ClamAV Forced Upgrade Breaks Email Servers
An anonymous reader writes "A couple of weeks ago Sourcefire announced end-of-life for version 0.94 of its free ClamAV antivirus package (and in fact has been talking about it for six months). The method that Sourcefire chose to retire 0.94 was to shut down the server that provided its service. Those who had failed to upgrade are scrambling now. Many systems have no choice but to disable virus checking in order to continue to process email. I am very glad I saw the announcement last week!"
The alternative was them not doing anything and then months later we see a story about how "ClamAV silently stops support. Virus outbreaks ensue."
And you didn't, and now are going to complain when shit doesn't work? Go fuck yourself.
Enough with this nonsense, we're all enabling Microsoft to produce sub-par, insecure, unstable and easily corrupted products.
Diagnostic-Code: smtp; /var/spool/amavisd/clamd.sock (Can't connect to UNIX socket /var/spool/amavisd/clamd.sock: No such file or directory) at (eval 55) line 310.
/usr/bin/clamscan unexpected exit 50, output="LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later.
451-4.5.0 Error in processing, id=02792-02, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x83d7540) Too many retries to talk to
ClamAV-clamscan av-scanner FAILED:
At least their error messages are descriptive and informative.
It exists for a reason.
"I use a Mac because I'm just better than you are."
This is what we get when we're all our own "netadmins". I'm one of them. I don't follow security lists. I don't upgrade my products. Why not? Because I'm not really a netadmin. I just have a little server that runs until it breaks. I think that's the difference between a netadmin and a fake netadmin -- a fake netadmin like me reacts. A real netadmin is proactive.
Which honestly, as pathetic as it sounds on the surface, works fairly well when your data and uptime don't matter. Because it's not pathetic because I have better things to do with my time than "run the family webserver".
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
People with critical servers that don't have fallback configurations to handle this kind of thing deserve to have their servers shutdown.
I've been using 0.95 for some time now, so none of my servers were affected but, even if they were, my servers are smart enough not to interrupt the services, and to notify me.
It is really disgusting the way people build servers these days. They think all they need to do is to install a couple packages, change a couple config lines and boom, the server is ready. They are getting what they asked for when stuff like this happens.
morcego
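The "notify me instead of interrupting service" behaviour the post above describes needs a check that actually reads the scanner logs. Below is an added example (mine, not code from this thread or from the ClamAV project) that classifies log lines using the failure messages quoted elsewhere in this discussion (the "engine is outdated" warning, the End of Life marker, "Malformed database", the missing clamd socket and amavis's "ALL VIRUS SCANNERS FAILED"). The syslog excerpt is constructed: hostname, PIDs and timestamps are made up, only the message texts follow the thread.

```python
import re
from collections import Counter

# Failure signatures taken from the log and bounce messages quoted in this thread.
PATTERNS = {
    "outdated_engine": re.compile(r"This version of the ClamAV engine is outdated"),
    "eol_marker": re.compile(r"reached End of Life"),
    "malformed_db": re.compile(r"Malformed database|Can't load daily\.ndb"),
    "socket_missing": re.compile(r"Can't connect to UNIX socket"),
    "scanner_failed": re.compile(r"ALL VIRUS SCANNERS FAILED|av-scanner FAILED"),
}

# Tags that mean mail is no longer being scanned, or no longer flowing at all.
CRITICAL = {"malformed_db", "socket_missing", "scanner_failed"}

# Constructed syslog excerpt (hostname, pids and timestamps are made up);
# the message texts follow the ones quoted in the thread.
SAMPLE_LOG = """\
Nov 12 03:14:01 mx1 clamd[2231]: LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
Nov 12 03:14:01 mx1 clamd[2231]: LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later.
Nov 12 03:14:01 mx1 clamd[2231]: LibClamAV Error: Can't load daily.ndb: Malformed database
Nov 12 03:14:02 mx1 amavis[2810]: (02792-02) (!!) ClamAV-clamd av-scanner FAILED: Can't connect to UNIX socket /var/spool/amavisd/clamd.sock
Nov 12 03:14:02 mx1 amavis[2810]: (02792-02) (!!) ALL VIRUS SCANNERS FAILED
Nov 12 03:15:02 mx1 amavis[2811]: (02792-03) (!!) ALL VIRUS SCANNERS FAILED
Nov 12 03:16:02 mx1 amavis[2812]: (02792-04) (!!) ALL VIRUS SCANNERS FAILED
"""


def classify_line(line):
    """Return the set of failure tags that match one log line."""
    return {tag for tag, rx in PATTERNS.items() if rx.search(line)}


def assess(log_text, loop_threshold=3):
    """Summarise scanner health from a log excerpt.

    severity: 'ok' (nothing matched), 'warning' (engine outdated but still
    loading signatures), 'critical' (database rejected, or the content
    filter can no longer reach a scanner). retry_loop flags the per-message
    failure repeating, which is what turns a dead scanner into a stuck queue.
    """
    counts = Counter()
    for line in log_text.splitlines():
        for tag in classify_line(line):
            counts[tag] += 1
    hit = set(counts)
    if hit & CRITICAL:
        severity = "critical"
        action = "mail is not being scanned: upgrade ClamAV, then restart clamd and the content filter"
    elif hit & {"outdated_engine", "eol_marker"}:
        severity = "warning"
        action = "engine outdated: schedule the upgrade before signatures stop loading"
    else:
        severity = "ok"
        action = "no ClamAV failure indicators found"
    return {
        "severity": severity,
        "findings": dict(counts),
        "retry_loop": counts["scanner_failed"] >= loop_threshold,
        "action": action,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_LOG)
    print(result["severity"], "-", result["action"])
    for tag, n in sorted(result["findings"].items()):
        print("  %-16s %d" % (tag, n))
```

Feed it the tail of the mail log from cron and page on "critical"; the "warning" level is the cheap early signal the thread keeps pointing at, since clamd had been logging the outdated-engine line for months before the database stopped loading.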
The method SourceFire chose to use was to encode a kill command in the ClamAV updates. If they had simply "shut down the [update] server" ClamAV would have continued to work, just without new signatures.
See their announcement at http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/
/~mikeg
Should have switched to Norton. They would have had weeks of impossible-to-ignore yellow and black pop-ups demanding their credit card number as ample warning...
Those freetards just don't understand the valuable features provided by quality proprietary software.
...and guess what! I'm almost sure I have had enough of free software.
Not to say that it does not do its work, but because there is no incentive "not to break stuff", read 'continued revenue streams', folks just do as they please and we get hurt.
Heck! Is this the "freedom" you want?
If it breaks because a remote server went away it sounds like it is time to possibly have another look at that code.
Got Code?
some text to avoid lameness filter... But the parent is SPOT ON!
Either:
- Follow the mailing list, where there have been numerous e-mails saying that the support would end
or
- Use a repository that updates your server easily
Whining was not an option here...
Menzoberranzan Networks
End of Life Announcement: ClamAV 0.94.x
Oct 5, 2009
All ClamAV releases older than 0.95 are affected by a bug in freshclam which prevents incremental updates from working with signatures longer than 980 bytes.
You can find more details on this issue on our bugzilla (see bug #1395)
This move is needed to push more people to upgrade to 0.95.
We would like to keep on supporting all old versions of our engine, but unfortunately this is no longer possible without causing a disservice to people running a recent release of ClamAV.
The traffic generated by a full CVD download, as opposed to an incremental update, cannot be sustained by our mirrors.
We plan to start releasing signatures which exceed the 980 bytes limit in May 2010.
We recommend that you always run the latest version of ClamAV to get optimal protection, reliability and performance.
Thanks for your cooperation!
When they are exceedingly attractive, female, not married, and expressing interest, I do.
IIRC, ClamAV doesn't have real-time scanning anyway. Does it have a first party mail server scanning plugin now, or am I totally misunderstanding the issue here.
Be careful, though. Natalie Portman might pour hot grits on you.
As someone who was bitten by the issue (yeah, I'll man up and admit it - my company's mail server went wonky for about a half hour while I upgraded) I agree -- they pretty much did the right thing.
There was plenty of notice -- The fact that many of us weren't on the clamav-announce list is OUR fault, not theirs.
A kill command may not be the most "polite" way of retiring an old version of software, but for a free service I certainly don't expect them to invest huge amounts of time and money in figuring out how to support the old stuff forever.
I just tried to update:
# cat /etc/debian_version
5.0.4
... /var/lib/clamav/daily.cld: Malformed database
:(
aptitude output during update:
Setting up clamav-daemon (0.94.dfsg.2-1lenny2)
Starting ClamAV daemon: clamd LibClamAV Warning:
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning:
LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later. For more information see www.clamav.net/eol-clamav-094 and www.clamav.net/download (length: 169)
LibClamAV Error: Problem parsing database at line 742
LibClamAV Error: Can't load daily.ndb: Malformed database
LibClamAV Error: cli_tgzload: Can't load daily.ndb
LibClamAV Error: Can't load
ERROR: Malformed database
It appears debian repositories also need to be updated.
NOTE: I removed the * (star) chars from the warnings due to junk filter.
This space is not for rent.
Where do I sign up sir?
With a name like ClamAV, my bet would be the Scientologists.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
First you complain when Microsoft releases an update that won't install on compromised systems because it would break them entirely.
Now ClamAV is put in a similar position. They have three choices due to the bug in 0.94:
1. Continue supporting 0.94, flood out their update servers with full updates since incrementals won't work with that version much longer.
2. Stop supporting 0.94, leaving users who don't know to update basically unprotected.
3. Send a clear message to users who haven't updated that their antivirus solution is now broken and they need to upgrade.
To me, 3 is the obvious choice. If this was a paid solution or if it cost a fucking dime to upgrade I might see a point to complaining, but to anyone who was still using 0.94 just man the fuck up, apt-get update, apt-get upgrade, and get on with it.
This is not like Microsoft disabling XP to get you to upgrade to Vista, this is more comparable to an aircraft with faulty parts being grounded by the FAA. Those using 0.94 were doomed to a broken solution one way or another, they could not continue using it and expect it to do its job, so they needed a kick in the ass to upgrade.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
A lot of server stuff in Linux works so well that you can even forget that it is running at all, for years. ClamAV is that kind of software: you install/configure it, set the automatic signature updates, and forget that it is there. But still, some periodic checks in the logs that all is working as expected are good, even if it is just some artificial ignorance well applied, especially when ClamAV started warning about this months ago.
"ClamAV forced upgrade breaks email servers" should read "Failure to upgrade despite six months warning breaks email servers" or "Inattentive server admins cause massive downtime".
Oh just suck it! Please!
Show me a shop that has redundant PBXs e.g. Nortel Option 61 AND a AT&T/Lucent/Avaya Definity for backup.
Show me a carrier that uses Nortel DMS-100 AND a Alcatel-Lucent 5ESS for backup.
We're talking about virus scanning for freaking email. It might be mission critical to some pathetic PHB but, it's fricking EMAIL!
Just suck it!
Oy Cruise, you talentless midget, downmods are not for expressing disagreement. Log in like a man.
P.S. Cocktail. Worst fucking film ever.
P.P.S. That Kidman bitch. You would not believe the noises I got out of her.
I guess now would be a good time to upgrade from 0.91.2.
This is the best Slashdot post I've read all week.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
From now on, my recommended course of action is that all mail administrators running clamav should REMOVE or DISABLE any automatic updates of ClamAV rules, make sure to comment out any crontab entries for freshclam.
<SARCASM>
Mmhmm, yes. I agree 1000%. Don't update your virus signatures. Because ya know, new viruses don't get created very often. You can run with signatures over a year old and still have great protection!
</SARCASM>
Or do what they should do... include a method for automatically applying version updates.
Or force auto version update instead of disabling.
<SARCASM>
Yes, because distributing software for several versions of Free/Net/OpenBSD, each Linux distribution, Windows, Solaris, AIX, HP-UX, etc. is totally feasible for a free project.
It's not like they would have to fund the time, equipment and distribution bandwidth for that, or have to deal with irate admins screaming about how ClamAV breaks their change control policies by automatically installing binaries on production servers.
And software with automatic updates never ships an update that bricks production servers (*cough*Exchange*cough*), so this is a perfect solution.
</SARCASM>
Sometimes I really wonder what happened to the Slashdot crowd's common sense.
In the three weeks since I inherited the admin position at my office, the sternest warning I ever got from ClamAV was from log messages saying I had an outdated version but "DON'T PANIC." So, I think to myself, it says don't panic, so don't panic--we're going to be building a new mail server in a few months anyway, so why worry? It's not like good open-source developers would ever pull a b.s. Microsoft move like intentionally throwing a kill switch on old versions of their software.
Yeah, caveat emptor, you get what you pay for, etc. I know.
This is why you rely on package management software. There are actual maintainers out there who keep up-to-date on issues like this, that affect their packages.
For instance, if you're running any version of Ubuntu, you are on v0.95.3 or v0.96 right now, so you would not have even known about this EOL had it not been on slashdot. Every time you log into Ubuntu, it will warn you if you need to do some updates.
If you are not a professional system administrator (neither am I, by the way, so I feel for you), you should not bother trying to subscribe to all of the mailing lists for all of the packages you use. You should instead rely on the hard, thankless work put in by the package maintainers to keep you out of trouble.
Make sure you do the security updates for your distro of choice. Choose a stable release of your distro if you don't enjoy constant upgrades.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Limiting yourself to one kind of girl is so... limiting. I don't care if they are purple; if they are hot and don't have diseases, I'm Captain Kirk.
You really should use the volatile repository. It provides updated versions of packages that are required to change (like antivirus), compiled for stable. You end up with stable + required updates.
I woke up this morning to urgent "my site is down" calls from clients on one of my old servers. It turns out that ClamAV was trying to update itself. It would download the update, fail to update, then download again and again until it filled up the hard drive. We don't even do email on this particular server, so it must have gotten turned on months/years ago and then never noticed. We've disabled it, but it was kind of an annoying way to be woken up.
these people are when it comes to understanding how the business software world works. Cutting off support from a software package released 1 year ago? Are you retarded? If a vendor dropped support 2 years into the lifetime of a major software package release we deploy company-wide, we would drop said vendor immediately. 3 year long support is the bare, absolute minimum that is required for a software package for a vendor to get to the table with us. 5+ years and now we are talking.
The only possible sane rationale I can come up with is that ClamAV developers have absolutely no intention whatsoever to aim at anyone besides the hobbyist tinkerer home user segment, because that's the only area where such vendor behaviour can be tolerated and accepted.
I used to think it was great but then I realized it can't detect tons of stuff. I have a habit of feeding it any malware/virus/whatever that I come across and it doesn't detect a lot of them. The Windows ClamAV is especially useless, it doesn't detect hardly anything.
Heh, good ol' Seinfeld :)
Uh, Linux geek since 1999.
If you use a system that has aptitude, then it might be worth it to routinely (at least monthly?) run the following:
sudo aptitude update
sudo aptitude safe-upgrade
You'll get a lot of security updates, if they are out there, which is a good thing!
(your mileage may vary)
I'm likely to be modded down by open source zealots, but using ClamAV solely to protect Windows PCs from malware spread by e-mail is insane. ClamAV has one of the lowest malware detection rates amongst commercial AV solutions. I tested my own sample of around 140 new viruses found on different Windows PCs during the last six months and ClamAV could detect only 70 of them. That's ridiculous ... and fearful to say the least.
Sir, you're no Mel Gibson...
ELOI, ELOI, LAMA SABACHTHANI!?
Here is what they should have done, to wake up all the system administrators who didn't happen to notice the announcements: Gradually wean people off the old version by shutting down the ClamAV server for an hour, then six hours, then a day, then three days, and finally shut it down permanently. At the end of that process I guarantee you there would be almost zero affected systems left to break after the permanent shutdown deadline. The better admins and bigger systems will notice the problem immediately during the short shutdowns and have plenty of time to upgrade. The systems that are still vulnerable after the entire weaning process need to be broken anyway so that someone will finally pay attention and fix them.
Shutting it down permanently, even after making "announcements" for a few months will never allow every single user of any product sufficient time to notice that something is about to happen. It's a simple fact of life, not every system admin is a computer expert, not every admin knows what the last admin did or is subscribed to the same mailing lists or visits the same technical websites. Stopping an external service like that on a temporary and gradually increasing basis would allow almost 100% of the end users to finally figure out or do the research to realize what was happening and upgrade their systems in time for the final permanent shutdown.
Things like this always remind me of the Hitchhiker's Guide where they posted the "announcement" that the Earth would be destroyed, giving everyone on Earth plenty of time to leave. Unfortunately the announcement was posted in an office on the home planet of the aliens who came through and destroyed the Earth, so no one on Earth ever saw it, and it was only posted for like 30 days anyway. People always have this weird idea that just because something is "announced" to a specific community that is paying attention it means that everyone else will magically know you made an announcement, but that isn't how the real world works. People also have this weird idea that not knowing everything about everything in the technical universe is somehow the same as being incompetent. The world is not perfect. Upgrade procedures and policies for any external software service must acknowledge this or suffer the wrath of the 90% of the system admin community who are NOT God-like in their omniscience.
ClamAV wants to call me irresponsible for using Fedora 3...!!!
But surely they were irresponsible too because of this.
I was trying to upgrade clamav for several months, but no updated version exists.
I simply cannot upgrade the server, nor upgrade clamav.
Solution: disable clamav.
Totally my own damned fault for not staying upgraded.
Do you enjoy whipping yourself too???
You had working but out of date anti-virus. That's bad, but not as bad as no anti-virus at all, and arguably not as bad as disruption of your business and no functionality. Yet you choose to blame yourself? What about the schmuck who has an out of date piece of software that doesn't play nice with a later version? Providing free software does not mean you get to fuck with my business! What is the point of having antivirus software anyway? It is to prevent disruptions to your business by viruses? The trade off for slowing down your system with antivirus scanning is supposed to be reduced risk and disruption for your business.
It is your fault. Your fault not just for failing to update your antivirus, but for being so accepting of this from an antivirus company. Security types seem to have lost their mind and lost their ability to reason lately.
These posts express my own personal views, not those of my employer
I understand the ClamAV team's motivation, but hitting a kill switch on software that is only a year old is extremely rude. Had a proprietary vendor done it, /. posters would have been up in arms.
We have many customers running ClamAV. We managed to upgrade almost all of them before the kill switch, and the rest (the ones we were unable to contact) we got within hours after the kill switch.
However, I'm now being forced into the ironic position of having to recommend non-open-source software over open-source software. Here's why: Some of our clients specify that we're not allowed to provide software with a built-in "kill switch". We know ClamAV has such a switch, so we may be disqualified from using it. (Sure, proprietary software may have a similar switch, but we don't know for a fact it does... unlike ClamAV.)
All in all, Sourcefire handled this very badly, IMO. They could have done it much more gracefully.
There was plenty of notice -- The fact that many of us weren't on the clamav-announce list is OUR fault, not theirs.
It would be nice if package managers integrated this for the sysadmin. Maybe the output of chkconfig could be consulted.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
You've entirely missed that having decent rules to deal with attachments solves 99% of the virus problem. These days email server antivirus scans are to catch a virus hidden inside a zip file. If it's a directly executable attachment it should be blocked to save MS Outlook users from it, and of course the scanners look at the file type instead of trusting what the file name says it is.
On a web proxy it would be a far bigger deal but most web traffic isn't virus scanned yet.
Back to addressing the rant, as others have said clamav has the error message "LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***", along with a few other lines.
As for the open/closed argument I had a very similar problem with a commercial antivirus program that made a lot of changes which stopped it running on my mail server - that's why I started running clamav in the first place to cover the gap. Now I run both.
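The post above makes the point that attachment rules do most of the work on a mail server, and that the check has to look at the file type rather than trust the file name, including inside zip files. Here is an added example (my own code, not anything from this thread or from ClamAV) of such a rule in Python: it blocks directly executable extensions, identifies content by its leading bytes, descends into zip archives, and refuses what it cannot inspect (encrypted or corrupt archives, oversized members, over-deep nesting). The magic-byte table and extension list are my assumptions; the sample attachments are constructed and the "executable" is just an MZ header followed by zeros.

```python
import io
import os
import zipfile

# Real file-header magic bytes; the decision keys on these, not on the name.
EXECUTABLE_MAGIC = {b"MZ": "dos/windows executable", b"\x7fELF": "elf executable"}
CONTAINER_MAGIC = {b"PK\x03\x04": "zip"}
# Extensions mail clients will run directly; blocked regardless of content (assumed list).
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to expand oversized members (zip-bomb guard)
MAX_DEPTH = 2                        # how many nested archives to descend into


def sniff(data):
    """Identify content by its leading bytes."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    for magic, kind in CONTAINER_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "other"


def inspect_attachment(filename, data, depth=0):
    """Return ('block' | 'allow', reason) for one attachment, recursing into zips."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXT:
        return "block", "%s: directly executable extension %s" % (filename, ext)
    kind = sniff(data)
    if kind.endswith("executable"):
        return "block", "%s: content is a %s despite the '%s' extension" % (filename, kind, ext or "missing")
    if kind == "zip":
        if depth >= MAX_DEPTH:
            return "block", "%s: archive nested deeper than %d levels" % (filename, MAX_DEPTH)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        return "block", "%s: member %s declares %d bytes" % (filename, info.filename, info.file_size)
                    verdict, reason = inspect_attachment(info.filename, zf.read(info), depth + 1)
                    if verdict == "block":
                        return "block", "inside %s: %s" % (filename, reason)
        except zipfile.BadZipFile:
            return "block", "%s: corrupt or truncated zip" % filename
        except RuntimeError:
            # zipfile raises RuntimeError for password-protected members;
            # what cannot be inspected is not passed through.
            return "block", "%s: encrypted archive cannot be inspected" % filename
    return "allow", "%s: %s" % (filename, kind)


def build_samples():
    """Constructed attachments (not real malware): the 'executable' is only an MZ header."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf", fake_pe)   # executable under a .pdf name, inside a zip
    return {
        "invoice.pdf": fake_pe,                  # executable with a document extension
        "archive.zip": buf.getvalue(),
        "report.pdf": b"%PDF-1.4\n%constructed sample\n",
        "setup.exe": b"MZ" + b"\x00" * 10,
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print("%-5s %s" % inspect_attachment(name, data))
```

The rule is deliberately conservative: an archive it cannot open is treated the same as one containing an executable, because a scanner that quietly passes what it could not read is exactly the failure mode the rest of this thread is about.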
Once recently I had to call a guy in noc to tell him all our people were getting warnings from Thunderbird that an email about to be sent contained a virus attached in a pdf. When he looked into it, (he had just gotten home to his terminal as he talked to me on his mobile) he started doing stuff. He started getting me to test mail.example1.com, then mail.example2.com ...etc. the three servers that handle mail in our company. In the end, he just said 'fuck it' and disabled it completely.
This can also cause DansGuardian to break if you use ClamAV on your web proxy. As others have said, for Debian, etc. the fix is in the volatile repos. Ubuntu 8.04 LTS on the other hand...
To be fair, the ClamAV authors have been pushing the upgrade for months...
--
Ubuntu: An African word meaning "Crippled Debian".
Actually, it's worse than it sounds. I had a server that didn't have the software upgraded and it used 100% of the disk, causing the ldap database to be annihilated.
On some mail servers I administer ClamAV went totally wonky after the "shutdown" signature. Instead of letting messages pass through as if it wasn't there, it simply got stuck in a loop state for every received message until all resources (memory and CPU time) were all gone.
To me the "shutdown" signature method failed miserably. And a product, FOSS or commercial, that needs to kill old installations because the infrastructure to provide services and updates wouldn't cope with the added pressure of maintaining them deserves an EPIC FAIL. It's a pass for me, thanks.
And yes, I knew ClamAV before 0.95 was going to be dismissed, but I was waiting to see what was going to happen. I can't afford to go around dozens of systems to manually update the AV engine because some nutters didn't think of a way to update their AV *ENGINE* from their side. Why do WE have to update the ClamAV engine? Avast and AVG do it automatically. Poor design, again...
ClamAV is now officially an unreliable product, badly engineered and administered.
FGS, it's been on a 0.9x version for ages, it's just a pathetic excuse, a "get out of jail free" card. If they truly believed in their product it should have been at a v 1.x by now.
R.I.P. ClamAV, dead before born.
AC because I can't be @**sed to create an account to post a message every geologic era.
pingback: http://openwallet.de/?p=275
QUOTE:
2010-04-16: I found a solution.
$ echo "deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free" >> /etc/apt/sources.list
$ apt-get update
$ apt-get install clamav
$ apt-get upgrade
$ /etc/init.d/amavis restart
$
greetings from germany,
atthias
I know for a fact that there are some positively ancient versions of ClamAV in one email appliance, because there are never any core upgrades, only the main antispam engine. Considering the nature of the logs that are shown to the user, I doubt most admins could notice their ClamAV installation failing hard.
I realize you have to give old users a kick, but couldn't they have done this where it doesn't kill the engine but still throws a bad enough error to show up somewhere? Then again, they could have been real dicks and simply pushed an update that flags everything as bad and marks it as virus:YOURECLAMAVISOLDSOITDIED.2010
An alternative would have been to supply an "unsafe" (or similar) switch with which to continue working with the old stuff. Everyone would be forced to acknowledge their servers were unsafe, but they wouldn't be brought to their knees by dependency upgrade hell. Speaking from painful personal experience :-)
Basically though, there's no real excuse to not upgrade, apart from being too darned lazy...
R.
Read the story.
TFA is unclear.
Just go to the primary source (and note that the warning dates back from october 2009)
They didn't just disable new updates. They disabled the Antivirus engine altogether.
There isn't such a thing as the ability to remotely disable the engine. There's no such thing as a built-in remote kill switch.
Simply: up to .94, ClamAV can't have signatures much longer than 900-something bytes in an incremental update.
Up until now, they haven't needed such long and complex signatures yet.
But now they need to be able to ship such signatures (they enable more complex detection algorithms).
Thus 2010-04-15's update contains a longer signature.
If you don't update the signatures and use an older file or pull the whole signature file instead of the incremental backup, the outdated ClamAV will still work.
If you update, the signatures will cause ClamAv to output an error message.
That's all of it.
Given that:
- .94 is two generations old (current is not .95, but .96)
- the warnings date back to October (ample time for admins to react)
- they always insist (and even display warning messages from clamav itself) that the best protection is to always use the latest clamav version
- they need the ability to ship longer-than-900-byte signatures soon; it's important for complex detections
- non-incremental updates are not an option due to the excessive stress they would put onto the mirror servers
...their action doesn't seem illogical.
The alternative would be to keep refraining from using the long signatures, although they are needed for complex detections. On the grounds that there are still a couple of admins still using .94 despite all of the above.
Or start distributing long signatures in full signature files and kill their mirror servers.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
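The post above describes the mechanism in terms of a signature the old engine cannot parse, and the logs quoted earlier in the thread show what that looks like: "cli_hex2str(): Malformed hexstring: ... (length: 169)", "Problem parsing database at line 742", "Can't load daily.ndb". The following added example (my own Python, not ClamAV code and not from anyone in this thread) is a toy loader for .ndb-style lines that reproduces that shape of failure: it reports a non-hex body with its line number and length, and separately flags bodies over the 980-byte ceiling the EOL announcement gives for incremental updates. The line layout `MalwareName:TargetType:Offset:HexSignature` and the wildcard subset are my assumptions, the limit is applied to the stored hex body, and the sample database is constructed (line 3 imitates the EOL marker text quoted in the thread).

```python
import re

# Assumed .ndb line layout: MalwareName:TargetType:Offset:HexSignature.
# The wildcard characters allowed in the hex body are a simplified subset;
# the real engine accepts more forms. Enough to show the parse failure.
HEX_BODY = re.compile(r"^[0-9a-fA-F?*{}\-\[\]()|!]+$")

# 980-byte ceiling quoted in the EOL announcement for incremental updates
# (applied here to the stored hex body; an assumption of this toy).
INCREMENTAL_LIMIT = 980

# Constructed sample database. Line 3 imitates the EOL marker whose text is
# quoted in the thread: a non-hex body that an old parser cannot decode.
# Line 4 is a valid but oversized pattern (1200 hex characters).
SAMPLE_NDB = (
    "Sample.Sig-1:0:*:4d5a90000300000004000000ffff0000\n"
    "Sample.Sig-2:1:EP+0:e8????????5d81ed\n"
    "Eol.Marker:0:*:This ClamAV version has reached End of Life! "
    "Please upgrade to version 0.95 or later.\n"
    "Sample.Sig-3:0:*:" + "90" * 600 + "\n"
)


def parse_ndb_line(line):
    """Split one .ndb line; raise ValueError with a cli_hex2str-style
    reason when the body is not a hex pattern."""
    parts = line.rstrip("\n").split(":", 3)
    if len(parts) != 4:
        raise ValueError("wrong field count")
    name, target, offset, body = parts
    if not target.isdigit():
        raise ValueError("target type is not numeric")
    if not HEX_BODY.match(body):
        raise ValueError("Malformed hexstring: %s (length: %d)" % (body, len(body)))
    return {"name": name, "target": int(target), "offset": offset,
            "hexsig": body, "length": len(body)}


def load_ndb(text, strict=True):
    """Load a database and return (signatures, problems).

    strict=True mirrors the old-engine behaviour seen in the quoted log: the
    first malformed line aborts the load ('Problem parsing database at line
    N'), so every signature after it is lost too. strict=False keeps going and
    just records each problem, which is what an auditing tool wants.
    """
    sigs, problems = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        try:
            sig = parse_ndb_line(line)
        except ValueError as exc:
            problems.append((lineno, str(exc)))
            if strict:
                break
            continue
        if sig["length"] > INCREMENTAL_LIMIT:
            problems.append((lineno, "signature exceeds %d-byte incremental limit" % INCREMENTAL_LIMIT))
        sigs.append(sig)
    return sigs, problems


if __name__ == "__main__":
    for strict in (True, False):
        sigs, problems = load_ndb(SAMPLE_NDB, strict=strict)
        print("strict=%s: loaded %d signature(s)" % (strict, len(sigs)))
        for lineno, reason in problems:
            print("  line %d: %s" % (lineno, reason))
```

Run in strict mode the loader stops at line 3 and only two signatures survive, which is why a server in this state is not "scanning with old signatures" but not scanning at all; the non-strict run shows what an admin auditing a freshly downloaded database would see before restarting clamd.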
I work at Sourcefire (however I do not work directly with ClamAV) and I believe their action is justified. Why should Sourcefire have to lend its name to an inferior product that is superseded by a year of development efforts?