[clamav-users] VirusDB Updates Broken?

Paul Kosinski clamav-users at iment.com
Wed Jun 27 00:24:02 UTC 2018 

Joel,

Sorry to have been somewhat cryptic: I assumed the context of the
posting I was nominally replying to.

By "broken", I meant that freshclam cannot retrieve daily.cvd files
from the new CloudFlare IPs. In fact, I just now removed mirrors.dat,
and all(?) the new CloudFlare IPs report "not synchronized", probably
due to the ping.clamav.net failures (see below):

  WARNING: Mirror 104.16.185.138 is not synchronized.
  WARNING: Mirror 104.16.186.138 is not synchronized.
  WARNING: Mirror 104.16.187.138 is not synchronized.
  WARNING: Mirror 104.16.188.138 is not synchronized.
  WARNING: Mirror 104.16.189.138 is not synchronized.

The command "host -t txt current.cvd.clamav.net" reports as follows:

  current.cvd.clamav.net descriptive text "0.100.0:58:24699:1530048540:1:63:47550:322"

But the freshclam log reports some variant of:

  Querying daily.0.85.0.0.6810BD8A.ping.clamav.net
  Can't query daily.0.85.0.0.6810BD8A.ping.clamav.net
  Giving up on db.us.clamav.net...

None of my local recursive DNS, my off-site Web server (in another
state), or (apparently) 8.8.8.8 or 8.8.4.4 can resolve
daily.0.85.0.0.6810BD8A.ping.clamav.net, but mxtoolbox.com resolves it,
(via ns4.clamav.net) to:

  5.9.14.57 at Hetzner Online AG (AS24940)

Weird.

However, it seems I *can* get at the daily.cvd file by means of direct HTTP
access to "http://db.us.clamav.net/daily.cvd", which accesses the same
CloudFlare IPs that are allegedly "not synchronized".

The result of all this confusion is that the last time I got a
daily.cvd via freshclam was before CloudFlare:

  Monday 25 June 2018 at 09:06:26
  Database updated (6556585 signatures) from db.us.clamav.net (IP: 200.236.31.1)

I am going to have to use the direct HTTP until [whenever]?


------------------------------------

On Tue, 26 Jun 2018 20:01:09 +0000
"Joel Esler (jesler)" <jesler at cisco.com> wrote:

> Define broken in your context?  Doesn't have the file?  (Humor me, so
> I understand from your parlance)
> 
> 
> 
> > On Jun 26, 2018, at 2:59 PM, Paul Kosinski <clamav-users at iment.com>
> > wrote:
> > 
> > ALL of the db.xx.clamav.net (plus database.clamav.net) apparently
> > point to CloudFlare, and they are ALL broken. (And have been for
> > many hours.)
> > 
> > 
> > On Tue, 26 Jun 2018 11:09:08 -0700
> > Dave Warren <dw at thedave.ca> wrote:
> > 
> >> As that is a Cloudflare IP, I believe it possibly could represent
> >> one or more backend mirrors as it may return different content
> >> depending on the hostname provided.
> >> 
> >> On Tue, Jun 26, 2018, at 06:41, Robin Bourne wrote:
> >>> Joel, 
> >>> 
> >>> I'm now getting "WARNING: Mirror 104.16.188.138 is not
> >>> synchronized." when using the CDN. Could it be related to the
> >>> changes made to fix this as my definitions are 3 revisions out?> 
> >>> Thanks, 
> >>> 
> >>> On 25 June 2018 at 04:28, Joel Esler (jesler)
> >>> <jesler at cisco.com> wrote:>> Al,
> >>>> 
> >>>> 
> >>>> Thanks. We are aware.  Looking into it.  
> >>>> 
> >>>> Sent from my iPhone
> >>>> 
> >>>> 
> >>>>> On Jun 24, 2018, at 23:12, Al Varnell <alvarnell at mac.com> wrote:
> >>>>> 
> >>>>> Yes, but all but one was empty.
> >>>>> 
> >>>>> Sent from my iPad
> >>>>> 
> >>>>> -Al-
> >>>>> 
> >>>>>> On Jun 24, 2018, at 19:42, Paul Kosinski
> >>>>>> <clamav-users at iment.com> wrote:>>  >> 
> >>>>>> I've gotten several daily.cvd updates in that period. They came
> >>>>>> from>>  >> several IP addresses associated with
> >>>>>> from>>  >> http://db.us.clamav.net/.
> >>>>>> 
> >>>>>> 
> >>>>>> On Sun, 24 Jun 2018 18:08:59 -0700
> >>>>>> Al Varnell <alvarnell at mac.com> wrote:
> >>>>>> 
> >>>>>>> Just wanted to point out that there has only been one
> >>>>>>> signature
> >>>>>>> added>>  >>> to the VirusDB by daily updates in the last 32
> >>>>>>> added>>  >>> hours.
> >>>>>>> 
> >>>>>>> 
> >>>>>>> -Al-

More information about the clamav-users mailing list