Mailing List Archive

Running round in circles here.
Hi - been using ClamAV to help secure a few Moodle systems and this has been working fine for years. It seems this year to have been causing a problem. I frequently get this:

ClamAV has failed to run. The return error message was " An error occured".
Here is the output from ClamAV:

ERROR: Could not lookup : Servname not supported for ai_socktype

I have been all over the internet looking this up, following dead ends and poor advice. I just cannot prevent it from happening no matter what I do, and frankly, I’m at a loss. I’ve uninstalled, re-installed, updated, set up users, removed users, checked permissions and many other suggestions from different user groups. There seems to be a lot of posts with the same vague error message and none of the suggested solutions has worked.

I’m running Ubuntu 16.04 with latest ClamAV. We use Freshclam for updating and clamd for running as a service. We simply need it to catch the likely problems when users upload files to our Moodle systems.

I cannot seem to fix the issue, and really need some sane advice from users with far more experience than me.

What causes this error, and how do I fix it?

Thanks

Hal

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: Running round in circles here.
Hi there,

On Mon, 9 Sep 2019, Hal MacLean via clamav-users wrote:

> ... been using ClamAV to help secure a few Moodle systems and this
> has been working fine for years. It seems this year to have been
> causing a problem.

Whatever the reason, it's fixable. There have been a few issues long
past, but in my experience ClamAV is now extremely reliable.

This sort of thing can sometimes happen when 'upstream' versions make
big changes, and distribution 'packages' aren't updated as carefully
as they might have been - either by the maintainer or the user - or
some dependency hasn't caught up because of some specific issue in the
particular system. For example some needed upgrade of a library might
be 'held back' for whatever reason. Or it might just be the result of
meddling, often itself a result of bad advice. :(

I'm going to assume that (as you're running Moodle, Web servers and
database servers) the computers have adequate specifications - in
particular the RAM - but more information about that would be useful.

> I frequently get this:
>
> ClamAV has failed to run. The return error message was " An error occured".

The exact message in your double-quotes does not appear anywhere in
the latest ClamAV sources, except in a comment within a longer string.
So either that isn't the exact message - and getting the exact message
can often be an issue, so please confirm; or it came from something
which is not built from the latest sources; or from something else.
They're often issues too and we might need to investigate later on.

> Here is the output from ClamAV:
>
> ERROR: Could not lookup : Servname not supported for ai_socktype

Please be more specific. "ClamAV" isn't a binary which runs. By
inspection of the latest sources, the only binary which could have
produced this message is clamdscan. Please give the exact command
or at least more detail about how and when this message is produced.

> I have been all over the internet looking this up ...

You should have come straight here!

> following dead ends and poor advice ...

That's today's Internet I'm afraid.

> I've uninstalled, re-installed, updated ...

Please be more specific about the uninstall/re-install. At

https://packages.ubuntu.com/xenial/clamav

I see several packages. If you're using the Ubuntu packages, did you
take care to uninstall and re-install all of them? If not, you might
have mixed versions of the different packages which will in some cases
cause problems. Did you 'purge' the packages after uninstalling them?
Are you using binary packages or the less usual 'source packages'?

> I'm running Ubuntu 16.04 with latest ClamAV.

Please be more specific about the version of ClamAV. Do you mean the
latest ClamAV or the latest version which is packaged for your version
of Ubuntu? From a cursory search the latest package seems out of date
but that's often the way with packages. If ClamAV is from packages,
(note the plural) please give the exact package versions, for example

clamav (0.100.3+dfsg-0ubuntu0.16.04.1)
libclamav7 (0.100.3+dfsg-0ubuntu0.16.04.1)
clamav-freshclam (0.100.3+dfsg-0ubuntu0.16.04.1)

otherwise please give the source version such as

0.101.4

which, at the time of writing, really *is* the latest version. :)

> We use Freshclam for updating and clamd for running as a service. We
> simply need it to catch the likely problems when users upload files
> to our Moodle systems.

Then I'm guessing that you need on-access scanning, please confirm?

> ... need some sane advice from users with far more experience ...

You've finally arrived at the right place. :)

> What causes this error, and how do I fix it?

We'll get there. Others might have seen this and know already, but I
don't know yet. Consider this an initial request for further details,
plus something to try until we get more eyes on when e.g. people in the
USA start their day. In addition to the information already requested
(please read *all* carefully, and answer all the questions and confirm
where requested), you haven't said if anything actually works as you
think it should. Can you for example scan a file using "clamscan"
(not "clamdscan")? What happens if you do that? Copy/paste command
and output please. Does 'freshclam' seem to be doing what it should?
How do you know? Are you keeping logs? Do you look at them? Have
you tried 'verbose' settings/options?

Next I suggest you try running the clamd binary that's installed at
the moment with a configuration file which I'll supply below as a test
of the clamd binary and its interaction with the rest of your system.
I'd like to see it run from the command line, without 'help' from some
abomination like systemd. You will need another gigabyte of RAM or so
to run this daemon, will that be an issue?

8<----------------------------------------------------------------------
LogFile /tmp/clamd_tcp1.log
LogFileMaxSize 0
LogTime yes
LogClean yes
LogVerbose yes
PidFile /tmp/clamd_tcp1.pid
TemporaryDirectory /tmp
# Please edit the path to your database directory below
DatabaseDirectory /etc/mail/clamav
TCPSocket 3313
TCPAddr 127.0.0.1
StreamMaxLength 50M
SelfCheck 9993
# Please edit the user below if necessary.
User clamav
ExitOnOOM yes
Debug yes
LeaveTemporaryFiles yes
8<----------------------------------------------------------------------

Save the above text (excluding the 8<---- 'cut' markers) to the file

/tmp/clamd_tcp1.conf

then in a root shell (sometimes called a 'terminal') start a clamd
instance using the command:

/path/to/clamd --config-file=/tmp/clamd_tcp1.conf

Obviously replace "/path/to" with the proper path. If you don't know
the path use:

which clamd

at a shell prompt to find it.

Next make sure you have the 'telnet' utility, install it if not, and
then in a shell (it doesn't need to be a root shell) give the command

telnet localhost 3311

which should produce something like this output:

Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

and you will see no prompt from the shell. Quickly type

PING

and hit return.

You should see

PONG
Connection closed by foreign host.

followed by the shell prompt.

Then kill the daemon you just started. Its PID is in a file in /tmp,
and to kill it use whatever utility you would normally use or in a
root shell type:

kill xxxxx

where xxxxx is the PID from the PID file. No sense leaving a daemon
lying around doing nothing and begging for surprises.

If you can get that far things should be generally pretty good and we
probably just need to tweak the configuration. If not we likely have
more work to do.

Please note that my List address only accepts mail from the List server.

Please also note that this is a mailing list so I'm beating the horse
to death for a reason - others might come along to read it later, and
I have no way to know what experience they may have.

--

73,
Ged.

Re: Running round in circles here.
Hello again,

On Mon, 9 Sep 2019, G.W. Haywood via clamav-users wrote:

> telnet localhost 3311

That should of course have been

telnet localhost 3313

to connect to the port given in the configuration.

--

73,
Ged.

Re: Running round in circles here.
It looks like that error message comes from
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.102/clamdscan/proto.c#L112,
and is generated when a call to getaddrinfo (a C standard library function)
fails. The values passed to this call are directly based on what's in the
clamd config file, so as Ged Haywood suggested, it'd be helpful to see what
your config looks like so that we can diagnose further. Specifically, this
code deals with the LocalSocket, TCPSocket, and TCPAddr configuration
options.

-Andrew

On Mon, Sep 9, 2019 at 7:31 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hello again,
>
> On Mon, 9 Sep 2019, G.W. Haywood via clamav-users wrote:
>
> > telnet localhost 3311
>
> That should of course have been
>
> telnet localhost 3313
>
> to connect to the port given in the configuration.
>
> --
>
> 73,
> Ged.
>
>
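
Added example, not part of the original messages and not ClamAV's own code: a Python sketch of the two checks discussed in this thread, namely passing the TCPAddr/TCPSocket values from a clamd config to getaddrinfo, and the PING/PONG test otherwise done by hand with telnet. The function names are hypothetical, and the sketch makes no attempt to reproduce how clamdscan chooses between LocalSocket and the TCP options.

```python
import socket

SOCKET_KEYS = ("LocalSocket", "TCPSocket", "TCPAddr")

def socket_options(conf_text):
    """Collect the socket-related options from clamd.conf text."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in SOCKET_KEYS:  # '#...' never matches
            found[parts[0]] = parts[1].strip()
    return found

def resolve_tcp(opts):
    """Pass TCPAddr/TCPSocket to getaddrinfo; return ([(family, addr)], error)."""
    port = opts.get("TCPSocket")
    if port is None:
        return [], None                      # no TCP listener configured
    host = opts.get("TCPAddr")
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [], f"getaddrinfo({host!r}, {port!r}) failed: {exc.strerror}"
    return [(i[0], i[4]) for i in infos], None

def ping(sock):
    """Send PING on a connected socket and return the reply, as in the telnet test."""
    sock.sendall(b"PING\n")
    return sock.recv(64).decode(errors="replace").strip()

def probe(conf_text, timeout=5.0):
    """PING each socket the config names; return {target: reply or error text}."""
    opts = socket_options(conf_text)
    targets, error = resolve_tcp(opts)
    results = {"TCP": error} if error else {}
    if "LocalSocket" in opts:
        targets.append((socket.AF_UNIX, opts["LocalSocket"]))
    for family, addr in targets:
        try:
            with socket.socket(family, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect(addr)
                results[str(addr)] = ping(s)
        except OSError as exc:
            results[str(addr)] = f"error: {exc}"
    return results

# Constructed input: the socket lines of the test configuration in the thread.
TEST_CONF = "TCPSocket 3313\nTCPAddr 127.0.0.1\n"

if __name__ == "__main__":
    print(probe(TEST_CONF))   # run this while the test clamd instance is up
```

A resolver error reported under the "TCP" key points at the configuration values themselves; an "error:" entry for a socket path or address means the values resolved but nothing answered there.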
Re: Running round in circles here.
Wow!

Thank you so much for this - it’s going to take a while for me to collate the info, but I will do my best and get back to you as soon as I can. Thank you for your time, patience and sheer good will in taking this on. I am humbled!

Hal

--

> On 9 Sep 2019, at 19:23, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi there,
>


Re: Running round in circles here.
Andrew - thank you for this pointer - I’ve pasted the conf. below.

One possible answer that has been given is to check the actual server name. I have a sneaky suspicion that it has been changed after ClamAV was installed, which certainly won’t help. Trouble is, I do not know what it was previously to be able to return it to its earlier name.

Here’s the conf. As far as I know it’s never been edited from the default install:

#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
DetectBrokenExecutables false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
ScanOnAccess false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000


> On 9 Sep 2019, at 22:55, Andrew Williams <awillia2@sourcefire.com> wrote:
>
> It looks like that error message comes from https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.102/clamdscan/proto.c#L112, and is generated when a call to getaddrinfo (a C standard library function) fails. The values passed to this call are directly based on what's in the clamd config file, so as Ged Haywood suggested, it'd be helpful to see what your config looks like so that we can diagnose further. Specifically, this code deals with the LocalSocket, TCPSocket, and TCPAddr configuration options.
>
> -Andrew
>

