ClamAV v0.97 included in ZCS 8.0.6 and below tags all messages as UNCHECKED

By Jorge de la Cruz on October 24, 2016 in Open Source, PowerTips – Admins, Security & Privacy

Hello Everyone. If you are using ZCS 8.0.6 and prior: starting 22 October 2016, anti-virus definitions will no longer update, and your ClamAV instance will stop working entirely.

ClamAV EOL source: http://blog.clamav.net/2016/05/clamav-097-engine-end-of-life.html

This is a real risk for all outdated ZCS versions, and as a visual symptom, all your messages are being tagged as **UNCHECKED**.

If you try to run the manual update of the DB, you will see the next error that causes a memory allocation error and fills up the logs:

Resolution

The recommended resolution is to upgrade at least to Zimbra Collaboration 8.6 with the latest Patch to obtain the latest ClamAV Release among other updated packages. This ensures that you will have a properly secured email system.

In case your company needs help with the upgrade, Zimbra offers the Zimbra Collaboration Upgrade Assessment. This Assessment is delivered by Zimbra Certified professionals, and it provides expert recommendations, best practices and planning tools for upgrading your Zimbra Collaboration implementation to the latest release.

PROFESSIONAL SERVICES

Workaround

Zimbra Collaboration is the open source leader in email and collaboration. That means your company can benefit from the manual upgrade of some third party packages and keep your email server up, running and secure, while planning your upgrade to the latest ZCS Release.

Disabling the antivirus

You can follow a workaround by disabling antivirus:

zmprov ms `zmhostname` -zimbraServiceEnabled antivirus
zmcontrol restart

This workaround will let your Zimbra Collaboration platform run without antivirus. However, we don’t recommend it.

Manual upgrade of ClamAV component

For those who don’t want to upgrade now, although we strongly recommended it, you can follow the next steps.

Downloads

Use the clamav version our team has generated for your Zimbra environments:

Redhat 6.x: clamav-0.98.4.tar.gz md5 sha256
CentOS 6.x: clamav-0.98.4.tar.gz md5 sha256
SLES 11 64-bit: clamav-0.98.4.tar.gz md5 sha256
Ubuntu 10.04 64-bit: clamav-0.98.4.tar.gz md5 sha256
Ubuntu 12.06 64-bit: clamav-0.98.4.tar.gz md5 sha256

Update Instructions

As root user, move to the /tmp folder.
Download the file from of the previous links, for example for Ubuntu 12.04:

wget https://files.zimbra.com/downloads/clamav/ubuntu12_64/clamav-0.98.4.tar.gz

Extract the file:

tar xzvf clamav-0.98.4.tar.gz

Stop the Zimbra Services:

su - zimbra -c 'zmcontrol stop'

Move the new folder to /opt/zimbra and change the symbolic link:

mv /tmp/clamav-0.98.4 /opt/zimbra
cd /opt/zimbra
rm clamav 
ln -s clamav-0.98.4 clamav 
ls -l clamav

The output line of this latest command will look similar to:

lrwxrwxrwx  1 root root 25 Apr  9 15:39 clamav -> /opt/zimbra/clamav-0.98.4

Start services, if the ClamAV process doesn’t start or you are facing issues with the clamAV process, we recommend to restart the entire server or kill the ClamAV service before start the Zimbra Services:

su - zimbra -c 'zmcontrol start'

Confirm

You can confirm that the new version of ClamAV is running by checking /opt/zimbra/log/clamd.log. The most recent startup in the log should look similar to:

Sat Oct 22 18:42:31 2016 -> +++ Started at Sat Oct 22 18:42:31 2016
Sat Oct 22 18:42:31 2016 -> clamd daemon 0.98.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)

Let us know in the comments if you are facing the issue and if you were able to solve it by following these steps.

clamav, clamav unchecked, unchecked, zcs 8.0.6, zimbra unchecked

Partner Spotlight – Data Privacy and Security with ZPGP by ilger.com

Zimbra Collaboration 8.7.1 is now available

16 Responses to ClamAV v0.97 included in ZCS 8.0.6 and below tags all messages as UNCHECKED

Budi Kurniawan October 25, 2016 at 5:47 AM #

os = suse 11 sp3
zimbra = 8.06

upgrade openssl

#cd /usr/local/src
#wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz
#tar -zxf openssl-1.0.2*
#cd openssl-1.0.2*
#./config –prefix=/usr –openssldir=/usr/local/openssl shared
#make
#make test

makesure all test is pass/ok like this:

