ClamAV not running after Core-Update 198 --> 199

Security
1

Hello together,

after the core update from 198 to 199 the ClamAV service is not running anymore.

I tried the following after restart IPFire for the core update 199:

  • Uninstall ClamAV over WebGui
  • Restart IPFire again
  • Reinstall ClamAV over WebGui

without succsess.

PakFire Log shows for me no errors:

The Log of ClamAV shows the following messages/entries:

20:01:11 freshclam[4477]: Failed to create a new code-signature verifier: Can’t verify: Invalid certs directory ‘/var/ipfire/clamav/certs/’: No such file or directory (os error 2)
19:57:31 freshclam[3917]: Failed to create a new code-signature verifier: Can’t verify: Invalid certs directory ‘/var/ipfire/clamav/certs/’: No such file or directory (os error 2)
19:55:59 freshclam[3569]: Failed to create a new code-signature verifier: Can’t verify: Invalid certs directory ‘/var/ipfire/clamav/certs/’: No such file or directory (os error 2)
19:49:28 freshclam[4162]: Failed to create a new code-signature verifier: Can’t verify: Invalid certs directory ‘/var/ipfire/clamav/certs/’: No such file or directory (os error 2)
19:48:44 freshclam[3977]: Failed to create a new code-signature verifier: Can’t verify: Invalid certs directory ‘/var/ipfire/clamav/certs/’: No such file or directory (os error 2)
19:38:27 clamd[4204]: Broken or not a CVD file
19:38:27 clamd[4204]: Bytecode: Security mode set to “TrustSigned”.
19:38:27 clamd[4204]: Not loading PUA signatures.
19:38:27 clamd[4204]: Reading databases from /var/lib/clamav
19:38:27 clamd[4204]: Log file size limited to 1048576 bytes.
19:38:27 clamd[4204]: clamd daemon 1.5.1 (OS: Linux, ARCH: x86_64, CPU: x86_64)
19:38:27 clamd[4204]: Received 0 file descriptor(s) from systemd.
19:38:27 freshclam[4197]: Failed to create a new code-signature verifier: Can’t verify: Invalid certs directory ‘/var/ipfire/clamav/certs/’: No such file or directory (os error 2)
19:36:46 clamd[3954]: Broken or not a CVD file
19:36:46 clamd[3954]: Bytecode: Security mode set to “TrustSigned”.
19:36:46 clamd[3954]: Not loading PUA signatures.
19:36:46 clamd[3954]: Reading databases from /var/lib/clamav
19:36:46 clamd[3954]: Log file size limited to 1048576 bytes.
19:36:46 clamd[3954]: clamd daemon 1.5.1 (OS: Linux, ARCH: x86_64, CPU: x86_64)
19:36:46 clamd[3954]: Received 0 file descriptor(s) from systemd.
19:36:46 freshclam[3947]: Failed to create a new code-signature verifier: Can’t verify: Invalid certs directory ‘/var/ipfire/clamav/certs/’: No such file or directory (os error 2)
19:34:00 clamd[3599]: Broken or not a CVD file
19:34:00 clamd[3599]: Bytecode: Security mode set to “TrustSigned”.
19:34:00 clamd[3599]: Not loading PUA signatures.
19:34:00 clamd[3599]: Reading databases from /var/lib/clamav
19:34:00 clamd[3599]: Log file size limited to 1048576 bytes.
19:34:00 clamd[3599]: clamd daemon 1.5.1 (OS: Linux, ARCH: x86_64, CPU: x86_64)
19:34:00 clamd[3599]: Received 0 file descriptor(s) from systemd.
19:34:00 freshclam[3571]: Failed to create a new code-signature verifier: Can’t verify: Invalid certs directory ‘/var/ipfire/clamav/certs/’: No such file or directory (os error 2)
19:26:52 clamd[12973]: Broken or not a CVD file
19:26:52 clamd[12973]: Bytecode: Security mode set to “TrustSigned”.
19:26:52 clamd[12973]: Not loading PUA signatures.
19:26:52 clamd[12973]: Reading databases from /var/lib/clamav
19:26:52 clamd[12973]: Log file size limited to 1048576 bytes.
19:26:52 clamd[12973]: clamd daemon 1.5.1 (OS: Linux, ARCH: x86_64, CPU: x86_64)
19:26:52 clamd[12973]: Received 0 file descriptor(s) from systemd.
