ClamAV Forced Upgrade Breaks Email Servers

← Back to Stories (view on slashdot.org)

ClamAV Forced Upgrade Breaks Email Servers

Posted by kdawson on Friday April 16, 2010 @05:35AM from the on-the-half-shell dept.

An anonymous reader writes "A couple of weeks ago Sourcefire announced end-of-life for version 0.94 of its free ClamAV antivirus package (and in fact has been talking about it for six months). The method that Sourcefire chose to retire 0.94 was to shut down the server that provided its service. Those who had failed to upgrade are scrambling now. Many systems have no choice but to disable virus checking in order to continue to process email. I am very glad I saw the announcement last week!"

26 of 299 comments (clear)

Min score:

Reason:

Sort:

Alternative by InsertWittyNameHere · 2010-04-16 05:38 · Score: 4, Insightful

The alternative was them not doing anything and then months later we see a story about how "ClamAV silently stops support. Virus outbreaks ensue."
1. Re:Alternative by Anonymous Coward · 2010-04-16 05:42 · Score: 5, Insightful
  
  It's kind of an inflammatory article:
  
  Rather than simply phase this geriatric version out (it was at least one year old, revised to versions .95 and .96 since release, and announcements about the need to upgrade had been made for six months) the development team put to halt instances of V0.94 in production
  So, it's a year and two versions out of date AND they'd been saying for 6 months to move off it.. Yet still it's their fault for shutting down the server!? I'm sorry, but how much support do you want for something that's free?
2. Re:Alternative by HarrySquatter · 2010-04-16 06:04 · Score: 4, Insightful
  
  Would you trust an email server that is running a virus scanner that is more than a year out of date?
3. Re:Alternative by geekmansworld · 2010-04-16 06:34 · Score: 2, Insightful
  
  When you make assumptions, you're an ass.
  I don't watch TV at work. I'm busy because I'm the only IT guy in our organization, and I do everything, on top of regular office work, on a shoestring budget.
  So while you're sitting in your office preparing the budget to show your boss how many tens of thousands of dollars the new M$ Exchange system is going to cost, maybe think about how lucky you are to be able to do what you love to do full time, with a budget, and proper support staff.
4. Re:Alternative by Fiznarp · 2010-04-16 06:39 · Score: 2, Insightful
  
  I got hit by the shutdown too, however I'm not upset. If I was paying for it I would have been angry at the vendor for not notifying me. But it's a FREE antivirus service. The folks that publish ClamAV updates aren't under any obligation to keep my systems up and running. If my systems were that important, I'd pay for something with an SLA.
5. Re:Alternative by Hylandr · 2010-04-16 06:58 · Score: 1, Insightful
  
  I agree with geekmansworld.
  
  And while someone below complained "And you didn't, and now are going to complain when shit doesn't work?"
  
  Damn right. IT techs aren't the gods our ego's lead us on to believe, and keeping up with a tremendous workload is tough enough without having to predict what software vendor / FOSS app is going to sabotage the works.
  
  In a production environment all changes are tested before deployment with rollback plans at the ready. Any software that has the ability to throw a kill switch into a production environment ( Bug or not ) makes the blacklist for any consideration.
  
  So long ClamAV
  
  - Dan.
  
  --
  ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
6. Re:Alternative by Anonymous Coward · 2010-04-16 07:22 · Score: 1, Insightful
  
  You're a retard. So ClamAV fixed a bug that would have caused it to crash, warned you six months in advance of outdated signatures, and you have the gall to shift your irresponsibility onto ClamAV maintainers?
  I wouldn't even suspect a Windows administrator of such negligence. I hope you enjoy OSX. I hear it's made for people like you.
7. Re:Alternative by Jiro · 2010-04-16 07:30 · Score: 4, Insightful
  
  It may not have occurred to you that some of us only do IT for out organizations part time, and visiting the blogs of every single open-source component on our servers is not always practical.
  
  The issue has nothing to do with your servers, really; it has to do with their servers. If you're using a free service on someone else's servers, you really can't be surprised when that service suddenly stops functioning. It's not your equipment.
  
