freshclam AV stops updating on my ReadyNAS

There's a much longer thread on this here: https://community.netgear.com/t5/Using-your-ReadyNAS-in-Business/Antivirus-scanner-definition-file-u...

If you have ssh enabled, you could try manually editing /etc/freshclam.conf as described here: https://community.netgear.com/t5/Using-your-ReadyNAS-in-Business/Antivirus-scanner-definition-file-u... It'd be useful to know if it solves the problem.

Hi @StephenB 

Thanks for the tip!

I have implemented your suggestion

"If you have ssh enabled, you could try manually editing /etc/freshclam.conf as described here: https://community.netgear.com/t5/Using-your-ReadyNAS-in-Business/Antivirus-scanner-definition-file-u... It'd be useful to know if it solves the problem."

TestDatabases=false is set in my /etc/freshclam.conf.

I ran freshclam -v after setting the above and it ran successfully as noted below

I have rebooted the ReadyNAS and will now monitor if the change resolves the problem

@StephenB, The AV has updated twice since TestDatabases=false is set in my /etc/freshclam.conf.

So far so good...

Good to hear.  Hopefully it will continue to work ok.

Hi @StephenB 

I checked again today (Feb 16) and the AV has not updated fince Feb 11 so sadly the change TestDatabases=false setting in my /etc/freshclam.conf has failed to rectify or workaround the issue as seen in the log below

I ran freshclam -v which ran successfully and my AV updated to 59.26081 from 59.26076 though there are some interesting messages highlighted below

Freshclam seems to have disabled the AV and did not re-enable it.  This has not happened in the past.  Any thoughts?

I manually enabled AV successfully as noted belowNow back to the successful running of Freshclam.  These details are noted below.  Nothing unusual execpt for the warning in red text at the end.

ClamAV update process started at Tue Feb 16 11:18:32 2021
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1349
Software version from DNS: 0.103.1
main.cvd version from DNS: 59
main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
daily.cvd version from DNS: 26081
Retrieving http://database.clamav.net/daily-26077.cdiff
Trying to download http://database.clamav.net/daily-26077.cdiff (IP: 104.16.219.84)
Downloading daily-26077.cdiff [100%]
cdiff_apply: Parsed 10182 lines and executed 10182 commands
Retrieving http://database.clamav.net/daily-26078.cdiff
Trying to download http://database.clamav.net/daily-26078.cdiff (IP: 104.16.219.84)
Downloading daily-26078.cdiff [100%]
cdiff_apply: Parsed 11731 lines and executed 11731 commands
Retrieving http://database.clamav.net/daily-26079.cdiff
Trying to download http://database.clamav.net/daily-26079.cdiff (IP: 104.16.219.84)
Downloading daily-26079.cdiff [100%]
cdiff_apply: Parsed 11600 lines and executed 11600 commands
Retrieving http://database.clamav.net/daily-26080.cdiff
Trying to download http://database.clamav.net/daily-26080.cdiff (IP: 104.16.219.84)
Downloading daily-26080.cdiff [100%]
cdiff_apply: Parsed 10313 lines and executed 10313 commands
Retrieving http://database.clamav.net/daily-26081.cdiff
Trying to download http://database.clamav.net/daily-26081.cdiff (IP: 104.16.219.84)
Downloading daily-26081.cdiff [100%]
cdiff_apply: Parsed 10297 lines and executed 10297 commands
Loading signatures from daily.cld
Properly loaded 4010384 signatures from new daily.cld
daily.cld updated (version: 26081, sigs: 4051203, f-level: 63, builder: raynman)
Querying daily.26081.93.1.0.6810DB54.ping.clamav.net
Can't query daily.26081.93.1.0.6810DB54.ping.clamav.net
bytecode.cvd version from DNS: 331
bytecode.cld is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Database updated (8616199 signatures) from database.clamav.net (IP: 104.16.219.84)
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl: No such file or directory

I have searched the file system and indeed clamd.ctl does not exist anywhere on the file system.

Any thoughts on the missing clamd.ctl?