19:26:52 freshclam[12966]: Failed to create a new code-signature verifier: Can’t verify: Invalid certs directory ‘/var/ipfire/clamav/certs/’: No such file or directory (os error 2)
19:26:48 clamd[3659]: Socket file removed.
19:26:48 clamd[3659]: -– Stopped at Wed Jan 7 19:26:48 2026
19:26:48 clamd[3659]: Pid file removed.
19:26:44 freshclam[3643]: Update process terminated
19:16:26 clamd[3659]: SelfCheck: Database status OK.
19:06:25 clamd[3659]: Self checking every 600 seconds.
19:06:25 clamd[3659]: OneNote support enabled.
19:06:25 clamd[3659]: HWP3 support enabled.
19:06:25 clamd[3659]: XMLDOCS support enabled.
19:06:25 clamd[3659]: HTML support enabled.
19:06:25 clamd[3659]: SWF support enabled.
19:06:25 clamd[3659]: PDF support enabled.
19:06:25 clamd[3659]: OLE2 support enabled.
19:06:25 clamd[3659]: Mail files support enabled.
19:06:25 clamd[3659]: ELF support enabled.
19:06:25 clamd[3659]: Portable Executable support enabled.
19:06:25 clamd[3659]: Heuristic alerts enabled.
19:06:25 clamd[3659]: AlertExceedsMax heuristic detection disabled.
19:06:25 clamd[3659]: Detection using image fuzzy hash enabled.
19:06:25 clamd[3659]: Image (graphics) scanning support enabled.
19:06:25 clamd[3659]: Archive support enabled.
19:06:25 clamd[3659]: Limits: PCREMaxFileSize limit set to 104857600.
19:06:25 clamd[3659]: Limits: PCRERecMatchLimit limit set to 2000.
19:06:25 clamd[3659]: Limits: PCREMatchLimit limit set to 100000.
19:06:25 clamd[3659]: Limits: MaxRecHWP3 limit set to 16.
19:06:25 clamd[3659]: Limits: MaxIconsPE limit set to 100.
19:06:25 clamd[3659]: Limits: MaxPartitions limit set to 50.
19:06:25 clamd[3659]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
19:06:25 clamd[3659]: Limits: MaxScriptNormalize limit set to 20971520 bytes.
19:06:25 clamd[3659]: Limits: MaxHTMLNoTags limit set to 8388608 bytes.
19:06:25 clamd[3659]: Limits: MaxHTMLNormalize limit set to 41943040 bytes.
19:06:25 clamd[3659]: Limits: MaxEmbeddedPE limit set to 41943040 bytes.
19:06:25 clamd[3659]: Limits: Files limit set to 10000.
19:06:25 clamd[3659]: Limits: Recursion level limit set to 17.
19:06:25 clamd[3659]: Limits: File size limit set to 104857600 bytes.
19:06:25 clamd[3659]: Limits: Global size limit set to 419430400 bytes.
19:06:25 clamd[3659]: Limits: Global time limit set to 120000 milliseconds.
19:06:25 clamd[3659]: LOCAL: Setting connection queue length to 200
19:06:25 clamd[3659]: LOCAL: Unix socket file /var/run/clamav/clamd
19:06:05 clamd[3659]: Loaded 3627186 signatures.
19:04:51 clamd[3659]: Bytecode: Security mode set to “TrustSigned”.
19:04:51 clamd[3659]: Not loading PUA signatures.
19:04:51 clamd[3659]: Reading databases from /var/lib/clamav
19:04:51 clamd[3659]: Log file size limited to 1048576 bytes.
19:04:51 clamd[3659]: clamd daemon 1.4.3 (OS: Linux, ARCH: x86_64, CPU: x86_64)
19:04:51 clamd[3659]: Received 0 file descriptor(s) from systemd.
19:04:51 freshclam[3643]: --------------------------------------
19:04:51 freshclam[3643]: bytecode.cld database is up-to-date (version: 339, sigs: 80, f-level: 90, builder: nrandolp)
19:04:51 freshclam[3643]: main.cld database is up-to-date (version: 63, sigs: 3287027, f-level: 90, builder: tomjudge)
19:04:51 freshclam[3643]: daily.cld database is up-to-date (version: 27873, sigs: 354760, f-level: 90, builder: svc.clamav-publisher)
19:04:51 freshclam[3643]: ClamAV update process started at Wed Jan 7 19:04:51 2026
19:04:51 freshclam[3643]: freshclam daemon 1.4.3 (OS: Linux, ARCH: x86_64, CPU: x86_64)
19:01:37 clamd[3695]: Socket file removed.
19:01:37 clamd[3695]: -– Stopped at Wed Jan 7 19:01:37 2026
19:01:37 clamd[3695]: Pid file removed.
