[clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

Dennis Peterson dennispe at inetnw.com
Tue Jul 3 03:02:35 EDT 2018


I had completely forgotten about freshclam grabbing the entire file to determine 
currency. I recall knocking off a quick script to avoid that which included:

curl -q -r 35-39 http://db.us.clamav.net/daily.cvd |strings

It returns the ID of what ever version is on the mirror. I've added strings to 
the end as a safety valve in case someone wants to try it with different 
arguments to the -r.

Being retired I no longer sweat the small schtuff, but when I was responsible 
for hundreds of servers I used every trick in the book to avoid wasting time 
(CFengine was involved and freshclam was not). Because the filename daily.xxx is 
overloaded (version agnostic) this kind of trick was needed.

dp

On 7/2/18 6:37 PM, Paul Kosinski wrote:
> Any system whereby new versions of files are announced before they are
> actually available to automated downloads is awkward (to say the least).
>
> If, in addition, a server which doesn't have the announced version is
> blacklisted by the automated downloader, the whole mechanism can grind
> to a halt (as it has for us).
>
> Even if a server which is out of sync (i.e., behind) is not
> blacklisted, but merely temporarily skipped, it uses extra bandwidth in
> the current scheme. In the case of daily.cvd, the only way freshclam
> detects that the server is out of sync is by downloading the whole file
> (currently about 47 MB) -- the waste of bandwidth is enormous. For
> example, our logs this afternoon show 15 complete downloads of
> daily.cvd over about 1 hour. Of these, all but the last failed due to
> out of sync. This is why we have recently taken to deleting mirrors.dat
> before each freshclam run -- to compensate for the blacklisting -- and
> running freshclam 3 times an hour hoping for sync.
>
> This behavior is both unreasonable and inefficient.
>
> P.S. Just before I sent this mail, I sent some proposals for how ClamAV
> might possibly avoid this behavior.
>




More information about the clamav-users mailing list