Cheers Rob

Just FYI re WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl: No such file or directory

Subsequent to the update (quoted below) I have discovered that "/var/run/clamav/clamd.ctl" was created after I enabled AV so I suspect this isnot a contributer to the AV not updating. 

Freshclam when run from root in an SSH session sems to update AV however the AV seems to stop updating after a period of time.

---

@scrjs wrote:

Hi @StephenB 

I checked again today (Feb 16) and the AV has not updated fince Feb 11 so sadly the change TestDatabases=false setting in my /etc/freshclam.conf has failed to rectify or workaround the issue as seen in the log below

 

 

I ran freshclam -v which ran successfully and my AV updated to 59.26081 from 59.26076 though there are some interesting messages highlighted below

Freshclam seems to have disabled the AV and did not re-enable it.  This has not happened in the past.  Any thoughts?

I manually enabled AV successfully as noted belowNow back to the successful running of Freshclam.  These details are noted below.  Nothing unusual execpt for the warning in red text at the end.

 

ClamAV update process started at Tue Feb 16 11:18:32 2021
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1349
Software version from DNS: 0.103.1
main.cvd version from DNS: 59
main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
daily.cvd version from DNS: 26081
Retrieving http://database.clamav.net/daily-26077.cdiff
Trying to download http://database.clamav.net/daily-26077.cdiff (IP: 104.16.219.84)
Downloading daily-26077.cdiff [100%]
cdiff_apply: Parsed 10182 lines and executed 10182 commands
Retrieving http://database.clamav.net/daily-26078.cdiff
Trying to download http://database.clamav.net/daily-26078.cdiff (IP: 104.16.219.84)
Downloading daily-26078.cdiff [100%]
cdiff_apply: Parsed 11731 lines and executed 11731 commands
Retrieving http://database.clamav.net/daily-26079.cdiff
Trying to download http://database.clamav.net/daily-26079.cdiff (IP: 104.16.219.84)
Downloading daily-26079.cdiff [100%]
cdiff_apply: Parsed 11600 lines and executed 11600 commands
Retrieving http://database.clamav.net/daily-26080.cdiff
Trying to download http://database.clamav.net/daily-26080.cdiff (IP: 104.16.219.84)
Downloading daily-26080.cdiff [100%]
cdiff_apply: Parsed 10313 lines and executed 10313 commands
Retrieving http://database.clamav.net/daily-26081.cdiff
Trying to download http://database.clamav.net/daily-26081.cdiff (IP: 104.16.219.84)
Downloading daily-26081.cdiff [100%]
cdiff_apply: Parsed 10297 lines and executed 10297 commands
Loading signatures from daily.cld
Properly loaded 4010384 signatures from new daily.cld
daily.cld updated (version: 26081, sigs: 4051203, f-level: 63, builder: raynman)
Querying daily.26081.93.1.0.6810DB54.ping.clamav.net
Can't query daily.26081.93.1.0.6810DB54.ping.clamav.net
bytecode.cvd version from DNS: 331
bytecode.cld is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Database updated (8616199 signatures) from database.clamav.net (IP: 104.16.219.84)
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl: No such file or directory

I have searched the file system and indeed clamd.ctl does not exist anywhere on the file system.

Any thoughts on the missing clamd.ctl?

 

Cheers Rob

 

---

---

@scrjs wrote:

Hi @StephenB 

I checked again today (Feb 16) and the AV has not updated fince Feb 11 so sadly the change TestDatabases=false setting in my /etc/freshclam.conf has failed to rectify or workaround the issue as seen in the log below

 

 

I ran freshclam -v which ran successfully and my AV updated to 59.26081 from 59.26076 though there are some interesting messages highlighted below

Freshclam seems to have disabled the AV and did not re-enable it.  This has not happened in the past.  Any thoughts?

I manually enabled AV successfully as noted belowNow back to the successful running of Freshclam.  These details are noted below.  Nothing unusual execpt for the warning in red text at the end.