19:01:33 freshclam[3687]: Update process terminated
18:52:26 clamd[3695]: SelfCheck: Database status OK.
18:42:26 clamd[3695]: SelfCheck: Database status OK.
18:32:26 clamd[3695]: SelfCheck: Database status OK.
18:22:26 clamd[3695]: Self checking every 600 seconds.
18:22:26 clamd[3695]: OneNote support enabled.
18:22:26 clamd[3695]: HWP3 support enabled.
18:22:26 clamd[3695]: XMLDOCS support enabled.
18:22:26 clamd[3695]: HTML support enabled.
18:22:26 clamd[3695]: SWF support enabled.
18:22:26 clamd[3695]: PDF support enabled.
18:22:26 clamd[3695]: OLE2 support enabled.
18:22:26 clamd[3695]: Mail files support enabled.
18:22:26 clamd[3695]: ELF support enabled.
18:22:26 clamd[3695]: Portable Executable support enabled.
18:22:26 clamd[3695]: Heuristic alerts enabled.
18:22:26 clamd[3695]: AlertExceedsMax heuristic detection disabled.
18:22:26 clamd[3695]: Detection using image fuzzy hash enabled.
18:22:26 clamd[3695]: Image (graphics) scanning support enabled.
18:22:26 clamd[3695]: Archive support enabled.
18:22:26 clamd[3695]: Limits: PCREMaxFileSize limit set to 104857600.
18:22:26 clamd[3695]: Limits: PCRERecMatchLimit limit set to 2000.
18:22:26 clamd[3695]: Limits: PCREMatchLimit limit set to 100000.
18:22:26 clamd[3695]: Limits: MaxRecHWP3 limit set to 16.
18:22:26 clamd[3695]: Limits: MaxIconsPE limit set to 100.
18:22:26 clamd[3695]: Limits: MaxPartitions limit set to 50.
18:22:26 clamd[3695]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
18:22:26 clamd[3695]: Limits: MaxScriptNormalize limit set to 20971520 bytes.
18:22:26 clamd[3695]: Limits: MaxHTMLNoTags limit set to 8388608 bytes.
18:22:26 clamd[3695]: Limits: MaxHTMLNormalize limit set to 41943040 bytes.
18:22:26 clamd[3695]: Limits: MaxEmbeddedPE limit set to 41943040 bytes.
18:22:26 clamd[3695]: Limits: Files limit set to 10000.
18:22:26 clamd[3695]: Limits: Recursion level limit set to 17.
18:22:26 clamd[3695]: Limits: File size limit set to 104857600 bytes.
18:22:26 clamd[3695]: Limits: Global size limit set to 419430400 bytes.
18:22:26 clamd[3695]: Limits: Global time limit set to 120000 milliseconds.
18:22:26 clamd[3695]: LOCAL: Setting connection queue length to 200
18:22:26 clamd[3695]: LOCAL: Unix socket file /var/run/clamav/clamd
18:22:02 clamd[3695]: Loaded 3627186 signatures.
18:20:53 clamd[3695]: Bytecode: Security mode set to “TrustSigned”.
18:20:53 clamd[3695]: Not loading PUA signatures.
18:20:53 clamd[3695]: Reading databases from /var/lib/clamav
18:20:53 clamd[3695]: Log file size limited to 1048576 bytes.
18:20:53 clamd[3695]: clamd daemon 1.4.3 (OS: Linux, ARCH: x86_64, CPU: x86_64)
18:20:53 clamd[3695]: Received 0 file descriptor(s) from systemd.
18:20:53 freshclam[3687]: --------------------------------------
18:20:53 freshclam[3687]: bytecode.cld database is up-to-date (version: 339, sigs: 80, f-level: 90, builder: nrandolp)
18:20:53 freshclam[3687]: main.cld database is up-to-date (version: 63, sigs: 3287027, f-level: 90, builder: tomjudge)
18:20:53 freshclam[3687]: daily.cld database is up-to-date (version: 27873, sigs: 354760, f-level: 90, builder: svc.clamav-publisher)
18:20:53 freshclam[3687]: ClamAV update process started at Wed Jan 7 18:20:53 2026
18:20:53 freshclam[3687]: freshclam daemon 1.4.3 (OS: Linux, ARCH: x86_64, CPU: x86_64)
18:17:40 clamd[3690]: Socket file removed.
18:17:40 clamd[3690]: -– Stopped at Wed Jan 7 18:17:40 2026
18:17:40 clamd[3690]: Pid file removed.
18:17:36 freshclam[3682]: Update process terminated
18:09:04 clamd[3690]: SelfCheck: Database status OK.
17:59:04 clamd[3690]: SelfCheck: Database status OK.
17:49:03 clamd[3690]: SelfCheck: Database status OK.