  And I would wager that while visiting the blogs of everything on your servers isn't practical, visiting the blogs of (or subscribing to a mailing list, or other monitoring of) everything that's on your servers but uses someone else's servers is practical
8. Re:Alternative by radtea · 2010-04-16 07:51 · Score: 3, Insightful
  
  This such a perfect example of a loser with attitude that I deserves comment. Look at the breakdown of points, hitting every checkbox:
  1) Implies that anyone who criticizes his failure to do this job is ignorant of his difficult working conditions.
  2) Implies that doing is job is an unreasonable burden that no one could expect, despite other people managing it, sometimes under conditions that he has no idea how difficult they are.
  3) Implies that he did absolutely nothing wrong: his configuration was not an issue--that it was right and reasonable to have his servers configured to crash on failure of this "low priority" component, like a mechanic telling you it's right and reasonable for the wheels to fall off if the radio stops working, because the radio operating correctly is a low priority.
  4) Implies that he's a hero for fixing a problem he caused by his neglect and incompetence. Despite his low pay he's on call all the time, and worked for hours fixing things brilliantly and heroically, despite having mis-configured a low-priority component as a critical system whose incidental failure could crash the whole works.
  5) Blames someone else who did thier job well, and for free. Accuses a supplier of a free service who have been filling his logs with messages for six months of not filling his logs with messages for six months, and then accuses them of deliberately crashing his incompetently configured servers.
  6) Re-iterates how over-worked he is and how much he has to do.
  7) Proclaims he's going to look for another free service to blame his next failure on Real Soon Now.
  Classic, classic whiner. Your job may suck, man, and that may not be all your fault, but if you don't fix the attitude you'll be stuck in the suck for a long, long time...
  
  --
  Blasphemy is a human right. Blasphemophobia kills.
9. Re:Alternative by Anonymous Coward · 2010-04-16 08:32 · Score: 1, Insightful
  
  It may not have occurred to you that some of us only do IT for out organizations part time, and visiting the blogs of every single open-source component on our servers is not always practical.
  Why not just keep your software relatively up to date? It's really not that difficult. If you're using Linux and you're distribution's ClamAV package it's done automatically. If you're running Windows and ClamWin it will notify you when new releases are available.
10. Re:Alternative by syousef · 2010-04-16 10:09 · Score: 3, Insightful
  
  Would you trust an email server that is running a virus scanner that is more than a year out of date?
  Would you trust a company who would remotely shut off your anti-virus?
  
  --
  These posts express my own personal views, not those of my employer
So you had 6 months to upgrade by gparent · 2010-04-16 05:39 · Score: 5, Insightful

And you didn't, and now are going to complain when shit doesn't work? Go fuck yourself.
1. Re:So you had 6 months to upgrade by The+Moof · 2010-04-16 06:32 · Score: 1, Insightful
  
  So you had 6 months to upgrade and you didn't, and now are going to complain when shit doesn't work?
  No, but they'll complain (rightfully so) when the developers issue a "killswitch" command causing the software to quit working. So it's not like the servers disappear and stuff broke from obsolescence, they issued a command to the servers and had the software shut itself down (documented here).
[clamav-announce] by 0racle · 2010-04-16 05:40 · Score: 4, Insightful

It exists for a reason.

--
"I use a Mac because I'm just better than you are."
this is common by digitalsushi · 2010-04-16 05:42 · Score: 4, Insightful

This is what we get when we're all our own "netadmins". I'm one of them. I don't follow security lists. I don't upgrade my products. Why not? Because I'm not really a netadmin. I just have a little server that runs until it breaks. I think that's the difference between a netadmin and a fake netadmin -- a fake netadmin like me reacts. A real netadmin is proactive.
Which honestly, as pathetic as it sounds on the surface, works fairly well when your data and uptime don't matter. Because it's not pathetic because I have better things to do with my time than "run the family webserver".

--
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
1. Re:this is common by Anonymous Coward · 2010-04-16 05:50 · Score: 0, Insightful
  
  You' and people like you are the reason we have so many fucking spambots. Thanks!
No fallback ? by morcego · 2010-04-16 05:43 · Score: 4, Insightful

People with critical servers that don't have fallback configurations to handle this kind of thing deserve to have their servers shutdown.
I've been using 0.95 for some time now, so none of my servers were affected but, even if they were, my servers are smart enough not to interrupt the services, and to notify me.
It is really disgusting the way people build servers these days. They think all they need to do is to install a couple packages, change a couple config lines and boom, the server is ready. They are getting what they asked for when stuff like this happens.