 

ClamAV update process started at Tue Feb 16 11:18:32 2021
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1349
Software version from DNS: 0.103.1
main.cvd version from DNS: 59
main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
daily.cvd version from DNS: 26081
Retrieving http://database.clamav.net/daily-26077.cdiff
Trying to download http://database.clamav.net/daily-26077.cdiff (IP: 104.16.219.84)
Downloading daily-26077.cdiff [100%]
cdiff_apply: Parsed 10182 lines and executed 10182 commands
Retrieving http://database.clamav.net/daily-26078.cdiff
Trying to download http://database.clamav.net/daily-26078.cdiff (IP: 104.16.219.84)
Downloading daily-26078.cdiff [100%]
cdiff_apply: Parsed 11731 lines and executed 11731 commands
Retrieving http://database.clamav.net/daily-26079.cdiff
Trying to download http://database.clamav.net/daily-26079.cdiff (IP: 104.16.219.84)
Downloading daily-26079.cdiff [100%]
cdiff_apply: Parsed 11600 lines and executed 11600 commands
Retrieving http://database.clamav.net/daily-26080.cdiff
Trying to download http://database.clamav.net/daily-26080.cdiff (IP: 104.16.219.84)
Downloading daily-26080.cdiff [100%]
cdiff_apply: Parsed 10313 lines and executed 10313 commands
Retrieving http://database.clamav.net/daily-26081.cdiff
Trying to download http://database.clamav.net/daily-26081.cdiff (IP: 104.16.219.84)
Downloading daily-26081.cdiff [100%]
cdiff_apply: Parsed 10297 lines and executed 10297 commands
Loading signatures from daily.cld
Properly loaded 4010384 signatures from new daily.cld
daily.cld updated (version: 26081, sigs: 4051203, f-level: 63, builder: raynman)
Querying daily.26081.93.1.0.6810DB54.ping.clamav.net
Can't query daily.26081.93.1.0.6810DB54.ping.clamav.net
bytecode.cvd version from DNS: 331
bytecode.cld is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Database updated (8616199 signatures) from database.clamav.net (IP: 104.16.219.84)
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl: No such file or directory

I have searched the file system and indeed clamd.ctl does not exist anywhere on the file system.

Any thoughts on the missing clamd.ctl?

 

Cheers Rob

 

---

---

@scrjs wrote:

I have discovered that "/var/run/clamav/clamd.ctl" was created after I enabled AV so I suspect this isnot a contributer to the AV not updating. 

 

Freshclam when run from root in an SSH session sems to update AV however the AV seems to stop updating after a period of time.

My understanding from other forums is that clamd.ctl should be created when the service is started, so that's consistent with your experience.

Any thoughts on how long it takes for AV to stop updating?  Are you getting a notice that the update is failing?  If not, has the service crashed?

Hi @StephenB 

Thanks again

"Any thoughts on how long it takes for AV to stop updating?"

In this case it updated twice then stopped.

"Are you getting a notice that the update is failing?"

No I am not getting any notification.  Wish I was - any ideas?

"If not, has the service crashed?"

I did not check and your correct I should have done that. When I login to the UI it shows as enabled for what that is worth.

I presume I look for a clamavd running?  Can you confirm what I should look for?

@StephenB 

Futher to my previous update

---

@scrjs wrote:

Hi @StephenB 

Thanks again

 

"Any thoughts on how long it takes for AV to stop updating?"

In this case it updated twice then stopped.

 

"Are you getting a notice that the update is failing?"

No I am not getting any notification.  Wish I was - any ideas?

 

"If not, has the service crashed?"

I did not check and your correct I should have done that. When I login to the UI it shows as enabled for what that is worth.

I presume I look for a clamavd running?  Can you confirm what I should look for?

 

---

I know what to look for to see if ClamAV is running.  I just checked and it is running at the moment

root 3370 1 91 11:59 ? 09:39:25 /usr/sbin/clamd --foreground=true --config-file=/etc/clamav/clamd.conf

---

@scrjs wrote:

Can you confirm what I should look for?

 

---

I'd start by checking the status of the services and timer

# systemctl status clamav-freshclam.service
# systemctl status clamav-freshclam.timer
# systemctl status clamav-daemon.service

The clamav-freshclam service is normally inactive (it is triggered by the timer).  But you should still see status from the last time it ran.

hi @StephenB 

Thanks so much for the advise

---

@StephenB wrote:

---

@scrjs wrote:

Can you confirm what I should look for?

