Mailing List Archive

[clamav-users] ERROR: Malformed database -> Closing the main socket.
I have yet to get past this one. I've done multiple builds to no avail. I have run in circles so much at this point that I have no idea where to start or where to go. Anyone have the magic cure?? Thanks!!!

Linux ip-xxx-xx-xx-xxx 4.9.0-11-amd64 #1 SMP Debian 4.9.189-3+deb9u1 (2019-09-20) x86_64 GNU/Linux
ClamAV 0.101.4/25635/Sat Nov 16 03:52:32 2019

tail freshclam.log
Sat Nov 16 05:10:17 2019 -> Received signal: wake up
Sat Nov 16 05:10:17 2019 -> ClamAV update process started at Sat Nov 16 05:10:17 2019
Sat Nov 16 05:10:17 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Sat Nov 16 05:10:18 2019 -> Downloading daily-25635.cdiff [100%]
Sat Nov 16 05:10:46 2019 -> daily.cld updated (version: 25635, sigs: 1993543, f-level: 63, builder: raynman)
Can't query daily.25635.105.1.0.6810DB54.ping.clamav.net
Sat Nov 16 05:10:51 2019 -> bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Sat Nov 16 05:10:55 2019 -> Database updated (6559886 signatures) from db.local.clamav.net (IP: 104.16.219.84)
Sat Nov 16 05:10:55 2019 -> WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl: No such file or directory
Sat Nov 16 05:10:55 2019 -> --------------------------------------

Totally expecting the Clamd NOT notified as clamd continues to die

sudo systemctl restart clamav-daemon.service
tail clamav.log
Sat Nov 16 05:34:38 2019 -> +++ Started at Sat Nov 16 05:34:38 2019
Sat Nov 16 05:34:38 2019 -> Received 0 file descriptor(s) from systemd.
Sat Nov 16 05:34:38 2019 -> clamd daemon 0.101.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Sat Nov 16 05:34:38 2019 -> Log file size limited to 1048576 bytes.
Sat Nov 16 05:34:38 2019 -> Reading databases from /var/lib/clamav
Sat Nov 16 05:34:38 2019 -> Not loading PUA signatures.
Sat Nov 16 05:34:38 2019 -> Bytecode: Security mode set to "TrustSigned".
Sat Nov 16 05:35:15 2019 -> ERROR: Malformed database
Sat Nov 16 05:35:15 2019 -> Closing the main socket.
Re: [clamav-users] ERROR: Malformed database -> Closing the main socket.
Hi there,

On Sat, 16 Nov 2019, Jim Ward via clamav-users wrote:

> I have yet to get past this one. I've done multiple builds to no
> avail. I have run in circles so much at this point that I have no
> idea where to start or where to go. Anyone have the magic cure??

I don't do magic, but I can take a shot at logic. :)

You say you've done multiple builds, but you're running Debian. That
sounds like a recipe for confusion if you're not _very_ familiar with
things like the Filesystem Hierarchy Standard, or, to put it another
way, if not very familiar with the ways Debian screws everything up. :/

When you build from the 'upstream' sources, quite likely everything is
done differently from the way Debian does it. In the case of ClamAV,
it's not just different locations for lots of files; Debian packages
the single ClamAV package from Sourcefire into several, so you install
separate packages for the scanner, the updater and the daemon. Theory
I guess says that you might not necessarily want all of them so you're
given a choice. Practice seems to say it all gets confusing. If you
install from Debian packages, then install from the upstream sources
without cleaning up very thoroughly first, not only can you get very
confused but things might not work - and they might not work in some
non-obvious ways, especially if the versions were different.

So the first question: Have you at any stage installed ClamAV from a
Debian (or other) package, have you subsequently built from source,
and if you did those things did you make absolutely sure that all the
Debianated stuff was removed (purged) before building from source?

Second: If you're comfortable with all the above, do you know exactly
where all your ClamAV configuration files and databases are? Do you
know what is responsible for updating the databases, do you know that
nothing else is doing anything to them, and are you sure that they're
being updated how and when you think they're being updated? If yes,
please can you show us full directory listings of them including
timestamps and file sizes? It might also be useful to see md5sums for
each file.

Third: Check back in the mailing archives of this list for this post:

Date: Mon, 26 Aug 2019 16:38:16 +0100 (BST)
From: G.W. Haywood via clamav-users <clamav-users@lists.clamav.net>
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] Disable official database

Try starting clamd with no databases. Check if it's running OK, by
connecting to its socket from the command line with a tool like telnet
and sending the 'PING' command. Does it reply 'PONG'? Please report
back here with the results. In addition to telling us something, this
will likely be useful exercise.

Finally, for now: What exactly are you doing with ClamAV on Debian?

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] ERROR: Malformed database -> Closing the main socket.
Thank you for the reply. Let me clarify. Build is definitely the wrong term. I am ultimately building out a Mailman system using Amavis and Postfix all on an Amazon EC2 Instance. I started out grabbing the Mailman3 package from the amazon community which loaded with Postfix and I'm not sure what OS. Upon installing ClamAV attempt I received my now infamous ERROR: Malformed database. I will mention that I also installed SpamAssassin. As I have familiarity with Debian for a number of years, but consider myself novice at best, probably closer to newb, I decided to abort the Mailman EC2 package effort and create an EC2 Instance using Debian Stretch as the Debian Buster packages came with a monetary cost. Targeting Mailman3 as the final goal I upgraded the distribution to Debian Buster but based on some of the package upgrade messages I aborted that effort. So to present moment, I have decided to target Mailman2 on Debian Stretch with Postfix and Amavis. I have not done, nor do I intend to do, any builds from source. My 'builds', as poorly stated, have all been simply EC2 machines with OS and package loads. I'm trying to keep it as simple as possible. All package loads have been done via apt-get.

freshclam is running to update the databases, if I'm even in the ballpark on that suspicion. Nothing that I know of is updating the databases but ...

:/var/lib/clamav$ ls -ltr
total 548360
-rw-r--r-- 1 clamav clamav 117892267 Nov 10 10:27 main.cvd.old
-rw-r--r-- 1 clamav clamav    296388 Nov 10 10:28 bytecode.cvd.old
-rw-r--r-- 1 clamav clamav 162196992 Nov 13 04:30 daily.cld.old
-rw-r--r-- 1 clamav clamav 117892267 Nov 13 05:07 main.cvd
-rw-r--r-- 1 clamav clamav    296388 Nov 13 05:08 bytecode.cvd
-rw-r--r-- 1 clamav clamav 162930688 Nov 16 05:10 daily.cld
-rw------- 1 clamav clamav       256 Nov 16 09:10 mirrors.dat

/var/log/clamav/freshclam.log
Sat Nov 16 05:10:17 2019 -> Received signal: wake up
Sat Nov 16 05:10:17 2019 -> ClamAV update process started at Sat Nov 16 05:10:17 2019
Sat Nov 16 05:10:17 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Sat Nov 16 05:10:18 2019 -> Downloading daily-25635.cdiff [100%]
Sat Nov 16 05:10:46 2019 -> daily.cld updated (version: 25635, sigs: 1993543, f-level: 63, builder: raynman)
Can't query daily.25635.105.1.0.6810DB54.ping.clamav.net
Sat Nov 16 05:10:51 2019 -> bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Sat Nov 16 05:10:55 2019 -> Database updated (6559886 signatures) from db.local.clamav.net (IP: 104.16.219.84)
Sat Nov 16 05:10:55 2019 -> WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl: No such file or directory
Sat Nov 16 05:10:55 2019 -> --------------------------------------
Sat Nov 16 06:10:55 2019 -> Received signal: wake up
Sat Nov 16 06:10:55 2019 -> ClamAV update process started at Sat Nov 16 06:10:55 2019
Sat Nov 16 06:10:55 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Sat Nov 16 06:10:55 2019 -> daily.cld is up to date (version: 25635, sigs: 1993543, f-level: 63, builder: raynman)
Sat Nov 16 06:10:55 2019 -> bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Sat Nov 16 06:10:55 2019 -> --------------------------------------
Sat Nov 16 07:10:55 2019 -> Received signal: wake up
Sat Nov 16 07:10:55 2019 -> ClamAV update process started at Sat Nov 16 07:10:55 2019
Sat Nov 16 07:10:55 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Sat Nov 16 07:10:55 2019 -> daily.cld is up to date (version: 25635, sigs: 1993543, f-level: 63, builder: raynman)
Sat Nov 16 07:10:55 2019 -> bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Sat Nov 16 07:10:55 2019 -> --------------------------------------
Sat Nov 16 08:10:55 2019 -> Received signal: wake up
Sat Nov 16 08:10:55 2019 -> ClamAV update process started at Sat Nov 16 08:10:55 2019
Sat Nov 16 08:10:55 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Sat Nov 16 08:10:55 2019 -> daily.cld is up to date (version: 25635, sigs: 1993543, f-level: 63, builder: raynman)
Sat Nov 16 08:10:55 2019 -> bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Sat Nov 16 08:10:55 2019 -> --------------------------------------
Sat Nov 16 09:10:55 2019 -> Received signal: wake up
Sat Nov 16 09:10:55 2019 -> ClamAV update process started at Sat Nov 16 09:10:55 2019
Sat Nov 16 09:10:55 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Sat Nov 16 09:10:55 2019 -> daily.cld is up to date (version: 25635, sigs: 1993543, f-level: 63, builder: raynman)
Sat Nov 16 09:10:55 2019 -> bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Sat Nov 16 09:10:55 2019 -> --------------------------------------


Sorry to mislead on the 'build' statement. Hopefully the history above and the directory list will add some value. I've got to run for now but will check back later today.

Thanks again!!
jw

Re: [clamav-users] ERROR: Malformed database -> Closing the main socket.
I poked around based on the 'Disable Official Database' thread previously mentioned. Clam wanted nothing to do with either missing or zero length main and daily files.

However digging in to syslogs, I found this interesting tidbit of information:

Nov 17 09:10:20 mkdir[4491]: /bin/mkdir: cannot create directory ‘/run/clamav’: File exists
Nov 17 09:10:57 clamd[4496]: LibClamAV Error: mpool_malloc(): Can't allocate memory (262144 bytes).
Nov 17 09:10:58 clamd[4496]: LibClamAV Error: hm_addhash_bin: failed to grow virusname array to 4097 entries
Nov 17 09:10:59 clamd[4496]: LibClamAV Error: cli_loadhash: Malformed hash string at line 2737562
Nov 17 09:11:01 clamd[4496]: LibClamAV Error: cli_loadhash: Problem parsing database at line 2737562
Nov 17 09:11:01 clamd[4496]: LibClamAV Error: Can't load main.mdb: Can't allocate memory
Nov 17 09:11:01 clamd[4496]: LibClamAV Error: cli_tgzload: Can't load main.mdb
Nov 17 09:11:01 clamd[4496]: LibClamAV Error: Can't load /var/lib/clamav/main.cvd: Malformed database
Nov 17 09:11:01 clamd[4496]: LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/main.cvd
Nov 17 09:11:01 clamd[4496]: Sun Nov 17 09:10:57 2019 -> !Malformed database
Nov 17 09:11:01 clamd[4496]: Sun Nov 17 09:10:57 2019 -> *Closing the main socket.
Nov 17 09:11:01 systemd[1]: clamav-daemon.service: Main process exited, code=exited, status=1/FAILURE
Nov 17 09:11:01 systemd[1]: clamav-daemon.service: Unit entered failed state.
Nov 17 09:11:01 systemd[1]: clamav-daemon.service: Failed with result 'exit-code'.

free -m
              total        used        free      shared  buff/cache   available
Mem:            994         250         692          12          51         642
Swap:             0           0           0

So the question now is where to go from here ????

Re: [clamav-users] ERROR: Malformed database -> Closing the main socket.
Hi there,

On Sun, 17 Nov 2019, Jim Ward via clamav-users wrote:

> I poked around based on the 'Disable Official Database' thread previously mentioned. Clam wanted nothing to do with either missing or zero length main and daily files.
>
> However digging in to syslogs, I found this interesting tidbit of information:
> ...
> Nov 17 09:10:57 clamd[4496]: LibClamAV Error: mpool_malloc(): Can't allocate memory (262144 bytes).
>
> free -m
>               total        used        free      shared  buff/cache   available
> Mem:            994         250         692          12          51         642
> Swap:             0           0           0
>
> So the question now is where to go from here ????

To the memory shop. You don't have enough to run clamd with the
official databases, which alone will take something like 1GByte.

--

73,
Ged.
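
Added example, not part of the original thread or of ClamAV: a shell triage for the failure diagnosed above, checking whether a clamd process that reported "Malformed database" had already logged an allocation failure, and whether MemAvailable plus SwapFree covers the database load. The function names, the 1024 MiB threshold (taken from the "something like 1GByte" estimate), the clamd[5000] log line and both meminfo samples are assumptions constructed for illustration; the clamd[4496] lines are copied from the syslog excerpt in the thread.

```sh
#!/bin/sh
# Added example: triage a clamd "Malformed database" startup failure.
# Assumed threshold: the "something like 1GByte" estimate from the reply.
REQUIRED_MIB=${REQUIRED_MIB:-1024}

# classify_clamd_failure SYSLOG
# For each clamd PID that logged "Malformed database", print
# "<pid> out-of-memory" if the same PID had already logged
# "Can't allocate memory", otherwise "<pid> database".
classify_clamd_failure() {
    awk '
        match($0, /clamd\[[0-9]+\]/) {
            pid = substr($0, RSTART + 6, RLENGTH - 7)
            if ($0 ~ /Can.t allocate memory/) oom[pid] = 1
            if ($0 ~ /Malformed database/ && !(pid in verdict)) {
                verdict[pid] = (pid in oom) ? "out-of-memory" : "database"
                order[++n] = pid
            }
        }
        END { for (i = 1; i <= n; i++) print order[i], verdict[order[i]] }
    ' "$1"
}

# headroom_mib MEMINFO
# Print MemAvailable + SwapFree from a /proc/meminfo-format file, in MiB.
headroom_mib() {
    awk '/^(MemAvailable|SwapFree):/ { kb += $2 }
         END { print int(kb / 1024) }' "$1"
}

# can_load_databases MEMINFO
# Succeed only if the headroom reaches REQUIRED_MIB.
can_load_databases() {
    [ "$(headroom_mib "$1")" -ge "$REQUIRED_MIB" ]
}

# write_samples DIR
# Write the sample inputs. The clamd[4496] lines come from the thread;
# the clamd[5000] line and both meminfo files are constructed.
write_samples() {
    cat > "$1/syslog" <<'EOF'
Nov 17 09:10:57 clamd[4496]: LibClamAV Error: mpool_malloc(): Can't allocate memory (262144 bytes).
Nov 17 09:11:01 clamd[4496]: LibClamAV Error: Can't load main.mdb: Can't allocate memory
Nov 17 09:11:01 clamd[4496]: LibClamAV Error: Can't load /var/lib/clamav/main.cvd: Malformed database
Nov 17 09:11:01 clamd[4496]: Sun Nov 17 09:10:57 2019 -> !Malformed database
Nov 17 10:00:00 clamd[5000]: LibClamAV Error: Can't load /var/lib/clamav/daily.cld: Malformed database
EOF
    # Constructed to match the "free -m" output in the thread (642 MiB available, no swap).
    cat > "$1/meminfo.before" <<'EOF'
MemTotal:        1017856 kB
MemAvailable:     657408 kB
SwapTotal:             0 kB
SwapFree:              0 kB
EOF
    # Constructed: the same host after adding 2 GiB of swap.
    cat > "$1/meminfo.after" <<'EOF'
MemTotal:        1017856 kB
MemAvailable:     657408 kB
SwapTotal:       2097152 kB
SwapFree:        2097152 kB
EOF
}

# Demo run over the sample inputs.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
classify_clamd_failure "$demo_dir/syslog"
for f in meminfo.before meminfo.after; do
    if can_load_databases "$demo_dir/$f"; then
        state="enough"
    else
        state="not enough"
    fi
    echo "$f: $(headroom_mib "$demo_dir/$f") MiB headroom, $state for clamd"
done
rm -rf "$demo_dir"
```

On a live host, pass /proc/meminfo and the syslog file that receives clamd messages; MemAvailable plus SwapFree is only a rough estimate of what clamd can allocate.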

Re: [clamav-users] ERROR: Malformed database -> Closing the main socket.
I've taken a trip to the swap shop. Added 2G and we seem to be working at this point. Thank you for your input. I clearly hadn't dug deep enough and as I said before, I'm definitely closer to newb than novice!! Thanks again!!

Re: [clamav-users] ERROR: Malformed database -> Closing the main socket.
Hi there,

On Mon, 18 Nov 2019, Jim Ward via clamav-users wrote:

> I've taken a trip to the swap shop. Added 2G and we seem to be
> working at this point. ...

Like I said, logic, not magic.

Good luck. :)

--

73,
Ged.
