Dansguardian not working anymore

Today I'm not able to go to any webpage. My system is UCS 4.1-4 with UCS Proxy.

The reason: Dansguardian cannot start anymore:

root@ucs003090:/var/lib/clamav# /etc/init.d/dansguardian restart
[....] Restarting DansGuardian: dansguardianLibClamAV Error: cli_ac_addsig: Signature for Win.Worm.Fadok-6328944-0 is too short
LibClamAV Error: cli_parse_add(): Problem adding signature (3).
LibClamAV Error: Problem parsing database at line 2793
LibClamAV Error: Can't load daily.ldb: Malformed database
LibClamAV Error: cli_tgzload: Can't load daily.ldb
LibClamAV Error: Can't load /var/lib/clamav/daily.cvd: Malformed database
Error loading clamav db: Malformed database
Content scanner plugin init returned error value: -1
Error loading CS plugins
Error parsing the dansguardian.conf file or other DansGuardian configuration files
 failed!

I deleted the daily.cld and restarted clamav

cd /var/lib/clamav
mv daily.cld daily.cld.bak
/etc/init.d/dansguardian restart

But the error came up again. Which part of this proxy system is the reason? Squid - clamav - dansguardian?

Hi!

The problem is ClamAV, the virus scanner. ClamAV is not able to load its databases. Those contain the malware signatures. I would try the following steps:

  1. Stop the freshclam daemon if running:
    /etc/init.d/clamav-freshclam stop
  2. Delete/Move the old database just like you did before:
    mv daily.cld daily.cld.bak
  3. Start the signature update manually:
    freshclam
  4. If this succeeded, start clamav-freshclam and dansguardian again

If you are pressed for time and accessing the internet is more important than scanning for malware, you can also (temporarily) disable ClamAV for DansGuardian/Squid:

ucr set squid/virusscan=no

Sorry - but I have done your steps and it does not work 100%

This morning I have the same problem again (before that I deleted all files under /var/lib/clamav and did a freshclam):

Restarting DansGuardian: dansguardianLibClamAV Error: cli_ac_addsig: Signature for Win.Worm.Fadok-6328944-0 is too short

Could it be that some parts should be updated to a newer version? Squid is 3.1.20 - ClamAV is 0.99.2 - DansGuardian 2.10.1.1

My UCS is 4.1-4 Errata 429

So it worked yesterday but is broken again today?
The daemon clamav-freshclam should do an update of the signatures at least once a day. Maybe something goes wrong there, resulting in an incomplete database. The daemon logs to /var/log/clamav/freshclam.log. Can you have a look at this log file? I vaguely remember a similar case where the 24 hour DSL re-connect reliably interrupted the download process.

The update-process is working fine:

ClamAV update process started at Fri Jun 16 09:59:25 2017
nonblock_connect: connect timing out (30 secs)
Can't connect to port 80 of host db.local.clamav.net (IP: 213.174.32.130)
Trying host db.local.clamav.net (193.27.49.165)...
Downloading main.cvd [100%]
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily.cvd [100%]
daily.cvd updated (version: 23478, sigs: 1736837, f-level: 63, builder: neo)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 303, sigs: 59, f-level: 63, builder: anvilleg)
Database updated (6303145 signatures) from db.local.clamav.net (IP: 193.27.49.165)
Clamd successfully notified about the update.

Yes, yesterday it worked for a short time. But yesterday I only removed/updated the daily - today I updated all and the error came up immediately

You can try to rebuild the freshclam database:

# invoke-rc.d clamav-freshclam stop
# ucr set clamav/database/mirror=database.clamav.net
# rm -Rf /var/lib/clamav/*
# freshclam -v
# invoke-rc.d clamav-freshclam start

Can you tell us if this worked?

Sorry - no success.

root@ucs003090:/var/lib/clamav# ucr set clamav/database/mirror=database.clamav.net
Setting clamav/database/mirror
File: /etc/clamav/freshclam.conf
Module: kopano-cfg
root@ucs003090:/var/lib/clamav# rm -Rf /var/lib/clamav/*
root@ucs003090:/var/lib/clamav# freshclam -v
Current working dir is /var/lib/clamav
Max retries == 5
ClamAV update process started at Fri Jun 16 12:04:44 2017
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1517
Software version from DNS: 0.99.2
Retrieving http://database.clamav.net/main.cvd
nonblock_connect: connect timing out (30 secs)
Can't connect to port 80 of host database.clamav.net (IP: 213.174.32.130)
Ignoring mirror 213.174.32.130 (due to previous errors)
Trying host database.clamav.net (195.30.97.3)...
Trying to download http://database.clamav.net/main.cvd (IP: 195.30.97.3)
Downloading main.cvd [100%]
Loading signatures from main.cvd
Properly loaded 4566249 signatures from new main.cvd
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Querying main.58.82.1.0.C31E6103.ping.clamav.net
Retrieving http://database.clamav.net/daily.cvd
Trying to download http://database.clamav.net/daily.cvd (IP: 195.30.97.3)
Downloading daily.cvd [100%]
Loading signatures from daily.cvd
Properly loaded 1736839 signatures from new daily.cvd
daily.cvd updated (version: 23478, sigs: 1736837, f-level: 63, builder: neo)
Querying daily.23478.82.1.0.C31E6103.ping.clamav.net
Retrieving http://database.clamav.net/bytecode.cvd
Trying to download http://database.clamav.net/bytecode.cvd (IP: 195.30.97.3)
Downloading bytecode.cvd [100%]
Loading signatures from bytecode.cvd
Properly loaded 59 signatures from new bytecode.cvd
bytecode.cvd updated (version: 303, sigs: 59, f-level: 63, builder: anvilleg)
Querying bytecode.303.82.1.0.C31E6103.ping.clamav.net
Database updated (6303145 signatures) from database.clamav.net (IP: 195.30.97.3)
Clamd successfully notified about the update.

root@ucs003090:/var/lib/clamav# dansguardian restart
LibClamAV Error: cli_ac_addsig: Signature for Win.Worm.Fadok-6328944-0 is too short
LibClamAV Error: cli_parse_add(): Problem adding signature (3).
LibClamAV Error: Problem parsing database at line 2793
LibClamAV Error: Can't load daily.ldb: Malformed database
LibClamAV Error: cli_tgzload: Can't load daily.ldb
LibClamAV Error: Can't load /var/lib/clamav/daily.cvd: Malformed database
Error loading clamav db: Malformed database
Content scanner plugin init returned error value: -1
Error loading CS plugins
Error parsing the dansguardian.conf file or other DansGuardian configuration files

So, you are not alone anymore. Here is someone with the same problem:

The thing that makes me wonder: There were no UCS 4.1 Updates in the relevant timeframe. Did ClamAV change something?

FYI: happens also at a complete new install of “univention-dansguardian”

Okay - the problem currently happens in 4.1-x, in 4.2 the problem is “solved”.
Background: https://forge.univention.org/bugzilla/show_bug.cgi?id=44807
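
Added example, not part of the thread and not UCS or ClamAV code: a shell triage helper for the two kinds of log quoted above. It pulls the rejected signature and line number out of the LibClamAV output and checks whether freshclam reported loading the same container; the function names and result labels are made up here, and reading "freshclam loaded it" as "re-downloading will not help" is a heuristic assumption drawn from what this thread shows.

```shell
# Added example, not from the thread; sample logs are constructed from the lines quoted above.
loader_log() { cat <<'EOF'
[....] Restarting DansGuardian: dansguardianLibClamAV Error: cli_ac_addsig: Signature for Win.Worm.Fadok-6328944-0 is too short
LibClamAV Error: Problem parsing database at line 2793
LibClamAV Error: Can't load daily.ldb: Malformed database
LibClamAV Error: Can't load /var/lib/clamav/daily.cvd: Malformed database
EOF
}

freshclam_log() { cat <<'EOF'
Loading signatures from daily.cvd
Properly loaded 1736839 signatures from new daily.cvd
EOF
}

# Name of the signature the loader rejected (first match only).
rejected_signature() {
    sed -n 's/.*Signature for \(.*\) is too short.*/\1/p' | head -n 1
}

# Line number inside the database member where parsing stopped.
rejected_line() {
    sed -n 's/.*Problem parsing database at line \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Basename of the container file (reported with an absolute path) that failed.
failed_container() {
    sed -n "s/.*Can't load \(\/[^:]*\): Malformed database.*/\1/p" | head -n 1 | sed 's:.*/::'
}

# $1 = file with the loader's output, $2 = file with freshclam's log.
# Heuristic (assumption): if freshclam loaded the same container cleanly, the
# download is intact and the failing loader is what rejects the signature, so
# fetching the file again will not change the result.
triage() {
    db=$(failed_container < "$1")
    [ -n "$db" ] || { echo "no-failure"; return 0; }
    if grep -q "Properly loaded [0-9]* signatures from new $db" "$2"; then
        echo "loader-rejects-signature"
    else
        echo "download-suspect"
    fi
}

# Demo on the constructed samples.
t=$(mktemp -d); loader_log > "$t/loader"; freshclam_log > "$t/fresh"
echo "$(rejected_signature < "$t/loader") line $(rejected_line < "$t/loader"): $(triage "$t/loader" "$t/fresh")"
rm -rf "$t"
```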