 

---

I'd start by checking the status of the services and timer

 

# systemctl status clamav-freshclam.service
# systemctl status clamav-freshclam.timer
# systemctl status clamav-daemon.service

The clamav-freshclam service is normally inactive (it is triggered by the timer).  But you should still see status from the last time it ran.

---

The output from these commands which I ran a few moments ago look as expected "I think" for a correctly running ClamAV. Can you confirm?

root@xxxxxReadyNAS:~# systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2021-02-16 12:15:29 AEDT; 19h ago
  Process: 4507 ExecStart=/usr/bin/freshclam --quiet (code=exited, status=1/FAILURE)
 Main PID: 4507 (code=exited, status=1/FAILURE)

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

root@xxxxxReadyNAS:~# systemctl status clamav-freshclam.timer
● clamav-freshclam.timer - Anti-Virus Definition Update Timer
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.timer; static; vendor preset: disabled)
   Active: active (waiting) since Tue 2021-02-16 11:58:34 AEDT; 19h ago

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

root@xxxxxReadyNAS:~# systemctl status clamav-daemon.service
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-02-16 11:59:00 AEDT; 19h ago
 Main PID: 3370 (clamd)
   CGroup: /system.slice/clamav-daemon.service
           └─3370 /usr/sbin/clamd --foreground=true --config-file=/etc/clamav/clamd.conf

Feb 17 06:41:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 06:41:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 06:51:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 06:51:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 07:01:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 07:01:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 07:11:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 07:11:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 07:21:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 07:21:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.

Hi @StephenB 

I have been looking into the commands you gave in update

---

@scrjs wrote:

hi @StephenB 

Thanks so much for the advise

---

@StephenB wrote:

---

@scrjs wrote:

Can you confirm what I should look for?

 

---

I'd start by checking the status of the services and timer

 

# systemctl status clamav-freshclam.service
# systemctl status clamav-freshclam.timer
# systemctl status clamav-daemon.service

The clamav-freshclam service is normally inactive (it is triggered by the timer).  But you should still see status from the last time it ran.

---

The output from these commands which I ran a few moments ago look as expected "I think" for a correctly running ClamAV. Can you confirm?

root@xxxxxReadyNAS:~# systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2021-02-16 12:15:29 AEDT; 19h ago
  Process: 4507 ExecStart=/usr/bin/freshclam --quiet (code=exited, status=1/FAILURE)
 Main PID: 4507 (code=exited, status=1/FAILURE)

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

root@xxxxxReadyNAS:~# systemctl status clamav-freshclam.timer
● clamav-freshclam.timer - Anti-Virus Definition Update Timer
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.timer; static; vendor preset: disabled)
   Active: active (waiting) since Tue 2021-02-16 11:58:34 AEDT; 19h ago

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

root@xxxxxReadyNAS:~# systemctl status clamav-daemon.service
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-02-16 11:59:00 AEDT; 19h ago
 Main PID: 3370 (clamd)
   CGroup: /system.slice/clamav-daemon.service
           └─3370 /usr/sbin/clamd --foreground=true --config-file=/etc/clamav/clamd.conf

Feb 17 06:41:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 06:41:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 06:51:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 06:51:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 07:01:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 07:01:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 07:11:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 07:11:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 07:21:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.
Feb 17 07:21:10 xxxxxReadyNAS clamd[3370]: SelfCheck: Database status OK.

