
ClamAV Forced Upgrade Breaks Email Servers

kdawson posted about 4 years ago | from the on-the-half-shell dept.

Security 299

An anonymous reader writes "A couple of weeks ago Sourcefire announced end-of-life for version 0.94 of its free ClamAV antivirus package (and in fact has been talking about it for six months). The method that Sourcefire chose to retire 0.94 was to shut down the server that provided its service. Those who had failed to upgrade are scrambling now. Many systems have no choice but to disable virus checking in order to continue to process email. I am very glad I saw the announcement last week!"

299 comments

GODDAMMIT ALREADY !! (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#31874136)

Who the fuck is to blame?

Re:GODDAMMIT ALREADY !! (2, Funny)

Hognoxious (631665) | about 4 years ago | (#31874634)

With a name like ClamAV, my bet would be the Scientologists.

Re:GODDAMMIT ALREADY !! (0, Offtopic)

Hognoxious (631665) | about 4 years ago | (#31874878)

Oy Cruise, you talentless midget, downmods are not for expressing disagreement. Log in like a man.

P.S. Cocktail. Worst fucking film ever.

P.P.S. That Kidman bitch. You would not believe the noises I got out of her.

Alternative (4, Insightful)

InsertWittyNameHere (1438813) | about 4 years ago | (#31874160)

The alternative was them not doing anything and then months later we see a story about how "ClamAV silently stops support. Virus outbreaks ensue."

Re:Alternative (5, Insightful)

Anonymous Coward | about 4 years ago | (#31874226)

It's kind of an inflammatory article:

Rather than simply phase this geriatric version out (it was at least one year old, revised to versions .95 and .96 since release, and announcements about the need to upgrade had been made for six months) the development team put to halt instances of V0.94 in production

So, it's a year and two versions out of date AND they'd been saying for 6 months to move off it.. Yet still it's their fault for shutting down the server!? I'm sorry, but how much support do you want for something that's free?

Re:Alternative (4, Informative)

compro01 (777531) | about 4 years ago | (#31874452)

It's quite a bit more extreme than just shutting down one of their servers. They issued a final "signature" update that literally caused each installation of that version to stop functioning.

From the announcement [clamav.net] :

Starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 - that is to say older than 1 year.

Re:Alternative (4, Insightful)

HarrySquatter (1698416) | about 4 years ago | (#31874570)

Would you trust an email server that is running a virus scanner that is more than a year out of date?

Re:Alternative (0)

Anonymous Coward | about 4 years ago | (#31874954)

Not everyone has windows users as mail clients.

You shouldn't trust any virus scanner to protect you.

Re:Alternative (5, Interesting)

ccandreva (409807) | about 4 years ago | (#31874666)

It's more complicated than that.

Older versions of clamd were going to crash on signatures that newer versions would accept, and they have been prevented for at least 6 months from using that type of signature. They have posted since then for people to upgrade.

What they did was publish this type of signature (has to do with length, greater than about 900 bytes), where the signature itself is an error message, so when the program dumped the signature the error would be displayed.

That's all, not a kill switch as such, but using a known bug to deliver a message, rather than have it just bomb out with a hex dump when they tried to use a larger signature.

Re:Alternative (2, Interesting)

Anonymous Coward | about 4 years ago | (#31874804)

Yep, and when did they post that? 6 months ago. McAfee recently gave us 2 months notice at work that pre 8.x client would no longer be supported - not a problem as 7.1 was eol ages ago - since then there's been 8.0, 8.5 and currently 8.7 which we're moving to.

No big deal for those who properly manage their systems.

Re:Alternative (0, Troll)

geekmansworld (950281) | about 4 years ago | (#31874772)

It may not have occurred to you that some of us only do IT for our organizations part time, and visiting the blogs of every single open-source component on our servers is not always practical.

All our workstations have client antivirus protection, so monitoring the status of this particular component was a low-priority. Little did I know that they intended to huck a grenade into my mail configuration. Thus I spent three hours in the middle of the night feverishly trying to fix our mailserver after a panicked call from my bosses.

ClamAV could have simply become impotent and started filling my log files with warnings about upgrading. But they didn't stop there, they basically sabotaged my whole mail configuration. Yes, SABOTAGED.

I have to worry about hackers, spam-ham tweaking, DNS bugs, user help desk. And now you want to give me a lecture about not keeping my server-side virus up-to-date? Up yours!

I'll be looking for an alternative to ClamAV in the very near future.

Re:Alternative (-1, Troll)

Quantos (1327889) | about 4 years ago | (#31874874)

Then you need to be far more attentive and diligent at what you do.
Get off your ass, turn off the Simpsons, and do the job you get paid to do.
If you aren't willing to do the job you have, there are many others that will - and probably without the poor me whiny attitude.

So you had 6 months to upgrade (5, Insightful)

gparent (1242548) | about 4 years ago | (#31874184)

And you didn't, and now are going to complain when shit doesn't work? Go fuck yourself.

Re:So you had 6 months to upgrade (0, Offtopic)

cbreak (1575875) | about 4 years ago | (#31874216)

Who are you talking to? And why are you so angry? Could it be that you were one of the affected? Maybe you try to spread your failed responsibility by blaming other people for what you blame yourself?

Re:So you had 6 months to upgrade (1)

X0563511 (793323) | about 4 years ago | (#31874458)

Don't know about gparent, but I'm affected by endless clueless customers whining that their email server broke.

Re:So you had 6 months to upgrade (1)

poena.dare (306891) | about 4 years ago | (#31874636)

Oh this is awesome! I'll be able to bill many more hours to fix this one once the emails start rolling in... hey, WTFs wrong with my mail server?

Re:So you had 6 months to upgrade (-1, Troll)

Anonymous Coward | about 4 years ago | (#31874288)

uh, dude. you should seek some counseling.

Re:So you had 6 months to upgrade (3, Funny)

Anonymous Coward | about 4 years ago | (#31874386)

go fuck yourself

uh. this is slashdot. for most of us, that is a redundant instruction.

what would have been far more offensive is

go fuck someone else

as we all know that's not possible for most of us. ...you insensitive clod.

Re:So you had 6 months to upgrade (5, Interesting)

johnshirley (709044) | about 4 years ago | (#31874568)

Kinda my attitude, too. Had this affect a bunch of servers yesterday. Started researching, found the cause, and solved the problem in 30 minutes on 35 or so servers. Totally my own damned fault for not staying upgraded. Worst impact was that messages were delayed on a few mail servers for half an hour and uploads to a handful of webservers threw errors because of the way I scan them. Users tried again. Problem solved.

Re:So you had 6 months to upgrade (1)

GungaDan (195739) | about 4 years ago | (#31874678)

I only got hit on one server. Lucky me. Aptitude safe-upgrades for me every night, but I had been lazy about reviewing the logs. Otherwise I might have noticed the "automatically held back" messages about clamav over the past couple of weeks... oops.

Re:So you had 6 months to upgrade (1, Insightful)

The Moof (859402) | about 4 years ago | (#31874962)

So you had 6 months to upgrade and you didn't, and now are going to complain when shit doesn't work?

No, but they'll complain (rightfully so) when the developers issue a "killswitch" command causing the software to quit working. So it's not like the servers disappear and stuff broke from obsolescence, they issued a command to the servers and had the software shut itself down (documented here [clamav.net] ).

Make Microsoft Products Illegal Already (0, Troll)

Anonymous Coward | about 4 years ago | (#31874200)

Enough with this nonsense, we're all enabling Microsoft to produce sub-par, insecure, unstable and easily corrupted products.

FUCK JEWS (-1, Troll)

Anonymous Coward | about 4 years ago | (#31874202)

FUCK JEWS

Re:FUCK JEWS (5, Funny)

jDeepbeep (913892) | about 4 years ago | (#31874388)

FUCK JEWS

When they are exceedingly attractive, female, not married, and expressing interest, I do.

Got This Bounce This Morning (5, Informative)

WrongSizeGlass (838941) | about 4 years ago | (#31874206)

Diagnostic-Code: smtp;
451-4.5.0 Error in processing, id=02792-02, virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x83d7540) Too many retries to talk to /var/spool/amavisd/clamd.sock (Can't connect to UNIX socket /var/spool/amavisd/clamd.sock: No such file or directory) at (eval 55) line 310.

ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan unexpected exit 50, output="LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later.

At least their error messages are descriptive and informative.

Re:Got This Bounce This Morning (1)

Slipped_Disk (532132) | about 4 years ago | (#31874374)

At least their error messages are descriptive and informative.

Seriously -- I got a bunch of qmail deferrals & the bounce/deferral messages were all utter shit ("451 qq error").
This guy wins 100 internets for having a FUCKING USEFUL BOUNCE MESSAGE -- I want to buy him a case of his preferred alcoholic beverage.

[clamav-announce] (4, Insightful)

0racle (667029) | about 4 years ago | (#31874208)

It exists for a reason.

Re:[clamav-announce] (1)

1s44c (552956) | about 4 years ago | (#31874302)

It exists for a reason.

I'm going to subscribe to it now. I don't want to go through that again.

But I can't subscribe to the announce list for every free software product I use, I'd do nothing else but read these lists.

Re:[clamav-announce] (5, Informative)

entrigant (233266) | about 4 years ago | (#31874378)

announce lists are intentionally very low traffic. I'm subscribed to over 50, and I rarely receive more than 4 or 5 mails a week at most.

Re:[clamav-announce] (1)

0racle (667029) | about 4 years ago | (#31874524)

This is what e-mail rules are for and to echo what the other poster said, they do not generate much traffic. While there is probably very little reason to subscribe to lists for absolutely every piece of software you run, you should probably subscribe to the announce lists for the major products you use.

Re:[clamav-announce] (0)

Anonymous Coward | about 4 years ago | (#31874672)

Bingo!

this is common (4, Insightful)

digitalsushi (137809) | about 4 years ago | (#31874236)

This is what we get when we're all our own "netadmins". I'm one of them. I don't follow security lists. I don't upgrade my products. Why not? Because I'm not really a netadmin. I just have a little server that runs until it breaks. I think that's the difference between a netadmin and a fake netadmin -- a fake netadmin like me reacts. A real netadmin is proactive.

Which honestly, as pathetic as it sounds on the surface, works fairly well when your data and uptime don't matter. Because it's not pathetic because I have better things to do with my time than "run the family webserver".

Re:this is common (0, Insightful)

Anonymous Coward | about 4 years ago | (#31874352)

You and people like you are the reason we have so many fucking spambots. Thanks!

Re:this is common (1)

xaxa (988988) | about 4 years ago | (#31874576)

I got bored with being a "netadmin" once I started university. I moved my family's email to Google Apps, stopped giving free webspace to anyone that didn't already know what "SSH" meant, and haven't regretted it one bit.

I do still have the server, but it only runs Apache. I looked into hosting, but I use ~20GB for photographs. Hosting for that is too expensive.

(Although, I did run aptitude dist-upgrade every couple of months so probably wouldn't have been hit by this problem.)

No fallback ? (4, Insightful)

morcego (260031) | about 4 years ago | (#31874238)

People with critical servers that don't have fallback configurations to handle this kind of thing deserve to have their servers shut down.

I've been using 0.95 for some time now, so none of my servers were affected but, even if they were, my servers are smart enough not to interrupt the services, and to notify me.

It is really disgusting the way people build servers these days. They think all they need to do is to install a couple packages, change a couple config lines and boom, the server is ready. They are getting what they asked for when stuff like this happens.

Re:No fallback ? (1)

0racle (667029) | about 4 years ago | (#31874290)

I don't know, I think I'd rather mail pile up in the queue if my spam or AV product broke. I think I'd do something like this on purpose.

Re:No fallback ? (1)

Fiznarp (233) | about 4 years ago | (#31874476)

Yeah, no one really got hurt here.. just some delayed mail. I logged into my affected server and had clamav upgraded in 10 mins. It wasn't ideal but now I know I should have subscribed to the mailing list!

Re:No fallback ? (1)

morcego (260031) | about 4 years ago | (#31874546)

"Passing e-mails without checking in case the AV failed" is not really a fallback, at least not one I would recommend.

I was talking about having a second, different AV for that.

Re:No fallback ? (2, Informative)

1s44c (552956) | about 4 years ago | (#31874512)

I had two mail servers, on two Internet connections. If either went down I'd get an alert and could fix it without mail being affected. I didn't expect both to stop processing mail at the same time. It's always the stuff you don't expect to fail that fails.

My mail was queued on DMZ mailers so nothing was lost, but it was delayed. Some of it may have been business critical.

Re:No fallback ? (0, Flamebait)

morcego (260031) | about 4 years ago | (#31874590)

1s44c, please don't take this as criticism toward you. I'm just taking this as an example.

Most people in IT really have no idea what high-availability is. They should talk to some people in the telecom industry.

For example: having 2 systems that are virtually equal, one as backup for the other, is just not HA. For real HA, you need to have 2 systems as different from each other as possible, including brands. One box is Intel? Make the other AMD. It is even better if you can have a PC and a non-PC system, but usually you can't justify the budget for that.

This is called "single point of failure". And, as you said, that is EXACTLY where the problem will happen.

Oh just suckit! Please! (0)

Anonymous Coward | about 4 years ago | (#31874850)

Oh just suck it! Please!

Show me a shop that has redundant PBXs e.g. Nortel Option 61 AND a AT&T/Lucent/Avaya Definity for backup.

Show me a carrier that uses Nortel DMS-100 AND a Alcatel-Lucent 5ESS for backup.

We're talking about virus scanning for freaking email. It might be mission critical to some pathetic PHB but, it's fricking EMAIL!

Just suck it!

*Correction* (5, Interesting)

Slipped_Disk (532132) | about 4 years ago | (#31874242)

The method SourceFire chose to use was to encode a kill command in the ClamAV updates. If they had simply "shut down the [update] server" ClamAV would have continued to work, just without new signatures.

See their announcement at http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/ [clamav.net]

Re:*Correction* (2, Informative)

WrongSizeGlass (838941) | about 4 years ago | (#31874332)

From the link:

Starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 – that is to say older than 1 year.

[snip]

We recommend that you always run the latest version of ClamAV to get optimal protection, reliability and performance.

Thanks for your cooperation!

FYI, ClamAV, DOA != cooperation.

Re:*Correction* (1)

gumbi west (610122) | about 4 years ago | (#31874342)

So, they did the right thing. What is the big deal?

Yes, they did the right thing... (4, Insightful)

Slipped_Disk (532132) | about 4 years ago | (#31874564)

As someone who was bitten by the issue (yeah, I'll man up and admit it - my company's mail server went wonky for about a half hour while I upgraded) I agree -- they pretty much did the right thing.

There was plenty of notice -- The fact that many of us weren't on the clamav-announce list is OUR fault, not theirs.
A kill command may not be the most "polite" way of retiring an old version of software, but for a free service I certainly don't expect them to invest huge amounts of time and money in figuring out how to support the old stuff forever.

Re:*Correction* (3, Insightful)

petermgreen (876956) | about 4 years ago | (#31874806)

I personally consider use of a remote signature update system as a kill switch to be abuse of the update system.

Re:*Correction* (0)

Anonymous Coward | about 4 years ago | (#31874442)

Thanks for spoiling all the fun.. you could have just waited a little more and enjoyed the fireworks. Alas, perhaps I'll get lucky and catch some open source bashing in the next article.

Re:*Correction* (5, Insightful)

Anonymous Coward | about 4 years ago | (#31874500)

Wow. They could have just stopped publishing updates for older versions; they do have some method of versioning, right? Older installations could have kept chugging along using the older definitions and newer installations could get the newer definitions. But to remotely *DISABLE* older installations? I don't care if the product and service is free or not; that is pretty fucked up.

Re:*Correction* (3, Insightful)

HarrySquatter (1698416) | about 4 years ago | (#31874594)

What's fucked up about it? It's a huge security problem to be running an email server that is using a virus scanner whose definitions are over a year old.

Re:*Correction* (2, Informative)

GungaDan (195739) | about 4 years ago | (#31874712)

Definitions were upgraded, though, weren't they? Just the engine was a year old...

Re:*Correction* (0)

Anonymous Coward | about 4 years ago | (#31874726)

It's an even bigger problem when there are NO definitions whatsoever for it. I'd much rather have out of date definitions than no definitions, as at least I'll be able to catch some viruses.

Re:*Correction* (4, Informative)

compro01 (777531) | about 4 years ago | (#31874738)

The definitions were up to date (but would become out of date when they started pushing large (>980 bytes) definition updates next month, which the old version cannot handle), but the version was not.

Re:*Correction* (1)

jargonCCNA (531779) | about 4 years ago | (#31874708)

That’s a very good thing to point out. Still, though, it’s certainly not fair that having ClamAV get administratively killed from afar means that your email service coughs and dies.

Re:*Correction* (1)

Slipped_Disk (532132) | about 4 years ago | (#31874830)

Well, you *can* configure your email system in such a way that when ClamAV goes away it still passes mail (though obviously most people, myself included, do not configure our systems that way).

That's an admin's choice to make, and like almost every choice there are tradeoffs: Potentially pass virus-laden mail, or potentially queue/defer/reject mail until the scanner comes back on line.
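The tradeoff described in the comment above, as an added example that is not part of the original post: a health gate that pings clamd over its UNIX socket and, when the scanner is gone, either defers mail or accepts it unscanned, alerting in both cases. The socket path comes from the bounce quoted earlier in the thread; the policy names, the `gate` and `disposition` helpers, and the fake clamd used for the demo are hypothetical.

```python
import os
import socket
import tempfile
import threading

# Socket path as it appears in the bounce message quoted in the thread.
CLAMD_SOCKET = "/var/spool/amavisd/clamd.sock"


def clamd_alive(sock_path, timeout=2.0):
    """Return (True, "") if clamd answers PING with PONG, else (False, reason)."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(sock_path)
            s.sendall(b"nPING\n")  # newline-delimited form of clamd's PING command
            reply = s.recv(64).strip()
    except OSError as exc:  # missing socket file, stale socket, timeout
        return False, f"{type(exc).__name__}: {exc}"
    if reply == b"PONG":
        return True, ""
    return False, f"unexpected reply {reply!r}"


def disposition(scanner_ok, reason, policy):
    """Map scanner health to what the MTA should do with the message.

    policy "tempfail": fail closed, defer with a 4xx so the sender retries.
    policy "pass":     fail open, accept the message unscanned.
    Both policies raise an alert; silence is what turns an outage into a surprise.
    (Policy names and the returned dict layout are assumptions for this example.)
    """
    if scanner_ok:
        return {"action": "scan", "smtp_reply": None, "alert": False, "reason": ""}
    if policy == "tempfail":
        return {"action": "defer",
                "smtp_reply": "451 4.5.0 virus scanner unavailable",
                "alert": True, "reason": reason}
    if policy == "pass":
        return {"action": "accept-unscanned", "smtp_reply": None,
                "alert": True, "reason": reason}
    raise ValueError(f"unknown policy {policy!r}")


def gate(sock_path, policy):
    """Probe clamd, then apply the configured failure policy."""
    ok, reason = clamd_alive(sock_path)
    return disposition(ok, reason, policy)


def start_fake_clamd(sock_path):
    """Constructed stand-in for clamd: answers one PING, then goes away."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)  # listening before the thread starts, so connect() cannot race

    def serve():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(64) == b"nPING\n":
                conn.sendall(b"PONG\n")
        srv.close()  # socket file stays behind, like a crashed daemon's would

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return thread


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "clamd.sock")
    server = start_fake_clamd(path)
    print("scanner up:       ", gate(path, "tempfail"))
    server.join(2)
    print("down, fail closed:", gate(path, "tempfail"))
    print("down, fail open:  ", gate(path, "pass"))
```

Run from cron or a monitoring agent against `CLAMD_SOCKET`, the same probe gives the notification that several posters in this thread say they were missing.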

Tisk, tisk... (4, Funny)

fuzzyfuzzyfungus (1223518) | about 4 years ago | (#31874272)

Should have switched to Norton. They would have had weeks of impossible-to-ignore yellow and black pop-ups demanding their credit card number as ample warning...

Those freetards just don't understand the valuable features provided by quality proprietary software.

Re:Tisk, tisk... (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#31874314)

The fact you're talking about Norton as though it's a worthwhile product proves that you don't know what you're talking about.

Re:Tisk, tisk... (0)

Anonymous Coward | about 4 years ago | (#31874728)

That must have been the loudest WHOOSH I ever heard! I think I may be deaf for life now.

I was hit hard too...! (1, Insightful)

bogaboga (793279) | about 4 years ago | (#31874292)

...and guess what! I'm almost sure I have had enough of free software.

Not to say that it does not do its work but because there is no incentive "not to break stuff", read 'continued revenue streams', folks just do as they please and we get hurt.

Heck! Is this the "freedom" you want?

Re:I was hit hard too...! (1)

biryokumaru (822262) | about 4 years ago | (#31874572)

Heck! Is this the "freedom" you want?

What, the freedom for your system to be very slightly unstable if you fail to upgrade a piece of software a year out of date after six months of warnings?

Re:I was hit hard too...! (1)

NuShrike (561140) | about 4 years ago | (#31874602)

Yes, because you're not paying for it! Do you expect companies who have to make a buck be nice to leechers like you?

When was the last time you donated to OpenBSD for all their contributions such as OpenSSH? If so many of you are going to be evil leechers, then companies have no choice and all the say.

Re:I was hit hard too...! (1)

morcego (260031) | about 4 years ago | (#31874626)

You know the "free" part there doesn't mean you are free not to do a good job, right ? Because, you know, you are not.

People still should know what they are doing. I never saw this announcement regarding 0.94, but nevertheless, none of my servers stopped.

Re:I was hit hard too...! (1)

MasterPatricko (1414887) | about 4 years ago | (#31874690)

Having a working but out-of-date antivirus solution can be considered to be worse than having no antivirus solution at all, because it gives pretense of security that isn't really there. You might never have upgraded if they hadn't killed the old version forcibly.

And if you bothered to RTFA you would learn that there was a bug in old versions that was basically eating their bandwidth. Considering that you aren't contributing to their upkeep costs, they definitely have the right to do something about it unilaterally.

Considering the updates are FREE, and they gave you SIX MONTHS warning, they did the right thing.

Re:I was hit hard too...! (1)

thePowerOfGrayskull (905905) | about 4 years ago | (#31874842)

Heck! Is this the "freedom" you want?

Yes, thanks. While I have seen some frustrating breakages in OSS before (I recall several different Ubuntu updates that broke Xorg, the bastards), this isn't one of them. The software is a year out of date. You're given six months warning. Continuing to run after that time (if it were possible) would mean that your long-outdated version is no longer receiving definition updates -- so you'd be left with a false sense of security that you're somehow protected when you weren't.

If they had just issued a routine update that broke servers that's one thing. But they've been announcing this for six months. If you were on clamav-announce list (the ONLY way they have to get in contact with users otherwise too busy to check their web site) you would have learned about this long before it was an issue.

Even a month ago, you probably could have used that freedom to set up your own server and use outdated definitions for years to come. Now it's down to the wire, and it sounds like you don't have that luxury... but is that their fault? They communicated well in advance. Why blame them because you weren't listening?

Re:I was hit hard too...! (1)

Lumpy (12016) | about 4 years ago | (#31874866)

Why because you were too lazy to update your AV software from a year ago?

ClamAV did the right thing, they could have simply shoved out the new AV database that would have had your AV crash with a weird error, because your horribly out of date version was incompatible with the new larger database format. But no, they made sure you had an informative error so you would know what to do.

But it's their fault and OSS fault... DAMN THOSE OSS PEOPLE!

so clam breaks if a remote server is down? (1)

codepunk (167897) | about 4 years ago | (#31874298)

If it breaks because a remote server went away it sounds like it is time to possibly have another look at that code.

Re:so clam breaks if a remote server is down? (2, Informative)

mysidia (191772) | about 4 years ago | (#31874410)

It wasn't the server going away. They delivered an update designed to kill it

The Windows equivalent would be Microsoft Delivering a critical update with XP designed to disable windows, because you haven't updated to Vista yet.

In other words, they used the automatic update service against their own users.

From now on, my recommended course of action is that all mail administrators running clamav should REMOVE or DISABLE any automatic updates of ClamAV rules, make sure to comment out any crontab entries for freshclam.

Until the developers can either grow up and stop doing stupid shit such as abusing auto-updates to disable their own product.

Or do what they should do... include a method for automatically applying version updates.

Or force auto version update instead of disabling.

Re:so clam breaks if a remote server is down? (1)

Nasarius (593729) | about 4 years ago | (#31874776)

The Windows equivalent would be Microsoft Delivering a critical update with XP designed to disable windows, because you haven't updated to Vista yet.

No, not even remotely close. Upgrading ClamAV is trivial and costs nothing. If you're not keeping your security software up to date, you've failed utterly.

Re:so clam breaks if a remote server is down? (3, Insightful)

Lumpy (12016) | about 4 years ago | (#31874892)

Nice FUD. the new DB will break it anyways.. and YES microsoft does this.

They crafted a DB update that used that bug to deliver a message so the logs showed you what happened instead of a "seg fault - error in line 45867"

Re:so clam breaks if a remote server is down? (1)

Buelldozer (713671) | about 4 years ago | (#31874910)

What were they supposed to do exactly?

They've been warning users for 6 months that this was coming. The new style signature files for .95 and up were GOING to crash .94 installations. Their mirrors can't support supplying both old and new style signatures and the .95+ clients would have been _less secure_ because of a constrained signature file size. On top of all that if you'd go read their statement they ALSO cannot support an auto upgrade to .95 because of server constraints.

Also, I have a feeling that if they had found a way to force everyone to .95 we would have had people on here screaming about how the forced update broke their server and that they shouldn't have done that.

Face it, they gave six months warning. You, and everyone else, had plenty of time to get their poop in a group and upgrade to the latest package.

Re:so clam breaks if a remote server is down? (1)

compro01 (777531) | about 4 years ago | (#31874518)

It isn't a remote server shutting down, they issued a "signature" update that caused each installation of a version prior to 0.95 to stop functioning.

Re:so clam breaks if a remote server is down? (1)

X0563511 (793323) | about 4 years ago | (#31874660)

You could try taking another look at the problem.

The server is up. It specifically tells 0.94.x and earlier that "thou art broken"

It's not like they didn't tell... (0, Flamebait)

Drizzt Do'Urden (226671) | about 4 years ago | (#31874322)

Either :

-Follow the mailing list where there have been numerous e-mails telling that the support would end

or

-Use a repository that updates your server easily

Wining was not an option here...

Re:It's not like they didn't tell... (0)

Anonymous Coward | about 4 years ago | (#31874418)

Wining was not an option here...

What about dining?

Re:It's not like they didn't tell... (4, Insightful)

mysidia (191772) | about 4 years ago | (#31874484)

SUPPORT WILL END does not imply killing instances in production. It implies you stop delivering support services (such as tech support or new updates).

How would you feel if the Ubuntu folks delivered a 'security update' to Ubuntu 8.x to disable your system entirely, until you can get a chance to go install a non-EOL'd major release of your OS?

How about all those Windows Vista users who haven't upgraded to Windows 7?

Firefox 2 users who haven't upgraded to 3.

Users who are still using IE6.

Would users trust the vendors anymore with auto-updates, if they all released updates to 'kill the old product' in order to force you to manually do a clean upgrade?

Re:It's not like they didn't tell... (0)

NuShrike (561140) | about 4 years ago | (#31874628)

Since this is a cloud/net based product, they just cut your ability to access their servers right? Perfectly legit and exactly what you described in your first sentence.

Re:It's not like they didn't tell... (1)

wolrahnaes (632574) | about 4 years ago | (#31874692)

If any of those examples were providing services where support ending means the thing is not doing its job anymore, you might have a point.

In this case, no more updates for 0.94 means 0.94 effectively does not work. There is nothing at all preventing any user from upgrading to the current version, so there's nothing wrong with forcing them to do so when the old solution is no longer working.

Re:It's not like they didn't tell... (1)

VoxMagis (1036530) | about 4 years ago | (#31874714)

I totally agree. I was bitten by this on several servers. The sad part is that in some cases this is NOT really always our choice here.

Sometimes management or customers (in my case) CHOOSE to not allow me to spend the time or money to do more than the minimums. In this current economy, it's become a serious situation.

I really appreciate CLAM and the coders that support and maintain it. It is their prerogative to make the call. I just wish they would have done it differently. If a closed-vendor did this (see the examples in the parent post), there would be geek-riots in the street.

I was lucky - I had been planning this move for awhile, so I had everything happy rather quickly.

Now, on another note - if the maintainers had pushed an announcement of the result of this plan to Slashdot, Digg, etc. maybe there would be less howling. I have to maintain MANY different Open Source products, no matter how hard I try, I can't keep track of each of them through web pages and announce lists.

Re:It's not like they didn't tell... (1)

Buelldozer (713671) | about 4 years ago | (#31874956)

You're missing the fundamental issue. Upgrading to .95 _was_ the minimum requirement. You should have gone to your clients and said "This work needs to be performed to keep your AntiVirus current for your email server.".

Re:It's not like they didn't tell... (1)

natehoy (1608657) | about 4 years ago | (#31874768)

The problem here is that once support services end, they stop writing new signatures for the old version of ClamAV. If an administrator has been ignoring (or has been unaware of) the impending end-of-life of ClamAV for the past 6 months, they are going to remain unaware of the problem basically forever.

There are four ways to handle this:

1. Contact all of your users. How?? Those who have subscribed to the updates list already know. You don't have to register to have ClamAV, so for most of the rest they won't have an email address.

2. Make the software tell the user it is about to expire. How?? There isn't a communications process written into ClamAV that can send a signal up to the GUI and most people don't monitor every line of their syslogs.

3. Just shut down the update server so you won't offer the users signature updates any more. Users will continue along for long periods of time with increasingly outdated antivirus definitions. This is a really, really bad idea.

4. Give people ample warning over as many channels as you can, then break it so people notice that something is wrong.

#4 is not ideal. But it's the best of the options.

Personally, I have ClamAV on all of my machines, but it's the Ubuntu/Mint supported version out of the repositories, so it gets updated. I think ClamAV would be well-served putting up Debian and RPM repositories and making people install the software using the repos, and not offering it for direct download any more.

Re:It's not like they didn't tell... (1)

morcego (260031) | about 4 years ago | (#31874650)

Or maybe people should ... you know ... not apply updates directly to their production servers without testing them first ?

No, that would be too radical. Who ever heard of updates causing problems ? It would never happen.

Re:It's not like they didn't tell... (1)

Slipped_Disk (532132) | about 4 years ago | (#31874740)

Or maybe people should ... you know ... not apply updates directly to their production servers without testing them first ?

No, that would be too radical. Who ever heard of updates causing problems ? It would never happen.

Tell me, do you sandbox a full environment and test every virus signature update prior to rolling it out?
If so, what is the length of your pre-deployment testing cycle? How many people are dedicated to your test team, and how do you justify their salaries?

(Not trying to be a dick, I'm genuinely curious if anyone goes to this level of overkill, and how they manage to get it approved. I had to fight uphill both ways in the snow to get a dev environment built...)

Re:It's not like they didn't tell... (1)

Drizzt Do'Urden (226671) | about 4 years ago | (#31874802)

Anti-Virus updates are considered priorities here.

It is tested on a server; if it works well we update production. It takes less than 15 min of my time.

EOL announcement from Oct 2009 (5, Informative)

Anonymous Coward | about 4 years ago | (#31874346)

End of Life Announcement: ClamAV 0.94.x
Oct 5, 2009

All ClamAV releases older than 0.95 are affected by a bug in freshclam which prevents incremental updates from working with signatures longer than 980 bytes.
You can find more details on this issue on our bugzilla (see bug #1395)

This move is needed to push more people to upgrade to 0.95 .
We would like to keep on supporting all old versions of our engine, but unfortunately this is no longer possible without causing a disservice to people running a recent release of ClamAV.
The traffic generated by a full CVD download, as opposed to an incremental update, cannot be sustained by our mirrors.

We plan to start releasing signatures which exceed the 980 bytes limit on May 2010.

We recommend that you always run the latest version of ClamAV to get optimal protection, reliability and performance.

Thanks for your cooperation!

Hm... (1)

Knara (9377) | about 4 years ago | (#31874450)

IIRC, ClamAV doesn't have real-time scanning anyway. Does it have a first party mail server scanning plugin now, or am I totally misunderstanding the issue here.

Re:Hm... (1, Informative)

Anonymous Coward | about 4 years ago | (#31874596)

IIRC, ClamAV doesn't have real-time scanning anyway. Does it have a first party mail server scanning plugin now, or am I totally misunderstanding the issue here.

yes it does and has had it for a while

[me@server clamav-0.96] ./configure --enable-milter

works with sendmail and postfix

Debian Debs Outdated (4, Informative)

TypoNAM (695420) | about 4 years ago | (#31874582)

I just tried to update:

# cat /etc/debian_version
5.0.4

aptitude output during update:

Setting up clamav-daemon (0.94.dfsg.2-1lenny2) ...
Starting ClamAV daemon: clamd LibClamAV Warning:
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning:
LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later. For more information see www.clamav.net/eol-clamav-094 and www.clamav.net/download (length: 169)
LibClamAV Error: Problem parsing database at line 742
LibClamAV Error: Can't load daily.ndb: Malformed database
LibClamAV Error: cli_tgzload: Can't load daily.ndb
LibClamAV Error: Can't load /var/lib/clamav/daily.cld: Malformed database
ERROR: Malformed database

It appears debian repositories also need to be updated. :(

NOTE: I removed the * (star) chars from the warnings due to junk filter.

Re:Debian Debs Outdated (2, Informative)

iYk6 (1425255) | about 4 years ago | (#31874754)

The ClamAV package in Debian Lenny-Volatile is 0.95.3. You're using the package from Debian Lenny, which is stable, and doesn't mesh well with ClamAV, which is either the latest and greatest or broken.

Debian Volatile is meant specifically for this kind of thing.

Re:Debian Debs Outdated (1)

johnshirley (709044) | about 4 years ago | (#31874838)

Maybe try to uninstall and purge your existing configs then reinstall from the global repository. Might take care of it in just a few minutes.

What the fuck Slashdot? (3, Insightful)

wolrahnaes (632574) | about 4 years ago | (#31874658)

First you complain when Microsoft releases an update that won't install on compromised systems because it would break them entirely.

Now ClamAV is put in a similar position. They have three choices due to the bug in 0.94:
1. Continue supporting 0.94, flood out their update servers with full updates since incrementals won't work with that version much longer.
2. Stop supporting 0.94, leaving users who don't know to update basically unprotected.
3. Send a clear message to users who haven't updated that their antivirus solution is now broken and they need to upgrade.

To me, 3 is the obvious choice. If this was a paid solution or if it cost a fucking dime to upgrade I might see a point to complaining, but to anyone who was still using 0.94 just man the fuck up, apt-get update, apt-get upgrade, and get on with it.

This is not like Microsoft disabling XP to get you to upgrade to Vista, this is more comparable to an aircraft with faulty parts being grounded by the FAA. Those using 0.94 were doomed to a broken solution one way or another, they could not continue using it and expect it to do its job, so they needed a kick in the ass to upgrade.

Re:What the fuck Slashdot? (0)

Anonymous Coward | about 4 years ago | (#31874886)

Yeah, but they didn't send a clear message, they've disabled the product remotely. Sure, the message was posted on the web for 6 months, but I don't read the websites of all the hundreds of opensource packages I use. If this was posted to Slashdot yesterday, I'm sure a lot of anger would be avoided...

Re:What the fuck Slashdot? (1)

BassMan449 (1356143) | about 4 years ago | (#31874918)

wolrahnaes is exactly right. ClamAV was put in a position where they could easily end up with many email servers running with out of date antivirus definitions, but still think everything was working great. That is a far more serious situation than stalling a few people's email queues to force them to update. Had they silently stopped updating, it would be way too easy for newly written viruses to spread because you would have such a large group of people who thought they were protected but weren't.

Overconfidence (2, Informative)

gmuslera (3436) | about 4 years ago | (#31874696)

A lot of server stuff in linux works so well that you can even forget that it is running at all, for years. Clamav is that kind of software: you install/configure it, set the automatic signature updates, and forget that it is there. But still, some periodic checks in the logs that all is working as expected are good, even if it is just some artificial ignorance [ranum.com] well applied, especially when clamav started warning on this months ago.
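A periodic log check of the kind described in the comment above, run over the clamd start-up output posted earlier in the thread. This is an added example, not part of any comment and not ClamAV's own code. The ignore patterns, the rule names and the first sample line are assumptions made for the sketch.

```python
import re

# Known noise (assumed patterns, tune per host); checked only after ALERTS.
IGNORE = [re.compile(p) for p in (
    r"is up to date", r"LibClamAV Warning:\s*$", r"DON'T PANIC")]

# Alert rules built from the start-up output quoted in the thread.
ALERTS = [
    ("eol", re.compile(r"reached End of Life.*?upgrade to version ([\d.]+\d)")),
    ("outdated", re.compile(r"version of the ClamAV engine is outdated")),
    ("db-load", re.compile(r"Can't load (\S+?)(?::|$)")),
    ("db-load", re.compile(r"Malformed database")),
]

# First line is constructed; the rest is taken from the thread's output.
SAMPLE = """\
daily.cld is up to date
Starting ClamAV daemon: clamd LibClamAV Warning:
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later. For more information see www.clamav.net/eol-clamav-094 and www.clamav.net/download (length: 169)
LibClamAV Error: Problem parsing database at line 742
LibClamAV Error: Can't load daily.ndb: Malformed database
LibClamAV Error: Can't load /var/lib/clamav/daily.cld: Malformed database
ERROR: Malformed database
""".splitlines()

def triage(lines):
    """Split lines into alerts [(kind, detail, line)] and unexplained lines."""
    alerts, unknown = [], []
    for line in filter(None, (raw.strip() for raw in lines)):
        for kind, pat in ALERTS:
            m = pat.search(line)
            if m:
                alerts.append((kind, m.group(1) if m.groups() else None, line))
                break
        else:  # no alert rule fired: report unless it is known noise
            if not any(p.search(line) for p in IGNORE):
                unknown.append(line)
    return alerts, unknown

def report(lines):
    """Summarise a log: alert kinds seen, leftover lines, required version."""
    alerts, unknown = triage(lines)
    return {"kinds": sorted({k for k, _, _ in alerts}), "unknown": unknown,
            "upgrade_to": next((d for k, d, _ in alerts if k == "eol"), None)}

if __name__ == "__main__":
    print(report(SAMPLE))
```

Alert rules run before the ignore list, so a noise pattern can never hide an end-of-life or database-load error, and any line that matches neither list is reported rather than dropped.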

Misleading, yes? (3, Informative)

thePowerOfGrayskull (905905) | about 4 years ago | (#31874744)

"ClamAV forced upgrade breaks email servers" should read "Failure to upgrade despite six months warning breaks email servers" or "Inattentive server admins cause massive downtime".

Now would be a good time.. (0)

Anonymous Coward | about 4 years ago | (#31874908)

I guess now would be a good time to upgrade from 0.91.2.