PASS
test_bad_dtls
../util/shlib_wrap.sh ./bad_dtls_test
make[1]: Leaving directory `/usr/local/src/openssl-1.0.2j/test’
OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
OpenSSL 1.0.2j 26 Sep 2016
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,–noexecstack -m64 –

DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM –

DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: “/usr/local/openssl”

#make install

downlaod clamav for suse 11

#cd /opt/zimbra
#wget https://files.zimbra.com/downloads/clamav/sles11_64/clamav-0.98.4.tar.gz
#tar cf /tmp/clamav-0.98.4.tar clamav-0.98.4
#tar xzvf clamav-0.98.4.tar.gz

$zmantivirusctl stop

#rm clamav
#ln -s clamav-0.98.4 clamav
#ls -l clamav

make sure output like this:
lrwxrwxrwx 1 root root 25 Apr 9 15:39 clamav -> /opt/zimbra/clamav-0.98.4

$zmantivirusctl start

It works for my server

I hope it can help

Thanks
BK
Jorge de la Cruz October 25, 2016 at 12:23 PM #

If there are errors regarding libssl.so.1.0.0, make sure you’ve downloaded the latest version of the binaries. The latest version contains the openssl version used to build clamav, and is approximately 100MB and dated 10/25/2016. The previous version was about 91MB and dated 10/22/2016.
- alex October 29, 2016 at 3:25 PM #
  
  Hi. I’ve got the problem with starting ClamAV after upgrading to version 0.98.
  
  When i try start clamd via Zimbra enviroment:
  Starting clamd…failed.
  
  Or in case of freshclam usage:
  /opt/zimbra/clamav/bin/freshclam: error while loading shared libraries: libssl.so.1.0.0: cannot open shared object file: No such file or directory
  
  I already tried to get and install the latest package clamav-0.98.4.tar.gz for my OS (Ubuntu 10) according to written above in the article.
  But how to install openssl-1.0.1j which is included?
- Jorge de la Cruz October 29, 2016 at 8:59 PM #
  
  Hi alex,
  Do the same as for the clamav folder, move it to /opt/zimbra and regenerate the symlink
  
  Best regards
Alberto October 25, 2016 at 5:49 PM #

Update process went fine on ubuntu 10.04.
When i restart Zimbra with A/V enabled it fails returning this in clamd.log:

/opt/zimbra/clamav/sbin/clamd: error while loading shared libraries: libssl.so.1.0.0: cannot open shared object file: No such file or directory

I’m running Zimbra 7.2.6.
Any idea (except upgrading version that will be done next weekend)?
- Jorge de la Cruz October 25, 2016 at 8:12 PM #
  
  Hi Alberto,
  Try now by downloading again the package for your OS, we have added the libssl inside and so on.
  
  Let us know!
- Alberto October 25, 2016 at 11:13 PM #
  
  Uhm, i haven’t find any difference. Is the link https://files.zimbra.com/downloads/clamav/ubuntu10_64/clamav-0.98.4.tar.gz correct?
  […]
  Starting antivirus…Failed.
  Starting amavisd…amavisd is already running.
  Starting freshclam…done.
  Starting clamd…failed.
  […]
  
  and in log still
  “/opt/zimbra/clamav/sbin/clamd: error while loading shared libraries: libssl.so.1.0.0: cannot open shared object file: No such file or directory”
- Abdul Wahhab November 3, 2016 at 6:05 AM #
  
  pls do the followings.
  
  cd /opt/zimbra/clamav/lib
  then make the symbolic link for the files
  
  ln -s ../../openssl~version/libssl.so.1.0.0 libssl.so.1.0.0 and
  ln -s ../../openssl~version/libcrypto.so.1.0.0 libcrypto.so.1.0.0
  
  su zimbra
  
  now restart your zimbra console or restart the antivirus it will work
Guillermo Reutemann October 25, 2016 at 6:42 PM #

Thanks Jorge. Unfortunately I’m late with zimbra versions (7.2.7) and operating system (CentOS 5.7) and I can not update the clamav. So I’m forced to make migration to CentOS 6. Is there any way to run clamav 0.97 without updates?