---

I disabled ClamAV and re-enable it and this time see

root@xxxxxReadyNAS:~# systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; static; vendor preset: disabled)
   Active: inactive (dead)

root@xxxxxReadyNAS:~# systemctl status clamav-freshclam.timer
● clamav-freshclam.timer - Anti-Virus Definition Update Timer
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.timer; static; vendor preset: disabled)
   Active: active (waiting) since Wed 2021-02-17 10:01:25 AEDT; 35s ago

Feb 17 10:01:25 xxxxxReadyNAS systemd[1]: Started Anti-Virus Definition Update Timer.

root@xxxxxReadyNAS:~# systemctl status clamav-daemon.service
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-02-17 10:01:25 AEDT; 59s ago
 Main PID: 4922 (clamd)
   CGroup: /system.slice/clamav-daemon.service
           └─4922 /usr/sbin/clamd --foreground=true --config-file=/etc/clamav/clamd.conf

Feb 17 10:01:25 xxxxxReadyNAS systemd[1]: Started Clam AntiVirus userspace daemon.
Feb 17 10:01:26 xxxxxReadyNAS clamd[4922]: Received 0 file descriptor(s) from systemd.
Feb 17 10:01:26 xxxxxReadyNAS clamd[4922]: clamd daemon 0.100.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Feb 17 10:01:26 xxxxxReadyNAS clamd[4922]: Running as user root (UID 0, GID 0)
Feb 17 10:01:26 xxxxxReadyNAS clamd[4922]: Log file size limited to 1048576 bytes.
Feb 17 10:01:26 xxxxxReadyNAS clamd[4922]: Reading databases from /var/lib/clamav
Feb 17 10:01:26 xxxxxReadyNAS clamd[4922]: Not loading PUA signatures.
Feb 17 10:01:26 xxxxxReadyNAS clamd[4922]: Only loading official signatures.
Feb 17 10:01:26 xxxxxReadyNAS clamd[4922]: Bytecode: Security mode set to "TrustSigned".

This looks more normal to me, however would appreciate your thoughts...

Interestingly when I first sent you output from # systemctl status clamav-freshclam.service we had a FAILURE repeated below.

root@xxxxxReadyNAS:~# systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2021-02-16 12:15:29 AEDT; 19h ago
  Process: 4507 ExecStart=/usr/bin/freshclam --quiet (code=exited, status=1/FAILURE)
 Main PID: 4507 (code=exited, status=1/FAILURE)

compared to now 

root@xxxxxReadyNAS:~# systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; static; vendor preset: disabled)
   Active: inactive (dead)

You stated "The clamav-freshclam service is normally inactive (it is triggered by the timer).  But you should still see status from the last time it ran."

What should I expect? (sorry for my naivety linux is not my stength) 

The second status looks correct to me. 

It does look like the service had failed for some reason earlier, though there's not enough info to say why.  I'm not sure if the log rotation would have given more clues or not.

Hi @StephenB 

Many thanks for the continued discussion below

---

@StephenB wrote:

The second status looks correct to me. 

 

It does look like the service had failed for some reason earlier, though there's not enough info to say why.  I'm not sure if the log rotation would have given more clues or not.

---

Which log was rotated?  Is there another mechanism to get this information?

I will check

# systemctl status clamav-freshclam.service

In a few days...

---

@scrjs wrote: Which log was rotated?  Is there another mechanism to get this information?

Your first status includes

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Systemd consolidates the logs, and that is what was rotated.  There's no other mechanism.

Thanks for letting me know @StephenB 

---

@StephenB wrote:

---

@scrjs wrote: Which log was rotated?  Is there another mechanism to get this information?

Your first status includes

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Systemd consolidates the logs, and that is what was rotated.  There's no other mechanism.

---

I'll check again in a few days

---

@scrjs wrote:

Hi @StephenB 

Many thanks for the continued discussion below

---

@StephenB wrote:

The second status looks correct to me. 

 

It does look like the service had failed for some reason earlier, though there's not enough info to say why.  I'm not sure if the log rotation would have given more clues or not.

---

Which log was rotated?  Is there another mechanism to get this information?

I will check

# systemctl status clamav-freshclam.service

In a few days...

---

Hi @StephenB 

I rebooted the ReadyNAS yesterday and just checked the status and noted the failure in 

clamav-freshclam.service - ClamAV virus database updater

This service yesterday, after the reboot, showed

root@xxxxxReadyNAS:~# systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; static; vendor preset: disabled)
   Active: inactive (dead)

which looks correct.  Checking just now (Feb 21) it shows

root@xxxxxReadyNAS:~# systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2021-02-20 16:55:56 AEDT; 19h ago
 Main PID: 5129 (code=exited, status=1/FAILURE)

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Unfortunatly again no log info.

