clamav-milter Crash

fulltilt
Posts: 1155
Joined: 03.12.2006 20:10:57

clamav-milter Crash

Post by fulltilt » 17.02.2021 14:46:03

Since this morning clamav-milter has stopped working. I should add that beforehand I scanned a website with Maldet and updated maldet before that:
maldet -d && maldet -u
It may be that the update also changed ClamAV rules, or there was possibly a freshclam run this morning that doesn't fit.
The system has been running with clamav-milter for 2 years already, and nothing was changed in the configs.
As soon as I add clamav-milter back into the Postfix main.cf, clamav-daemon and clamav-milter crash ...

How can this problem be solved?

main.cf

Code:

non_smtpd_milters = unix:/spamass/spamass.sock, unix:/clamav/clamav-milter.ctl
smtpd_milters = unix:/spamass/spamass.sock, unix:/clamav/clamav-milter.ctl

Status after re-enabling it in main.cf and restarting postfix:

Code:

● clamav-milter.service - LSB: ClamAV virus milter
   Loaded: loaded (/etc/init.d/clamav-milter; generated)
   Active: active (running) since Wed 2021-02-17 14:04:11 CET; 3min 14s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 24483 ExecStop=/etc/init.d/clamav-milter stop (code=exited, status=0/SUCCESS)
  Process: 24626 ExecStart=/etc/init.d/clamav-milter start (code=exited, status=0/SUCCESS)
    Tasks: 6 (limit: 4915)
   CGroup: /system.slice/clamav-milter.service
           └─24751 /usr/sbin/clamav-milter --config-file=/etc/clamav/clamav-milter.conf

Feb 17 14:04:11 host3 systemd[1]: Starting LSB: ClamAV virus milter...
Feb 17 14:04:11 host3 clamav-milter[24626]:  * Starting Sendmail milter plugin for ClamAV clamav-milter
Feb 17 14:04:11 host3 clamav-milter[24750]: +++ Started at Wed Feb 17 14:04:11 2021
Feb 17 14:04:11 host3 clamav-milter[24626]:    ...done.
Feb 17 14:04:11 host3 systemd[1]: Started LSB: ClamAV virus milter.
Feb 17 14:07:24 host3 clamav-milter[24751]: Connection closed while reading from socket
Feb 17 14:07:24 host3 clamav-milter[24751]: No reply from clamd


● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/clamav-daemon.service.d
           └─extend.conf
   Active: failed (Result: signal) since Wed 2021-02-17 14:07:24 CET; 28s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
  Process: 24271 ExecStart=/usr/sbin/clamd --foreground=true (code=killed, signal=ABRT)
  Process: 24270 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
  Process: 24269 ExecStartPre=/bin/mkdir -p /run/clamav (code=exited, status=0/SUCCESS)
 Main PID: 24271 (code=killed, signal=ABRT)

Feb 17 14:03:48 host3 clamd[24271]: Wed Feb 17 14:03:48 2021 -> OLE2 support enabled.
Feb 17 14:03:48 host3 clamd[24271]: Wed Feb 17 14:03:48 2021 -> PDF support enabled.
Feb 17 14:03:48 host3 clamd[24271]: Wed Feb 17 14:03:48 2021 -> SWF support enabled.
Feb 17 14:03:48 host3 clamd[24271]: Wed Feb 17 14:03:48 2021 -> HTML support enabled.
Feb 17 14:03:48 host3 clamd[24271]: Wed Feb 17 14:03:48 2021 -> XMLDOCS support enabled.
Feb 17 14:03:48 host3 clamd[24271]: Wed Feb 17 14:03:48 2021 -> HWP3 support enabled.
Feb 17 14:03:48 host3 clamd[24271]: Wed Feb 17 14:03:48 2021 -> Self checking every 3600 seconds.
Feb 17 14:07:24 host3 clamd[24271]: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed.
Feb 17 14:07:24 host3 systemd[1]: clamav-daemon.service: Main process exited, code=killed, status=6/ABRT
Feb 17 14:07:24 host3 systemd[1]: clamav-daemon.service: Failed with result 'signal'.

debug:

Code:

LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 9460 duplicate identifier "eleonore_jar"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 10312 duplicate identifier "eleonore_jar2"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 10338 duplicate identifier "eleonore_jar3"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 10363 duplicate identifier "eleonore_js"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 10392 duplicate identifier "eleonore_js2"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 10423 duplicate identifier "eleonore_js3"
LibClamAV Warning: load_oneyara: yara rule contains too many subsigs (104, max: 64), skipping YARA.fragus_htm
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/rfxn.yara, successfully loaded 776 rules.
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Sakura.yar line 31 duplicate identifier "sakura_jar"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Sakura.yar line 62 duplicate identifier "sakura_jar2"
LibClamAV Warning: cli_loadyara: failed to parse or load 2 yara rules from file /var/lib/clamav/EK_Sakura.yar, successfully loaded 0 rules.
LibClamAV Warning: cli_loadyara: empty database file
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Angler.yar line 22 duplicate identifier "AnglerEKredirector"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Angler.yar line 50 duplicate identifier "angler_flash"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Angler.yar line 78 duplicate identifier "angler_flash2"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Angler.yar line 108 duplicate identifier "angler_flash4"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Angler.yar line 134 duplicate identifier "angler_flash5"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Angler.yar line 165 duplicate identifier "angler_flash_uncompressed"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Angler.yar line 197 duplicate identifier "angler_html"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Angler.yar line 229 duplicate identifier "angler_html2"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Angler.yar line 252 duplicate identifier "angler_jar"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Angler.yar line 283 duplicate identifier "angler_js"
LibClamAV Warning: cli_loadyara: failed to parse or load 10 yara rules from file /var/lib/clamav/EK_Angler.yar, successfully loaded 0 rules.
LibClamAV Warning: cli_loadyara: empty database file
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Zerox88.yar line 25 duplicate identifier "zerox88_js2"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Zerox88.yar line 55 duplicate identifier "zerox88_js3"
LibClamAV Warning: cli_loadyara: failed to parse or load 2 yara rules from file /var/lib/clamav/EK_Zerox88.yar, successfully loaded 0 rules.
LibClamAV Warning: cli_loadyara: empty database file
LibClamAV Error: yyerror(): /var/lib/clamav/EK_ZeroAcces.yar line 32 duplicate identifier "zeroaccess_css"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_ZeroAcces.yar line 57 duplicate identifier "zeroaccess_css2"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_ZeroAcces.yar line 87 duplicate identifier "zeroaccess_htm"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_ZeroAcces.yar line 119 duplicate identifier "zeroaccess_js"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_ZeroAcces.yar line 151 duplicate identifier "zeroaccess_js2"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_ZeroAcces.yar line 180 duplicate identifier "zeroaccess_js3"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_ZeroAcces.yar line 211 duplicate identifier "zeroaccess_js4"
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/EK_ZeroAcces.yar, successfully loaded 0 rules.
LibClamAV Warning: cli_loadyara: empty database file
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Zeus.yar line 28 duplicate identifier "zeus_js"
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/EK_Zeus.yar, successfully loaded 0 rules.
LibClamAV Warning: cli_loadyara: empty database file
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Blackhole.yar line 31 duplicate identifier "blackhole2_jar"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Blackhole.yar line 57 duplicate identifier "blackhole2_jar2"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Blackhole.yar line 83 duplicate identifier "blackhole2_jar3"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Blackhole.yar line 115 duplicate identifier "blackhole2_pdf"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Blackhole.yar line 119 duplicate identifier "blackhole1_jar"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Blackhole.yar line 170 duplicate identifier "blackhole2_css"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Blackhole.yar line 206 duplicate identifier "blackhole2_htm"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Blackhole.yar line 243 duplicate identifier "blackhole2_htm10"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Blackhole.yar line 276 duplicate identifier "blackhole2_htm11"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Blackhole.yar line 312 duplicate identifier "blackhole2_htm12"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Blackhole.yar line 331 duplicate identifier "blackhole2_htm3"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Blackhole.yar line 361 duplicate identifier "blackhole2_htm4"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Blackhole.yar line 395 duplicate identifier "blackhole2_htm5"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Blackhole.yar line 425 duplicate identifier "blackhole2_htm6"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Blackhole.yar line 453 duplicate identifier "blackhole2_htm8"
LibClamAV Warning: cli_loadyara: failed to parse or load 15 yara rules from file /var/lib/clamav/EK_Blackhole.yar, successfully loaded 1 rules.
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 23 duplicate identifier "phoenix_html"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 54 duplicate identifier "phoenix_html10"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 86 duplicate identifier "phoenix_html11"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 117 duplicate identifier "phoenix_html2"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 149 duplicate identifier "phoenix_html3"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 176 duplicate identifier "phoenix_html4"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 206 duplicate identifier "phoenix_html5"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 237 duplicate identifier "phoenix_html6"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 268 duplicate identifier "phoenix_html7"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 298 duplicate identifier "phoenix_html8"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 330 duplicate identifier "phoenix_html9"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 354 duplicate identifier "phoenix_jar"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 382 duplicate identifier "phoenix_jar2"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 405 duplicate identifier "phoenix_jar3"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 431 duplicate identifier "phoenix_pdf"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 458 duplicate identifier "phoenix_pdf2"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Phoenix.yar line 483 duplicate identifier "phoenix_pdf3"
LibClamAV Warning: cli_loadyara: failed to parse or load 17 yara rules from file /var/lib/clamav/EK_Phoenix.yar, successfully loaded 0 rules.
LibClamAV Warning: cli_loadyara: empty database file
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Crimepack.yar line 24 duplicate identifier "crimepack_jar"
LibClamAV Error: yyerror(): /var/lib/clamav/EK_Crimepack.yar line 49 duplicate identifier "crimepack_jar3"
LibClamAV Warning: cli_loadyara: failed to parse or load 2 yara rules from file /var/lib/clamav/EK_Crimepack.yar, successfully loaded 0 rules.
LibClamAV Warning: cli_loadyara: empty database file

Debian: Testing
Desktop: KDE Plasma 5

fulltilt
Posts: 1155
Joined: 03.12.2006 20:10:57

Re: clamav-milter Crash

Post by fulltilt » 17.02.2021 16:20:25

Hmm ... as a test I replaced the complete /var/lib/clamav folder with the one from another installation, and with that it seems to work ...

Code:

mv /var/lib/clamav /var/lib/clamav-bak
cp -r clamav/ /var/lib/
cd /var/lib/
sudo chown -R clamav:clamav clamav/

This one contains only 3 files:

Code:

-rw-r--r-- 1 clamav clamav    296388 Feb 17 15:57 bytecode.cvd
-rw-r--r-- 1 clamav clamav 325390336 Feb 17 16:03 daily.cld
-rw-r--r-- 1 clamav clamav 117859675 Feb 17 15:57 main.cvd

Before, the contents looked like this:

Code:

blurl.ndb                                    EK_Eleonore.yar       main.cld          Sanesecurity_sigtest.yara
bofhland_cracked_URL.ndb                     EK_Fragus.yar         malwarehash.hsb   Sanesecurity_spam.yara
bofhland_malware_attach.hdb                  EK_Phoenix.yar        mirrors.dat       scam.ndb
bofhland_malware_URL.ndb                     EK_Sakura.yar         phish.ndb         sigwhitelist.ign2
bofhland_phishing_URL.ndb                    EK_ZeroAcces.yar      phishtank.ndb     spamattach.hdb
bytecode.cld                                 EK_Zerox88.yar        porcupine.hsb     spamimg.hdb
clamav-c39165dc62b065dd97926e0cea49d0b4.tmp  EK_Zeus.yar           porcupine.ndb     winnow.attachments.hdb
daily.cld                                    foxhole_filename.cdb  rfxn.hdb          winnow_bad_cw.hdb
EK_Angler.yar                                foxhole_generic.cdb   rfxn.ndb          winnow_extended_malware.hdb
EK_Blackhole.yar                             hackingteam.hsb       rfxn.yara         winnow_malware.hdb
EK_BleedingLife.yar                          junk.ndb              rogue.hdb         winnow_malware_links.ndb
EK_Crimepack.yar                             jurlbl.ndb            sanesecurity.ftm

My guess is that something went wrong during a freshclam run or during the maldet ClamAV signature update ... it wouldn't be the first time that broken rules were loaded via freshclam ....

Debian: Testing
Desktop: KDE Plasma 5
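
The debug output in the first post reports duplicate YARA rule identifiers in several files under /var/lib/clamav. The following is an added example, not part of the thread and not ClamAV or maldet code: a shell function that lists rule names defined more than once across the *.yar / *.yara files of a database directory, so such collisions can be reviewed before clamd loads the directory. The function name `find_dup_yara_rules` and the simplified rule-header matching are assumptions.

```shell
#!/bin/sh
# Added example: report YARA rule identifiers that are defined more than
# once across the *.yar / *.yara files of one signature directory.
# Assumption: a rule header starts its line as "[private|global] rule NAME".

find_dup_yara_rules() {
    dbdir=$1
    [ -d "$dbdir" ] || { echo "not a directory: $dbdir" >&2; return 2; }

    for f in "$dbdir"/*.yar "$dbdir"/*.yara; do
        [ -f "$f" ] || continue          # glob matched nothing
        # Emit "NAME FILE:LINE" for every rule header in this file.
        awk -v base="$(basename "$f")" '
            {
                i = 1
                while ($i == "private" || $i == "global") i++
                if ($i == "rule" && $(i + 1) != "") {
                    name = $(i + 1)
                    # Cut trailing "{", ":" or tags glued to the name.
                    sub(/[^A-Za-z0-9_].*$/, "", name)
                    if (name != "") print name, base ":" FNR
                }
            }' "$f"
    done | LC_ALL=C sort | awk '
        # Collect every location per identifier, print only the repeats.
        { count[$1]++; where[$1] = where[$1] " " $2 }
        END {
            for (n in count)
                if (count[n] > 1) print n ":" where[n]
        }' | LC_ALL=C sort
}

# Usage: sh script.sh /var/lib/clamav
if [ "$#" -gt 0 ]; then
    find_dup_yara_rules "$1"
fi
```

Each output line has the form `identifier: file:line file:line ...`; empty output means no identifier is defined twice in that directory.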