Regards
- Jorge de la Cruz October 25, 2016 at 8:14 PM #
  
  Hi Guillermo,
  We don’t have a package for CentOS 5/RHEL 5, so sorry. You can always disable the antivirus, which is not recommended. Or add in front of your Zimbra actual server, another MTA in CentOS 6 with ZCS 8.6 for example, for the moment.
  
  Best regards
Abdul Wahhab October 26, 2016 at 6:38 AM #

We are using centos 6.4(Final) and zimbra version is Release 8.0.0_GA_5434.RHEL6_64_20120907144639 CentOS6_64 FOSS edition. I have downloaded https://files.zimbra.com/downloads/clamav/rhel6_64/clamav-0.98.4.tar.gz . I have followed the way you have mentioned above. but from clamav.log I am getting /opt/zimbra/clamav/sbin/clamd: error while loading shared libraries: libssl.so.1.0.0: cannot open shared object file: No such file or directory and the output of zmcontrol status is given below
antispam Running
antivirus Stopped
zmclamdctl is not running
zmfreshclamctl is not running
ldap Running
logger Running
mailbox Running
mta Running
snmp Running
spell Running
stats Running
zmconfigd Running

Please advice what shall we do.

Thanks in advance.

Abdul Wahhab
- Tony Publiski October 26, 2016 at 4:03 PM #
  
  For those getting the libssl errors, can you please send the following output:
  
