[clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

Paul Kosinski clamav-users at iment.com
Sun Jul 1 23:24:45 EDT 2018


The debug flag on the freshclam invocation seems only to report on the
processing that happens *after* the cvd is successfully downloaded.

So... I went to a more basic level and captured the actual network
traffic with pcap and then examined it with wireshark.

I found an update attempt that failed because the mirrors were "not
synchronized" and then went to the capture files to find the DNS that
retrieved the version number, and the HTTP that retrieved the data.
(These are in separate pcap files because our DNS uses our old DSL, but
HTTP uses the faster cable modem.)  Anyway, here is a summary of a
typical "not synchronized" failure.

Here is an excerpt from the freshclam log from Sunday 01 July 2018 at
09:36:01 EDT (aka 13:36:01 GMT):

  daily.cvd version from DNS: 24713
  Retrieving http://db.us.clamav.net/daily.cvd
  Ignoring mirror 104.16.189.138 (due to previous errors)
  Trying host db.us.clamav.net (104.16.185.138)...
  Using ip '10.11.14.160' for fetching.
  Trying to download http://db.us.clamav.net/daily.cvd (IP: 104.16.185.138)
  Downloading daily.cvd [100%]
  WARNING: Mirror 104.16.185.138 is not synchronized.

Indeed, when we look at the captured DNS TXT record and compare it to
the captured downloaded data, we see that it in fact is *not* synchronized!

First, the wireshark decode of the TXT record, showing that the current
version is in fact 24713.

  No.     Time            Source                Port   Destination           Port   Length Protocol Info
     4723 09:36:02.098521 147.75.64.146         53     10.25.26.60           26793  148    DNS      Standard query response 0x5469  TXT
  
  Frame 4723: 148 bytes on wire (1184 bits), 148 bytes captured (1184 bits)
  Ethernet II, Src: 6c:72:20:41:d1:32 (6c:72:20:41:d1:32), Dst: fc:aa:14:5a:1b:68 (fc:aa:14:5a:1b:68)
  Internet Protocol Version 4, Src: 147.75.64.146 (147.75.64.146), Dst: 10.25.26.60 (10.25.26.60)
  User Datagram Protocol, Src Port: 53 (53), Dst Port: 26793 (26793)
  Domain Name System (response)
      [Request In: 4722]
      [Time: 0.044517000 seconds]
      Transaction ID: 0x5469
      Flags: 0x8400 Standard query response, No error
      Questions: 1
      Answer RRs: 1
      Authority RRs: 0
      Additional RRs: 1
      Queries
          current.cvd.clamav.net: type TXT, class IN
      Answers
          current.cvd.clamav.net: type TXT, class IN
              Name: current.cvd.clamav.net
              Type: TXT (Text strings)
              Class: IN (0x0001)
              Time to live: 30 minutes
              Data length: 43
              TXT Length: 42
              TXT: 0.100.0:58:24713:1530451740:1:63:47569:322
      Additional records
          <Root>: type OPT
              Name: <Root>
              Type: OPT (EDNS0 option)
              UDP payload size: 1680
              Higher bits in extended RCODE: 0x0
              EDNS0 version: 0
              Z: 0x8000
                  Bit 0 (DO bit): 1 (Accepts DNSSEC security RRs)
                  Bits 1-15: 0x0 (reserved)
              Data length: 0


Next is the HTTP request and (truncated) response from 104.16.185.138,
as provided by wireshark's handy Follow TCP Stream. Note that the
response says that the version is only 24712, not 24713!

  GET /daily.cvd HTTP/1.0
  Host: db.us.clamav.net
  User-Agent: ClamAV/0.99.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
  Connection: close
  
  HTTP/1.1 200 OK
  Date: Sun, 01 Jul 2018 13:36:20 GMT
  Content-Type: application/octet-stream
  Content-Length: 48149793
  Connection: close
  Set-Cookie: __cfduid=d88ed50c4d496c2c73f2f8c6f2579b9bb1530452180; expires=Mon, 01-Jul-19 13:36:20 GMT; path=/; domain=.clamav.net; HttpOnly
  Last-Modified: Sun, 01 Jul 2018 04:40:58 GMT
  ETag: "5b385b5a-2deb521"
  Expires: Sun, 01 Jul 2018 08:40:58 GMT
  Cache-Control: max-age=3600
  Cache-Control: public
  CF-Cache-Status: HIT
  Accept-Ranges: bytes
  Server: cloudflare
  CF-RAY: 433942cde659ae1a-BOS
  
  ClamAV-VDB:01 Jul 2018 00-40 -0400:24712:2000714:63:6b67a9289bf468a7bc9caead0b485bfd:8PaJxsXEfye3s7v74s7ahRQ1IaryM7UxzfE8Cnb8g2l+wLIMC6wCwIvh3wvbLJzDtSMkeerx8s1O1K/TYiCf445F+79Srhgc/Rl1Qokm2IsUNOL4J2VbzRM/Akq0eTQhHk999P7Irz0MyLJWzNeXaKDWN0LmUmcpZrBTjhJYzQg:neo:1530420019


My conclusion is that the cause of this is a typical race condition:
the DNS TXT record is updated before Cloudflare has propagated the new
cvd file to all the mirrors.


I have attached the full freshclam log for this failing update attempt
to this email, The pcap file is far too big for email, but can be
retrieved via the following full URL (directory listing is blocked):

  http://iment.com/paste-bin/ClamAV-104-16-185-138.pcap







On Sun, 1 Jul 2018 00:37:35 +0000
"Joel Esler (jesler)" <jesler at cisco.com> wrote:

> Ping.clamav.net is an identification lookup.  Helps us see what
> versions people are running out there and what version of ClamAV
> people are using.  It’s failure shouldn’t stop the update process.
> Please give us a debug. 
> 
> Sent from my iPhone
> 
> > On Jun 30, 2018, at 19:28, Paul Kosinski <clamav-users at iment.com>
> > wrote:
> > 
> > We are *still* failing to get ClamAV cvd files updates reliably --
> > even after deleting mirrors.dat before each attempt!
> >
> > [... and much, much more ...]
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freshclam-log.txt
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20180701/2fdfe562/attachment.txt>


More information about the clamav-users mailing list