ClamAV not updating via Freshclam

I'm getting the following in my Freshclam.log each time the server tries to update :-


ClamAV update process started at Thu Jun 14 16:26:39 2012

Using IPv6 aware code

Querying current.cvd.clamav.net

TTL: 880

Software version from DNS: 0.97.5

WARNING: Your ClamAV installation is OUTDATED!

WARNING: Local version: 0.96.5 Recommended version: 0.97.5

DON'T PANIC! Read http://www.clamav.net/support/faq

main.cvd version from DNS: 54

main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)

daily.cvd version from DNS: 15044

Retrieving http://database.clamav.net/daily-14976.cdiff

Ignoring mirror 81.91.100.173 (has connected too many times with an outdated version)

Ignoring mirror 163.1.3.8 (has connected too many times with an outdated version)

Ignoring mirror 193.1.193.64 (has connected too many times with an outdated version)

Ignoring mirror 217.135.32.99 (has connected too many times with an outdated version)

Ignoring mirror 81.91.100.173 (has connected too many times with an outdated version)

Ignoring mirror 163.1.3.8 (has connected too many times with an outdated version)

Ignoring mirror 193.1.193.64 (has connected too many times with an outdated version)

Ignoring mirror 217.135.32.99 (has connected too many times with an outdated version)

WARNING: getpatch: Can't download daily-14976.cdiff from database.clamav.net


Has anyone come across this problem and have any pointers for me please?

Mike

Mac mini, Mac OS X (10.6.8), Mini 2.5 Ghz Core 2 Duo, 4Gb, 2x500Gb

Posted on Jun 14, 2012 9:37 AM


Jun 14, 2012 2:34 PM in response to MagicMikeUK

http://markallan.co.uk/BB/viewforum.php?f=1

MagicMikeUK wrote:


I'm getting the following in my Freshclam.log each time the server tries to update :-


ClamAV update process started at Thu Jun 14 16:26:39 2012

Using IPv6 aware code

Querying current.cvd.clamav.net

TTL: 880

Software version from DNS: 0.97.5

WARNING: Your ClamAV installation is OUTDATED!

WARNING: Local version: 0.96.5 Recommended version: 0.97.5

Ignore this for now. I got a message this morning that clamav.net is in the process of rolling out an updated version of the scan engine, but they won't be finished until later today.


It will then be some period of time before the ClamXav developer gets a chance to integrate the new engine into a new release of his product. You can have ClamXav notify you when it's ready by having it check for updates in the Preferences.

Ignoring mirror 81.91.100.173 (has connected too many times with an outdated version)

Ignoring mirror 163.1.3.8 (has connected too many times with an outdated version)

Ignoring mirror 193.1.193.64 (has connected too many times with an outdated version)

Ignoring mirror 217.135.32.99 (has connected too many times with an outdated version)

Ignoring mirror 81.91.100.173 (has connected too many times with an outdated version)

Ignoring mirror 163.1.3.8 (has connected too many times with an outdated version)

Ignoring mirror 193.1.193.64 (has connected too many times with an outdated version)

Ignoring mirror 217.135.32.99 (has connected too many times with an outdated version)

WARNING: getpatch: Can't download daily-14976.cdiff from database.clamav.net

I don't really understand what this is about. Perhaps related to what I said above, but my guess is those will all go away as the day goes on. I have yet to see any of this in my twice a day updates.


For faster response on these and other questions on ClamXav, visit the ClamXav Forum.

Jun 14, 2012 4:59 PM in response to MagicMikeUK

MagicMikeUK wrote:


But I'm not using ClamXav, it's the standard ClamAV that is installed in Snow Leopard Server from Apple.

Sorry, I should have caught that, along with the fact you are running clamav v0.96.5 which was released 11/30/2010, so everything I said is still true except you'll have to wait on Apple to update it. Based on past history that could be several months which may mean not at all given that SL will probably soon be unsupported.


I just checked and clamav still has not formally announced nor posted the update, but I did find it here.


There are instructions for updating it yourself at Topicdesk.com.


But the real answer is probably to send Apple feedback. Probably at http://www.apple.com/feedback/macosx.html

Jul 6, 2012 10:31 AM in response to janetfrommountainview

janetfrommountainview wrote:


Just go to http://www.clamav.net. Links to the individual parts of the database are listed under Latest Stable Release.


Thanks for the suggestion Janet.


However, on the ClamAV website there are links to main.cvd, but the files in /var/clamav are .cld's.


How does one convert from .cvd to .cld, and what files should be replaced: main & daily & bytecode?


TIA,


Ian

Jul 6, 2012 11:39 AM in response to IanDBaker

IanDBaker wrote:


Thanks for the suggestion Janet.

Sorry, my browser logged me in as my wife.

However, on the ClamAV website there are links to main.cvd, but the files in /var/clamav are .cld's.

.cvd's are the compressed versions and clamav doesn't care which it finds. When the update process works, it will first decompress the .cvd to a .cld and add to it.

what files should be replaced: main & daily & bytecode?

Yes, replace whatever you have.

Jul 6, 2012 12:47 PM in response to MadMacs0

MadMacs0 wrote:


.cvd's are the compressed versions and clamav doesn't care which it finds. When the update process works, it will first decompress the .cvd to a .cld and add to it.

what files should be replaced: main & daily & bytecode?

Yes, replace whatever you have.

Thanks again MadMacs0 ;-}


For future reference, here is what I did.


  • manually downloaded main.cvd, daily.cvd and bytecode.cvd from http://www.clamav.net,
  • moved these files to /var/clamav
  • disabled virus filtering in Server Admin-->Mail-->Settings-->Filters (to end the clamd & freshclam processes)
  • renamed the old files (just in case this didn't work, but probably could have just deleted them)
  • fixed ownership (chown _clamav:_clamav bytecode.cvd main.cvd daily.cvd)
  • fixed permissions (chmod 644 daily.cvd main.cvd bytecode.cvd)
  • removed attributes (there probably is an easier way, but I did the following for each file):

xattr main.cvd

com.apple.metadata:kMDItemWhereFroms

com.apple.quarantine

xattr -d com.apple.metadata:kMDItemWhereFroms main.cvd

xattr -d com.apple.quarantine main.cvd

  • re-enabled virus filtering in Server Admin-->Mail-->Settings-->Filters
  • sent a test message with attachments to ensure that all is working again.


This worked to update the virus database, but I'm not yet sure if this fixed the freshclam auto-updating.
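A check that can be run on a manually downloaded .cvd before it is moved into /var/clamav, as an added example that is not part of the original post. It assumes the standard .cvd layout (a 512-byte colon-separated header followed by the compressed payload); the function names and the sample file are constructed for illustration, and the digital signature field is not verified here.

```python
import hashlib

HEADER_LEN = 512    # a .cvd begins with a 512-byte, space-padded text header
ENGINE_FLEVEL = 58  # functionality level of the 0.96.5 engine in this thread

def parse_cvd_header(blob):
    """Split the colon-separated .cvd header into named fields."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file shorter than a .cvd header")
    f = blob[:HEADER_LEN].decode("ascii", "replace").strip().split(":")
    if len(f) < 8 or f[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV .cvd file")
    # f[6] is the digital signature; it is not verified by this example.
    return {"built": f[1], "version": int(f[2]), "sigs": int(f[3]),
            "flevel": int(f[4]), "md5": f[5], "builder": f[7]}

def check_cvd(blob, engine_flevel=ENGINE_FLEVEL):
    """Header fields plus two checks worth making before installing the file."""
    info = parse_cvd_header(blob)
    # The header MD5 covers everything after the header: catches truncation.
    info["body_intact"] = hashlib.md5(blob[HEADER_LEN:]).hexdigest() == info["md5"]
    # A database built for a newer engine triggers the f-level warning.
    info["engine_too_old"] = info["flevel"] > engine_flevel
    return info

def make_sample_cvd(body=b"constructed stand-in for the compressed payload"):
    """Build a constructed .cvd-shaped blob (fake signature) for the demo."""
    header = ":".join(["ClamAV-VDB", "09 Jul 2012 12-00 -0400", "15120", "228412",
                       "63", hashlib.md5(body).hexdigest(), "FAKESIG", "ccordes",
                       "1341849600"])
    return header.encode("ascii").ljust(HEADER_LEN, b" ") + body

if __name__ == "__main__":
    print(check_cvd(make_sample_cvd()))
```

The MD5 comparison only detects a corrupted or truncated download; authenticity of the file depends on the signature field, which the ClamAV tools check themselves.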

Jul 7, 2012 6:35 AM in response to MadMacs0

MadMacs0 wrote:

If not you are probably having some sort of network issue, so post a session from your freshclam.log and maybe one of us can help figure it out.


I can confirm that freshclam works after manually updating the virus database files.


However, it seems that Apple has not updated the ClamAV engine. I'm getting these errors in the freshclam log


WARNING: Your ClamAV installation is OUTDATED!

WARNING: Current functionality level = 58, recommended = 63


Is there an easy way (i.e. without installing dev tools and compiling myself) to update to current version that will run on 10.6.8 Server?


Thanks in advance,

Jul 8, 2012 9:19 AM in response to MadMacs0

MadMacs0 wrote:

See http://osx.topicdesk.com/content/view/139/41/


I was aware of this link.


I am wondering if it is only the binaries (/usr/sbin/clamd & /usr/bin/freshclam) that need updating, and if so, could these files, having already been compiled on a different machine, simply be updated manually, without needing to install developer tools and compile on every individual server.


TIA


Ian

Jul 8, 2012 12:04 PM in response to IanDBaker

IanDBaker wrote:


I am wondering if it is only the binaries (/usr/sbin/clamd & /usr/bin/freshclam) that need updating, and if so, could these files, having already been compiled on a different machine, simply be updated manually, without needing to install developer tools and compile on every individual server.

In my experience, those are two of the least changed binaries. I believe most of the changes end up being to /usr/lib/ files, but I'm sure there are many dependencies with other /usr/bin/ files, as well.


Obviously the developers of ClamXav, Lion Cache Cleaner, ProtectMac and OTIC ClamAV® came up with an installer package they use to do what you are trying to do, but in most cases they install the engine in a different location from yours. I'm just not up on how one would go about creating such a package after compiling it on a different machine.

Jul 9, 2012 12:35 PM in response to MadMacs0

I was getting these exact same error messages until I ran IanDBaker's fix above. So thank you!


Here was the output of freshclam before I manually downloaded the files:


ClamAV update process started at Mon Jul 9 14:11:55 2012

Using IPv6 aware code

Querying current.cvd.clamav.net

TTL: 217

Software version from DNS: 0.97.4

main.cvd version from DNS: 54

main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)

WARNING: Current functionality level = 58, recommended = 60

Please check if ClamAV tools are linked against the proper version of libclamav

DON'T PANIC! Read http://www.clamav.net/support/faq

daily.cvd version from DNS: 15120

Retrieving http://database.clamav.net/daily-15058.cdiff

Ignoring mirror 194.8.197.22 (has connected too many times with an outdated version)

Ignoring mirror 168.143.19.95 (has connected too many times with an outdated version)

Ignoring mirror 208.72.56.53 (has connected too many times with an outdated version)

Ignoring mirror 65.19.179.67 (has connected too many times with an outdated version)

Ignoring mirror 194.8.197.22 (has connected too many times with an outdated version)

Ignoring mirror 168.143.19.95 (has connected too many times with an outdated version)

Ignoring mirror 208.72.56.53 (has connected too many times with an outdated version)

Ignoring mirror 65.19.179.67 (has connected too many times with an outdated version)

WARNING: getpatch: Can't download daily-15058.cdiff from database.clamav.net

Retrieving http://database.clamav.net/daily-15058.cdiff

Ignoring mirror 168.143.19.95 (has connected too many times with an outdated version)

Ignoring mirror 194.8.197.22 (has connected too many times with an outdated version)

Ignoring mirror 65.19.179.67 (has connected too many times with an outdated version)

Ignoring mirror 208.72.56.53 (has connected too many times with an outdated version)

Ignoring mirror 168.143.19.95 (has connected too many times with an outdated version)

Ignoring mirror 194.8.197.22 (has connected too many times with an outdated version)

Ignoring mirror 65.19.179.67 (has connected too many times with an outdated version)

Ignoring mirror 208.72.56.53 (has connected too many times with an outdated version)

WARNING: getpatch: Can't download daily-15058.cdiff from database.clamav.net

Retrieving http://database.clamav.net/daily-15058.cdiff

Ignoring mirror 194.8.197.22 (has connected too many times with an outdated version)

Ignoring mirror 65.19.179.67 (has connected too many times with an outdated version)

Ignoring mirror 208.72.56.53 (has connected too many times with an outdated version)

Ignoring mirror 168.143.19.95 (has connected too many times with an outdated version)

Ignoring mirror 194.8.197.22 (has connected too many times with an outdated version)

Ignoring mirror 65.19.179.67 (has connected too many times with an outdated version)

Ignoring mirror 208.72.56.53 (has connected too many times with an outdated version)

Ignoring mirror 168.143.19.95 (has connected too many times with an outdated version)

ERROR: getpatch: Can't download daily-15058.cdiff from database.clamav.net

WARNING: Incremental update failed, trying to download daily.cvd

Whitelisting short-term blacklisted mirrors

Retrieving http://database.clamav.net/daily.cvd

Ignoring mirror 65.19.179.67 (has connected too many times with an outdated version)

Ignoring mirror 168.143.19.95 (has connected too many times with an outdated version)

Ignoring mirror 194.8.197.22 (has connected too many times with an outdated version)

Ignoring mirror 208.72.56.53 (has connected too many times with an outdated version)

Ignoring mirror 65.19.179.67 (has connected too many times with an outdated version)

Ignoring mirror 168.143.19.95 (has connected too many times with an outdated version)

Ignoring mirror 194.8.197.22 (has connected too many times with an outdated version)

Ignoring mirror 208.72.56.53 (has connected too many times with an outdated version)

ERROR: Can't download daily.cvd from database.clamav.net

Giving up on database.clamav.net...

Update failed. Your network may be down or none of the mirrors listed in /private/etc/freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.

======


Then, after the fix, I now see this:


Current working dir is /private/var/clamav

freshclam daemon 0.96.5 (OS: darwin10.0, ARCH: x86_64, CPU: x86_64)

Max retries == 3

ClamAV update process started at Mon Jul 9 14:25:55 2012

Using IPv6 aware code

Querying current.cvd.clamav.net

TTL: 900

Software version from DNS: 0.97.4

main.cvd version from DNS: 54

main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)

WARNING: Current functionality level = 58, recommended = 60

Please check if ClamAV tools are linked against the proper version of libclamav

DON'T PANIC! Read http://www.clamav.net/support/faq

daily.cvd version from DNS: 15120

daily.cvd is up to date (version: 15120, sigs: 228412, f-level: 63, builder: ccordes)

WARNING: Current functionality level = 58, recommended = 63

Please check if ClamAV tools are linked against the proper version of libclamav

DON'T PANIC! Read http://www.clamav.net/support/faq

bytecode.cvd version from DNS: 187

bytecode.cvd is up to date (version: 187, sigs: 37, f-level: 63, builder: neo)

WARNING: Current functionality level = 58, recommended = 63

Please check if ClamAV tools are linked against the proper version of libclamav

DON'T PANIC! Read http://www.clamav.net/support/faq

--------------------------------------


I guess I'll have to wait until I'm out of date again to see if the update issue continues to happen.


But thanks again for the fix!
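The two freshclam sessions above differ in one important way: the first fails to refresh the signatures, while the second only warns about the engine's age. The following added example (not part of the original thread) separates those cases; the sample logs are constructed from the lines quoted here with mirror addresses replaced by placeholders, and the verdict labels are this example's own.

```python
import re
from collections import Counter

# Constructed excerpts modelled on this thread's logs (placeholder mirror IPs).
SAMPLE_BEFORE = """\
main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
WARNING: Current functionality level = 58, recommended = 60
Retrieving http://database.clamav.net/daily-15058.cdiff
Ignoring mirror 192.0.2.10 (has connected too many times with an outdated version)
Ignoring mirror 192.0.2.11 (has connected too many times with an outdated version)
Ignoring mirror 192.0.2.10 (has connected too many times with an outdated version)
WARNING: getpatch: Can't download daily-15058.cdiff from database.clamav.net
ERROR: Can't download daily.cvd from database.clamav.net
Update failed. Your network may be down or none of the mirrors is working.
"""
SAMPLE_AFTER = """\
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
WARNING: Current functionality level = 58, recommended = 60
daily.cvd is up to date (version: 15120, sigs: 228412, f-level: 63, builder: ccordes)
WARNING: Current functionality level = 58, recommended = 63
"""
FLEVEL = re.compile(r"Current functionality level = (\d+), recommended = (\d+)")
CURRENT = re.compile(r"^(\w+)\.c[vl]d is up to date \(version: (\d+),")
MIRROR = re.compile(r"^Ignoring mirror (\S+) ")
FAILED = re.compile(r"^(WARNING|ERROR): (?:getpatch: )?Can't download (\S+) from")

def triage(log_text):
    """Split a freshclam session into engine-age warnings and download failures."""
    r = {"engine_flevel": None, "needed_flevel": None, "current": {},
         "ignored_mirrors": Counter(), "failed": set(), "update_failed": False}
    for line in map(str.strip, log_text.splitlines()):
        if m := FLEVEL.search(line):
            r["engine_flevel"] = int(m.group(1))
            r["needed_flevel"] = max(r["needed_flevel"] or 0, int(m.group(2)))
        elif m := CURRENT.match(line):
            r["current"][m.group(1)] = int(m.group(2))
        elif m := MIRROR.match(line):
            r["ignored_mirrors"][m.group(1)] += 1
        elif m := FAILED.match(line):
            r["failed"].add(m.group(2))
        elif line.startswith("Update failed"):
            r["update_failed"] = True
    if r["update_failed"] or r["failed"]:
        r["verdict"] = "signatures-stale"      # databases were not refreshed
    elif r["engine_flevel"] is not None:
        r["verdict"] = "engine-outdated-only"  # databases current, engine old
    else:
        r["verdict"] = "ok"
    return r
```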