  ls -la /opt/zimbra
- Abdul Wahhab October 27, 2016 at 11:55 AM #
  
  The output of /otp/zimbra is given below
  drwxr-xr-x. 3 root root 4096 Aug 14 2013 ..
  lrwxrwxrwx 1 root root 28 Aug 15 2013 altermime -> /opt/zimbra/altermime-0.3.10
  drwxr-xr-x 3 root root 4096 Aug 15 2013 altermime-0.3.10
  lrwxrwxrwx 1 root root 29 Aug 15 2013 amavisd -> /opt/zimbra/amavisd-new-2.8.0
  drwxrwxr-x 4 root root 4096 Aug 15 2013 amavisd-new-2.8.0
  lrwxrwxrwx 1 root root 27 Aug 15 2013 aspell -> /opt/zimbra/aspell-0.60.6.1
  drwxr-xr-x 6 root root 4096 Aug 15 2013 aspell-0.60.6.1
  drwxr-xr-x 2 zimbra zimbra 4096 Aug 15 2013 backup
  -rw-r—– 1 zimbra zimbra 1014 Oct 26 12:28 .bash_history
  -r–r–r– 1 zimbra zimbra 350 Sep 7 2012 .bash_profile
  -r–r–r– 1 zimbra zimbra 1255 Sep 7 2012 .bashrc
  lrwxrwxrwx 1 root root 22 Aug 15 2013 bdb -> /opt/zimbra/bdb-5.2.36
  drwxr-xr-x 6 root root 4096 Aug 15 2013 bdb-5.2.36
  drwxr-xr-x 2 root root 4096 Aug 15 2013 bin
  lrwxrwxrwx 1 root root 32 Aug 15 2013 cbpolicyd -> /opt/zimbra/cbpolicyd-2.1.0-beta
  drwxr-xr-x 5 root root 4096 Aug 15 2013 cbpolicyd-2.1.0-beta
  lrwxrwxrwx 1 root root 13 Oct 26 12:02 clamav -> clamav-0.98.4
  dr-xr-xr-x 9 root root 4096 Aug 15 2013 clamav-0.97.5
  dr-xr-xr-x 9 root root 4096 Oct 22 18:14 clamav-0.98.4
  dr-xr-xr-x 9 root root 4096 Oct 26 11:56 clamav-0.98.4_o
  drwxrwxr-x 13 zimbra zimbra 4096 Oct 26 12:03 conf
  -rw——- 1 root root 2194 Aug 15 2013 config.9522
  drwxr-xr-x 2 root root 4096 Aug 15 2013 contrib
  lrwxrwxrwx 1 root root 23 Aug 15 2013 curl -> /opt/zimbra/curl-7.25.0
  drwxr-xr-x 6 root root 4096 Aug 15 2013 curl-7.25.0
  lrwxrwxrwx 1 root root 32 Aug 15 2013 cyrus-sasl -> /opt/zimbra/cyrus-sasl-2.1.25.4z
  drwxr-xr-x 6 root root 4096 Aug 15 2013 cyrus-sasl-2.1.25.4z
  drwxr-xr-x 12 zimbra zimbra 4096 Aug 15 2013 data
  drwxrwxr-x 3 zimbra zimbra 4096 Oct 26 12:03 db
  drwxr-xr-x 2 zimbra zimbra 4096 Aug 15 2013 docs
  lrwxrwxrwx 1 root root 24 Aug 15 2013 dspam -> /opt/zimbra/dspam-3.10.1
  drwxr-xr-x 7 root root 4096 Aug 15 2013 dspam-3.10.1
  -r–r–r– 1 zimbra zimbra 62 Sep 7 2012 .exrc
  drwxr-xr-x 3 zimbra zimbra 4096 Aug 15 2013 extensions-extra
  drwxr-xr-x 2 zimbra zimbra 4096 Aug 15 2013 fbqueue
  lrwxrwxrwx 1 root root 25 Aug 15 2013 heimdal -> /opt/zimbra/heimdal-1.5.2
  drwxr-xr-x 7 root root 4096 Aug 15 2013 heimdal-1.5.2
  lrwxrwxrwx 1 root root 23 Aug 15 2013 httpd -> /opt/zimbra/httpd-2.4.2
  drwxr-xr-x 15 root root 4096 Aug 15 2013 httpd-2.4.2
  drwxr-xr-x 3 zimbra zimbra 4096 Aug 15 2013 index
  -rw-r–r– 1 root root 4014 Aug 15 2013 .install_history
  lrwxrwxrwx 1 root root 23 Aug 15 2013 java -> /opt/zimbra/jdk1.7.0_05
  drwxr-xr-x 8 root root 4096 Aug 15 2013 jdk1.7.0_05
  lrwxrwxrwx 1 root root 39 Aug 15 2013 jetty -> /opt/zimbra/jetty-distribution-7.6.2.z4
  drwxr-xr-x 15 root root 4096 Aug 15 2013 jetty-distribution-7.6.2.z4
  -r–r–r– 1 zimbra zimbra 52 Sep 7 2012 .ldaprc
  drwxrwxr-x 4 root root 4096 Aug 15 2013 lib
  drwxrwxr-x 4 root root 4096 Aug 15 2013 libexec
  lrwxrwxrwx 1 root root 30 Aug 15 2013 libmemcached -> /opt/zimbra/libmemcached-1.0.6
  drwxr-xr-x 6 root root 4096 Aug 15 2013 libmemcached-1.0.6
  lrwxrwxrwx 1 root root 26 Aug 15 2013 libtool -> /opt/zimbra/libtool-2.2.6b
