[clamav-users] PrivateMirror set on client machine. Disable cld downloads

vin9999 vin9999 at protonmail.com
Mon Mar 23 17:54:36 EDT 2020


Hello,

Hope I reply to the correct email, as I am not really used to email lists.

The wget option is definitely an interesting workaround. Could build a script.

I also tried another option in the freshclam.conf for the client machines:
DatabaseMirror <lan.ip>
DatabaseCustomURL <lan.ip>/main.cvd
DatabaseCustomURL <lan.ip>/bytecode.cvd
DatabaseCustomURL <lan.ip>/daily.cvd
## disable the private mirror (as DatabaseMirror is used)
#PrivateMirror

This works; it only downloads the .cvd files specified with DatabaseCustomURL. But it seems that since recently (I guess) http:// is not used anymore, and it has changed to https:// to retrieve the .cvd files from a DatabaseMirror (at least the previous version of freshclam used http://, I got the impression from my tests).

I could of course create a self-signed certificate, set it up on https on the DatabaseMirror and the problem would be resolved too. But it was not my initial intention or approach.

Also I was hoping DatabaseCustomURL would work when PrivateMirror has been set, as I can specify the http:// protocol (and overwrite the https) with DatabaseCustomURL. But it seems DatabaseCustomURL is ignored when using PrivateMirror.

So actually I was looking for:
1. Force http:// on DatabaseMirror (not possible I think)
2. Make DatabaseCustomURL work with PrivateMirror (not possible I think)
3. Have some setting in /etc/freshclam.conf that disables .cld downloads (as I understand from this mailing list, this does not exist).

Several combinations, but each was missing something from the other. :) I was going in circles.

At least I understand now there is no such option in /etc/freshclam.conf to disable the attempt to download .cld files. Wanted to make sure. So I would need to choose a workaround solution.

The reason for preventing 404s for non-existent .cld files is that there is a group of servers accessing the PrivateMirror, all connected to a SIEM which reports the 404s on the non-existent .cld files as possible malicious activity. (I could also, as another option, disable these warnings in the SIEM, but I do not want to go this way either.)

Thank you,
Vin

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, March 23, 2020 9:57 PM, Scott A. Wozny via clamav-users <clamav-users at lists.clamav.net> wrote:

> That's a very valid point.  I hesitated to mention it only because my experience with distributed mirrors has been that the files on each mirror are timestamped when the mirror you happen to be talking to at that moment downloaded the file which is inconsistent over the pool.  I wondered if, perhaps, the clamav mirroring structure had found a way around that issue, but when I see freshclam does either a DNS TXT check or a "first 512 byte header comparison" check it made me think this was still an issue and if-modified-since couldn't be relied upon to work until you got to the absolute last mirror to pull down the absolute newest version which could still be pretty inefficient overall (depending on the size of the pool compared to how often files change).  AND this issue would percolate down to the clients of the PrivateMirror unless, of course, the issue with differing timestamps from mirror to mirror has been resolved in some way.
>
> So, I'm curious if your wget --timestamping approach has been tested in this context as truly downloading each file only once or if your point was to note the capability of the wget command?
>
> Thanks,
>
> Scott
>
> ---------------------------------------------------------------
>
> From: clamav-users <clamav-users-bounces at lists.clamav.net> on behalf of Arjen de Korte via clamav-users <clamav-users at lists.clamav.net>
> Sent: March 23, 2020 4:35 PM
> To: ClamAV users ML <clamav-users at lists.clamav.net>
> Cc: Arjen de Korte <build+clamav at de-korte.org>
> Subject: Re: [clamav-users] PrivateMirror set on client machine. Disable cld downloads
>
> Quoting "Scott A. Wozny via clamav-users" <clamav-users at lists.clamav.net>:
>
>> One caveat with that suggestion is that if you move off of freshclam
>> to do your signature retrieval with wget, you give up the
>> efficiencies of just downloading the first 512 bytes of each DB file
>> to see if it's been updated and, if not, going back to sleep until
>> the next check.  Using wget you go from a few KB of bandwidth per
>> server per check to hundreds of MB for each update on each server.
>> If you don't care about bandwidth and disk I/O, then this difference
>> won't matter to you, but if it does, just be aware of the difference.
>
> The --timestamping option of wget will fix that for you and will only
> download the file if the timestamp of the remote file changes:
>
>      wget --timestamping http://database.clamav.net/daily.cvd
>
>> Alternatively, you could emulate what freshclam does and curl the
>> first 512 bytes, do the comparative version checking and then
>> sleeping or doing the full download.  But once you get to that
>> point, you're practically rewriting freshclam and then the option of
>> reaching out to the devel list to modify freshclam to fit your needs
>> for a custom build starts to become a comparable amount of work.
>>
>> Scott
>>
>> ________________________________
>> From: clamav-users <clamav-users-bounces at lists.clamav.net> on behalf
>> of G.W. Haywood via clamav-users <clamav-users at lists.clamav.net>
>> Sent: March 23, 2020 12:32 PM
>> To: ClamAV users ML <clamav-users at lists.clamav.net>
>> Cc: G.W. Haywood <clamav at jubileegroup.co.uk>
>> Subject: Re: [clamav-users] PrivateMirror set on client machine.
>> Disable cld downloads
>>
>> Hi there,
>>
>> On Mon, 23 Mar 2020, vin9999 via clamav-users wrote:
>>
>>> ... how can we disable .cld downloads? ...
>>
>> Use something else to download the files?
>>
>> Presumably you use freshclam to keep the private mirror up to date,
>> but there is nothing which forces you to use freshclam to copy files
>> from the private mirror to its clients.  A utility like 'wget' could
>> do what you need.
>>
>> --
>>
>> 73,
>> Ged.
>>
>> _______________________________________________
>>
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>
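The header check discussed in the thread (fetch the first 512 bytes, compare versions, download only when newer), as an added shell example that is not from the thread or from the ClamAV project. It requests only .cvd names, so the mirror logs no 404s for .cld files; MIRROR, DBDIR and the function names are assumptions.

```shell
#!/bin/sh
# Added example. MIRROR and DBDIR are assumed placeholders, not thread values.
MIRROR="${MIRROR:-http://mirror.lan.example}"
DBDIR="${DBDIR:-/var/lib/clamav}"

# CVD header: 512 bytes of colon-separated ASCII, space padded:
# ClamAV-VDB:<build time>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>
cvd_field() {  # $1 = file, $2 = field number
    # head -c also copes with a server that ignores Range and sends it all.
    head -c 512 "$1" | cut -d: -f"$2"
}

# Print the database version; fail if the file is missing or not a CVD header
# (for example an HTML error page saved by mistake).
cvd_version() {
    [ -r "$1" ] || return 1
    [ "$(cvd_field "$1" 1)" = "ClamAV-VDB" ] || return 1
    v=$(cvd_field "$1" 3)
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$v"
}

# Exit 0 when the remote header is newer than the local copy. A missing or
# unparsable local file counts as version 0; a bad remote header is never
# treated as an update.
needs_download() {  # $1 = local .cvd, $2 = file holding the remote header
    remote=$(cvd_version "$2") || return 1
    local_v=$(cvd_version "$1") || local_v=0
    [ "$remote" -gt "$local_v" ]
}

# Fetch the header, compare, then download the full file only if it is newer.
sync_db() {  # $1 = database name: main, daily or bytecode
    hdr=$(mktemp) || return 1
    curl -fsS -r 0-511 -o "$hdr" "$MIRROR/$1.cvd" || { rm -f "$hdr"; return 1; }
    if needs_download "$DBDIR/$1.cvd" "$hdr"; then
        # Write to a temporary name so a partial download never replaces
        # the database that clamd is using.
        curl -fsS -o "$DBDIR/$1.cvd.tmp" "$MIRROR/$1.cvd" &&
            mv "$DBDIR/$1.cvd.tmp" "$DBDIR/$1.cvd"
    fi
    rc=$?
    rm -f "$hdr"
    return $rc
}
```

Run `sync_db daily` (and likewise for main and bytecode) from cron on each client. The version comparison is not an integrity check; `sigtool --info` on the downloaded file reports the header fields and verifies the signature.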