Hello!
Sorry if I am misplacing this post. I was tempted to place it on the Virtualmin forum, but then this is not strictly Virtualmin.
I installed LMD / Clamscan some years ago, which worked just fine on my Virtualmin (CentOS 6.9 at this time) machine … until two or three weeks ago, when maldetect was automatically upgraded from version 1.5 to version 1.6.
Now, whenever I start a malware scan, issuing, for example:
/usr/local/maldetect/maldet --scan-all /home
Maldet starts working, detecting ClamAV and stating it will use it for faster scanning, and about 60-100 seconds into the scan it just stops with a message stating that there was an error which could be seen in the log file.
Linux Malware Detect v1.6
(C) 2002-2017, R-fx Networks
(C) 2017, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(14040): {scan} signatures loaded: 12455 (9721 MD5 | 1951 HEX | 783 YARA | 0 USER)
maldet(14040): {scan} building file list for /home, this might take awhile…
maldet(14040): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(14040): {scan} file list completed in 2s, found 382025 files…
maldet(14040): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine…
maldet(14040): {scan} scan of /home (382025 files) in progress…
maldet(14040): {scan} clamscan returned an error, check /usr/local/maldetect/logs/clamscan_log for more details!
maldet(14040): {scan} scan completed on /home: files 382025, malware hits 0, cleaned hits 0, time 98s
maldet(14040): {scan} scan report saved, to view run: maldet --report 170410-1126.14040
I open the /usr/local/maldetect/logs/clamscan_log file and I can’t detect anything useful in there:
Apr 10 11:26:32 virtualmin01 clamscan start
Apr 10 11:26:32 virtualmin01 executed: /bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/clamdscan --fdpass --infected --no-summary -f /usr/local/maldetect/tmp/.find.14040
Apr 10 11:28:07 virtualmin01 clamscan end
Apr 10 11:28:07 virtualmin01 clamscan end
Then I inspect the /var/log/messages log and I find a ton of error messages like this one:
Apr 10 10:43:31 virtualmin01 clamd[12297]: lstat() failed on: /home/xxxxxxx/public_html/xxxxxxxxxx
(the xxx being just each home dir and the files inside it)
And at the end:
Apr 10 10:43:31 virtualmin01 rsyslogd-2177: imuxsock begins to drop messages from pid 12297 due to rate-limiting
(which I suspect is the event that cuts short and finally stops the scanning attempt)
At this point, I navigate into the /usr/local folder and I find the maldetect folder (with version 1.6 inside) and maldetect.bkxxxx (with the older version 1.5, xxxx being a randomly generated number, I suppose … at this time it was maldetect.bk13491).
I rename the newest maldetect to another folder name, and then I rename the maldetect 1.5 backup folder to maldetect and retry the scan, now using maldetect 1.5 instead of 1.6 … and it works like a charm, just as before.
Hence, the problem seems to be maldetect 1.6 while interacting with ClamAV, and I can't find any useful error in order to fix this (my Linux knowledge is very limited too). I would very much like to use the latest maldetect version, since the CHANGELOG is nice and extensive.
But also, after about 24 hours, the system automatically updates (again) my renamed folder to the new maldetect 1.6 version. So even if I were OK with keeping the 1.5 version, I would need to rename those folders almost every time I run the scan.
I did search the net for this kind of error, but I could not find even ONE other instance. Maybe someone in here can point me in the right direction.
Any help appreciated!
Enrique
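To make the flood of clamd messages described in the post easier to interpret, here is an added example (not part of the original post, nor of the maldet or ClamAV projects) that aggregates the lstat() failures per account directory under /home and checks whether rsyslog's rate-limiting notice refers to the same clamd pid. The log lines embedded in it are constructed to resemble the ones quoted above; they are not real data.

```shell
#!/bin/sh
# Constructed sample in the style of the /var/log/messages lines quoted in the post.
# In practice, feed the real file instead: lstat_failures_by_home < /var/log/messages
SAMPLE_LOG='Apr 10 10:43:31 virtualmin01 clamd[12297]: lstat() failed on: /home/alice/public_html/index.php
Apr 10 10:43:31 virtualmin01 clamd[12297]: lstat() failed on: /home/alice/public_html/wp-config.php
Apr 10 10:43:31 virtualmin01 clamd[12297]: lstat() failed on: /home/bob/public_html/index.html
Apr 10 10:43:31 virtualmin01 sshd[2001]: Accepted publickey for root from 192.0.2.10 port 50000 ssh2
Apr 10 10:43:31 virtualmin01 rsyslogd-2177: imuxsock begins to drop messages from pid 12297 due to rate-limiting'

# Read syslog lines on stdin; print "<account> <count>" for every top-level
# directory under /home on which clamd reported an lstat() failure.
# A cluster of failures per account usually means the scanning process
# cannot access that account's files at all (permissions or missing paths),
# rather than isolated broken files.
lstat_failures_by_home() {
    awk '
        /clamd\[[0-9]+\]: lstat\(\) failed on: / {
            path = $0
            sub(/.*lstat\(\) failed on: /, "", path)   # keep only the path (spaces allowed)
            n = split(path, parts, "/")                 # parts[2]="home", parts[3]=account
            if (n >= 3 && parts[2] == "home") counts[parts[3]]++
        }
        END { for (d in counts) printf "%s %d\n", d, counts[d] }' | sort
}

# Read syslog lines on stdin; print the clamd pid that both logged lstat()
# failures and was later rate-limited by rsyslog (exit 1 if there is none).
# This confirms the poster's suspicion that the "imuxsock begins to drop
# messages" event belongs to the very clamd process doing the scan.
rate_limited_clamd_pid() {
    awk '
        /clamd\[[0-9]+\]: lstat\(\) failed on: / {
            pid = $0; sub(/.*clamd\[/, "", pid); sub(/\].*/, "", pid); pids[pid] = 1
        }
        /imuxsock begins to drop messages from pid [0-9]+/ {
            for (i = 1; i < NF; i++) if ($i == "pid") dropped[$(i + 1)] = 1
        }
        END { for (p in pids) if (p in dropped) { print p; exit 0 }; exit 1 }'
}

# Demo against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | lstat_failures_by_home
printf '%s\n' "$SAMPLE_LOG" | rate_limited_clamd_pid || echo "no rate-limited clamd pid found"
```

Because rsyslog drops the remaining messages once rate-limiting kicks in, the counts are a lower bound; raising or disabling the imuxsock rate limit while troubleshooting gives the full picture.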