Did anybody has an idea how I can restart ClamAV? Many Thanks…

2

Just for information:

After first run to install core update 199 and ClamAV the IPFire the install job stopped with the following message:

DOWNLOAD ERROR: The downloaded file (ipfire/pakfire2/2.29-x86_64/paks/core-upgrade-2.29-199.ipfire) wasn’t verified by IPFire.org. Sorry - Exiting…

After reboot of IPFire, the second run for core update was successful, after reboot ClamAV dosn’t start.

image
image894×558 38.3 KB

3

This message seems to ring some sort of bell in my head about some posts in the clamav mailing list that I have seen.

I will try and see if I can find anything about this.

Unfortunately I don’t use clamav in IPFire and as far as I am aware none of the other devs do either.

It looks like no IPFire user that uses clamav in it has tested this out during the 6 to 7 weeks of the Testing phase.

As the error message says that /var/ipfire/clamav/certs/ does not exist a simple test might be to create that directory and see if that helps.

I will try and see if I can find anything further out about this.

4

i had the same issue and just created the dir and fired clamav up after that with no errors

5

I can confirm that the clamav installer does not create a certs folder.

obraz
obraz532×181 2.68 KB

Regards

6

That is good news. So then a patch is just needed to create the certs directory in the /var/ipfire/clamav/certs/ location as that seems to be taken by default, although it might be good to make that explicitly so in the freshclam.conf file. Just checked the man page for freshclam.conf and have found the entry that needs to be used to explicitly specify the directory. Just need to discuss in the dev mailing list where the correct place for the directory for those certs should be. Those certs are not something that should be backed up as they are provided by the clamav site. Probably would make more sense to be specified with other tls file locations.

7

As it was not known or spotted that this was a change in 1.5.0 then no one made any changes to create that directoiry so I would have been very surprised if you found it was being created.

