[clamav-users] ClamAV mirrors have gotten worse!
Paul Kosinski
clamav-users at iment.com
Tue Nov 20 18:55:25 UTC 2018
We are using a local mirror to reduce Internet traffic and (mainly) to
reduce load on the ClamAV servers.

It is *only* the "master" (Internet-connected) ClamAV that sees these
delays, where the DNS TXT record advertises updates before whatever
Cloudflare server we (are unlucky enough to) actually hit has the files
available for download. The other ClamAVs on our LAN use an approach
wherein the mirror server (on the "master" ClamAV machine) simply
reports when new cvd (etc.) files are available locally.

It is only the "master" ClamAV that periodically does a DNS TXT query to
decide whether to run freshclam, whose source is the ClamAV (Cloudflare)
server. If it does this immediately when the DNS TXT record suggests,
freshclam sometimes fails, complaining about things being out of sync.
(That's when I added the curl prefetch to see if the file really was
what the DNS TXT said.) All this has nothing to do with our local
mirroring.

Somebody suggested that our ISP (Comcast) may be proxying / caching the
ClamAV files -- and doing it badly. If that's the case, I don't know
what we can do about it.

On Tue, 20 Nov 2018 13:09:54 +0000
"Joel Esler (jesler)" <jesler at cisco.com> wrote:
> Any particular reason that you are using a local mirror? I mean, if
> not strictly necessary, just point it at our mirrors and call it a
> day.
>
> I've talked to a couple people off list in the last few days that
> were experiencing errors or delays, and 100% of them were using local
> proxies or mirrors.
>
> One was because the proxy didn't know how to address
> "HTTP/1.0" (Instead of "HTTP/1.1").
>
> So it could be the smallest of issues, eliminate any issues that are
> not strictly relevant.
>
> --
> Joel Esler
> Manager, Communities Division
> Cisco Talos Intelligence Group
> http://www.talosintelligence.com
>
> > On Nov 19, 2018, at 9:25 PM, Paul Kosinski <clamav-users at iment.com>
> > wrote:
> >
> > Our Internet-facing ClamAV sits on our gateway/firewall and serves
> > as our local mirror. It accesses the Internet via the NIC whose IP
> > address is 10.11.14.160. (We used to have two NICs connected to the
> > Internet, but now only have one, so this is historical only.)
> >
> > The msg "Using ip '10.11.14.160' for fetching" is produced by the
> > freshclam binary itself and derives from our freshclam.conf entry:
> >
> > # Use aaa.bbb.ccc.ddd as client address for downloading databases.
> > # Useful for multi-homed systems.
> > # Default: Use OS'es default outgoing IP address.
> > LocalIPAddress 10.11.14.160
> >
> > No matter, are we so unlucky -- only 1 out of 3M -- in having the
> > sync errors reappear? Or are we simply one of far fewer users who
> > log (and actually examine) their entire freshclam output?
> >
> > P.S. I have very recently updated our clamavs to 0.100.2. I wonder
> > if that will improve things in this regard.
> >
> >
> >
> > On Thu, 15 Nov 2018 19:40:43 +0000
> > "Joel Esler (jesler)" <jesler at cisco.com> wrote:
> >
> >> Judging by the 60+TB of traffic we are transferring a day, it's
> >> working for at least 3M+ users.
> >>
> >>> On Nov 15, 2018, at 1:34 PM, Dennis Peterson <dennispe at inetnw.com>
> >>> wrote:
> >>>
> >>> On 11/13/18 12:04 PM, Paul Kosinski wrote:
> >>>> "Why are you looking at October reports?"
> >>>>
> >>>> It was the first one. And it also shows that the problem began
> >>>> *before* 0.100.1 was deemed OUTDATED.
> >>>>
> >>>> So, here's one from this morning.
> >>>>
> >>>> I also have 4 from yesterday, 3 from Sunday Nov 11 etc. Posting
> >>>> them all would be a bit tedious.
> >>>
> >>> What does this line mean - that is, what is fetching from that IP?
> >>> Local mirror?
> >>>
> >>> Using ip '10.11.14.160' for fetching.
> >>>
> >>> And we're having a completely different experience here with
> >>> reliability over the same time span:
> >>>
> >>> Mirror #1
> >>> IP: 104.16.189.138
> >>> Successes: 19
> >>> Failures: 0
> >>> Last access: Thu Nov 15 07:01:02 2018
> >>> Ignore: No
> >>> -------------------------------------
> >>> Mirror #2
> >>> IP: 104.16.186.138
> >>> Successes: 19
> >>> Failures: 0
> >>> Last access: Wed Nov 14 23:01:03 2018
> >>> Ignore: No
> >>> -------------------------------------
> >>> Mirror #3
> >>> IP: 104.16.185.138
> >>> Successes: 18
> >>> Failures: 0
> >>> Last access: Mon Nov 12 21:05:32 2018
> >>> Ignore: No
> >>> -------------------------------------
> >>> Mirror #4
> >>> IP: 104.16.187.138
> >>> Successes: 18
> >>> Failures: 0
> >>> Last access: Sun Nov 11 01:07:46 2018
> >>> Ignore: No
> >>> -------------------------------------
> >>> Mirror #5
> >>> IP: 104.16.188.138
> >>> Successes: 19
> >>> Failures: 0
> >>> Last access: Mon Nov 12 14:03:05 2018
> >>> Ignore: No
>
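
The check described in the top message (confirming that the server really has the version the DNS TXT record advertises before running freshclam) can be sketched as follows. This is an added example, not Paul's script or ClamAV project code; the field positions follow the freshclam TXT record and CVD header layout, and the sample records and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: does the mirror serve the version the DNS TXT record advertises?

# TXT record, colon-separated: 1 ClamAV release, 2 main version, 3 daily version,
# 4 timestamp, 5 version-warning flag, 6 f-level, 7 safebrowsing, 8 bytecode.
txt_version() {            # usage: txt_version <main|daily|bytecode> <txt-record>
    case "$1" in
        main)     field=2 ;;
        daily)    field=3 ;;
        bytecode) field=8 ;;
        *)        return 2 ;;
    esac
    printf '%s\n' "$2" | tr -d '"' | cut -d: -f"$field"
}

# A .cvd file begins with a 512-byte text header:
# ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>
cvd_header_version() {     # usage: cvd_header_version <header-text>
    magic=$(printf '%s\n' "$1" | cut -d: -f1)
    [ "$magic" = "ClamAV-VDB" ] || return 1   # e.g. a proxy error page, not a CVD
    printf '%s\n' "$1" | cut -d: -f3
}

# Returns 0 if the mirror has at least the advertised version, 1 if it is behind
# (the case where freshclam complains about sync), 2 if either input is unparsable.
mirror_in_sync() {         # usage: mirror_in_sync <db> <txt-record> <header-text>
    want=$(txt_version "$1" "$2") || return 2
    have=$(cvd_header_version "$3") || return 2
    case "$want" in ''|*[!0-9]*) return 2 ;; esac
    case "$have" in ''|*[!0-9]*) return 2 ;; esac
    [ "$have" -ge "$want" ]
}

# Constructed sample data (not captured from a real server).
SAMPLE_TXT='"0.100.2:58:25137:1542740940:1:63:48210:327"'
SAMPLE_FRESH='ClamAV-VDB:20 Nov 2018 13-49 -0500:25137:2159683:63:MD5:DSIG:neo:1542739740'
SAMPLE_STALE='ClamAV-VDB:19 Nov 2018 21-51 -0500:25136:2158910:63:MD5:DSIG:neo:1542682260'

# Live use (hostnames are assumptions, not taken from the thread):
#   txt=$(dig +short TXT current.cvd.clamav.net)
#   hdr=$(curl -s -r 0-511 http://database.clamav.net/daily.cvd)
#   mirror_in_sync daily "$txt" "$hdr" && freshclam
```

A return code of 2 is worth logging separately from 1: it means the response was not a CVD header at all, which points at an intermediary rather than a lagging mirror.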