--
morcego
I was hit hard too...! by bogaboga · 2010-04-16 05:46 · Score: 1, Insightful

...and guess what! I'm almost sure I have had enough of free software.
Not to say that it odes not do its work but because there is no incentive "not to break stuff", read 'continued revenue streams', folks just do as they please and we get hurt.
Heck! Is this the "freedom" you want?
Re:It's not like they didn't tell... by mysidia · 2010-04-16 05:58 · Score: 4, Insightful

SUPPORT WILL END does not imply killing instances in production. It implies you stop delivering support services (such as tech support or new updates).
How would you feel if the Ubuntu folks delivered a 'security update' to Ubuntu 8.x to disable your system entirely, until you can get a chance to go install a non-EOL'd major release of your OS?
How about all those Windows Vista users who haven't upgraded to Windows 7?
Firefox 2 users who haven't upgraded to 3.
Users who are still using IE6.
Would users trust the vendors anymore with auto-updates, if they all released updates to 'kill the old product' in order to force you to manually do a clean upgrade?
Re:*Correction* by Anonymous Coward · 2010-04-16 05:59 · Score: 5, Insightful

Wow. They could have just stopped publishing updates for older versions; they do have some method of versioning, right?. Older installations could have kept chugging along using the older definitions and newer installations could get the newer definitions. But to remotely *DISABLE* older installations? I don't care if the product and service is free or not; that is pretty fucked up.
Yes, they did the right thing... by Slipped_Disk · 2010-04-16 06:04 · Score: 4, Insightful

As someone who was bitten by the issue (yeah, I'll man up and admit it - my company's mail server went wonky for about a half hour while I upgraded) I agree -- they pretty much did the right thing.
There was plenty of notice -- The fact that many of us weren't on the clamav-announce list is OUR fault, not theirs.
A kill command may not be the most "polite" way of retiring an old version of software, but for a free service I certainly don't expect them to invest huge amounts of time and money in figuring out how to support the old stuff forever.

--
/~mikeg
Re:*Correction* by HarrySquatter · 2010-04-16 06:06 · Score: 3, Insightful

What's fucked up about it? It's a huge security problem to be running an email server that is using a virus scanner whose definitions are over a year old.
What the fuck Slashdot? by wolrahnaes · 2010-04-16 06:12 · Score: 3, Insightful

First you complain when Microsoft releases an update that won't install on compromised systems because it would break them entirely.
Now ClamAV is put in a similar position. They have three choices due to the bug in 0.94:
1. Continue supporting 0.94, flood out their update servers with full updates since incrementals won't work with that version much longer.
2. Stop supporting 0.94, leaving users who don't know to update basically unprotected.
3. Send a clear message to users who haven't updated that their antivirus solution is now broken and they need to upgrade.
To me, 3 is the obvious choice. If this was a paid solution or if it cost a fucking dime to upgrade I might see a point to complaining, but to anyone who was still using 0.94 just man the fuck up, apt-get update, apt-get upgrade, and get on with it.
This is not like Microsoft disabling XP to get you to upgrade to Vista, this is more comparable to an aircraft with faulty parts being grounded by the FAA. Those using 0.94 were doomed to a broken solution one way or another, they could not continue using it and expect it to do its job, so they needed a kick in the ass to upgrade.

--
I used to get high on life, but I developed a tolerance. Now I need something stronger.
Re:*Correction* by petermgreen · 2010-04-16 06:21 · Score: 3, Insightful

I personally consider use of a remote signature update system as a kill switch to be abuse of the update system.

--
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Re:so clam breaks if a remote server is down? by Lumpy · 2010-04-16 06:27 · Score: 3, Insightful

Nice FUD. the new DB will break it anyways.. and YES microsoft does this.
They crafted a DB update that used that bug to deliver a message so the logs showed you what happened instead of a "seg fault - error in line 45867"

--
Do not look at laser with remaining good eye.
Re: automatic binary updates by Slipped_Disk · 2010-04-16 06:46 · Score: 2, Insightful

From now on, my recommended course of action is that all mail administrators running clamav should REMOVE or DISABLE any automatic updates of ClamAV rules, make sure to comment out any crontab entries for freshclam.
<SARCASM>
Mmhmm, yes. I agree 1000%. Don't update your virus signatures. Because ya know, new viruses don't get created very often. You can run with signatures over a year old and still have great protection!
</SARCASM>

Or do what they should do... include a method for automatically applying version updates.
Or force auto version update instead of disabling.
<SARCASM>
Yes, because distributing software for several versions of Free/Net/OpenBSD, each Linux distribution, Windows, Solaris, AIX, HP-UX, etc. is totally feasible for a free project.
It's not like they would have to fund the time, equipment and distribution bandwidth for that, or have to deal with irate admins screaming about how ClamAV breaks their change control policies by automatically installing binaries on production servers.
And software with automatic updates never ships an update that bricks production servers (*cough*Exchange*cough*), so this is a perfect solution.
</SARCASM>
Sometimes I really wonder what happened to the Slashdot crowd's common sense.

--
/~mikeg