some errors in syslog in new installation

That is suspicious that /run/clamav/clamd.ctl socket has no permissions. Do

Code:

sudo chmod a+rw /run/clamav/clamd.ctl

Then test if clamav runs. See in the logs.

 

/etc/apt/sources.list

Code:

# deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted

# deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
# deb http://security.ubuntu.com/ubuntu bionic-security main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted
# deb-src http://us.archive.ubuntu.com/ubuntu/ bionic main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
# deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://us.archive.ubuntu.com/ubuntu/ bionic universe
# deb-src http://us.archive.ubuntu.com/ubuntu/ bionic universe
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates universe
# deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://us.archive.ubuntu.com/ubuntu/ bionic multiverse
# deb-src http://us.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
# deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-updates multiverse

## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://us.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
# deb-src http://us.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu bionic partner
# deb-src http://archive.canonical.com/ubuntu bionic partner

deb http://security.ubuntu.com/ubuntu bionic-security main restricted
# deb-src http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
# deb-src http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse
# deb-src http://security.ubuntu.com/ubuntu bionic-security multiverse

ls -la /etc/apt/sources.list.d/
total 8
drwxr-xr-x 2 root root 4096 Apr 20 2018 .
drwxr-xr-x 6 root root 4096 Nov 4 21:15 ..

 

What have you installed from bionic-backports?
Show

Code:

apt-cache policy clamav

 

apt-cache policy clamav
clamav:
Installed: 0.100.2+dfsg-1ubuntu0.18.04.1
Candidate: 0.100.2+dfsg-1ubuntu0.18.04.1
Version table:
*** 0.100.2+dfsg-1ubuntu0.18.04.1 500
500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
100 /var/lib/dpkg/status
0.99.4+addedllvm-0ubuntu1 500
500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

 

I have also run
sudo chmod a+rw /run/clamav/clamd.ctl
but still the problem looks like the same.

Code:

 Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/clamav-daemon.service.d
           `-extend.conf
   Active: active (running) since Sun 2018-11-04 21:18:09 IST; 3s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
  Process: 17697 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
  Process: 17696 ExecStartPre=/bin/mkdir /run/clamav (code=exited, status=1/FAILURE)
 Main PID: 17698 (clamd)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/clamav-daemon.service
           `-17698 /usr/sbin/clamd --foreground=true

Nov 04 21:18:09 server2 systemd[1]: Starting Clam AntiVirus userspace daemon...
Nov 04 21:18:09 server2 mkdir[17696]: /bin/mkdir: cannot create directory '/run/clamav': File exists
Nov 04 21:18:09 server2 systemd[1]: Started Clam AntiVirus userspace daemon.

 

You did not say what you have installed from bionic-backports.
My quess is stuff installed from there has broken something.
Unless you have modified clamav settings yourself?

 

Did you after that restart clamav?

Code:

systemctl restart clamav-daemon

 

chmod a+rw /run/clamav/clamd.ctl
root@server2:/# systemctl restart clamav-daemon
root@server2:/# service clamav-daemon status
* clamav-daemon.service - Clam AntiVirus userspace daemon
Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/clamav-daemon.service.d
`-extend.conf
Active: failed (Result: exit-code) since Sun 2018-11-04 23:28:55 IST; 2s ago
Docs: man:clamd(8)
man:clamd.conf(5)
https://www.clamav.net/documents/
Process: 25487 ExecStart=/usr/sbin/clamd --foreground=true (code=exited, status=1/FAILURE)
Process: 25486 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
Process: 25485 ExecStartPre=/bin/mkdir /run/clamav (code=exited, status=1/FAILURE)
Main PID: 25487 (code=exited, status=1/FAILURE)

Nov 04 23:28:36 server2 systemd[1]: Starting Clam AntiVirus userspace daemon...
Nov 04 23:28:36 server2 mkdir[25485]: /bin/mkdir: cannot create directory '/run/clamav': File exists
Nov 04 23:28:36 server2 systemd[1]: Started Clam AntiVirus userspace daemon.
Nov 04 23:28:55 server2 clamd[25487]: Sun Nov 4 23:28:55 2018 -> !Failed to change socket ownership to group clamav
Nov 04 23:28:55 server2 systemd[1]: clamav-daemon.service: Main process exited, code=exited, status=1/FAILURE
Nov 04 23:28:55 server2 systemd[1]: clamav-daemon.service: Failed with result 'exit-code'.