Ran freshclam -v with the following results and then checked clamav-freshclam.service with the following results with the service stilled in FAILED status

root@xxxxxReadyNAS:~# freshclam -v
Current working dir is /var/lib/clamav
Max retries == 5
ClamAV update process started at Sun Feb 21 12:29:49 2021
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1666
Software version from DNS: 0.103.1
main.cvd version from DNS: 59
main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
daily.cvd version from DNS: 26086
Retrieving http://database.clamav.net/daily-26086.cdiff
Trying to download http://database.clamav.net/daily-26086.cdiff (IP: 104.16.218.84)
Downloading daily-26086.cdiff [100%]
cdiff_apply: Parsed 4327 lines and executed 4327 commands
Loading signatures from daily.cld
Properly loaded 3982440 signatures from new daily.cld
daily.cld updated (version: 26086, sigs: 4008487, f-level: 63, builder: raynman)
Querying daily.26086.93.1.0.6810DA54.ping.clamav.net
Can't query daily.26086.93.1.0.6810DA54.ping.clamav.net
bytecode.cvd version from DNS: 332
bytecode.cld is up to date (version: 332, sigs: 93, f-level: 63, builder: awillia2)
Database updated (8573482 signatures) from database.clamav.net (IP: 104.16.218.84)
Clamd successfully notified about the update.

root@xxxxxReadyNAS:~# systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2021-02-20 16:55:56 AEDT; 19h ago
 Main PID: 5129 (code=exited, status=1/FAILURE)

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Is any way to detail detail on what happened to "clamav-freshclam.service - ClamAV virus database updater" cause the failure "failed (Result: exit-code) since Sat 2021-02-20 16:55:56 AEDT" ?

Are you seeing any errors in system.log, kernel.log, system-journal.log around the time that that service failed?

---

@StephenB wrote:

Are you seeing any errors in system.log, kernel.log, system-journal.log around the time that that service failed?

---

Hi @StephenB 

Can you please let me know the path to these logs?

I can't find them...

Also just checked the commands and this time I have some log info before they rotated and see the following (time now is 17:58 on Feb 22) with a failue in ClamAV virus database updater

root@xxxxxReadyNAS:~# systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2021-02-22 17:17:34 AEDT; 35min ago
 Main PID: 4077 (code=exited, status=1/FAILURE)

Feb 22 17:17:34 xxxxxReadyNAS systemd[1]: Starting ClamAV virus database updater...
Feb 22 17:17:34 xxxxxReadyNAS freshclam[4077]: ClamAV update process started at Mon Feb 22 17:17:34 2021
Feb 22 17:17:34 xxxxxReadyNAS freshclam[4077]: main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Feb 22 17:17:34 xxxxxReadyNAS freshclam[4077]: daily.cld is up to date (version: 26087, sigs: 4008904, f-level: 63, builder: raynman)
Feb 22 17:17:34 xxxxxReadyNAS freshclam[4077]: bytecode.cld is up to date (version: 332, sigs: 93, f-level: 63, builder: awillia2)
Feb 22 17:17:34 xxxxxReadyNAS systemd[1]: clamav-freshclam.service: Main process exited, code=exited, status=1/FAILURE
Feb 22 17:17:34 xxxxxReadyNAS systemd[1]: Failed to start ClamAV virus database updater.
Feb 22 17:17:34 xxxxxReadyNAS systemd[1]: clamav-freshclam.service: Unit entered failed state.
Feb 22 17:17:34 xxxxxReadyNAS systemd[1]: clamav-freshclam.service: Failed with result 'exit-code'.


root@xxxxxReadyNAS:~# systemctl status clamav-daemon.service
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-02-22 17:01:22 AEDT; 52min ago
 Main PID: 3329 (clamd)
   CGroup: /system.slice/clamav-daemon.service
           └─3329 /usr/sbin/clamd --foreground=true --config-file=/etc/clamav/clamd.conf

