[clamav-users] ClamAV mirrors have gotten worse!

Joel Esler (jesler) jesler at cisco.com
Tue Nov 20 22:39:44 UTC 2018


It's possible.  But, unless there is a vocal minority that no one is chiming in about, you are the only person/group that I have heard complain about the issue...

Millions of people are getting updates from Cloudflare a day, so something is working correctly, and there's been no configuration changes on our side.

If you receive Cloudflare blocks then that's a different story.

On Nov 20, 2018, at 1:55 PM, Paul Kosinski <clamav-users at iment.com> wrote:

We are using a local mirror to reduce Internet traffic and (mainly) to
reduce load on the ClamAV servers.

It is *only* the "master" (Internet-connected) ClamAV that sees these
delays, where the DNS TXT record advertises updates before whatever
Cloudflare server we (are unlucky enough to) actually hit has the files
available for download. The other ClamAVs on our LAN use an approach
wherein the mirror server (on the "master" ClamAV machine) simply
reports when new cvd (etc.) files are available locally.

It is only the "master" ClamAV that periodically does a DNS TXT query to
decide whether to run freshclam, whose source is the ClamAV (Cloudflare)
server. If it does this immediately when the DNS TXT record suggests,
freshclam sometimes fails, complaining about things being out of sync.
(That's when I added the curl prefetch to see if the file really was
what the DNS TXT said.) All this has nothing to do with our local
mirroring.

Somebody suggested that our ISP (Comcast) may be proxying / caching the
ClamAV files -- and doing it badly. If that's the case, I don't know
what we can do about it.


On Tue, 20 Nov 2018 13:09:54 +0000
"Joel Esler (jesler)" <jesler at cisco.com> wrote:

Any particular reason that you are using a local mirror?  I mean, if
not strictly necessary, just point it at our mirrors and call it a
day.

I've talked to a couple people off list in the last few days that
were experiencing errors or delays, and 100% of them were using local
proxies or mirrors.

One was because the proxy didn't know how to address
"HTTP/1.0" (Instead of "HTTP/1.1").

So it could be the smallest of issues; eliminate any issues that are
not strictly relevant.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

On Nov 19, 2018, at 9:25 PM, Paul Kosinski <clamav-users at iment.com>
wrote:

Our Internet-facing ClamAV sits on our gateway/firewall and serves
as our local mirror. It accesses the Internet via the NIC whose IP
address is 10.11.14.160. (We used to have two NICs connected to the
Internet, but now only have one, so this is historical only.)

The msg "Using ip '10.11.14.160' for fetching" is produced by the
freshclam binary itself and derives from our freshclam.conf entry:

# Use aaa.bbb.ccc.ddd as client address for downloading databases.
# Useful for multi-homed systems.
# Default: Use OS'es default outgoing IP address.
LocalIPAddress 10.11.14.160

No matter, are we so unlucky -- only 1 out of 3M -- in having the
sync errors reappear? Or are we simply one of far fewer users who
log (and actually examine) their entire freshclam output?

P.S. I have very recently updated our clamavs to 0.100.2. I wonder
if that will improve things in this regard.



On Thu, 15 Nov 2018 19:40:43 +0000
"Joel Esler (jesler)" <jesler at cisco.com> wrote:

Judging by the 60+TB of traffic we are transferring a day, it's
working for at least 3M+ users.

On Nov 15, 2018, at 1:34 PM, Dennis Peterson <dennispe at inetnw.com>
wrote:

On 11/13/18 12:04 PM, Paul Kosinski wrote:
"Why are you looking at October reports?"

It was the first one. And it also shows that the problem began
*before* 0.100.1 was deemed OUTDATED.

So, here's one from this morning.

I also have 4 from yesterday, 3 from Sunday Nov 11 etc. Posting
them all would be a bit tedious.

What does this line mean - that is, what is fetching from that IP?
Local mirror?

Using ip '10.11.14.160' for fetching.

And we're having a completely different experience here with
reliability over the same time span:

Mirror #1
IP: 104.16.189.138
Successes: 19
Failures: 0
Last access: Thu Nov 15 07:01:02 2018
Ignore: No
-------------------------------------
Mirror #2
IP: 104.16.186.138
Successes: 19
Failures: 0
Last access: Wed Nov 14 23:01:03 2018
Ignore: No
-------------------------------------
Mirror #3
IP: 104.16.185.138
Successes: 18
Failures: 0
Last access: Mon Nov 12 21:05:32 2018
Ignore: No
-------------------------------------
Mirror #4
IP: 104.16.187.138
Successes: 18
Failures: 0
Last access: Sun Nov 11 01:07:46 2018
Ignore: No
-------------------------------------
Mirror #5
IP: 104.16.188.138
Successes: 19
Failures: 0
Last access: Mon Nov 12 14:03:05 2018
Ignore: No

