[clamav-users] We STILL cannot reliably get virus updates (since new mirrors)
Paul Kosinski
clamav-users at iment.com
Sat Jun 30 23:27:52 UTC 2018
We are *still* failing to get ClamAV cvd file updates reliably -- even
after deleting mirrors.dat before each attempt!
The basic problem seems to be that the query to (e.g.):
daily.24710.85.1.0.6810BB8A.ping.clamav.net
fails as often as not (e.g.):
Querying daily.24710.85.1.0.6810BB8A.ping.clamav.net
Can't query daily.24710.85.1.0.6810BB8A.ping.clamav.net
The query fails a lot when issued by freshclam, and it also fails
(times out) a lot when issued by dig.
As far as I can tell by reading the freshclam code, the query is just a
DNS query for the A record (as opposed to a TXT record etc.). I presume
that the prefix part of the FQDN works like it does for blacklists and
indicates whether the prefix is "good" or "bad".
As I investigated further, I ran one test which gave a very interesting
result:
# dig xx.ping.clamav.net
;xx.ping.clamav.net. IN A
xx.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 218 IN NS ns4.clamav.net.
ns4.clamav.net. 3053 IN A 12.167.151.33
ns4.clamav.net. 3053 IN A 5.9.14.57
ns4.clamav.net. 3258 IN AAAA 2a01:4f8:160:8421::2
Apparently, ping.clamav.net is handled by ns4.clamav.net, but that name
server has 2 unrelated IP addresses. The 12.167.151.33 address appears
to be leased by Sourcefire from AT&T, but the 5.9.14.57 address is
owned by Hetzner.de.
If I now do digs explicitly using the 2 different addresses for ns4,
the Hetzner one works, but the Sourcefire one doesn't:
# while true; do dig @5.9.14.57 daily.24710.85.1.0.6810BB8A.ping.clamav.net ; sleep 1 ; done
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 1200 IN NS ns4.clamav.net.
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 1200 IN NS ns4.clamav.net.
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 1200 IN NS ns4.clamav.net.
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 1200 IN NS ns4.clamav.net.
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 1200 IN NS ns4.clamav.net.
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 1200 IN NS ns4.clamav.net.
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
ping.clamav.net. 1200 IN NS ns4.clamav.net.
^C
# while true; do dig @12.167.151.33 daily.24710.85.1.0.6810BB8A.ping.clamav.net ; sleep 1 ; done
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
;daily.24710.85.1.0.6810BB8A.ping.clamav.net. IN A
ping.clamav.net. 86400 IN SOA localhost. root.localhost. 1 604800 86400 2419200 86400
^C
This would explain why the DNS query from freshclam is so unreliable.
(Is the Sourcefire instance of ns4 even running a DNS server?)
This behavior is causing us much grief, because a large number of
ClamAV DB updates fail, saying that the mirror is not synchronized,
thus adding that mirror to mirrors.dat (which I now automatically
delete right before freshclam runs!).
Is there anything we can do short of bypassing freshclam, periodically
downloading daily.cvd, bytecode.cvd etc., and seeing if they differ from
the last download?
P.S. Here are traceroutes to the 2 ns4.clamav.net machines; these show
that we *do* have the ability to reach both of them:
traceroute to ns4.clamav.net (5.9.14.57), 30 hops max, 60 byte packets
1 dslmodem.iment.local (10.25.26.1) 1.108 ms 1.476 ms 1.942 ms
2 216.237.102.1 (216.237.102.1) 36.675 ms 39.009 ms 40.798 ms
3 216.237.98.117 (216.237.98.117) 44.470 ms 46.751 ms 46.998 ms
4 69.46.227.233.lightower.net (69.46.227.233) 79.273 ms 79.554 ms 79.803 ms
5 ae22-bstpmalljp1.lightower.net (104.207.214.80) 74.458 ms 76.358 ms 76.582 ms
6 ae10-bstpmallj93.lightower.net (144.121.35.36) 68.487 ms 69.450 ms 69.548 ms
7 10ge8-1.core1.bos1.he.net (216.66.32.5) 66.711 ms 41.656 ms 42.851 ms
8 100ge12-2.core1.nyc4.he.net (184.105.64.53) 43.861 ms 41.986 ms 42.088 ms
9 100ge11-1.core1.nyc5.he.net (184.105.213.218) 43.702 ms 100ge16-2.core1.lon2.he.net (72.52.92.165) 109.536 ms 112.671 ms
10 100ge6-2.core1.ams1.he.net (72.52.92.214) 145.347 ms 161.222 ms 100ge8-2.core1.dub1.he.net (184.105.65.246) 103.805 ms
11 100ge3-2.core1.man1.he.net (72.52.92.197) 107.707 ms 109.637 ms 109.192 ms
12 100ge16-1.core1.ams1.he.net (184.105.213.65) 128.275 ms core23.fsn1.hetzner.com (213.239.224.249) 128.936 ms 100ge16-1.core1.ams1.he.net (184.105.213.65) 128.679 ms
13 ex9k1.dc7.fsn1.hetzner.com (213.239.229.234) 134.740 ms hetzner.interxionfra4.nl-ix.net (193.239.117.110) 127.076 ms 127.058 ms
14 core23.fsn1.hetzner.com (213.239.224.249) 131.271 ms core24.fsn1.hetzner.com (213.239.224.253) 130.748 ms core23.fsn1.hetzner.com (213.239.224.249) 125.226 ms
15 ns4.clamav.net (5.9.14.57) 127.731 ms 128.609 ms ex9k1.dc7.fsn1.hetzner.com (213.239.229.238) 129.537 ms
traceroute to ns4.clamav.net (12.167.151.33), 30 hops max, 60 byte packets
1 dslmodem.iment.local (10.25.26.1) 1.104 ms 1.562 ms 2.070 ms
2 216.237.102.1 (216.237.102.1) 37.613 ms 40.082 ms 41.797 ms
3 216.237.98.117 (216.237.98.117) 43.653 ms 45.999 ms 47.673 ms
4 69.46.227.233.lightower.net (69.46.227.233) 49.435 ms 51.731 ms 53.404 ms
5 ae22-bstpmalljp1.lightower.net (104.207.214.80) 57.317 ms 59.946 ms 61.832 ms
6 ae10-bstpmallj93.lightower.net (144.121.35.36) 61.904 ms 61.712 ms 64.363 ms
7 10ge8-1.core1.bos1.he.net (216.66.32.5) 66.045 ms 39.012 ms 37.544 ms
8 100ge12-2.core1.nyc4.he.net (184.105.64.53) 41.486 ms 41.540 ms 41.395 ms
9 100ge16-1.core1.ash1.he.net (184.105.223.165) 117.502 ms 47.104 ms 57.578 ms
10 eqix-ix-dc6.ciscosystems.com (206.126.237.194) 47.562 ms 46.928 ms 46.960 ms
11 ava-talos2-pp-talos1-vlan2804.vrt.sourcefire.com (198.148.79.102) 48.446 ms 50.351 ms 50.132 ms
12 moist.vrt.sourcefire.com (198.148.79.134) 50.964 ms 50.374 ms 47.583 ms
13 * * *
14 12.167.151.33 (12.167.151.33) 47.663 ms 47.912 ms 47.902 ms
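The post reads freshclam's mirror check as a plain A-record lookup of the ping.clamav.net name, and the two dig loops show one ns4 address returning an A record and the other returning only an SOA in the authority section. Below is an added example (not ClamAV's code) that builds the same A query in raw RFC 1035 wire format and classifies a reply the way that reading of freshclam implies: an A answer means "good", an SOA-only authority section is a negative reply. The two sample replies are constructed here from the dig output above, so the script runs offline; the function names (build_a_query, classify_reply, query_server, build_reply) are the example's own, and the transaction id 0x1234 is arbitrary.

```python
"""Build and classify the A query freshclam sends for its mirror-sync check.

Added example, not ClamAV code. Only the standard library is used. The two
sample replies are constructed to match the dig output in the post.
"""
import random
import socket
import struct

QNAME = "daily.24710.85.1.0.6810BB8A.ping.clamav.net"  # name from the post


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at offset; follows compression pointers. Returns (name, end)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # pointer to an earlier occurrence
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def build_a_query(name, txid=None):
    """Header (RD set, one question) + QNAME + QTYPE=A(1), QCLASS=IN(1)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_rrs(msg, off, count):
    """Parse `count` resource records starting at `off` -> ([(name, type, ttl, rdata)], off)."""
    rrs = []
    for _ in range(count):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return rrs, off


def classify_reply(query, reply):
    """Return ('answer', [ips]) for an A answer, ('negative', []) for an
    SOA-only authority section, ('mismatch', []) if the txid differs, else ('other', [])."""
    if len(reply) < 12:
        return ("other", [])
    txid, _flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        return ("mismatch", [])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = decode_name(reply, off)
        off += 4
    answers, off = parse_rrs(reply, off, an)
    authority, off = parse_rrs(reply, off, ns)
    a_records = [socket.inet_ntoa(rd) for _, t, _, rd in answers if t == 1]
    if a_records:
        return ("answer", a_records)
    if any(t == 6 for _, t, _, _ in authority):  # SOA in authority, no answer
        return ("negative", [])
    return ("other", [])


def query_server(server_ip, name, timeout=3.0):
    """Live check against one nameserver address (not run by the offline samples)."""
    q = build_a_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return ("timeout", [])
    return classify_reply(q, reply)


def build_reply(query, answers, authority):
    """Construct a response to `query` carrying the given answer/authority RRs."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(answers), len(authority), 0)
    body = b""
    for name, rtype, ttl, rdata in answers + authority:
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + body


def soa_rdata(mname, rname, *fields):
    return encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", *fields)


# Constructed samples mirroring the two dig loops in the post (txid 0x1234 is arbitrary).
QUERY = build_a_query(QNAME, txid=0x1234)
HETZNER_REPLY = build_reply(QUERY, [(QNAME, 1, 1, socket.inet_aton("5.9.14.57"))],
                            [("ping.clamav.net", 2, 1200, encode_name("ns4.clamav.net"))])
SOURCEFIRE_REPLY = build_reply(QUERY, [], [("ping.clamav.net", 6, 86400,
                               soa_rdata("localhost", "root.localhost", 1, 604800, 86400, 2419200, 86400))])

if __name__ == "__main__":
    print("5.9.14.57    ->", classify_reply(QUERY, HETZNER_REPLY))
    print("12.167.151.33 ->", classify_reply(QUERY, SOURCEFIRE_REPLY))
```

To reproduce the post's loops against the real servers, call query_server("5.9.14.57", QNAME) and query_server("12.167.151.33", QNAME) and compare the verdicts; a resolver that happens to pick the second address for ns4 will see the "negative" case, which matches the intermittent failures described.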