I am having an issue with 0 length bytecode.cvd files on my scanner
instances. This seems to have started sometime on 22 Feb, I'm afraid I
don't have an exact time. The clamav daemon produces logs like the
following:
Feb 27 14:39:11 av-scan-wrhn clamd[163614]: LibClamAV Error: cli_cvdverify: Can't read CVD header
Feb 27 14:39:11 av-scan-wrhn clamd[163614]: LibClamAV Error: Can't load /var/lib/clamav/bytecode.cld: Broken or not a CVD file
Feb 27 14:39:11 av-scan-wrhn clamd[163614]: LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/bytecode.cld
Feb 27 14:39:11 av-scan-wrhn clamd[163614]: Mon Feb 27 14:39:11 2023 -> !Broken or not a CVD file
Feb 27 14:39:11 av-scan-wrhn systemd[1]: clamav-daemon.service: Main process exited, code=exited, status=1/FAILURE
Feb 27 14:39:11 av-scan-wrhn systemd[1]: clamav-daemon.service: Failed with result 'exit-code'.
Feb 27 14:39:11 av-scan-wrhn systemd[1]: clamav-daemon.service: Consumed 8.679s CPU time.
I feel like I have narrowed the problem down to a 0 length 'bytecode.cvd'
file. Here is a listing of the definitions directory:
$ ls -l /var/lib/clamav
total 226168
-rw-r--r-- 1 clamav clamav 314802 Feb 27 14:06 bytecode.cld
-rw-r--r-- 1 clamav clamav 0 Feb 27 02:00 bytecode.cvd
-rw-r--r-- 1 clamav clamav 60787973 Feb 27 10:01 daily.cld
-rw-r--r-- 1 clamav clamav 69 Feb 23 15:33 freshclam.dat
-rw-r--r-- 1 clamav clamav 170479789 Feb 27 02:00 main.cvd
My initial fix (before narrowing the problem down to bytecode.cvd) was to
1. stop freshclam
2. clean this directory
3. restart freshclam
4. give it time to get the definitions (from a private mirror)
5. start clamav daemon
This would work for maybe 1/2 day then the empty bytecode.cvd file would
reappear and the daemon would fail.
This morning I was able to spend some more time and find that it was just
the one file that needed to be removed.
I have a local mirror because there are several instances of this scanner
in use (at least 2 instances for several environments). I have checked the
mirror and it appears to be working fine and keeping the definitions up to
date inside our environment. In addition, the scanner instances appear to
be keeping the local set of definitions up to date with the mirror.
The mirror does not have a bytecode.cvd file on it (here is a listing of
its definitions directory)
$ ls -l /var/lib/clamav
total 226172
-rw-r--r-- 1 clamav clamav 314802 Feb 22 22:02 bytecode.cld
-rw-r--r-- 1 clamav clamav 60787973 Feb 27 09:06 daily.cld
-rw-r--r-- 1 clamav clamav 69 Jan 29 2022 freshclam.dat
-rw-r--r-- 1 clamav clamav 170479789 Jan 29 2022 main.cvd
-rw-r--r-- 1 clamav clamav 87 Jan 29 2022 test.html
To the best of my knowledge, the software is up to date:
$ sudo freshclam -V
ClamAV 0.103.8/26825/Mon Feb 27 08:24:38 2023
Here is the freshclam.conf used on all the local scanner instances:
$ cat /etc/clamav/freshclam.conf
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
PrivateMirror http://10.50.0.2
ScriptedUpdates no
PrivateMirror http://10.50.0.2
The scanner has been working fine for about 12 months, keeping the software
and the definitions up to date. The only configuration item that seems to
relate is "Bytecode true", but the description seems to discuss just the
downloading of the file, not whether it is created on the local instance.
Does anyone have any pointers?
Thanks
Kevin
--
*Kevin O'Connor*
Principal DevOps Engineer
M: 617-834-1291
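
An added example, not part of the original message and not ClamAV's own code: a pre-flight check for the failure described above, meant to run before clamd is started. It assumes every .cvd/.cld file begins with a 512-byte header whose first field is the literal "ClamAV-VDB:"; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check of a ClamAV database directory (added example).
# Assumption: each .cvd/.cld starts with a 512-byte "ClamAV-VDB:" header.

# Print "ok", "empty", "short" or "bad-magic" for one database file.
db_status() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -eq 0 ]; then echo empty; return; fi
    if [ "$size" -lt 512 ]; then echo short; return; fi
    magic=$(head -c 11 "$1")
    if [ "$magic" = "ClamAV-VDB:" ]; then echo ok; else echo bad-magic; fi
}

# Print one line per problem in directory $1; return 1 if any was found.
check_db_dir() {
    rc=0
    for f in "$1"/*.cvd "$1"/*.cld; do
        [ -e "$f" ] || continue
        st=$(db_status "$f")
        if [ "$st" != ok ]; then
            echo "$st $(basename "$f")"
            rc=1
        fi
        # Flag the pairing seen in the report: a .cvd beside a .cld
        # of the same database name.
        case "$f" in
            *.cvd) [ -e "${f%.cvd}.cld" ] &&
                   echo "duplicate $(basename "${f%.cvd}")" && rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample mirroring the scanner's listing (sizes shrunk).
make_sample_dir() {
    d=$(mktemp -d)
    for n in bytecode.cld daily.cld main.cvd; do
        { printf 'ClamAV-VDB:constructed'; head -c 600 /dev/zero; } > "$d/$n"
    done
    : > "$d/bytecode.cvd"    # the zero-length file from the report
    echo "$d"
}

check_db_dir "$(make_sample_dir)" || echo "database directory needs attention"
```

Run against the real DatabaseDirectory (for example from an ExecStartPre= line in a systemd drop-in for clamav-daemon.service), a non-zero return keeps the daemon from starting on a directory it would reject anyway and names the offending file.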