 

I read elsewhere that it could be the /etc/password issue
the passwd entry in the file looks like this:
cat /etc/passwd | grep 'clam'
clamav:x:113:121::/var/lib/clamav:/bin/false

so is the entry above okay or it needs change?

 

Did you remove the /run/clamav before restarting clamav-daemon?

 

No I didn't.

 

Tried after removing
systemctl restart clamav-daemon
systemctl status clamav-daemon.service

* clamav-daemon.service - Clam AntiVirus userspace daemon
Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/clamav-daemon.service.d
`-extend.conf
Active: failed (Result: exit-code) since Mon 2018-11-05 00:18:45 IST; 48s ago
Docs: man:clamd(8)
man:clamd.conf(5)
https://www.clamav.net/documents/
Process: 3578 ExecStart=/usr/sbin/clamd --foreground=true (code=exited, status=1/FAILURE)
Process: 3577 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
Process: 3576 ExecStartPre=/bin/mkdir /run/clamav (code=exited, status=0/SUCCESS)
Main PID: 3578 (code=exited, status=1/FAILURE)

Nov 05 00:18:26 server2 systemd[1]: Starting Clam AntiVirus userspace daemon...
Nov 05 00:18:26 server2 systemd[1]: Started Clam AntiVirus userspace daemon.
Nov 05 00:18:45 server2 clamd[3578]: Mon Nov 5 00:18:45 2018 -> !Failed to change socket ownership to group clamav
Nov 05 00:18:45 server2 systemd[1]: clamav-daemon.service: Main process exited, code=exited, status=1/FAILURE
Nov 05 00:18:45 server2 systemd[1]: clamav-daemon.service: Failed with result 'exit-code'.

 

What have you done in addition to the Perfect Server Guide? What did you install from backports? What settings have you altered?

 

No sure Taleman,
I am not that expert to answer what you mean.
but yes I have build some custom php like 7.0.32 and 5.4.45 which I have installed, besides that
I have installed a package
policyd-rate-limit
but I am still trying to make it work.
I don't remember anything besides this.

 

Are you still working on this?
I think you should reconfigure clamav, seems it is somehow messed up now. Try

Code:

sudo dpkg-reconfigure clamav-daemon

Then test like before and look at file /var/log/clamav/clamav.log.
If this does not help, increase log verbosity in /etc/clamav/clamd.conf, change the line

Code:

LogVerbose false

to

Code:

LogVerbose true

 

Hi Taleman,
I have run the command as below:
apt-get purge clamav-daemon
apt-get -y install clamav-daemon
sudo dpkg-reconfigure clamav-daemon - accepted all default values.
updated /etc/clamav/clamd.conf - LogVerbose true

The logs are like this:

Code:

Mon Nov  5 17:16:05 2018 -> Received 0 file descriptor(s) from systemd.
Mon Nov  5 17:16:05 2018 -> clamd daemon 0.100.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Mon Nov  5 17:16:05 2018 -> Running as user clamav (UID 113, GID 121)
Mon Nov  5 17:16:05 2018 -> Log file size limited to 4294967295 bytes.
Mon Nov  5 17:16:05 2018 -> Reading databases from /var/lib/clamav
Mon Nov  5 17:16:05 2018 -> Not loading PUA signatures.
Mon Nov  5 17:16:05 2018 -> Bytecode: Security mode set to "TrustSigned".
Mon Nov  5 17:16:22 2018 -> Loaded 6701352 signatures.
Mon Nov  5 17:16:25 2018 -> LOCAL: Removing stale socket file /var/run/clamav/clamd.ctl
Mon Nov  5 17:16:25 2018 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
Mon Nov  5 17:16:25 2018 -> LOCAL: Setting connection queue length to 15
Mon Nov  5 17:16:25 2018 -> ERROR: Failed to change socket ownership to group clamav
Mon Nov  5 17:17:40 2018 -> +++ Started at Mon Nov  5 17:17:40 2018
Mon Nov  5 17:17:40 2018 -> Received 0 file descriptor(s) from systemd.
Mon Nov  5 17:17:40 2018 -> clamd daemon 0.100.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Mon Nov  5 17:17:40 2018 -> Running as user clamav (UID 113, GID 121)
Mon Nov  5 17:17:40 2018 -> Log file size limited to 4294967295 bytes.
Mon Nov  5 17:17:40 2018 -> Reading databases from /var/lib/clamav
Mon Nov  5 17:17:40 2018 -> Not loading PUA signatures.
Mon Nov  5 17:17:40 2018 -> Bytecode: Security mode set to "TrustSigned".
Mon Nov  5 17:17:57 2018 -> Loaded 6701352 signatures.
Mon Nov  5 17:17:59 2018 -> LOCAL: Removing stale socket file /var/run/clamav/clamd.ctl
Mon Nov  5 17:17:59 2018 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
Mon Nov  5 17:17:59 2018 -> LOCAL: Setting connection queue length to 15
Mon Nov  5 17:17:59 2018 -> ERROR: Failed to change socket ownership to group clamav
Mon Nov  5 17:17:59 2018 -> Closing the main socket.

 

the entry for clamav in /etc/group
clamav:x:123
amavis:x:125:clamav

 

The log shows clamav-daemoin runs as user clamav group 121, and gid 121 is dovecot (on your host).
I don't know why the groups are messed up like this. Try adding clamav user to group clamav. That might fix this.
Did you copy /etc/passwd or /etc/groups from some other host?

 

Thanks Till and Taleman,
I think the issue is resolved now.
Run the command
usermod -a -G clamav clamav

and now it looks like working fine
the command service clamav-daemon status show like this:

Code:

* clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/clamav-daemon.service.d
           `-extend.conf
   Active: active (running) since Mon 2018-11-05 18:12:26 IST; 2min 38s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
  Process: 31093 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
  Process: 31092 ExecStartPre=/bin/mkdir /run/clamav (code=exited, status=0/SUCCESS)
 Main PID: 31094 (clamd)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/clamav-daemon.service
           `-31094 /usr/sbin/clamd --foreground=true

Nov 05 18:12:45 server2 clamd[31094]: Mon Nov  5 18:12:45 2018 -> Mail files support enabled.
Nov 05 18:12:45 server2 clamd[31094]: Mon Nov  5 18:12:45 2018 -> OLE2 support enabled.
Nov 05 18:12:45 server2 clamd[31094]: Mon Nov  5 18:12:45 2018 -> PDF support enabled.
Nov 05 18:12:45 server2 clamd[31094]: Mon Nov  5 18:12:45 2018 -> SWF support enabled.
Nov 05 18:12:45 server2 clamd[31094]: Mon Nov  5 18:12:45 2018 -> HTML support enabled.
Nov 05 18:12:45 server2 clamd[31094]: Mon Nov  5 18:12:45 2018 -> XMLDOCS support enabled.
Nov 05 18:12:45 server2 clamd[31094]: Mon Nov  5 18:12:45 2018 -> HWP3 support enabled.
Nov 05 18:12:45 server2 clamd[31094]: Mon Nov  5 18:12:45 2018 -> Self checking every 3600 seconds.
Nov 05 18:12:45 server2 clamd[31094]: Mon Nov  5 18:12:45 2018 -> *Listening daemon: PID: 31094
Nov 05 18:12:45 server2 clamd[31094]: Mon Nov  5 18:12:45 2018 -> *MaxQueue set to: 100