  drwxr-xr-x 4 root root 4096 Aug 15 2013 libtool-2.2.6b
  drwxrwxr-x 2 zimbra zimbra 126976 Oct 26 20:00 log
  drwxrwxr-x 3 zimbra zimbra 4096 Sep 7 2012 logger
  lrwxrwxrwx 1 root root 39 Aug 15 2013 mailboxd -> /opt/zimbra/jetty-distribution-7.6.2.z4
  drwxr-xr-x 3 root root 4096 Aug 15 2013 mta
  lrwxrwxrwx 1 root root 59 Aug 15 2013 mysql -> /opt/zimbra/mysql-standard-5.5.24-pc-linux-gnu-i686-glibc23
  drwxrwxr-x 8 root root 4096 Aug 15 2013 mysql-standard-5.5.24-pc-linux-gnu-i686-glibc23
  lrwxrwxrwx 1 root root 26 Aug 15 2013 net-snmp -> /opt/zimbra/net-snmp-5.7.1
  drwxr-xr-x 9 root root 4096 Aug 15 2013 net-snmp-5.7.1
  lrwxrwxrwx 1 root root 26 Aug 15 2013 opendkim -> /opt/zimbra/opendkim-2.6.0
  drwxr-xr-x 7 root root 4096 Aug 15 2013 opendkim-2.6.0
  lrwxrwxrwx 1 root root 30 Aug 15 2013 openldap -> /opt/zimbra/openldap-2.4.31.7z
  drwxrwxr-x 9 root root 4096 Aug 15 2013 openldap-2.4.31.7z
  lrwxrwxrwx 1 root root 26 Aug 15 2013 openssl -> /opt/zimbra/openssl-1.0.1c
  drwxr-xr-x 6 root root 4096 Aug 15 2013 openssl-1.0.1c
  -r–r–r– 1 zimbra zimbra 9 Sep 7 2012 .platform
  lrwxrwxrwx 1 root root 36 Aug 15 2013 postfix -> /opt/zimbra/postfix-2.10-20120422.2z
  drwxr-xr-x 6 root root 4096 Aug 15 2013 postfix-2.10-20120422.2z
  drwxr-xr-x 3 zimbra zimbra 4096 Oct 26 12:01 redolog
  lrwxrwxrwx 1 root root 23 Aug 15 2013 rsync -> /opt/zimbra/rsync-3.0.9
  drwxr-xr-x 4 root root 4096 Aug 15 2013 rsync-3.0.9
  drwxr-x—. 2 zimbra zimbra 4096 Aug 15 2013 .saveconfig
  lrwxrwxrwx 1 root root 26 Aug 15 2013 snmp -> /opt/zimbra/net-snmp-5.7.1
  drwx—— 2 zimbra zimbra 4096 Aug 15 2013 .ssh
  drwxr-xr-x 6 zimbra zimbra 4096 Aug 15 2013 ssl
  drwxr-xr-x 4 zimbra zimbra 4096 Jan 13 2016 store
  lrwxrwxrwx 1 root root 26 Aug 15 2013 tcmalloc -> /opt/zimbra/tcmalloc-1.8.3
  drwxr-xr-x 5 root root 4096 Aug 15 2013 tcmalloc-1.8.3
  -rw-r–r– 1 zimbra zimbra 0 Sep 7 2012 .viminfo
  lrwxrwxrwx 1 root root 24 Aug 15 2013 zeromq -> /opt/zimbra/zeromq-3.2.0
  drwxr-xr-x 5 root root 4096 Aug 15 2013 zeromq-3.2.0
  drwxrwxr-x 7 root root 4096 Aug 15 2013 zimbramon
  drwxrwxr-x 2 zimbra zimbra 4096 Aug 15 2013 zimlets
  dr-xr-xr-x 17 zimbra zimbra 4096 Aug 15 2013 zimlets-deployed
  -rw-r—– 1 zimbra zimbra 0 Aug 14 2013 .zmmailbox_history
  -rw-r—– 1 zimbra zimbra 0 Aug 14 2013 .zmprov_history
  drwxr-xr-x 1171 zimbra zimbra 36864 Oct 26 03:33 zmstat
Juan October 26, 2016 at 9:13 AM #

Gracias, funciono a la primera con Ubuntu 10 y Zimbra Appliance zca-8.0.4
adem October 31, 2016 at 1:47 PM #

I can do it, Actually unchecked is delete, but Cpu is %99 working clamdav :)
Radit January 13, 2017 at 10:34 AM #

i’ve got this error in freshclam.log.
clamav 0.99.2
ubuntu 14.04

[LibClamAV] cli_loadldb: logical signature for Email.Trojan.Toa-5557761-0 uses PCREs but support is disabled, skipping
[LibClamAV] cli_loadldb: logical signature for Email.Trojan.Toa-5558733-0 uses PCREs but support is disabled, skipping
[LibClamAV] cli_loadldb: logical signature for Email.Trojan.Toa-5558735-0 uses PCREs but support is disabled, skipping
[LibClamAV] cli_loadldb: logical signature for Email.Trojan.Toa-5558737-0 uses PCREs but support is disabled, skipping
[LibClamAV] cli_loadldb: logical signature for Email.Trojan.Toa-5558739-0 uses PCREs but support is disabled, skipping