Feb 22 17:13:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:13:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:23:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:23:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:33:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:33:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:43:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:43:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:53:05 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:53:05 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.


root@xxxxxReadyNAS:~# systemctl status clamav-daemon.service
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-02-22 17:01:22 AEDT; 52min ago
 Main PID: 3329 (clamd)
   CGroup: /system.slice/clamav-daemon.service
           └─3329 /usr/sbin/clamd --foreground=true --config-file=/etc/clamav/clamd.conf

Feb 22 17:13:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:13:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:23:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:23:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:33:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:33:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:43:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:43:04 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:53:05 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.
Feb 22 17:53:05 xxxxxReadyNAS clamd[3329]: SelfCheck: Database status OK.

Ran freshclam -v and all appears up to date

root@xxxxxReadyNAS:~# freshclam -v
Current working dir is /var/lib/clamav
Max retries == 5
ClamAV update process started at Mon Feb 22 18:04:29 2021
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 548
Software version from DNS: 0.103.1
main.cvd version from DNS: 59
main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
daily.cvd version from DNS: 26087
daily.cld is up to date (version: 26087, sigs: 4008904, f-level: 63, builder: raynman)
bytecode.cvd version from DNS: 332
bytecode.cld is up to date (version: 332, sigs: 93, f-level: 63, builder: awillia2)

Thoughts?

---

@scrjs wrote:

---

@StephenB wrote:

Are you seeing any errors in system.log, kernel.log, system-journal.log around the time that that service failed?

---

Hi @StephenB 

Can you please let me know the path to these logs?

I can't find them...

Download the log zip file from the NAS web ui.  These logs are extracted from the systemd journal when you download the zip - they don't exist in the OS partition.

You could also attempt to search the journal directly with journalctl, but there's a lot of stuff in there, so you'd want to filter the search.  That could result in missing some errors.

---

@scrjs wrote:

---

@StephenB wrote:

Are you seeing any errors in system.log, kernel.log, system-journal.log around the time that that service failed?

---

Hi @StephenB 

Also just checked the commands and this time I have some log info before they rotated and see the following (time now is 17:58 on Feb 22) with a failue in ClamAV virus database updater

root@xxxxxReadyNAS:~# systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2021-02-22 17:17:34 AEDT; 35min ago
 Main PID: 4077 (code=exited, status=1/FAILURE)

Thoughts?

 

---

If you manually start the service with systemctl start clamav-freshclam.service do you see the same failure?

Hi @StephenB 

I did a log update yesterday that seems to have been lost. 

What I can confirm is that when the clamav-freshclam.service - ClamAV virus database updater is in a FAILED status, a systemctl start clamav-freshclam.service does in fact restart the service.

Since that start after it failed the services continues to run as noted below and updated my AV this morning successfully

root@xxxxxReadyNAS:~# systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; static; vendor preset: disabled)
   Active: inactive (dead) since Wed 2021-02-24 08:24:18 AEDT; 4h 51min ago
  Process: 5693 ExecStart=/usr/bin/freshclam --quiet (code=exited, status=0/SUCCESS)
 Main PID: 5693 (code=exited, status=0/SUCCESS)

Feb 24 08:22:40 xxxxxReadyNAS systemd[1]: Starting ClamAV virus database updater...
Feb 24 08:22:44 xxxxxReadyNAS freshclam[5693]: ClamAV update process started at Wed Feb 24 08:22:44 2021
Feb 24 08:22:44 xxxxxReadyNAS freshclam[5693]: main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Feb 24 08:22:46 xxxxxReadyNAS freshclam[5693]: Downloading daily-26089.cdiff [100%]
Feb 24 08:24:03 xxxxxReadyNAS freshclam[5693]: daily.cld updated (version: 26089, sigs: 4000162, f-level: 63, builder: raynman)
Feb 24 08:24:09 xxxxxReadyNAS freshclam[5693]: Can't query daily.26089.93.1.0.6810DA54.ping.clamav.net
Feb 24 08:24:09 xxxxxReadyNAS freshclam[5693]: bytecode.cld is up to date (version: 332, sigs: 93, f-level: 63, builder: awillia2)
Feb 24 08:24:17 xxxxxReadyNAS freshclam[5693]: Database updated (8565157 signatures) from database.clamav.net (IP: 104.16.218.84)
Feb 24 08:24:17 xxxxxReadyNAS freshclam[5693]: Clamd successfully notified about the update.
Feb 24 08:24:18 xxxxxReadyNAS systemd[1]: Started ClamAV virus database updater.

