the command signal-event nethserver-squidclamav-update did not solve the issue, only temporarily (NS7.6).
Since it was annoying I removed nethserver-squidclamav.
After a new install I see the same 100% load. Interesting is that now the NS web interface shows an error when I try to enable Antivirus under Web Content Filter.
Please stop clamd: systemctl stop clamd@squidclamav
and start it manually: /usr/sbin/clamd --debug -F -c /etc/clamd.d/squidclamav.conf
and see if there are any relevant errors.
Please check the directory /var/lib/squidclamav to see whether all files are symlinks to /var/lib/clamav.
Thanks for the hint. As I wrote above I had disabled clamav since I could not find the error. Today I had some time and reinstalled it. Although a newer version it is still the same issue. clamd shows 95% CPU usage in ‘top’.
I initiated:
and got the following warning:
LibClamAV Warning: Detected duplicate databases /var/lib/squidclamav/bytecode.cvd and /var/lib/squidclamav/bytecode.cld, please manually remove one of them
I deleted the later of the two files. And checked in /var/lib/squidclamav if all files are symlinks.
Except for one file ‘daily.cvd’ which seems to be an archive file all the other files are symlinks.
At the moment it looks ok. Will report in case the issue comes back tomorrow after reboot.
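The two checks suggested in this thread (duplicate .cvd/.cld databases, and whether every entry in /var/lib/squidclamav is a symlink into /var/lib/clamav) written as one shell function. This is an added example, not part of any post or of NethServer; the function name audit_clamav_dbdir and its output labels are made up here, and it assumes the symlinks use absolute targets.

```shell
#!/bin/sh
# Added example: audit a clamd DatabaseDirectory for
#   - the same database present as both .cvd and .cld (duplicate warning)
#   - entries that are not symlinks into the main database directory
# Assumes absolute symlink targets. Prints findings; returns 1 if any.
audit_clamav_dbdir() {
    dbdir=$1; target=$2; findings=0
    for f in "$dbdir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue     # glob matched nothing
        name=${f##*/}
        case $name in
            *.cvd)  # report each duplicate pair once, from the .cvd side
                cld="$dbdir/${name%.cvd}.cld"
                if [ -e "$cld" ] || [ -L "$cld" ]; then
                    echo "DUPLICATE $name ${name%.cvd}.cld"
                    findings=$((findings + 1))
                fi ;;
        esac
        if [ -L "$f" ]; then
            dest=$(readlink "$f")
            case $dest in
                "$target"/*) ;;                     # expected location
                *) echo "FOREIGN_LINK $name -> $dest"
                   findings=$((findings + 1)) ;;
            esac
            if [ ! -e "$f" ]; then                  # link target is missing
                echo "DANGLING $name -> $dest"
                findings=$((findings + 1))
            fi
        else
            echo "NOT_SYMLINK $name"                # real file or leftover tmp
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample layout (not taken from the thread's server).
demo=$(mktemp -d)
mkdir "$demo/clamav" "$demo/squidclamav"
: > "$demo/clamav/main.cvd"; : > "$demo/clamav/bytecode.cvd"
ln -s "$demo/clamav/main.cvd" "$demo/squidclamav/main.cvd"
ln -s "$demo/clamav/bytecode.cvd" "$demo/squidclamav/bytecode.cvd"
: > "$demo/squidclamav/bytecode.cld"               # stale copy -> duplicate
audit_clamav_dbdir "$demo/squidclamav" "$demo/clamav" || echo "findings present"
rm -rf "$demo"
```

On a real system the call would be audit_clamav_dbdir /var/lib/squidclamav /var/lib/clamav, run with clamd@squidclamav stopped so the directory is not changing underneath it.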