ClamAV Forced Upgrade Breaks Email Servers
An anonymous reader writes "A couple of weeks ago Sourcefire announced end-of-life for version 0.94 of its free ClamAV antivirus package (and in fact has been talking about it for six months). The method that Sourcefire chose to retire 0.94 was to shut down the server that provided its service. Those who had failed to upgrade are scrambling now. Many systems have no choice but to disable virus checking in order to continue to process email. I am very glad I saw the announcement last week!"
The alternative was them not doing anything and then months later we see a story about how "ClamAV silently stops support. Virus outbreaks ensue."
And you didn't, and now are going to complain when shit doesn't work? Go fuck yourself.
Diagnostic-Code: smtp; /var/spool/amavisd/clamd.sock (Can't connect to UNIX socket /var/spool/amavisd/clamd.sock: No such file or directory) at (eval 55) line 310.
/usr/bin/clamscan unexpected exit 50, output="LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later.
451-4.5.0 Error in processing, id=02792-02, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x83d7540) Too many retries to talk to
ClamAV-clamscan av-scanner FAILED:
At least their error messages are descriptive and informative.
It exists for a reason.
"I use a Mac because I'm just better than you are."
This is what we get when we're all our own "netadmins". I'm one of them. I don't follow security lists. I don't upgrade my products. Why not? Because I'm not really a netadmin. I just have a little server that runs until it breaks. I think that's the difference between a netadmin and a fake netadmin -- a fake netadmin like me reacts. A real netadmin is proactive.
Which honestly, as pathetic as it sounds on the surface, works fairly well when your data and uptime don't matter. It's not pathetic, because I have better things to do with my time than "run the family webserver".
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
People with critical servers that don't have fallback configurations to handle this kind of thing deserve to have their servers shut down.
I've been using 0.95 for some time now, so none of my servers were affected, but even if they were, my servers are smart enough not to interrupt the services and to notify me.
It is really disgusting the way people build servers these days. They think all they need to do is to install a couple packages, change a couple config lines and boom, the server is ready. They are getting what they asked for when stuff like this happens.
morcego
The method SourceFire chose to use was to encode a kill command in the ClamAV updates. If they had simply "shut down the [update] server" ClamAV would have continued to work, just without new signatures.
See their announcement at http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/
/~mikeg
Should have switched to Norton. They would have had weeks of impossible-to-ignore yellow and black pop-ups demanding their credit card number as ample warning...
Those freetards just don't understand the valuable features provided by quality proprietary software.
End of Life Announcement: ClamAV 0.94.x
Oct 5, 2009
All ClamAV releases older than 0.95 are affected by a bug in freshclam which prevents incremental updates from working with signatures longer than 980 bytes.
You can find more details on this issue on our bugzilla (see bug #1395).
This move is needed to push more people to upgrade to 0.95.
We would like to keep on supporting all old versions of our engine, but unfortunately this is no longer possible without causing a disservice to people running a recent release of ClamAV.
The traffic generated by a full CVD download, as opposed to an incremental update, cannot be sustained by our mirrors.
We plan to start releasing signatures which exceed the 980-byte limit in May 2010.
We recommend that you always run the latest version of ClamAV to get optimal protection, reliability and performance.
Thanks for your cooperation!
When they are exceedingly attractive, female, not married, and expressing interest, I do.
It wasn't the server going away. They delivered an update designed to kill it.
The Windows equivalent would be Microsoft delivering a critical update for XP designed to disable Windows, because you haven't updated to Vista yet.
In other words, they used the automatic update service against their own users.
From now on, my recommended course of action is that all mail administrators running clamav should REMOVE or DISABLE any automatic updates of ClamAV rules, and make sure to comment out any crontab entries for freshclam.
Until the developers can either grow up and stop doing stupid shit such as abusing auto-updates to disable their own product.
Or do what they should do... include a method for automatically applying version updates.
Or force auto version update instead of disabling.
SUPPORT WILL END does not imply killing instances in production. It implies you stop delivering support services (such as tech support or new updates).
How would you feel if the Ubuntu folks delivered a 'security update' to Ubuntu 8.x to disable your system entirely, until you can get a chance to go install a non-EOL'd major release of your OS?
How about all those Windows Vista users who haven't upgraded to Windows 7?
Firefox 2 users who haven't upgraded to 3.
Users who are still using IE6.
Would users trust the vendors anymore with auto-updates, if they all released updates to 'kill the old product' in order to force you to manually do a clean upgrade?
As someone who was bitten by the issue (yeah, I'll man up and admit it - my company's mail server went wonky for about a half hour while I upgraded) I agree -- they pretty much did the right thing.
There was plenty of notice -- The fact that many of us weren't on the clamav-announce list is OUR fault, not theirs.
A kill command may not be the most "polite" way of retiring an old version of software, but for a free service I certainly don't expect them to invest huge amounts of time and money in figuring out how to support the old stuff forever.
/~mikeg
I just tried to update:
... /var/lib/clamav/daily.cld: Malformed database
:(
# cat /etc/debian_version
5.0.4
aptitude output during update:
Setting up clamav-daemon (0.94.dfsg.2-1lenny2)
Starting ClamAV daemon: clamd LibClamAV Warning:
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning:
LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later. For more information see www.clamav.net/eol-clamav-094 and www.clamav.net/download (length: 169)
LibClamAV Error: Problem parsing database at line 742
LibClamAV Error: Can't load daily.ndb: Malformed database
LibClamAV Error: cli_tgzload: Can't load daily.ndb
LibClamAV Error: Can't load
ERROR: Malformed database
It appears debian repositories also need to be updated.
NOTE: I removed the * (star) chars from the warnings due to junk filter.
This space is not for rent.
Be careful, though. Natalie Portman might pour hot grits on you.
Where do I sign up sir?
With a name like ClamAV, my bet would be the Scientologists.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
First you complain when Microsoft releases an update that won't install on compromised systems because it would break them entirely.
Now ClamAV is put in a similar position. They have three choices due to the bug in 0.94:
1. Continue supporting 0.94, flood out their update servers with full updates since incrementals won't work with that version much longer.
2. Stop supporting 0.94, leaving users who don't know to update basically unprotected.
3. Send a clear message to users who haven't updated that their antivirus solution is now broken and they need to upgrade.
To me, 3 is the obvious choice. If this was a paid solution or if it cost a fucking dime to upgrade I might see a point to complaining, but to anyone who was still using 0.94 just man the fuck up, apt-get update, apt-get upgrade, and get on with it.
This is not like Microsoft disabling XP to get you to upgrade to Vista, this is more comparable to an aircraft with faulty parts being grounded by the FAA. Those using 0.94 were doomed to a broken solution one way or another, they could not continue using it and expect it to do its job, so they needed a kick in the ass to upgrade.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
A lot of server stuff in Linux works so well that you can even forget that it is running at all, for years. ClamAV is that kind of software: you install/configure it, set the automatic signature updates, and forget that it is there. But still, some periodic checks in the logs that everything is working as expected is good, even if it is just some artificial ignorance well applied, especially when clamav started warning about this months ago.
"ClamAV forced upgrade breaks email servers" should read "Failure to upgrade despite six months warning breaks email servers" or "Inattentive server admins cause massive downtime".
Nice FUD. The new DB will break it anyway... and YES, Microsoft does this.
They crafted a DB update that used that bug to deliver a message so the logs showed you what happened instead of a "seg fault - error in line 45867".
Do not look at laser with remaining good eye.
From now on, my recommended course of action is that all mail administrators running clamav should REMOVE or DISABLE any automatic updates of ClamAV rules, and make sure to comment out any crontab entries for freshclam.
<SARCASM>
Mmhmm, yes. I agree 1000%. Don't update your virus signatures. Because ya know, new viruses don't get created very often. You can run with signatures over a year old and still have great protection!
</SARCASM>
Or do what they should do... include a method for automatically applying version updates.
Or force auto version update instead of disabling.
<SARCASM>
Yes, because distributing software for several versions of Free/Net/OpenBSD, each Linux distribution, Windows, Solaris, AIX, HP-UX, etc. is totally feasible for a free project.
It's not like they would have to fund the time, equipment and distribution bandwidth for that, or have to deal with irate admins screaming about how ClamAV breaks their change control policies by automatically installing binaries on production servers.
And software with automatic updates never ships an update that bricks production servers (*cough*Exchange*cough*), so this is a perfect solution.
</SARCASM>
Sometimes I really wonder what happened to the Slashdot crowd's common sense.
/~mikeg
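The "servers smart enough not to interrupt the services and to notify me" remark earlier in the thread and the disagreement here over disabling freshclam both come down to the same control: keep signature updates flowing, but notice when clamd can no longer load its database, so that the failure surfaces as an alert rather than as mail backing up or being delivered unscanned. The following shell script is an added example, not code from the thread or from the ClamAV project. It classifies clamd log output using the messages quoted in this thread; the log path, the alert recipient, the function names and the sample log text are all assumptions or constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread or from ClamAV): classify clamd log output
# and turn a database-load failure into an exit code that cron or a monitoring
# agent can act on. Assumed log path and placeholder recipient below.

CLAMD_LOG="${CLAMD_LOG:-/var/log/clamav/clamav.log}"   # assumed location
ALERT_TO="${ALERT_TO:-postmaster@example.invalid}"     # placeholder address

# Sample log text, constructed from the messages quoted in the thread.
SAMPLE_EOL="LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later.
LibClamAV Error: Can't load daily.ndb: Malformed database
ERROR: Malformed database"
SAMPLE_OUTDATED="LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***"
SAMPLE_OK="Database correctly reloaded (12345 signatures)"

# clamd_db_state: reads clamd log text on stdin and prints one word.
#   eol       - the engine rejected its database because the version is End of Life
#   malformed - the database failed to load for some other reason
#   outdated  - the engine is old but its database still loaded
#   ok        - none of the above was seen
# The EOL check runs first because the EOL message is itself delivered as a
# malformed database entry, so both strings appear together.
clamd_db_state() {
    _log=$(cat)
    if printf '%s\n' "$_log" | grep -q 'reached End of Life'; then
        echo eol
    elif printf '%s\n' "$_log" | grep -q 'Malformed database'; then
        echo malformed
    elif printf '%s\n' "$_log" | grep -q 'engine is outdated'; then
        echo outdated
    else
        echo ok
    fi
}

# clamd_db_severity: maps a state to an exit code for cron/monitoring.
#   0 = healthy, 1 = warning (upgrade soon), 2 = critical (scanning is down)
clamd_db_severity() {
    case "$1" in
        ok)       return 0 ;;
        outdated) return 1 ;;
        *)        return 2 ;;
    esac
}

# check_clamd_log: inspect the tail of the real log and mail on a critical state.
# Returns the severity code so the caller (cron, a monitoring check) sees it too.
check_clamd_log() {
    _state=$(tail -n 200 "$CLAMD_LOG" 2>/dev/null | clamd_db_state)
    _rc=0
    clamd_db_severity "$_state" || _rc=$?
    if [ "$_rc" -eq 2 ] && command -v mail >/dev/null 2>&1; then
        printf 'clamd database state: %s (scanning is down)\n' "$_state" \
            | mail -s "ClamAV database failure on $(hostname)" "$ALERT_TO"
    fi
    return "$_rc"
}

# Stand-alone demonstration against the constructed sample log.
_demo_state=$(printf '%s\n' "$SAMPLE_EOL" | clamd_db_state)
_demo_rc=0
clamd_db_severity "$_demo_state" || _demo_rc=$?
echo "sample log: state=$_demo_state severity=$_demo_rc"
```

Run from cron (for example every half hour) as `check_clamd_log`, this keeps freshclam in place while still giving the administrator the notification the earlier commenter describes; the exit code of 2 is what a monitoring agent would treat as "mail scanning is down", which is the condition that matters operationally, whether the cause is an EOL marker like this one or any other broken database.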
You really should use the volatile repository. It provides updated versions of packages that are required to change (like antivirus), compiled for stable. You end up with stable + required updates.
I'm likely to be modded down by open source zealots, but using Clamav solely to protect Windows PCs from malware spread by e-mail is insane. ClamAV has one of the lowest malware detection rates amongst other commercial AV solutions. I tested my own sample of around 140 new viruses found on different Windows PCs during the last six months and ClamAV could detect only 70 of them. That's ridiculous ... and fearful, to say the least.