Netgear are asking for logs, however we have always seens that this failure occurs without any notification so log collection before rotation is difficult.

Thoughts...

---

@scrjs wrote:

Netgear are asking for logs, however we have always seens that this failure occurs without any notification so log collection before rotation is difficult.

 

Thoughts...

 

---

They are apparently actively working on a hot fix, so perhaps you should just restart the service manually if you see it fails again.

How quickly are your logs rotating?  (journalctl will tell you the oldest log entry, since by default it lists the oldest first).

Hi @StephenB 

---

@StephenB wrote:

---

@scrjs wrote:

Netgear are asking for logs, however we have always seens that this failure occurs without any notification so log collection before rotation is difficult.

 

Thoughts...

 

---

They are apparently actively working on a hot fix, so perhaps you should just restart the service manually if you see it fails again.

 

How quickly are your logs rotating?  (journalctl will tell you the oldest log entry, since by default it lists the oldest first).

---

Yes I was aware Netgear are working on a Hotfix so you suggestion makes sense.

I just ran journalctl and currently it suggests

-- Logs begin at Mon 2021-02-22 21:30:50 AEDT, end at Wed 2021-02-24 22:13:22 AEDT. --

The begin date is just after a boot of the NAS so they have not yet rotated.

Just checked systemctl status clamav-freshclam.service which continues to run as noted below 

root@xxxxxReadyNAS:~# systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; static; vendor preset: disabled)
   Active: inactive (dead) since Wed 2021-02-24 08:24:18 AEDT; 4h 51min ago
  Process: 5693 ExecStart=/usr/bin/freshclam --quiet (code=exited, status=0/SUCCESS)
 Main PID: 5693 (code=exited, status=0/SUCCESS)

Feb 24 08:22:40 xxxxxReadyNAS systemd[1]: Starting ClamAV virus database updater...
Feb 24 08:22:44 xxxxxReadyNAS freshclam[5693]: ClamAV update process started at Wed Feb 24 08:22:44 2021
Feb 24 08:22:44 xxxxxReadyNAS freshclam[5693]: main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Feb 24 08:22:46 xxxxxReadyNAS freshclam[5693]: Downloading daily-26089.cdiff [100%]
Feb 24 08:24:03 xxxxxReadyNAS freshclam[5693]: daily.cld updated (version: 26089, sigs: 4000162, f-level: 63, builder: raynman)
Feb 24 08:24:09 xxxxxReadyNAS freshclam[5693]: Can't query daily.26089.93.1.0.6810DA54.ping.clamav.net
Feb 24 08:24:09 xxxxxReadyNAS freshclam[5693]: bytecode.cld is up to date (version: 332, sigs: 93, f-level: 63, builder: awillia2)
Feb 24 08:24:17 xxxxxReadyNAS freshclam[5693]: Database updated (8565157 signatures) from database.clamav.net (IP: 104.16.218.84)
Feb 24 08:24:17 xxxxxReadyNAS freshclam[5693]: Clamd successfully notified about the update.
Feb 24 08:24:18 xxxxxReadyNAS systemd[1]: Started ClamAV virus database updater.

I hope the hotfix will be available soon...

---

@scrjs wrote:

Hi @StephenB 

---

I just ran journalctl and currently it suggests

-- Logs begin at Mon 2021-02-22 21:30:50 AEDT, end at Wed 2021-02-24 22:13:22 AEDT. --

The begin date is just after a boot of the NAS so they have not yet rotated.

The journal doesn't start fresh when the NAS reboots.  2 days isn't much retention, my main NAS goes back about a month.

Have you enabled the audit service?  Just wondering what is generating so many log entries.