[clamav-users] Clamav with VPN

Paul Kosinski clamav-users at iment.com
Tue May 5 14:45:57 UTC 2020


> > To try to solve this issue, I have added this line in my /etc/hosts file:
> >
> >  * 104.16.218.84 database.clamav.net  
> 
> Don't do things like that.  Sooner or later it will break, and you'll
> find yourself back here again asking why.


Our firewall blocks our mail server from issuing requests via ports 80
and 443, but, after our failure to set up a private mirror that worked
reliably after the switch to Cloudflare (their BOS mirror was usually
behind the DNS TXT reported version, as detailed in many previous
posts), I had to add exceptions for 104.16.218.84 and 104.16.219.84 so
that our mail server could update ClamAV. (And Joel said last July that
these IPs are quite stable for our geo-location "Unless cloudflare
drastically changes things".)

The only other alternative was to set up some sort of on-LAN relay or
proxy (e.g., Squid), which seemed like way overkill.


P.S. Since "G.W. Haywood" <clamav at jubileegroup.co.uk> never accepts
incoming mail, why not switch from CC to BCC in your submissions to
clamav-users and save us a lot of frustration? (Also, your private
email address from which you sent me a private email never accepted my
private reply, it just "timed out" -- twice.)



On Tue, 5 May 2020 12:23:10 +0100 (BST)
"G.W. Haywood via clamav-users" <clamav-users at lists.clamav.net> wrote:

> Hi there,
> 
> On Tue, 5 May 2020, 21ch181 via clamav-users wrote:
> 
> > I use ExpressVPN and each time I want to update the database I see a
> > message in the log files (syslog and freshclam) ...
> > To try to solve this issue, I have added this line in my /etc/hosts file:
> >
> >  * 104.16.218.84 database.clamav.net  
> 
> Don't do things like that.  Sooner or later it will break, and you'll
> find yourself back here again asking why.
> 
> > Please note that the update works well if I switch off my VPN.
> 
> It's clear from your log messages that your problem is caused by name
> resolution issues.  It isn't clear exactly what they are, but it's
> obviously associated with the DNS service provided when the VPN is
> running.  Since the ExpressVPN sales pitch makes a thing of encrypting
> your DNS traffic as well as other traffic this isn't a great surprise.
> You could try to debug the name resolution using tools like 'dig', but
> it's not necessarily straightforward and in any case I'm not persuaded
> that there's a case for sending ClamAV database traffic over a VPN.
> All the information (including, now that you've posted to this list,
> the fact that you are using it) is in the public domain.
> 
> > Could someone give me some solutions to solve this issue, please?
> 
> Send ClamAV traffic over normal routes.  It's possible that Cloudflare
> is blocking ExpressVPN traffic, but I don't know what you'd be able to
> do about that.  Joel (on this list) might have insights to offer.
> 
> I'd never use a VPN service provided by someone else.  You can't trust
> them.  It's very easy to set up your own, then you know what's going
> on, and you aren't providing raw material from which someone probably
> intends to make a profit.
> 
> I'll leave aside the legality or otherwise of using strong encryption
> in your country, but if you can tell us why you think you need ClamAV
> on your Linux box that might be useful.
> 
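
An added example, not part of the original thread: a drift check for the two workarounds discussed above (a hand-written /etc/hosts entry and a firewall allow-list of fixed IPs for database.clamav.net), reporting pinned addresses that DNS no longer returns and returned addresses the pin does not cover. The function names and the sample data are assumptions constructed for illustration; `resolve_live` must be run from a host without the hosts-file override, otherwise it returns the pin itself.

```python
import ipaddress
import socket


def pinned_addresses(hosts_text, name):
    """Return the set of IPs that a hosts-file body pins for `name`."""
    pins = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: not a valid hosts entry
        if name.lower() in (f.lower() for f in fields[1:]):
            pins.add(str(addr))
    return pins


def stale_pins(pinned, resolved):
    """Pinned or allow-listed IPs that DNS no longer returns for the name."""
    return sorted(set(pinned) - set(resolved))


def uncovered(pinned, resolved):
    """IPs DNS returns now that the pin or allow-list does not include."""
    return sorted(set(resolved) - set(pinned))


def resolve_live(name, port=443):
    """Current addresses for `name` from the system resolver."""
    infos = socket.getaddrinfo(name, port, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


# Constructed sample input: a hosts file carrying the pin from the thread,
# and a made-up DNS answer (192.0.2.10 is a documentation-range address).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
104.16.218.84 database.clamav.net   # pinned by hand
"""
SAMPLE_RESOLVED = {"104.16.219.84", "192.0.2.10"}

if __name__ == "__main__":
    pins = pinned_addresses(SAMPLE_HOSTS, "database.clamav.net")
    print("stale pins:", stale_pins(pins, SAMPLE_RESOLVED))
    print("not covered:", uncovered(pins, SAMPLE_RESOLVED))
```

Run from cron on a machine with unrestricted DNS, a non-empty result from either function is the early warning that the pin or firewall exception needs revisiting before freshclam starts failing.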


