Fix for ClamAV Outage

How to fix the recent ClamAV problem

Latest Information

Update 2018-01-26 20:25 UTC: There is an official announcement by the ClamAV team on the ClamAV® blog.

Update 2018-01-26 18:51 UTC: We have new ClamAV packages that both upgrade to version 0.99.3 and fix the file descriptor leak problem. If you are running our Debian appliance, you can get the latest pacakages by running this command:

apt-get update; apt-get install clamav clamav-base clamav-daemon clamav-freshclam libclamav7

If the update asks if you want to use the maintainer configuration files, select No - Keep current configuration files.

NOTE: Because ClamAV takes a while to start up, you may get this error:
E: Sub-process /usr/bin/dpkg returned an error code (1)
To fix it, simply run the command apt-get -f install a few times until the result is 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

There may be many leftover directories in /tmp whose names begin with clamav-. You should delete them all as follows:

/etc/init.d/clamav-daemon stop; rm -rf /tmp/clamav-*; /etc/init.d/clamav-daemon start

Older Information

Update 2018-01-26 18:10 UTC: The ClamAV developers have released a new signature database that fixes the problem. You should no longer need to perform the following steps. To be prudent, please run freshclam to make sure you have the latest signature database.

Problem Description

Update 2018-01-26 15:48 UTC: A recent signature update from the ClamAV development team badly broke ClamAV, causing it to leak resources and essentially grind to a halt. There is currently no patch or updated signature database available. However, you can work around the problem by removing the bad signature.

To remove the bad signature from the ClamAV database, follow these instructions. NOTE: Paths are for our Debian appliance.

  1. Run the following command to disable the bad signature:
    echo Vbs.Downloader.Generic-6431223-0 >> /var/lib/clamav/local.ign2  
  2. Restart ClamAV: /etc/init.d/clamav-daemon restart
  3. Edit the file /etc/mail/canit/
  4. If the following two lines are commented out, uncomment them so they read as below:
    $Features{'Virus:CLAMD'} = '/usr/sbin/clamd';
    $ClamdSock = '/var/spool/MIMEDefang/clamd.sock';
  5. If the following line is not commented out, we recommend commenting it out. Falling back on the command-line scanner is a bad idea:
    #$Features{'Virus:CLAMAV'} = '/usr/bin/clamscan';
  6. Run the command md-mx-ctrl reread

Perform these steps on all CanIt scanners.