1 Like
8

I think it would be good for someone to raise this as a bug so it is recorded and is unlikely to be missed in future. Just leaving it as a post in the forum will very quickly be lost after some period has gone by and many more posts have been created.

1 Like
9

solution works… ClamAV is running, thanks a lot :slight_smile:

10

Hello,

after restart IPfire the following error message is displayed. ClamAV ist not running and can not be started via WebGui.

12:13:47 clamd[4005]: Can’t verify database integrity
12:13:47 clamd[4005]: Bytecode: Security mode set to “TrustSigned”.
12:13:47 clamd[4005]: Not loading PUA signatures.
12:13:47 clamd[4005]: Reading databases from /var/lib/clamav
12:13:47 clamd[4005]: Log file size limited to 1048576 bytes.
12:13:47 clamd[4005]: clamd daemon 1.5.1 (OS: Linux, ARCH: x86_64, CPU: x86_64)
12:13:47 clamd[4005]: Received 0 file descriptor(s) from systemd.
12:09:42 clamd[3627]: Can’t verify database integrity
12:09:06 freshclam[3610]: --------------------------------------
12:09:06 freshclam[3610]: Downloaded missing CVD .sign file bytecode-339.cvd.sign
12:09:05 freshclam[3610]: bytecode.cvd database is up-to-date (version: 339, sigs: 80, f-level: 90, builder: nrandolp)
12:09:05 freshclam[3610]: Downloaded missing CVD .sign file main-63.cvd.sign
12:09:05 freshclam[3610]: main.cvd database is up-to-date (version: 63, sigs: 3287027, f-level: 90, builder: tomjudge)
12:09:05 freshclam[3610]: Downloaded missing CVD .sign file daily-27874.cvd.sign
12:09:04 clamd[3627]: Bytecode: Security mode set to “TrustSigned”.
12:09:04 clamd[3627]: Not loading PUA signatures.
12:09:04 clamd[3627]: Reading databases from /var/lib/clamav
12:09:04 clamd[3627]: Log file size limited to 1048576 bytes.
12:09:04 clamd[3627]: clamd daemon 1.5.1 (OS: Linux, ARCH: x86_64, CPU: x86_64)
12:09:04 clamd[3627]: Received 0 file descriptor(s) from systemd.
12:09:04 freshclam[3610]: daily.cvd database is up-to-date (version: 27874, sigs: 354792, f-level: 90, builder: svc.clamav-publisher)
12:09:04 freshclam[3610]: ClamAV update process started at Thu Jan 8 12:09:04 2026
12:09:04 freshclam[3610]: freshclam daemon 1.5.1 (OS: Linux, ARCH: x86_64, CPU: x86_64)

image
image589×160 3.52 KB

Did anybody knows how I can solve this problem?

11

For information the sys message:

image
image1901×287 9.82 KB

12

Further information:

After uninstall/reinstall ClamAV over WebGui the service runs,

The ClamAV folders contains following files:

image
image552×277 5.48 KB

After resart IPFire the same error messages was displayed and ClamAV not runs anymore. The folders contains following files:

image
image592×365 7.8 KB

13

Further information:

After deleting *.sign files, ClamAV can be started over WebGUI…:face_with_diagonal_mouth: I dont know if ClamAV realy works???

image
image590×426 9.32 KB

image
image961×162 6.14 KB

14

Suricata Log shows following entries during restart IPFire:

3:53:13 suricata: [2743] – Signature(s) loaded, Detect thread(s) activated.
13:53:13 suricata: [2743] – rule reload complete
13:53:12 suricata: [2743] – Rule group caching - loaded: 67 newly cached: 0 total cacheable: 67
13:53:05 suricata: [2743] – tenant id 0: 47528 signatures processed. 1249 are IP-only rules, 5340 are inspecting packet payload, 40786 inspect application layer, 0 are decoder event only
13:53:05 suricata: [2743] – tenant id 0: Threshold config parsed: 0 rule(s) found
13:53:04 suricata: [2743] – tenant id 0: 52 rule files processed. 47525 rules successfully loaded, 1 rules failed, 0 rules skipped
13:51:52 suricata: [2743] – error parsing signature “drop tcp $EXTERNAL_NET $HTTP_PORTS → $HOME_NET any (msg:“MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download”; flow:to_client,established; content:”-2013.zip
13:51:52 suricata: [2743] – previous keyword has a fast_pattern:only; set. Can’t have relative keywords around a fast_pattern only content
13:51:52 suricata: [2743] – Including configuration file /var/ipfire/suricata/suricata-used-rulesfiles.yaml.
13:51:52 suricata: [2743] – Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
13:51:52 suricata: [2743] – Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
13:51:52 suricata: [2743] – Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
13:51:52 suricata: [2743] – rule reload starting
15

Unfortunately, I am experiencing the same behavior with ClamAV here.

16

Okay, I did a search on the messages in this error and found that there is an issue raised in the clamav github system for this.
https://github.com/Cisco-Talos/clamav/issues/1630
The issue description seems to be indicating that this message occurs if the certs directory is not set as the default value defined by clamav of /etc/clamav/certs. This directory would need to exist and it would need to be defined in the clamd.conf file with an entry of
CVDCertsDirectory = "/etc/clamav/certs"

From that issue it seems that if any other directory than the default value is used then this error message is given.
The issue was raised on 8th Dec and is still open.

There is also a link to another closed issue
https://github.com/Cisco-Talos/clamav/issues/1588
which seems to indicate that a file clamav.crt should also be in that certs file and should have been installed as part of the clamav-1.5.x build. It was commented out in the rootfile. However it would have been placed in the /var/ipfire/clamav/certs/ directory.

That file can be obtained from the following link mentioned in the second issue listed above.

https://github.com/Cisco-Talos/clamav/blob/main/certs/clamav.crt

Before changing the location of the certs directory it would be worth getting a copy of that file, placing it in the /var/ipfire/clamav/certs/ directory that you created and then trying clamav again.

There is also a mention in both issues that the CVD_CERTS_DIR environment variable might also need to be set to the certs directory path to overcome the issue with not using the clamav default path for the certs directory.
First check that the environment variable is not already set somehow by running the command
echo CVD_CERTS_DIR

EDIT: It should come back with an empty result

You can then test setting that environment variable by running the bash command
export CVD_CERTS_DIR='/var/ipfire/clamav/certs/
and then see if that combination of environment variable and the provision of the clamav.crt file solve things or not.

17

After discussion with @ms the clamav version will be reverted to 1.4.3 and so will become available as an addon update in your pakfire.

The best thing is therefore to ignore all the previous change suggestion and to remove any changes you have already made to your systems, ie the creation of the certs directory etc, and then when the reverted clamav becomes available in pakfire I will flag it up here and you will be able to update back to the older version of clamav and I will then do a new patch submit for the update to clamav-1.5.1 for CU200 or CU201 and when that goes to Testing phase it will be really great if someone that actually uses clamav in IPFire would be able to do testing and evaluation of it to make sure that it works.

EDIT:
The reversion patch has been merged into the core199 git repository.
It now needs to be built again. After the build is completed the updated files need to be copied to their correct locations. I will flag up when each of these stages occurs.

4 Likes
18

Hi @bonnietwin ,

many thanks for your feedback.

I will do so and give feedback here in the community.

When CU200 or CU201 is planned?

19

CU201 hasn’t been started yet.

CU200 is the current Next repository in our git system. That will likely go to Testing somewhere near the end of January but we don’t have any fixed release schedules.

It will depend on my timing availability on when I can look at doing a fresh update patch for clamav-1.5.1. I want to make sure that I understand those signature cert validations well enough to stand a good chance of having a working clamav system.

1 Like
20

Am I right in thinking that the old CLamAV version will soon be available in PakFire and we will then be able to install it?