Don’t you just love it….

…when your working production system stops working because a developer
decides to send you a ‘stop working code’….

Starting clamav_clamd.
LibClamAV Warning: ***********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.     ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later. For more information see  www.clamav.net/eol-clamav-094 and www.clamav.net/download (length: 169)
LibClamAV Error: Problem parsing database at line 742
LibClamAV Error: Can't load daily.ndb: Malformed database
LibClamAV Error: cli_tgzload: Can't load daily.ndb
LibClamAV Error: Can't load /var/db/clamav/daily.cld: Malformed database
ERROR: Malformed database

Especially when you haven't upgraded because attempting to upgrade you get:

libtool: link: rm -f .libs/clamscan.nm .libs/clamscan.nmS .libs/clamscan.nmT
libtool: link: (cd .libs && cc -O2 -fno-strict-aliasing -pipe -c -fno-builtin "clamscanS.c")
libtool: link: rm -f ".libs/clamscanS.c" ".libs/clamscan.nm" ".libs/clamscan.nmS" ".libs/clamscan.nmT"
libtool: link: cc -O2 -fno-strict-aliasing -pipe -o .libs/clamscan output.o getopt.o optparser.o actions.o misc.o clamscan.o others.o manager.o  -L/usr/local/lib ../libclamav/.libs/libclamav.so -lbz2 -lz -lthr -Wl,-rpath -Wl,/usr/local/lib
../libclamav/.libs/libclamav.so: undefined reference to `gethostbyname_r'
*** Error code 1
1 error
*** Error code 1
1 error
*** Error code 2
1 error
*** Error code 1

Stop in /usr/ports/security/clamav.
*** Error code 1

Stop in /usr/ports/security/clamav.

Yes, I know you get what you pay for, but to stop catching viruses is one thing; killing my mail system is an entirely different issue..! Upgrading the OS on a production system is something that needs planning…! (and usually means it’s time to replace the hardware completely.)

For the non-techies reading… ClamAV is a free Anti-Virus system that is written as a community project. A ‘stop working code’ is a code that is specifically designed to stop a product working (usually after a specific time period etc). In my case all my mail servers (including the big SORBS spamtrap servers) are using ClamAV to filter out viruses from the mail stream. There was quite a controversy some years ago when ClamAV decided to add an ‘anti-phishing’ filter to the software without telling anyone.. since then I amongst a lot of others have been reluctant to upgrade to every ‘point release’ due to new ‘undocumented’ features screwing with my mail system.
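An added example, not part of the original post and not ClamAV's code: a check a staging host could run over a signature file in the .ndb layout before installing it, reporting entries whose hex field an engine would reject, as in the "Malformed hexstring" error above. The pattern grammar is a simplified assumption, and the sample entries are constructed.

```python
import re

# Simplified grammar for the hex-signature field of an .ndb entry
# (Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]). This is an
# assumption-level approximation, not ClamAV's own parser.
_TOKEN = re.compile(
    r"(?:[0-9a-fA-F?]{2}"        # one byte, or a nibble/byte wildcard
    r"|\*"                       # any number of bytes
    r"|\{(?:\d+|\d*-\d*)\}"      # {n}, {-n}, {n-}, {n-m}
    r"|\[\d+-\d+\]"              # [n-m] gap
    r"|!?\(|\||\))+"             # (aa|bb) alternatives, optionally negated
)

def find_malformed_ndb_lines(text):
    """Return [(line_no, name, reason)] for entries an engine could reject."""
    problems = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            problems.append((line_no, fields[0], "too few fields"))
            continue
        name, hexsig = fields[0], fields[3]
        if not _TOKEN.fullmatch(hexsig):
            problems.append((line_no, name, f"malformed hexstring (length: {len(hexsig)})"))
        elif hexsig.count("(") != hexsig.count(")"):
            problems.append((line_no, name, "unbalanced alternation"))
    return problems

def safe_to_deploy(text):
    """Gate for a staging host: only install a database with no bad lines."""
    return not find_malformed_ndb_lines(text)

# Constructed sample database; names and patterns are made up for this example.
# Line 3 carries the end-of-life text from the log above in the hex field.
EOL_TEXT = ("This ClamAV version has reached End of Life! Please upgrade to "
            "version 0.95 or later. For more information see  "
            "www.clamav.net/eol-clamav-094 and www.clamav.net/download")
SAMPLE_NDB = "\n".join([
    "Constructed.Sample-1:0:*:4d5a{4-8}50450000",
    "Constructed.Sample-2:1:0:e8??000000(5b|5d)c3*deadbeef",
    "Constructed.EOL-Notice:0:*:" + EOL_TEXT,
])

if __name__ == "__main__":
    for line_no, name, reason in find_malformed_ndb_lines(SAMPLE_NDB):
        print(f"line {line_no}: {name}: {reason}")
```

Running the same check on a staging copy of each update, and alerting when it fails, surfaces a database the production engine cannot load before the scanner daemon is restarted against it.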

The latest trick by the ClamAV developers seems to be ‘cause all the software to crash/shutdown’ and has been done with very little notice. I for one was in the middle of moving house today, and on my ‘most important’ system I have been attempting to upgrade for some time. I have been unable to date because the newer versions of the software make a call to a library function that does not exist on my system. The particular system has no ‘remote console’ so if I attempt to upgrade the OS (in Windows terms, formatting and reloading from CD) the machine will be dead to everyone unless I fly to Australia (Brisbane) and do it there myself!!!!

Anyway my message to all ClamAV users is simple.. you get what you pay for.. which means as it’s free, you get nothing of use. Trash it and switch to Sophos which will cost you money, but appears in testing to be one of the best on the market!

UPDATE: It appears from the many comments that I received in private that my statement about ‘you get what you pay for’ was made without any substantive research, and as such I have been made aware there are a number of free AV engines that do not suffer from the ‘you get what you pay for syndrome’. So my advice and a lesson for me is do your research, companies who provide free services/utilities do have strict controls on what happens with the code and are worth considering.

12 Replies to “Don’t you just love it….”

    1. Problem is I’m not subscribed – and even if I had, my main email address has been offline since Oct 2009 due to circumstances beyond my control. The real issue is the server needs an OS upgrade and until the devel code I am writing is finished and deployed it can’t be upgraded (it’s a production server.)

      Michelle

      PS: I have instructions on how to hack it to make it work on the old OS now thanks to a friend.

  1. Yep, it is a bit bad style and I can understand that you are annoyed. This could probably have been better announced in advance.
    But running a > 1 yr outdated virus scanner on a production machine isn’t really good either, right? And if you read their explanation then their only other option would have been to just stop delivering updates for the old engine, which would have meant effectively no protection and many admins not even noticing this. That would be more than annoying – dangerous that is to say.
    Thus I think it was better to cause the systems to break so that people notice it at least.

    This is a bit like with outdated spam RBLs. Despite warnings some people use them. At some point the only thing to get these admins to reconsider is to “list the entire world”. Then these admins do what they were supposed to do – look at what RBLs they use.

    Neither RBLs nor virus filters are “fire-and-forget” weapons. Yet too many use em like this. Don’t you agree?

    1. As an RBL maintainer I see your point, however I would have been happy for it to stop working in a fail open way. Most appliances (all the ones I have used in production) fail open if something goes wrong. Milters+Postfix temp fail when the Milter daemon goes away. If clamd barfed and quit but the milter logged warnings that it was ‘fail-open’ mode – no problem. Instead I lost mail because ClamD quit and so did ClamAV-Milter .. very bad form… same as listing the world.. very bad form and should only be done as a last resort.

      Michelle

  2. To be fair, if you’re running a production system(s) you should be monitoring the updates list out of ClamAV. They announced this several weeks ago…also you could’ve upgraded to the 0.95 series anytime in the last 12 months and been OK. It’s been in Ubuntu-backports for quite some time.

    Agreed I don’t see why Sourcefire thought it was a good idea to force daemons to shut down, but on the other hand there was truly ample time.

    1. If you read my post you’d see that I can’t upgrade (and I can tell you I have tried way back in July 2009)… Since Oct 2009 I haven’t had access to my main email so I wouldn’t have got the notifications even if I had been subscribed.
