No Package Updates for ClamAV #1342

Open
jktrndd opened this issue Aug 19, 2024 · 10 comments

@jktrndd

jktrndd commented Aug 19, 2024

Cannot upgrade the ClamAV by installing the rpm package locally.

1. ClamAV version, settings and system details:
On the command line, run:

<username & machine name>:~> clamconf -n
Checking configuration files in /etc

Config file: clamd.conf

LogFile = "/var/log/clamd.log"
LogFileMaxSize = "2097152"
LogTime = "yes"
LogSyslog = "yes"
LogFacility = "LOG_MAIL"
LogRotate = "yes"
PidFile = "/run/clamav/clamd.pid"
LocalSocket = "/run/clamav/clamd-socket"
TCPSocket = "3310"
TCPAddr = "127.0.0.1"
User = "vscan"

Config file: freshclam.conf

LogFileMaxSize = "104857600"
LogTime = "yes"
LogSyslog = "yes"
LogFacility = "LOG_MAIL"
LogRotate = "yes"
PidFile = "/run/clamav/freshclam.pid"
UpdateLogFile = "/var/log/freshclam.log"
DatabaseMirror = "database.clamav.net"

Config file: clamav-milter.conf

LogSyslog = "yes"
LogFacility = "LOG_MAIL"
PidFile = "/run/clamav/clamav-milter.pid"
User = "vscan"
ClamdSocket = "unix:/run/clamav/clamd-socket"
MilterSocket = "/run/clamav/clamav-milter-socket"

Software settings

Version: 0.103.11
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV RAR

Database information

Database directory: /var/lib/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 08:32:42 2021
daily.cld: version 27371, sigs: 2065716, built on Sun Aug 18 04:38:12 2024
bytecode.cld: version 335, sigs: 86, built on Tue Feb 27 10:37:24 2024
Total number of signatures: 8713229

Platform information

uname: Linux 4.12.14-122.222-default #1 SMP Tue Jul 9 16:14:33 UTC 2024 (6108cdd) x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0axxxxxxxx000000000xxxxx

Build information

GNU C: 12.3.0 (12.3.0)
CPPFLAGS:
CFLAGS: -fmessage-length=0 -grecord-gcc-switches -fstack-protector -O2 -Wall -D_FORTIFY_SOURCE=2 -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -fstack-protector -DFP_64BIT -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -fmessage-length=0 -grecord-gcc-switches -fstack-protector -O2 -Wall -D_FORTIFY_SOURCE=2 -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -fstack-protector
LDFLAGS:
Configure: '--prefix=/usr' '--libdir=/usr/lib64' '--mandir=/usr/share/man' '--sysconfdir=/etc' '--disable-clamav' '--disable-static' '--with-dbdir=/var/lib/clamav' '--with-user=vscan' '--with-group=vscan' '--enable-milter' '--enable-check' '--enable-clamdtop' '--disable-timestamps' '--disable-yara' 'CXX=g++-12' 'CXXFLAGS=-fmessage-length=0 -grecord-gcc-switches -fstack-protector -O2 -Wall -D_FORTIFY_SOURCE=2 -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -fstack-protector' 'CC=gcc-12' 'CFLAGS=-fmessage-length=0 -grecord-gcc-switches -fstack-protector -O2 -Wall -D_FORTIFY_SOURCE=2 -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -fstack-protector -DFP_64BIT' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience
sizeof(void*) = 8
Engine flevel: 132, dconf: 132

2. Provide the specific steps needed to reproduce the issue
We tried upgrading ClamAV by locally installing the downloaded package clamav-1.3.1.linux.x86_64.rpm from the official site: https://www.clamav.net/downloads.
When locally installing the file using zypper, we get the error below, which is a risk and not a recommended action based on security measures.

Command:

zypper in ./clamav-1.3.1.linux.x86_64.rpm

Package header is not signed!

clamav-1.3.1-1.x86_64 (Plain RPM files cache): Signature verification failed [6-File is unsigned]
Abort, retry, ignore? [a/r/i] (a): a
Problem occurred during or after installation or removal of packages:
Installation aborted by user

We did push my testing even further and tried to get past the installation without prompts; however, it broke the freshclam and clamd services, which are important.
There were so many missing directories and files that adding them back by copying the contents and permissions on a working server DID NOT resolve the issue.

Command:

rpm -Uvh clamav-1.3.1.linux.x86_64.rpm


Errors:

@micahsnyder
Contributor

@jktrndd The clamav packages that we provide differ from most packages provided by Linux distributions. https://docs.clamav.net/manual/Installing.html#installing-with-an-installer

Our install path is under /usr/local. This may be the same depending on your system.
Our database directory is under /usr/local/share/clamav. Some distributions will put it under /var/lib/clamav.
Our config directory is under /usr/local/etc/clamav. Some distributions will put it under /etc/clamav. We also don't provide pre-configured config files. You may need to create your own or else copy from your previous install.

I don't recall if our packages include systemd service files, and the ones that may be on your system from your previous install might point to the wrong directories for things.

@jktrndd
Author

jktrndd commented Sep 12, 2024

Hello, we downloaded both the sig and rpm package from the official ClamAV site: https://www.clamav.net/downloads and installed the package under /usr/local

rpm -ivh clamav-1.3.0.linux.x86_64.rpm

Configured the files below. Please refer to the attachment for the file content.

/etc/freshclam.conf
/etc/clamd.conf

Initialized the malware database:

systemctl start freshclam

Error:

systemctl enable freshclam

systemctl status freshclam

ERROR: This tool requires libclamav with functionality level 211 or higher (current f-level: 200)

journalctl -xe


Check status after running freshclam:

freshclam *wait for 10-15 mins

ERROR: Can't open /var/log/freshclam.log in append mode (check permissions!). ERROR: Problem with internal logger (UpdateLogFile = /var/log/freshclam.log). ERROR: initialize: libfreshclam init failed. ERROR: Initialization error!

The same error is observed when trying to start clamd service.

Start and enable the service clamd:

systemctl start clamd

systemctl enable clamd

Check the status of the service clamd with:

systemctl status clamd

ERROR: This tool requires libclamav with functionality level 211 or higher (current f-level: 200)


Note: We did not use the latest version 1.4.1, since it requires a higher version of glibc, which is not available on our system.

Error:


@micahsnyder
Contributor

ERROR: This tool requires libclamav with functionality level 211 or higher (current f-level: 200)

This error means that there is a mismatch between the freshclam version and the libclamav version. We use "functionality level" to compare versions for this sort of situation and also for determining if features used in signatures are supported by the current version. You can cross-reference them here.

In this case:

  • freshclam's functionality level is 211 which equals clamav 1.4.1.
  • libclamav's functionality level is 200 which equals clamav 1.3.0.

So it seems like you do have (some of) 1.4.1 still installed and the service is running that freshclam instead of the 1.3.0 version.

Best bet may be to try to remove all clamav programs and libraries and then install again.

@jktrndd
Author

jktrndd commented Sep 12, 2024

Hello, we just want to clarify that we didn't use the latest version 1.4.1 during testing, since it requires a higher version of glibc, which is not available on our system. Does it still have a mismatch error? Because both errors show that the current f-level is 200.

ERROR: This tool requires libclamav with functionality level 211 or higher (current f-level: 200)

Can you show us the mismatch between the freshclam version and libclamav version so we can better understand? Thank you

@micahsnyder
Contributor

This tool

freshclam

requires libclamav with functionality level 211 or higher

requires libclamav version 1.4.1 or higher

(current f-level: 200)

current libclamav found says it is version 1.3.0

@micahsnyder
Contributor

If it helps any, this is how the check works in the code:

int check_flevel(void)
{
    if (cl_retflevel() < CL_FLEVEL) {
        fprintf(stderr, "ERROR: This tool requires libclamav with functionality level %u or higher (current f-level: %u)\n", CL_FLEVEL, cl_retflevel());
        return 1;
    }
    return 0;
}

Ref: https://github.com/Cisco-Talos/clamav/blob/main/common/misc.c#L185-L192

The check_flevel() function is called at the very start of freshclam: https://github.com/Cisco-Talos/clamav/blob/main/freshclam/freshclam.c#L1660

The check_flevel() function is a part of ClamAV's "common" library which gets statically linked into freshclam and other ClamAV programs. CL_FLEVEL is a #define macro so it is hardcoded in that function, and is that first number "211" translating to version 1.4.1. So it is definitively freshclam version 1.4.1 that is running.
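
As an added example (not part of the thread and not ClamAV project code), the shell helper below reads the check_flevel() error line and `ldd` output to report which freshclam build is running against which libclamav. The error line is the one quoted above; the binary path, `ldd` output and function names are constructed for illustration, and the f-level table holds only the two pairs stated in this thread.

```shell
#!/bin/sh
# Constructed sample inputs (paths and ldd output are illustrative, not from the issue).
SAMPLE_ERR='ERROR: This tool requires libclamav with functionality level 211 or higher (current f-level: 200)'
SAMPLE_BIN='/usr/local/bin/freshclam'
SAMPLE_LDD='    libclamav.so.12 => /usr/local/lib64/libclamav.so.12 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'

# Map an f-level to a release; only the two pairs stated in the thread are known here.
flevel_to_version() {
    case "$1" in
        211) echo "1.4.1" ;;
        200) echo "1.3.0" ;;
        *)   echo "unknown" ;;
    esac
}

# Print "<required> <current>" taken from the check_flevel() error line, or nothing.
parse_flevel_error() {
    printf '%s\n' "$1" | sed -n \
        's/.*functionality level \([0-9][0-9]*\) or higher (current f-level: \([0-9][0-9]*\)).*/\1 \2/p'
}

# Print the path the loader resolved for libclamav in ldd output, or nothing.
libclamav_path() {
    printf '%s\n' "$1" | awk '$1 ~ /^libclamav\.so/ && $2 == "=>" { print $3; exit }'
}

# $1 = error line, $2 = path of the binary that printed it, $3 = its ldd output.
diagnose() {
    set -- "$1" "$2" "$3" $(parse_flevel_error "$1")
    [ $# -eq 5 ] || { echo "no f-level error found"; return 1; }
    lib=$(libclamav_path "$3")
    echo "tool=$2 built-for=$(flevel_to_version "$4") lib=${lib:-none} lib-is=$(flevel_to_version "$5")"
}

# Live use: pass the real error line, "$(command -v freshclam)" and "$(ldd "$(command -v freshclam)")".
diagnose "$SAMPLE_ERR" "$SAMPLE_BIN" "$SAMPLE_LDD"
```

A `built-for` release newer than `lib-is` means the running binary and the resolved library come from different installs; `rpm -qf` on both paths shows which package, if any, owns each.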

@jktrndd
Author

jktrndd commented Sep 20, 2024

This is noted. We'll check on this.

Also, may we know if we can use this ClamAV version 0.103.12-3.33.1? Does this have the same EOL that will expire on September 14, 2024?

@micahsnyder
Contributor

The Sept 14, 2024 EOL date for 0.103 means that my team will no longer create bug patch or security patch versions for 0.103. If a security bug that affects 0.103 is discovered, third party distributions may still backport fixes for the 0.103 release, but we won't.

In ~1 year (Sept 14, 2025) we expect to block the 0.103 release from downloading signatures. At that time you'll need to upgrade to a supported version to keep using ClamAV.

In short, you may continue using 0.103.12 until Sept 14, 2025.

Full details on our EOL policy are here: https://docs.clamav.net/faq/faq-eol.html#version-support-matrix

@jktrndd
Author

jktrndd commented Sep 20, 2024

Just to confirm, is 0.103.12 version still part of the expected EOL last September 14, 2024? Or is there an exception for this particular version for the EOL?

@micahsnyder
Contributor

Yes, 0.103.12 is a patch version for the 0.103 LTS release. It is still affected by 0.103 EOL, but it will be functional until at least Sept-14 2025.
